Analysis

max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-08-2024 13:57

Static task: static1
Behavioral task: behavioral1
Sample: e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Resource: win10v2004-20240802-en
General

Target: e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Size: 1.8MB
MD5: 320bfe32e64a031b70edd32097fd148e
SHA1: e4f4aa216b8775feff342ff10ac78710f328f75a
SHA256: e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc
SHA512: 9962cd1fc6f9fc2c8823ed2d73bcb99a01ee52c01669771a1364b2414e605a63d077abd4c950819227c2952442bca0dd4f81086fb51dc9553bfa3a31ed1a1962
SSDEEP: 49152:S7z+ATgJwId+hd5hI62lN5PT6CGm3kMD3cv7:S7ey9wN5rJ/3k0sv
Malware Config

Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
Attributes:
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php

Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
Attributes:
  url_path: /e2b1563c6670f193.php

Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
Attributes:
  url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to or copy of a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | svoutse.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | RegAsm.exe
Executes dropped EXE (6 IoCs)
pid | Process
4804 | svoutse.exe
4740 | 5706e7601d.exe
4696 | 20b970ccbe.exe
3616 | 26cc9b36e6.exe
948 | svoutse.exe
5448 | svoutse.exe
Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | svoutse.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5706e7601d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\5706e7601d.exe" | svoutse.exe
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/3056-43-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral1/memory/3056-47-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral1/memory/3056-45-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid | Process
4760 | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
4804 | svoutse.exe
948 | svoutse.exe
5448 | svoutse.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4740 set thread context of 3056 | 4740 | 5706e7601d.exe | 94
PID 4696 set thread context of 4156 | 4696 | 20b970ccbe.exe | 96

Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\Tasks\svoutse.job | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 26cc9b36e6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5706e7601d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 20b970ccbe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
4760 | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
4760 | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
4804 | svoutse.exe
4804 | svoutse.exe
948 | svoutse.exe
948 | svoutse.exe
5448 | svoutse.exe
5448 | svoutse.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4504 | firefox.exe
Token: SeDebugPrivilege | 4504 | firefox.exe
Token: SeDebugPrivilege | 4504 | firefox.exe
Token: SeDebugPrivilege | 4504 | firefox.exe
Token: SeDebugPrivilege | 4504 | firefox.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process | entries
3056 | RegAsm.exe | 7 consecutive entries
4504 | firefox.exe | 21 consecutive entries
3056 | RegAsm.exe | 36 consecutive entries

Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process | entries
3056 | RegAsm.exe | 7 consecutive entries
4504 | firefox.exe | 21 consecutive entries
3056 | RegAsm.exe | 36 consecutive entries

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
4504 | firefox.exe
4504 | firefox.exe
4504 | firefox.exe
4504 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | entries
PID 4760 wrote to memory of 4804 | 4760 | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe | 87 | 3
PID 4804 wrote to memory of 4740 | 4804 | svoutse.exe | 91 | 3
PID 4740 wrote to memory of 3056 | 4740 | 5706e7601d.exe | 94 | 10
PID 4804 wrote to memory of 4696 | 4804 | svoutse.exe | 95 | 3
PID 4696 wrote to memory of 4156 | 4696 | 20b970ccbe.exe | 96 | 9
PID 4804 wrote to memory of 3616 | 4804 | svoutse.exe | 97 | 3
PID 3056 wrote to memory of 4352 | 3056 | RegAsm.exe | 99 | 2
PID 4352 wrote to memory of 4504 | 4352 | firefox.exe | 101 | 11
PID 4504 wrote to memory of 1972 | 4504 | firefox.exe | 102 | 20
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe"
    PID: 4760
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      PID: 4804
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\1000001001\5706e7601d.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000001001\5706e7601d.exe"
        PID: 4740
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID: 3056
          - Checks computer location settings
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            PID: 4352
            - Suspicious use of WriteProcessMemory
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              PID: 4504
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdcc4e11-de57-477f-ac7f-b08d213f3446} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" gpu
                PID: 1972
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f95b41b-ab2c-4016-a361-bc35b9ccfd76} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" socket
                PID: 2112
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1656 -childID 1 -isForBrowser -prefsHandle 1616 -prefMapHandle 3388 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {187ca067-3d10-4ecf-8bb6-be11892ff8cf} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab
                PID: 4568
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1612 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3592 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c26d0c2-3a52-4726-9f37-6d95ef246927} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab
                PID: 2932
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4852 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 4840 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {793c64b3-00f9-43ec-9509-a155311275bd} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" utility
                PID: 5528
                - Checks processor information in registry
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 3 -isForBrowser -prefsHandle 5352 -prefMapHandle 4488 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ab6a342-2140-41e6-b984-f1892cc36d88} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab
                PID: 6088
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -childID 4 -isForBrowser -prefsHandle 5500 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef74cb61-f1d6-4ecf-9a52-740816c66820} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab
                PID: 6116
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5724 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e98d6a5-6c10-48e1-8504-79a5fbfd01a5} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab
                PID: 6128
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6240 -childID 6 -isForBrowser -prefsHandle 6220 -prefMapHandle 6232 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6575c7a4-203e-41a8-81f7-b0aa5f6c6e5b} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab
                PID: 5360
    [3] C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe"
        PID: 4696
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID: 4156
          - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\1000003002\26cc9b36e6.exe
        Command line: "C:\Users\Admin\1000003002\26cc9b36e6.exe"
        PID: 3616
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    PID: 948
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    PID: 5448
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
Filesize: 187KB
MD5: 278ee1426274818874556aa18fd02e3a
SHA1: 185a2761330024dec52134df2c8388c461451acb
SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\activity-stream.discovery_stream.json
Filesize: 34KB
MD5: 240e6a86f051483241b9514ee6477f53
SHA1: 0c5db0943b5e0dec7dbd5765f46065e7d41cbd4d
SHA256: a17858529fcb65235aa5c0e255c643dea9968684f4b9a4655477680dcd408fe4
SHA512: b086bbcaf605b6032f47cd1d3020fbb38ce0a3be6dc1bc1026f22eb83d1bccc0f129e0e72a889d1d1f8d6b7610b9290b291ac127dd562789eabb3f9def14f3d8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize: 13KB
MD5: 270cdf2c6264de3891131ab98ecec8dd
SHA1: 22a5763bdd588e32591e39ac07f8ab0912078f0e
SHA256: 0630c6b25bbcac460aea99c643e1cf56d618e0e329d478b64922ae45b21b463a
SHA512: b78d4c61ac013b201bfb8fe45b0b7e335d1f710c2b100a577ed1e38e56f8239610b0618d18b52575becee8d27bc13d3b84c736b8f01d56ff15d3e9f18cc08fe2
Filesize: 1.8MB
MD5: 320bfe32e64a031b70edd32097fd148e
SHA1: e4f4aa216b8775feff342ff10ac78710f328f75a
SHA256: e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc
SHA512: 9962cd1fc6f9fc2c8823ed2d73bcb99a01ee52c01669771a1364b2414e605a63d077abd4c950819227c2952442bca0dd4f81086fb51dc9553bfa3a31ed1a1962

Filesize: 1.2MB
MD5: f5d4a5d65de3574a5088acbde245b775
SHA1: 29ce38d8fdc2cbf64ae80481843bdbd6f7085015
SHA256: 857eec247df3a7adfbb82e574cb7333fa522ede95ce9b486fb349a5f9455c063
SHA512: 0214b30e1f589658dab52a37dc1a7c89df22a167306568e141048f3b33560796e943dbe4a8e9b009df0ef6a8fb369ad4ab95a498426c643de0690c922a6ba657

Filesize: 206KB
MD5: 2f76d8ea3e1db9164e420c4d574aa44b
SHA1: ddeb21ff46fc9e6a94363035de6f3d8aab5f740f
SHA256: fd6cdb68a33740d70fb2454f8af23b91d379405b61ce858a804635859877c20d
SHA512: 3cab2a539cb3e20dc01741923762c5cc50e07dd270d585c5c0478de8db087d9b723b39c819e3169b7a4a55cac1efa40c36b651d31a3eda7b6547ee6ec07108cd

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin
Filesize: 16KB
MD5: 912392ce0401f86148b6ba62f560e394
SHA1: cfed865ceba5dff37959553faf49ef259b93d491
SHA256: 25283781553bc688d952812117d3aedde3e2fb24d74580f746eb6311c0db2db8
SHA512: ae2bd1bab3c4889d47a653db178a719dbfe2a02aa456780e1bc9093999324e9285d310d6f629f31397056bba464ba0416b2cae78042fe92eb13de674195f0500

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin
Filesize: 10KB
MD5: c7973bb6fced68a26ffdfabb609c604c
SHA1: fd410fc8d4631e92dcf6c5e05ee11745e7f77925
SHA256: 285f54ac457728a0e1ec41f8140653ab9b47d8f4e921c2531bd59634a29d28a1
SHA512: 99bfd17dcdf7781596c01d6ca68b0a58450761bb102432e023c1b324592fff11d64ff1b5f09132d3bf1bb12eaaaec41e0b4695b38d9b7d36bf5f76bcbc5d9636

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 15KB
MD5: cd854d6fd1b0267c26f1c6d7b2c0172e
SHA1: 466f142aa3415e8263f45a440e89c9f3d49b72dc
SHA256: b69d6501b5daa9fa7011207a69d1eaf8cd3b5441785c63b78f83b1d17ed8f87f
SHA512: c76a79ea9da6eacda8c0f5a5260713376924cb156849ef2a8165fa9bff5ff4e7cf7e9da8dcff281ec947af6d1b72b578298ee90406916ea536753edf3a00c658

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: e25b81a03ebe8101df72e0e0b1bcb07a
SHA1: d4bfdfa0aa1aac057a6318dc2d52977ce509ccee
SHA256: ecfad0c4fcf1fcafab4162c7832c13ea79617e2858b0240ab0613aad884bc8a4
SHA512: ef49b1cf5c0e0b5593717ced72cf86159511eaab68423cbdbda9fcfdc04059501a87b55e71d16f69e874c51bdc64e1a0285199edd6b5981f71a3656c4fbc0cba

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\044cbd08-d508-4b08-87aa-0ef1b72066b1
Filesize: 28KB
MD5: 9d2c84d2fc9f9535fb53811af88edfcb
SHA1: 81f47c2f571c2d60a0fd886995283c44697a95a2
SHA256: bb8e138507f5d887f7af3082eb96bf4ad7eefdadd43f3eb1fe16ab54e4b8a5b9
SHA512: ddbdb1e5e5a11da968a3d4143b37ab9ad8c867e76a403ed9dea65c4cd365eb9376be0ba127fff178a2b22074ca49a51806eb2f22dc96fb055ba7c0933b5c5bd5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\7c85cd46-6c03-4f29-83fe-0017a5c34844
Filesize: 982B
MD5: 27db8a4a5ca469d832fbe15efa368e77
SHA1: 6524d7c84083e5fee4963f7d91734dcd416b506e
SHA256: 57fc878407244358f1505dc37184b57c0510007e75918ce922ec3691f5017f8c
SHA512: 598b3c1d571c103d6825464ceba9765cca6ce1737a982b119809b541ba53b5c2e55da35ccb4069d4fad371dd1b56a55cdeb60c0426e1705ab208844d4a5e2b22

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\cf8f3738-c89f-4b54-b3cf-d3e3f9e2ff01
Filesize: 671B
MD5: ec40ef27a777851d31b69c7f53240d61
SHA1: 6b8e69cf677bb2f4bc5ef81a001309ae4675b487
SHA256: a87726f1eeb1c035ad9f959341f2254e96914bd6b1d5a68a9548a5f30923d3c7
SHA512: dc2974ad794133821bbacb629a2f2209765d6a57fc5a3dc9206833e8cf6b7a47e1ce505fdd7e52d6e337cdc5d666da5fd7682e483eb1a37fc0f9e1b152f5d6e7
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
Filesize: 11KB
MD5: 4bef4eb08ac759070f1c4dd972a43450
SHA1: 17bffc9a80ebf666b52fb60931bfd773fa9493f1
SHA256: 0d5191d652fa9ab38f9d99aec5413333ff9cdadbc99552f3e1789596d64d1288
SHA512: ecb3e9e46467eecf739fc714962b7e2e4ffaa578e4f50ec43e8919cdfd3f9fe7c5aa09a2077a02ac2d5d026b9dfcd1877592713d90fb732a4a35a63af2f609aa

Filesize: 13KB
MD5: 26b5110db856b1a0459f22f24996ed4c
SHA1: a131bd7483ff65709849917f1c52fa9a2e3b6602
SHA256: 1c09b539c8e079713306302882f34804ca06e36517f723e6a0a79a1b70de76e7
SHA512: 009cc325d8c6b9f91f6954cf4a5c69ddb7de901de4d4954ba160f9cc682ce3f5c318d2a9b26061e93e91b96062e79365f0103fadbff27eeb24cecfd15c65f1c5

Filesize: 16KB
MD5: 1b02c6eabf455b9b1da623779b29bf3f
SHA1: 582a5a2be399c62126a3a645cdb7c2f18a1a0168
SHA256: 3e4b54752976c68b688ac905f6d34dbd7bc8dcbbe52224097e22521269646440
SHA512: 7dc36b3470ab0bd612b9137ffaa7791d686e0b9006c4c1084b4c46a964420a3857bc523d2dcaca09b2f9f3cc397323e45b55063248ae6ab72260a9942ac2bc1e

Filesize: 15KB
MD5: fab57dd42b1b8d5236a6174d7990dcee
SHA1: a1e7b803ed23bf329b1adba46f780809e547ba0c
SHA256: b14506d55acd4659d89e1fa19eb99006dcd4de3042a15d0b51093143d53283b9
SHA512: 986bb5ce079e30b62935c35aa40228b5a3c0f877fcc00c4fa4f7080b798665424e5f7fb44ca4f40a50372191b288bd1f1f9e41ec9bf07680e9fbae6d8ab38769

Filesize: 11KB
MD5: a9e679d7b535c2b15eb700ad601d90e5
SHA1: 718503845c2f5b6251f4bf44989d7d317f3d22e6
SHA256: 26b63472c6a3a2a4808edcd7867a3a827864c259700697f2429fc8516a20edff
SHA512: 731d1fd7e8f82668dd845bde6fce383e277e1b907f531c764366d410b4b37a7c66ec1ffa8beb2d3d104358a51005a1849457e29a7a365c7bd1dcb5fccc03196b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.1MB
MD5: de048050d898cf982c474046693624e9
SHA1: 9a1af5fd1525cb291eca1b22636c03b14fca6c47
SHA256: 4770cf05422df831f237fd7f9d56b7868369f81a86f45d36e8aa55e999c2d4dc
SHA512: fc46afbee5f1cbfb258f4f26b8aa84eb38d16816454bb6ad6d08fb5bba3a3df2e4d0d8376971c0f111e4b20bdd1ee836f1e48e2cb92c4cdabc40c8362da0cb5b