Analysis
max time kernel: 149s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17-08-2024 13:57
Static task: static1
Behavioral task: behavioral1
Sample: e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Resource: win10v2004-20240802-en
General
Target: e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Size: 1.8MB
MD5: 320bfe32e64a031b70edd32097fd148e
SHA1: e4f4aa216b8775feff342ff10ac78710f328f75a
SHA256: e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc
SHA512: 9962cd1fc6f9fc2c8823ed2d73bcb99a01ee52c01669771a1364b2414e605a63d077abd4c950819227c2952442bca0dd4f81086fb51dc9553bfa3a31ed1a1962
SSDEEP: 49152:S7z+ATgJwId+hd5hI62lN5PT6CGm3kMD3cv7:S7ey9wN5rJ/3k0sv
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php
Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copying of, the web browser credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Executes dropped EXE (5 IoCs)
pid | Process
2840 | svoutse.exe
4088 | c770c2ddc0.exe
3764 | 20b970ccbe.exe
1192 | 26cc9b36e6.exe
4904 | svoutse.exe
Identifies Wine through registry keys (2 TTPs, 3 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Key opened | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine | svoutse.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\c770c2ddc0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\c770c2ddc0.exe" | svoutse.exe
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4524-43-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/4524-45-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/4524-47-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid | Process
1916 | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
2840 | svoutse.exe
4904 | svoutse.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4088 set thread context of 4524 | 4088 | c770c2ddc0.exe | 80
PID 3764 set thread context of 2512 | 3764 | 20b970ccbe.exe | 86
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\svoutse.job | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c770c2ddc0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 20b970ccbe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 26cc9b36e6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1916 | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
1916 | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
2840 | svoutse.exe
2840 | svoutse.exe
4904 | svoutse.exe
4904 | svoutse.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3484 | firefox.exe
Token: SeDebugPrivilege | 3484 | firefox.exe
Token: SeDebugPrivilege | 3484 | firefox.exe
Token: SeDebugPrivilege | 3484 | firefox.exe
Token: SeDebugPrivilege | 3484 | firefox.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
4524 | RegAsm.exe
3484 | firefox.exe
(64 entries; repeated rows collapsed to the two distinct pid/process pairs)
Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
4524 | RegAsm.exe
(all 64 entries are this same pid/process pair)
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3484 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1916 wrote to memory of 2840 | 1916 | e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe | 78
PID 2840 wrote to memory of 4088 | 2840 | svoutse.exe | 79
PID 4088 wrote to memory of 4524 | 4088 | c770c2ddc0.exe | 80
PID 2840 wrote to memory of 3764 | 2840 | svoutse.exe | 81
PID 3764 wrote to memory of 812 | 3764 | 20b970ccbe.exe | 82
PID 3764 wrote to memory of 4544 | 3764 | 20b970ccbe.exe | 83
PID 3764 wrote to memory of 1028 | 3764 | 20b970ccbe.exe | 84
PID 3764 wrote to memory of 3656 | 3764 | 20b970ccbe.exe | 85
PID 3764 wrote to memory of 2512 | 3764 | 20b970ccbe.exe | 86
PID 2840 wrote to memory of 1192 | 2840 | svoutse.exe | 87
PID 4524 wrote to memory of 3572 | 4524 | RegAsm.exe | 88
PID 3572 wrote to memory of 3484 | 3572 | firefox.exe | 91
PID 3484 wrote to memory of 4552 | 3484 | firefox.exe | 92
(64 entries; repeated rows collapsed to the distinct parent/child pairs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1916
  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2840
    C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4088
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 4524
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Suspicious use of WriteProcessMemory
          PID: 3572
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 3484
            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d126d77c-7488-4cfa-8c4a-57191eb7ea3b} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" gpu
              PID: 4552
            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54ca7373-e735-49e8-b3e8-0bd06e9dcb24} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" socket
              PID: 3360
            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2864 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 2972 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f54fd2c-7d1f-4b0f-b88f-eade99aeb323} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab
              PID: 2444
            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3816 -childID 2 -isForBrowser -prefsHandle 3808 -prefMapHandle 3804 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fad72809-a6bf-4d7e-bf44-bd01242e0f17} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab
              PID: 3436
            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4752 -prefMapHandle 4748 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdb7cefe-90e4-4aa1-a784-80bc52169477} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" utility
              - Checks processor information in registry
              PID: 2568
            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 3 -isForBrowser -prefsHandle 5460 -prefMapHandle 5456 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7c96e71-9f25-4c2d-923d-608a530eae23} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab
              PID: 2884
            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4728 -childID 4 -isForBrowser -prefsHandle 5608 -prefMapHandle 5612 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42f88a3e-a564-474b-90f2-94421ddb22f2} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab
              PID: 2268
            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 5 -isForBrowser -prefsHandle 5444 -prefMapHandle 5780 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32d663b4-49ce-4371-ad3b-5efd32074b31} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab
              PID: 2872
            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6188 -childID 6 -isForBrowser -prefsHandle 6228 -prefMapHandle 6224 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {313a4ca3-0b3b-48fc-ac96-bf7047d56446} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab
              PID: 1520
    C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3764
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 812
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 4544
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 1028
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 3656
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        PID: 2512
    C:\Users\Admin\1000003002\26cc9b36e6.exe
      Command line: "C:\Users\Admin\1000003002\26cc9b36e6.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 1192
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 4904
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads