Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-08-2024 14:47

Static task: static1
Behavioral task: behavioral1
Sample: 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
Resource: win10v2004-20240802-en
General
Target: 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
Size: 1.8MB
MD5: 19d4b831e5dd11605dedad6373ca39b8
SHA1: 5b6058633e97812425c3d02b35478d3a03c27188
SHA256: 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060
SHA512: 872d63031169322a829b766a452abae14f38ad9618bb0a52aaa8079ab178cb659a6de03446767f72762dabb6738e050daa3d68f9f8053be8b35e7dac58add9e9
SSDEEP: 49152:mP+5L+DNleL7usSVou5DhOOroBT9IaRw0:mP+5qZs7usPADhq59J
Malware Config

Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
Attributes:
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php

Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
Attributes:
  url_path: /e2b1563c6670f193.php

Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
Attributes:
  url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access or copy of a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | svoutse.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | RegAsm.exe

Executes dropped EXE (6 IoCs)
pid | Process
2340 | svoutse.exe
4124 | e1598c2793.exe
3044 | facfc2c046.exe
1800 | 2b6a1acebe.exe
4284 | svoutse.exe
4472 | svoutse.exe

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | svoutse.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e1598c2793.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\e1598c2793.exe" | svoutse.exe

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/940-43-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral1/memory/940-53-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral1/memory/940-55-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid | Process
2576 | 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
2340 | svoutse.exe
4284 | svoutse.exe
4472 | svoutse.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4124 set thread context of 940 | 4124 | e1598c2793.exe | 100
PID 3044 set thread context of 1216 | 3044 | facfc2c046.exe | 102

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\svoutse.job | 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e1598c2793.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | facfc2c046.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2b6a1acebe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
2576 | 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe (2 entries)
2340 | svoutse.exe (2 entries)
4284 | svoutse.exe (2 entries)
4472 | svoutse.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3928 | firefox.exe (5 entries)

Suspicious use of FindShellTrayWindow (64 IoCs; distinct pid/process pairs)
pid | Process
2576 | 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
940 | RegAsm.exe (repeated)
3928 | firefox.exe (repeated)

Suspicious use of SendNotifyMessage (64 IoCs; distinct pid/process pairs)
pid | Process
940 | RegAsm.exe (repeated)
3928 | firefox.exe (repeated)

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3928 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2576 wrote to memory of 2340 | 2576 | 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe | 92 (3 entries)
PID 2340 wrote to memory of 4124 | 2340 | svoutse.exe | 98 (3 entries)
PID 4124 wrote to memory of 4704 | 4124 | e1598c2793.exe | 99 (3 entries)
PID 4124 wrote to memory of 940 | 4124 | e1598c2793.exe | 100 (10 entries)
PID 2340 wrote to memory of 3044 | 2340 | svoutse.exe | 101 (3 entries)
PID 3044 wrote to memory of 1216 | 3044 | facfc2c046.exe | 102 (9 entries)
PID 2340 wrote to memory of 1800 | 2340 | svoutse.exe | 103 (3 entries)
PID 940 wrote to memory of 880 | 940 | RegAsm.exe | 105 (2 entries)
PID 880 wrote to memory of 3928 | 880 | firefox.exe | 107 (11 entries)
PID 3928 wrote to memory of 4488 | 3928 | firefox.exe | 108 (17 entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation reflects the parent/child depth reported by the sandbox; each entry gives the image path, the command line and the PID)

C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe"
  PID: 2576
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    PID: 2340
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe"
      PID: 4124
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 4704

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 940
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          PID: 880
          - Suspicious use of WriteProcessMemory

          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            PID: 3928
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e81ad4d-16ca-4817-8eaf-e9ef16b76085} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" gpu
              PID: 4488

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3205e69-f08a-4e66-bbd1-b7995308bb25} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" socket
              PID: 892

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1568 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 1680 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6127927b-beda-4d43-ac28-7c2cebc50ed5} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" tab
              PID: 880

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3456 -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3500 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {614871e0-0d40-4e0b-8630-9e6892a1ef49} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" tab
              PID: 1392

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4624 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4736 -prefMapHandle 4732 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3be69ece-bcd2-436f-a0d4-fb3271bae74f} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" utility
              PID: 6000
              - Checks processor information in registry

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5112 -childID 3 -isForBrowser -prefsHandle 5096 -prefMapHandle 5092 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56a6d52b-3951-4b36-b4e9-74abdcde7526} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" tab
              PID: 5364

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 4 -isForBrowser -prefsHandle 5260 -prefMapHandle 5264 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c353ece-f2bb-4086-8049-25cf0309321f} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" tab
              PID: 5380

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 5 -isForBrowser -prefsHandle 5452 -prefMapHandle 5456 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7444de64-fe40-4ba9-9299-c13c1f0364f8} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" tab
              PID: 5392

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6088 -childID 6 -isForBrowser -prefsHandle 6036 -prefMapHandle 6064 -prefsLen 27181 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00d896b4-1556-44c5-aa8d-8a96b669756a} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" tab
              PID: 5568

    C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe"
      PID: 3044
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 1216
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\1000003002\2b6a1acebe.exe
      Command line: "C:\Users\Admin\1000003002\2b6a1acebe.exe"
      PID: 1800
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8
  PID: 2044

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  PID: 4284
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  PID: 4472
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Downloads
Filesize: 187KB
MD5: 278ee1426274818874556aa18fd02e3a
SHA1: 185a2761330024dec52134df2c8388c461451acb
SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize: 13KB
MD5: f48baf42064cefb4e06d886085c7292a
SHA1: 5d723c8a3fd090257fd2dc753ab8c474ca6ddf6c
SHA256: 80d7cc7de0cf76c1522731eb1029acf162915f9073429274591fb09c9d91c148
SHA512: 22f72092f2bf851c2c99141b3ab5de1238a9a4c3af71eb4c0403f0db0fa413fbbbd02bc71cd7d929531814be6c26baa09294d01216ee7afb66ed5cccf12060f7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize: 7KB
MD5: c460716b62456449360b23cf5663f275
SHA1: 06573a83d88286153066bae7062cc9300e567d92
SHA256: 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512: 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Filesize: 1.8MB
MD5: 19d4b831e5dd11605dedad6373ca39b8
SHA1: 5b6058633e97812425c3d02b35478d3a03c27188
SHA256: 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060
SHA512: 872d63031169322a829b766a452abae14f38ad9618bb0a52aaa8079ab178cb659a6de03446767f72762dabb6738e050daa3d68f9f8053be8b35e7dac58add9e9

Filesize: 1.2MB
MD5: 21f570b2a3b04bc8c2d031c296413458
SHA1: 72c65436b31fe8d27c00eca9acf9590c7d6fd222
SHA256: a4fc1e5a680d5701279a61ada37dc8b19d302c7113e70324caba4156a0f9c2ea
SHA512: d0cfc5dfb6d34ad66db0ffc469ea1276f60fe87a58e307e7e2ce887c37413bb09a5fec4b425f4bfef4b8a3a4e6da70e2434f8424797e38bd40fdc1604a8ae874

Filesize: 206KB
MD5: 1248fcc89f1bcbaa44ea9c47ec824d7e
SHA1: a6bd2f5b2ca96bebc8158dd435ffff8d02ff6550
SHA256: 343da582cbe90421cadbaadbbead3532ec26d82f9b3d297feb8b669d71754c5d
SHA512: a96870d51390ab21b188b5b7ba6d3e030cf78fd6d6c75eb93f2dd7f9d1869715db59b894a4165c31b69bf4f05ffcc18a7443df3266145d09b3f873c6a6b984c3

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin
Filesize: 7KB
MD5: 53d9d751888b438f775798472ac44075
SHA1: 09a1ec9588e9ad6af5a5e575c7d01957f6067217
SHA256: f0a434d936c25daebd0620afe23ee01777db07b0c851a12638e56c414d023287
SHA512: bdf75006358f6b05796ae2a68787c0bcbcb9cd593ef6bd05aa6cbd5f4e77b6b5dec4ab0319360a6931a8baf1e666c24926db6aeb5e7d6f595f227b5ef79912e3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin
Filesize: 16KB
MD5: 6f3c5a0d36457da150944b911c7b294c
SHA1: 72628525906e040552d4b9ca9b97157f1d81a450
SHA256: 4a24757dc1214ac42df12d525493ca631319d2f8ab120d56e22a0bac144ead57
SHA512: f8ca4b9a137e8017b7a00aa52acf0d3f7ecabcf0ba291a9924a05ec4bca8ff34c9011b9e0a68363e44e347f8841f548dd85c9d2cc2cd18bf47c5eb2c663edb03

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin
Filesize: 10KB
MD5: 52ebdad21d38e280e20785aa1e9f491d
SHA1: 837e9713b21df223fb733c76e5771fe992edbb0b
SHA256: c10254a94dcc5c8d56eb1a07ec8356a14064ee42313686c1fd460ebc1820c140
SHA512: 24c574f6f3a504f24feb3fb8c53c97b36cc94fdcc2434fcb26c957cb251372d69d721dee3054fe1cf707dcad95ea1444c862c7b6110a56442831ad90d8701ad8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 757948b58bc6e17a57459197c5b93529
SHA1: 1259e41db790eba61c9769cf1779f7a6aca27581
SHA256: fbc7c65e5014a5bfc5ac4fc7452661d7eac50570afbbd12e88071a88a4f45aa1
SHA512: 723e8317fd13fc292643b6b5829c9d68c507a01c73ea29e586f2bf053eb67970a64c2a7d118e2d5b0f100ebb5df2c02622b3fc0f39a13046fd84127dce4a5767

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: 738c7207e0f00d008863aa02757dd8f2
SHA1: ec3592732cc22b4d3d384499d8eff52c013d3348
SHA256: fcd0550c759d3581a983e497852eb14252cb4a85839e64bb13173e20322efabb
SHA512: 9cdf2dbcc7dbb63cf6f8739a5202653a2ebdb9b80db4a8e64aec4e19d7afed3a2828e04be3324c22fe196c38a7459e008ee0ca2b1c006e582d806d0ef87f0584

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 32KB
MD5: 9fe52cc79b46d42cc5efd1fe1f05394a
SHA1: f8af6d03a758e48b5acdaea5f56aa4b179cac7d6
SHA256: 23da754b16ce7716f9b79ae9f5027042cb5b8d286f1567a4759b427b8b39249e
SHA512: cc92178468317ffc6062c08cbad937406265b61675ce2351291cf8cad8067aef6b28939cbd5d0b6f3b0f4c2331bc46c11cccba3e971ed7f028480e03d3099592

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 32KB
MD5: 9714ea81be29667ff7397cd8b531d7f1
SHA1: 4643e193c67023fff7c284e3b07b986bdb2acb1a
SHA256: 07c25b77402d93b8c63b9c7785236f7f5f09896e1c23af0f7d05847954aa6e3a
SHA512: 4febd4d775e07ca254b37d0546a87acd403f2d5641dd9175e8967d8853d44c6dc1a5e4f57d66446b41198e9ecbc529b06904732a610322ee1d079df63c849b75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\0562660b-6b15-4624-ad0b-c9d97b5301e7
Filesize: 982B
MD5: 0f1b40522a96cde11ebe015a8e6ef505
SHA1: 4609a81e86a4f92994ac576622de052d8ee4de94
SHA256: fbbfec382f12b1c87288bac5fef49a149b2580603742293938057a506feafdeb
SHA512: 15814e69c0c94b50745272c9bf64b6fd8b86ac1805d22c9aeb445ed6301ec2aedaeb3fbe2440d671cc92bf98346383e4583bcde0c4ebd42c9e3a18de3d869d3d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\c6e2767e-d883-4672-aa42-e4b3cd6e85d9
Filesize: 671B
MD5: bcf007f2b609cce3f15b4c85c10fd4de
SHA1: f2706734cba181b8b5d8d6092f1a300f1f9578c3
SHA256: 783bff9ad9f1f9cba82deb1f9d28c7207258dd080583bdf3d4c3262cb07bbbc7
SHA512: d3ef6ee652def7b7b881afdbb063e8279dc683f1b3c77ef303e6993339ab2faac77083c0f41c5e715faed0984f63596b7ac269cb7d2fee927bfaa1710eaee4ce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\e0950232-cda5-428a-a6c2-54e97bda9928
Filesize: 26KB
MD5: 6b6311a975184b67dc9e47c415b74b48
SHA1: c68a599e411b83b2e75e692554cf579a6ef6ba9f
SHA256: e094af7ef7e3732e29e56d100b7064b03e6b54d11db88445152cc5e197846d53
SHA512: c9e0b352185bc8e26bcb11cfb4d674cbe5922d95cc95fa74478aa19e7a1e4e7add1a7b9ce33796896ea7921384467004b841430e59bd19faa86475b1c6037cf8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize: 12KB
MD5: 4147377aed2abb40d51db945f551668c
SHA1: 1b23006713e93694014fb78f18238b9217d93701
SHA256: 72594e4a1844a082529c8076eeba33599982524c81a1db1d743932ad80301d1e
SHA512: 0f354713f03e52e99bfe4b9ef458b114062ad8dd9f0068988c2c6d6b1ba8edeba8292ab94e75884d6fcf3654eb3dc958fb3863ce7324dfa43888d8c146844ea9

Filesize: 11KB
MD5: 718772d86509ff18e006b37af917e44c
SHA1: 1449de5bedeb3c304c795cd05e76bc45473faea5
SHA256: 6d4590416a1b8436d101755e98f9c5657ebde5fd5540cbb939a7c38b1df95248
SHA512: 497165ef686ee58c51baa14951c7badb91495f58e1dd319a650c90e9f8dc91d271d14a36f857795aebaf2f46b7feabc854b1193c99dbe26efa6cb80eb46e1e0c

Filesize: 11KB
MD5: c20ed2029f83cc2170ec03c229e3fc91
SHA1: 5f2854ef073d24e401e615ad0eb451dd936d524e
SHA256: e4f22196299c6da83f06c936aea29ab73a3986ccacdbdaf9f613a53fbb2653ea
SHA512: c184d28d1d5f21bbafe1095ba8508c262f98e1eef3e1c25c136fd2cc19204ca46d9d904cc2e17282abe4f621a52cdb3cceac4e87c1c1c029949443b592441238

Filesize: 16KB
MD5: 2dd40d09eb798ce3d854493f5a081068
SHA1: caf9985063b31117d2482bc5e4106769d46496ca
SHA256: d8b7eacdafd26a27393b6ebe603dae2e9cc3a3c097dd639503a8beba41acad00
SHA512: 7bbe19ca146c77ae422547b853fbf1edf04b2f49c622eae83be189f1ccd42fb6cf2402c57eaca0742e7bd175caea11d1aaf8735b797a06df6441ad6ed6a32db4

Filesize: 16KB
MD5: a3fc9538e0c2ea309840670f9714c4d5
SHA1: 9a85123b12cf41cb24102339a7337b507ad51c6a
SHA256: ccce78fb4a3551b16cf8ebab57bf77490d12adae2b6afd0b94ace2790dbbe090
SHA512: 43f6da7d436a001723f9a50fdc905cb632f77de1bee67e6479c3dd3f3c2357972a546f215ba87d68fe8f73b7dc304fcbde58afe8cc8cbb366001ae8ac382e63d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
Filesize: 5KB
MD5: aee6bdef0af9e47a950088b8fb05405f
SHA1: ad5597e7e4a9d2bf88639fff504fe6477a81ee85
SHA256: f0e4402bc1ab9b6a68633f761de8a14b2f5b1599ff3450133dd158c610da93c2
SHA512: fea954713093b81b5e92540a5fc097021f035bcb2782e9e8d5616085770d49ea71b272bffe3b9bea888cfa82996e78db2a341ce8ad436fd5f06c7995ab3471db

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.1MB
MD5: 9cfe4d16a8fc5b605eab93a5673dd38c
SHA1: 3c707a174ebaee1ab0bb4a499b15204c6381229b
SHA256: 15bbeafa17fee29e3355f8adcae0ee37642561f430b96a6459c8cf9ef39f1598
SHA512: 853244ebe4b965e6e6a7f1ca8b451bb7981014f08fdae36f64ec088bc3a93f5c05b1ef45ccf782d258443801129668d24784bca8f80bb13553efb0862d5fc3f1