Analysis

max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-08-2024 16:51

Static task: static1
Behavioral task: behavioral1
Sample: 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe
Resource: win10v2004-20240802-en
General

Target: 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe
Size: 1.8MB
MD5: e3fd0516e07f3c086155870f11b17f41
SHA1: 1adb49efdfa5e12dd0849e45b7ebbec4dc0e8f8b
SHA256: 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2
SHA512: 7f70c92d8ce86a830631c5829cc74f7a91a8e9cada59e193f766bbff9486bf163053f164eb57dcc3bfa57b2441d263d073f2f57767acf0f5500cb08fcb15df74
SSDEEP: 49152:ORtRQfDAsqJHGdoNdO9TK7P+FIH7HKg0O89/Cpy:ORyDWAH8+aHKHO89/Gy
Malware Config

Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php

Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php

Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access or copy of a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe |

Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe |
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | svoutse.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | RegAsm.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe |
Executes dropped EXE (7 IoCs)

| pid | Process |
| --- | --- |
| 4420 | svoutse.exe |
| 2912 | ac5b144c02.exe |
| 2156 | 614def4a3d.exe |
| 3132 | 33dd1d58ed.exe |
| 5556 | svoutse.exe |
| 4964 | svoutse.exe |
| 3380 | svoutse.exe |
Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine | 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine | svoutse.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine | svoutse.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine | svoutse.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine | svoutse.exe |
Adds Run key to start application (2 TTPs, 1 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ac5b144c02.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\ac5b144c02.exe" | svoutse.exe |
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/904-43-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe |
| behavioral1/memory/904-45-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe |
| behavioral1/memory/904-47-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe |
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)

| pid | Process |
| --- | --- |
| 1360 | 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe |
| 4420 | svoutse.exe |
| 5556 | svoutse.exe |
| 4964 | svoutse.exe |
| 3380 | svoutse.exe |
Suspicious use of SetThreadContext (2 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2912 set thread context of 904 | 2912 | ac5b144c02.exe | 90 |
| PID 2156 set thread context of 1940 | 2156 | 614def4a3d.exe | 95 |
Drops file in Windows directory (1 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\Tasks\svoutse.job | 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 614def4a3d.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 33dd1d58ed.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ac5b144c02.exe |
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe |
Modifies registry class (1 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | firefox.exe |
Suspicious behavior: EnumeratesProcesses (10 IoCs)

| pid | Process |
| --- | --- |
| 1360 | 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe |
| 1360 | 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe |
| 4420 | svoutse.exe |
| 4420 | svoutse.exe |
| 5556 | svoutse.exe |
| 5556 | svoutse.exe |
| 4964 | svoutse.exe |
| 4964 | svoutse.exe |
| 3380 | svoutse.exe |
| 3380 | svoutse.exe |
Suspicious use of AdjustPrivilegeToken (5 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2340 | firefox.exe |
| Token: SeDebugPrivilege | 2340 | firefox.exe |
| Token: SeDebugPrivilege | 2340 | firefox.exe |
| Token: SeDebugPrivilege | 2340 | firefox.exe |
| Token: SeDebugPrivilege | 2340 | firefox.exe |
Suspicious use of FindShellTrayWindow (64 IoCs)
pid Process 1360 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe -
Suspicious use of SendNotifyMessage (64 IoCs)
pid Process 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 2340 firefox.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe 904 RegAsm.exe -
Suspicious use of SetWindowsHookEx (4 IoCs)

| pid | Process |
| --- | --- |
| 2340 | firefox.exe |
| 2340 | firefox.exe |
| 2340 | firefox.exe |
| 2340 | firefox.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
Identical consecutive entries are collapsed; the entries column gives how many times each row appears in the original list (64 in total).

| description | pid | Process | procid_target | entries |
| --- | --- | --- | --- | --- |
| PID 1360 wrote to memory of 4420 | 1360 | 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe | 88 | 3 |
| PID 4420 wrote to memory of 2912 | 4420 | svoutse.exe | 89 | 3 |
| PID 2912 wrote to memory of 904 | 2912 | ac5b144c02.exe | 90 | 10 |
| PID 4420 wrote to memory of 2156 | 4420 | svoutse.exe | 93 | 3 |
| PID 2156 wrote to memory of 2388 | 2156 | 614def4a3d.exe | 94 | 3 |
| PID 2156 wrote to memory of 1940 | 2156 | 614def4a3d.exe | 95 | 9 |
| PID 4420 wrote to memory of 3132 | 4420 | svoutse.exe | 98 | 3 |
| PID 904 wrote to memory of 4364 | 904 | RegAsm.exe | 99 | 2 |
| PID 4364 wrote to memory of 2340 | 4364 | firefox.exe | 101 | 11 |
| PID 2340 wrote to memory of 1088 | 2340 | firefox.exe | 102 | 17 |
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry gives the image path, the command line as captured, the PID and the signatures triggered by that process; indentation shows the parent/child relationship.

[depth 1] C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe"
  PID: 1360
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    PID: 4420
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\1000001001\ac5b144c02.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000001001\ac5b144c02.exe"
      PID: 2912
      Signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 904
        Signatures:
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          PID: 4364
          Signatures:
          - Suspicious use of WriteProcessMemory

          [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            PID: 2340
            Signatures:
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72374624-0b7f-4c11-91bc-6c88464e81b7} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" gpu
              PID: 1088

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab14020d-f306-42bd-9805-3566b87a0004} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" socket
              PID: 944

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2876 -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 2940 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a2818df-8c9e-438a-832a-7dbf1993b768} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
              PID: 3308

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3564 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 2656 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7fd2a08-3f31-492e-99b9-37fc7502d2c1} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
              PID: 4536

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4140 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4476 -prefMapHandle 4472 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a31cc470-d32f-4ddc-a201-827b2a2f2819} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" utility
              PID: 5548
              Signatures:
              - Checks processor information in registry

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 3 -isForBrowser -prefsHandle 5628 -prefMapHandle 5624 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2baa7c28-14cb-4210-a7d3-f940c1015aae} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
              PID: 4808

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5988 -childID 4 -isForBrowser -prefsHandle 6012 -prefMapHandle 6004 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6632ea45-0c8e-479e-9050-6ab6d710ef98} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
              PID: 5228

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6028 -childID 5 -isForBrowser -prefsHandle 6024 -prefMapHandle 6020 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8671841-5bea-4295-a70c-7f31213189a4} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
              PID: 5236

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6164 -childID 6 -isForBrowser -prefsHandle 6440 -prefMapHandle 6436 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55bc7669-47e7-43c8-95b9-a623fdc61c55} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
              PID: 5252

    [depth 3] C:\Users\Admin\AppData\Local\Temp\1000002001\614def4a3d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000002001\614def4a3d.exe"
      PID: 2156
      Signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 2388

      [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 1940
        Signatures:
        - System Location Discovery: System Language Discovery

    [depth 3] C:\Users\Admin\1000003002\33dd1d58ed.exe
      Command line: "C:\Users\Admin\1000003002\33dd1d58ed.exe"
      PID: 3132
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[depth 1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  PID: 5556
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

[depth 1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  PID: 4964
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

[depth 1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  PID: 3380
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads