Analysis

max time kernel: 150s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17-08-2024 16:51

Static task: static1
Behavioral task: behavioral1
Sample: 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe
Resource: win10v2004-20240802-en
General

Target: 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe
Size: 1.8MB
MD5: e3fd0516e07f3c086155870f11b17f41
SHA1: 1adb49efdfa5e12dd0849e45b7ebbec4dc0e8f8b
SHA256: 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2
SHA512: 7f70c92d8ce86a830631c5829cc74f7a91a8e9cada59e193f766bbff9486bf163053f164eb57dcc3bfa57b2441d263d073f2f57767acf0f5500cb08fcb15df74
SSDEEP: 49152:ORtRQfDAsqJHGdoNdO9TK7P+FIH7HKg0O89/Cpy:ORyDWAH8+aHKHO89/Gy
Malware Config

Extracted
  Family: amadey
  Version: 4.41
  Botnet: c7817d
  C2: http://31.41.244.10
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php

Extracted
  Family: stealc
  Botnet: nord
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php

Extracted
  Family: stealc
  Botnet: kora
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
description   ioc                                           Process
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   svoutse.exe
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   svoutse.exe
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   svoutse.exe
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   svoutse.exe
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description         ioc                                                               Process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   svoutse.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    svoutse.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   svoutse.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    svoutse.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   svoutse.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    svoutse.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   svoutse.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    svoutse.exe

Executes dropped EXE (7 IoCs)
pid    Process
1804   svoutse.exe
3400   8a371439cd.exe
460    4ae3fa6821.exe
3472   1b123b9113.exe
5148   svoutse.exe
4760   svoutse.exe
4180   svoutse.exe

Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description   ioc                                                                        Process
Key opened    \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine   1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe
Key opened    \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine   svoutse.exe
Key opened    \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine   svoutse.exe
Key opened    \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine   svoutse.exe
Key opened    \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine   svoutse.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description       ioc                                                                                                                                                                                                        Process
Set value (str)   \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\8a371439cd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\8a371439cd.exe"   svoutse.exe

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource                                                                       yara_rule
behavioral2/memory/4488-44-0x0000000000400000-0x000000000052D000-memory.dmp    autoit_exe
behavioral2/memory/4488-47-0x0000000000400000-0x000000000052D000-memory.dmp    autoit_exe
behavioral2/memory/4488-48-0x0000000000400000-0x000000000052D000-memory.dmp    autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
pid    Process
3316   1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe
1804   svoutse.exe
5148   svoutse.exe
4760   svoutse.exe
4180   svoutse.exe

Suspicious use of SetThreadContext (2 IoCs)
description                           pid    Process          procid_target
PID 3400 set thread context of 4488   3400   8a371439cd.exe   84
PID 460 set thread context of 4964    460    4ae3fa6821.exe   86

Drops file in Windows directory (1 IoC)
description    ioc                             Process
File created   C:\Windows\Tasks\svoutse.job    1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    svoutse.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    8a371439cd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    RegAsm.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    4ae3fa6821.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    RegAsm.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    1b123b9113.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description         ioc                                                                                  Process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision       firefox.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier      firefox.exe
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       firefox.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                  firefox.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                  firefox.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   firefox.exe
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       firefox.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature      firefox.exe

Modifies registry class (1 IoC)
description   ioc                                                                                    Process
Key created   \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings    firefox.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid    Process
3316   1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe
3316   1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe
1804   svoutse.exe
1804   svoutse.exe
5148   svoutse.exe
5148   svoutse.exe
4760   svoutse.exe
4760   svoutse.exe
4180   svoutse.exe
4180   svoutse.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description               pid    Process
Token: SeDebugPrivilege   4528   firefox.exe
Token: SeDebugPrivilege   4528   firefox.exe
Token: SeDebugPrivilege   4528   firefox.exe
Token: SeDebugPrivilege   4528   firefox.exe
Token: SeDebugPrivilege   4528   firefox.exe

Suspicious use of FindShellTrayWindow (64 IoCs; identical entries listed once)
pid    Process
4488   RegAsm.exe
4528   firefox.exe

Suspicious use of SendNotifyMessage (64 IoCs; identical entries listed once)
pid    Process
4488   RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid    Process
4528   firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical entries listed once)
description                        pid    Process                                                                 procid_target
PID 3316 wrote to memory of 1804   3316   1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe   82
PID 1804 wrote to memory of 3400   1804   svoutse.exe                                                             83
PID 3400 wrote to memory of 4488   3400   8a371439cd.exe                                                          84
PID 1804 wrote to memory of 460    1804   svoutse.exe                                                             85
PID 460 wrote to memory of 4964    460    4ae3fa6821.exe                                                          86
PID 1804 wrote to memory of 3472   1804   svoutse.exe                                                             87
PID 4488 wrote to memory of 3184   4488   RegAsm.exe                                                              88
PID 3184 wrote to memory of 4528   3184   firefox.exe                                                             91
PID 4528 wrote to memory of 980    4528   firefox.exe                                                             92

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3316

  [2] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1804

    [3] C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3400

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 4488

        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Suspicious use of WriteProcessMemory
            PID: 3184

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 4528

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31e76937-ba93-4d85-91b0-447351871fd0} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" gpu
                PID: 980

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a08277aa-0161-4a80-b38e-64a4616b280c} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" socket
                PID: 596

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3088 -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 1676 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3042df6-4a90-43cf-9cb4-383e6113ade3} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab
                PID: 1464

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4012 -childID 2 -isForBrowser -prefsHandle 3896 -prefMapHandle 3208 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59468d31-c72c-4527-8f96-be9590254ffe} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab
                PID: 1616

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4704 -prefMapHandle 4448 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7038112d-18a8-4201-a1c3-65df6a9e258c} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" utility
                - Checks processor information in registry
                PID: 4964

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 3 -isForBrowser -prefsHandle 5564 -prefMapHandle 5556 -prefsLen 27101 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fb25da3-b1c4-460d-876a-3a1745bf4325} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab
                PID: 1272

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5856 -prefMapHandle 5844 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {102b206f-b657-4958-8f70-69f0d4a36f60} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab
                PID: 2824

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5980 -childID 5 -isForBrowser -prefsHandle 5988 -prefMapHandle 5992 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {698b4745-13c7-43d7-954b-7881cfb7487b} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab
                PID: 5044

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6216 -childID 6 -isForBrowser -prefsHandle 6224 -prefMapHandle 6228 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f3eca28-5eb1-433b-853f-4207880fc42a} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab
                PID: 780

    [3] C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 460

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - System Location Discovery: System Language Discovery
          PID: 4964

    [3] C:\Users\Admin\1000003002\1b123b9113.exe
        Command line: "C:\Users\Admin\1000003002\1b123b9113.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 3472

[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 5148

[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 4760

[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 4180
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
Downloads