Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-08-2024 17:11

Static task: static1

Behavioral task: behavioral1
  Sample: 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
  Resource: win10v2004-20240802-en

Behavioral task: behavioral2
  Sample: 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
  Resource: win11-20240802-en
General
Target: 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
Size: 1.8MB
MD5: 8e7fc308ff9bf6e84237762d6c71c4d6
SHA1: d873da020bede1bc7e9218adbbeb5c7442b65d71
SHA256: 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa
SHA512: 30bea01dfa81312e0eb3edc2942c5076d865ea70d1e8a2ab49bbbf09e8d8c8916ee656c98d09280f8ffd949c33f4b911cb45a426f692f47aedf051c5db8cb46a
SSDEEP: 24576:DHgxcCP6RRVgSVN/U7xOC4lJPxGROJMrgclx3Wb+Qtdbq7Wd8lHg3CsJhLBz:jgxcKSVgSVtgOTbgMYxGLtsqKehJ
Malware Config

Extracted
amadey
4.41
c7817d
http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php

Extracted
stealc
nord
http://185.215.113.100
url_path: /e2b1563c6670f193.php

Extracted
stealc
kora
http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | svoutse.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | RegAsm.exe
Executes dropped EXE 7 IoCs
pid | Process
1608 | svoutse.exe
1588 | 03ec66b7df.exe
4740 | b9ef9a3ba8.exe
1592 | e285636085.exe
5712 | svoutse.exe
5512 | svoutse.exe
5356 | svoutse.exe
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | svoutse.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\03ec66b7df.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\03ec66b7df.exe" | svoutse.exe
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2096-46-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral1/memory/2096-48-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral1/memory/2096-50-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid | Process
5008 | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
1608 | svoutse.exe
5712 | svoutse.exe
5512 | svoutse.exe
5356 | svoutse.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1588 set thread context of 2096 | 1588 | 03ec66b7df.exe | 90
PID 4740 set thread context of 4684 | 4740 | b9ef9a3ba8.exe | 93
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\svoutse.job | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 03ec66b7df.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b9ef9a3ba8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e285636085.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
5008 | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
5008 | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
1608 | svoutse.exe
1608 | svoutse.exe
5712 | svoutse.exe
5712 | svoutse.exe
5512 | svoutse.exe
5512 | svoutse.exe
5356 | svoutse.exe
5356 | svoutse.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1096 | firefox.exe
Token: SeDebugPrivilege | 1096 | firefox.exe
Token: SeDebugPrivilege | 1096 | firefox.exe
Token: SeDebugPrivilege | 1096 | firefox.exe
Token: SeDebugPrivilege | 1096 | firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 1096 firefox.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe 2096 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1096 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
(identical rows collapsed; the count column gives how many times each row appears in the 64 recorded IoCs)
description | pid | Process | procid_target | count
PID 5008 wrote to memory of 1608 | 5008 | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe | 88 | 3
PID 1608 wrote to memory of 1588 | 1608 | svoutse.exe | 89 | 3
PID 1588 wrote to memory of 2096 | 1588 | 03ec66b7df.exe | 90 | 10
PID 1608 wrote to memory of 4740 | 1608 | svoutse.exe | 91 | 3
PID 4740 wrote to memory of 2384 | 4740 | b9ef9a3ba8.exe | 92 | 3
PID 4740 wrote to memory of 4684 | 4740 | b9ef9a3ba8.exe | 93 | 9
PID 1608 wrote to memory of 1592 | 1608 | svoutse.exe | 96 | 3
PID 2096 wrote to memory of 4796 | 2096 | RegAsm.exe | 97 | 2
PID 4796 wrote to memory of 1096 | 4796 | firefox.exe | 100 | 11
PID 1096 wrote to memory of 948 | 1096 | firefox.exe | 101 | 17
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the parent/child nesting of the process tree)

C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe"
  PID: 5008
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    PID: 1608
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1000001001\03ec66b7df.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000001001\03ec66b7df.exe"
      PID: 1588
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 2096
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          PID: 4796
          - Suspicious use of WriteProcessMemory

          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            PID: 1096
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ea0ffbb-20ea-4aff-984d-0e3fcdc743d1} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" gpu
              PID: 948

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a62b201-d700-4d79-af3d-235cc543176a} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" socket
              PID: 3560

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3192 -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3284 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5dc848e-931b-4088-966b-da57f6d83fbf} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
              PID: 4488

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4028 -childID 2 -isForBrowser -prefsHandle 3924 -prefMapHandle 3912 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d64f1877-10ed-49f5-8f42-674fde1ced07} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
              PID: 1648

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4820 -prefMapHandle 4780 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f95a6a3-5395-4929-83b5-91b094d5c700} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" utility
              PID: 5616
              - Checks processor information in registry

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 3 -isForBrowser -prefsHandle 5204 -prefMapHandle 5176 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2592abc4-dd6f-4112-9d81-934d4178facf} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
              PID: 6092

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 4 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65fe194f-ddd5-421f-ba78-791911d9a4a8} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
              PID: 6104

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5672 -prefMapHandle 5680 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {917da3e2-398c-4e98-a53e-358ba1e7ce1d} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
              PID: 6116

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6184 -childID 6 -isForBrowser -prefsHandle 6192 -prefMapHandle 6188 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cc3ce01-5626-4f26-bd8b-ffdcf0522bb0} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
              PID: 3144

    C:\Users\Admin\AppData\Local\Temp\1000002001\b9ef9a3ba8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000002001\b9ef9a3ba8.exe"
      PID: 4740
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 2384

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 4684
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\1000003002\e285636085.exe
      Command line: "C:\Users\Admin\1000003002\e285636085.exe"
      PID: 1592
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  PID: 5712
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  PID: 5512
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  PID: 5356
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads

Filesize: 187KB
MD5: 278ee1426274818874556aa18fd02e3a
SHA1: 185a2761330024dec52134df2c8388c461451acb
SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json
Filesize: 34KB
MD5: e914f156c7d69bc9536530a782b14697
SHA1: 4e17974dd669f748872c935278e2a40f1015cb63
SHA256: e1dfc10f2a25092dc9ae0543518a0c5ed2128aac88ad77c27e5b590544f5c99e
SHA512: dabffbd966296b93c5dcc9b70b11653041838cf0f54f3298055532c9a2fc0acbc5a97e9dc114fffb669ab186d9b56a73eff52a7e421a7688f75115a30f00b710

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize: 13KB
MD5: d9d5bc273b1227a7541aecacef3885f3
SHA1: b4731b52f864dce72b7748de88efce5a8b3b53f3
SHA256: ed50ba46da69904459d7e3e3affe112c78fd56b0e67d059b254026447133ee7c
SHA512: e8d60aa18c39a8057ba114954cbfd0e3943a15a30750d95700aeb9fdc0b56786f1ba36a5213f3c7c628d1825a7af44461fe011f7a866de3491f5468b1b5fec17

Filesize: 1.8MB
MD5: 8e7fc308ff9bf6e84237762d6c71c4d6
SHA1: d873da020bede1bc7e9218adbbeb5c7442b65d71
SHA256: 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa
SHA512: 30bea01dfa81312e0eb3edc2942c5076d865ea70d1e8a2ab49bbbf09e8d8c8916ee656c98d09280f8ffd949c33f4b911cb45a426f692f47aedf051c5db8cb46a

Filesize: 1.2MB
MD5: 96b63367d5d745825ea1db1602bc918c
SHA1: b2ae209517ff1a6559fbc8ae160385292d3b9599
SHA256: fabb92cb47b41a5bd45a87bf84da8f2a82d266d0d97951edf6cf9e6c9a0b133c
SHA512: eda483ee95a9f4ca06857f1ab6925225c0de9fe2e2833560382a72a15e2751576c55823690638abd3e6e937e728bf50c815c326d5d09c36dbcc92dcf7848096c

Filesize: 206KB
MD5: 37c0f4cb3470a9be701357b194e4a5a6
SHA1: 50799d941cac74ca58b0e6f5d553cc0e31fa7b53
SHA256: bb0e9d7b4a99d16519b0967ff905eaef603412b837b070d34e482f9b5ae5bcfe
SHA512: ac9605f34dce7617814eee423f3e99c164af5b08d8622b8ed88b59cc96abbd1cf0c87c3f30bb12e13fc4d996ff3f0c27d1034821dba2cb93bbab1b52807158fc

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin
Filesize: 8KB
MD5: f2d690279a3cc3a1e88f1b8ab26b1116
SHA1: f0a9040631b2de151309a9d7b400498f590fd09f
SHA256: c49606b713f79f07276c8b68e850523aa7ac77e683e45aac65dd4e052987800a
SHA512: f5c44937b7874a09aa7b4ff936c98c0d0238c3c50aabdf2966a790e39f50cecc88148b9230d83f041a68e88a62739772e9921f21d3fa12768b762cdfd8131794

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin
Filesize: 11KB
MD5: 9482e2a56edacf26688b7a8de72f2425
SHA1: 4c2ab59e97d0a313483c91f1a421f518d7b1f143
SHA256: e93fbda60f7f8be09a8247a2e14d69553e121ff014f79f2508eed6f0c66207a2
SHA512: 7a79b5f8ebbc266ee683120530aada0e4c0cbdb33f7c873438425168a29991e1b923ae9876b8bffe134f90bd6df27a8d9ea986442ee702a8a86fa583ee802576

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 97b9ad56c088466009aa51f4756a8ec1
SHA1: b50165430668b6c45305706260712fa5a244b1a5
SHA256: 3c658f3f333781f67ed73dee3b6e8fba1d2ddc32c3df8f45d21125023e046579
SHA512: acf0d4215add565bd2ecb26f56309aa2b7fd89b149485b0e9aaf28255bc9a8dd9bb16cba3cfa10cc188af26c0c105455d50151112d0335597ce4df893bff6569

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: 9c68c002d55150f07f90b44b890a114a
SHA1: 707c2d562881b49c8a0cc6514a90b51a6970379b
SHA256: 64354414b784d01af1b57d838d8e632e4f2a6306de51a8c606942fcd5fa21bc8
SHA512: d2ae3c1487a18c6a24aa62d615e36bbb5ada6bd3d9edbcf6b8c20f2b9ca442f35a7984329ee1ed4da37ac433ac243665fbfc09fb358bd9bac6de29b33b9f147c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 15KB
MD5: b46d804b709786da554915009bd01487
SHA1: 019a2790d9b9c009115fd8d3fc0e4c23905d9fb0
SHA256: 2ba02c2fa6135922691b172e367d31b5e1b6f0178cd7d3e0a355ae1db262d4a8
SHA512: d79c7edfca00b718299cc2990d21f0240b375cc11db7a013f46cc62aa0991b7e1c5589629e3e2a52a922c3bbb63e9fece1bfd5e7c1dc383fa89c6554f0f43f97

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 15KB
MD5: e0176d151bc03e297359f1850f82785b
SHA1: 80b2973fc4c0a58b1ff6ac7dd1010e51242f6467
SHA256: fb85c88a463fe7ff9114d63f3dc480fdcd63d5419cfc9805071557f06cdc6d0e
SHA512: 571758f51a83f69a14d839dafa7cd912b42e26d0ac1f8d8581ea01b3d18f4479c0bc6c26f213f7d403c5747f9ad4cbc034dd66273a64b04254ebf006d4726f1d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\1cfd55ba-5ac1-4603-986a-e679f08951e0
Filesize: 671B
MD5: 761db0d7cde5c039935e85a8c68f8165
SHA1: e2ba537df98a4c3d048146f3c7e64c70bc5c4307
SHA256: 49d38ab0f05baf80a384bf7ceb5ddcd611d066ed8903b8d25f5f0ecf22be0702
SHA512: 63d75708e79cb28f879a1c8b883baa98177067565b7cf766151f8fe2ee8224b6515d587ecec6bccbcc93ace2229d043400a0b1674053f6e3d24b597942fd991c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\bb04288e-2737-40f1-9526-bfdabbd8caf7
Filesize: 27KB
MD5: 3ebee60acba3e920c579d379e70d63e1
SHA1: 285f4e8416ec7ca53de98b547fdaaab89cd08f3e
SHA256: 7b320f17d5c1b8e3ee0e2d6a320bf6aa0cc9ea7b86921eb7b5fd403c08164ace
SHA512: 2a3a270932a1c5e2c66f4d1e24ac6f7b53d3b97f7ac4fe71db346a7bcc5c94dcd39408fc594e2e46426b3ff8f8fbaa7087d40ff213146ec0a62f1270b365b18f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\d02d475a-e624-4451-acb4-b42df1ffcfc9
Filesize: 982B
MD5: 12e9d18cbf85c3fbc8203a1cf92f9eaf
SHA1: 50c9b61a141cf65c9746eb1f0c8467d2ee8a9f87
SHA256: 2c83e4126f0193934d249c55e5c6cb121db349bb0658a35b842f4b6c7c6c4523
SHA512: 028d00487b56a84e34d5c7bb70a004965a31f866edea4cc76a2e0d1f54759c74965cd7050fccf6c1acb105300c2dc834e44d78bdbb7ef54f297be272561d9b23

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize: 11KB
MD5: 5fe6ada46b1f164efc08d6fd48cc69bd
SHA1: 3bdf5fc54e05d0a8bcdcc7ad7432608107662c45
SHA256: 9bcbf298b4f5ec151639812d2026d9ec4a06e40838e5a179e87f1a5a0271b681
SHA512: e13fb4c3d5a1e3ef2e2a52551355759c6a1439d41452c147950cff994db3891119157309db8982a58828e1aa4f0bfe998be1290446d9c19c85de3308ce7d98a7

Filesize: 11KB
MD5: 96aae543fa16b7c0398be4e437b5d221
SHA1: 464979a6317805002ee28d1dc6a49158715fe777
SHA256: accc8341c0565c0571753f2bf589098211bb2ac9f8047672a2f5616fa391493c
SHA512: dd5011f108e5acf3d659283b6bd30f0a8e839fcc4794c29f08149a9ccd190a48264af27e3aa8bafb0561330710abbf0cf0d10b3f15c2fa05a98e4a2e4dafa669

Filesize: 13KB
MD5: 034af0d08f2246b4eb9f42d40c100884
SHA1: f6ef54892a1f46cd341f019b528d8da9232516f8
SHA256: 84caff9c425dce0c0452889a54591b71e7bd69a3026330205dbb7d8d2231f67e
SHA512: 0a604e94fec8d6e409255871810e9d975e204ecb1825985e1f9b1103885e2f72360062fea20fbc2d95a613fd9c06885f7390276cac0766af3add1ca807d00b0b

Filesize: 11KB
MD5: bda76d37e2d64752e8f42c6c866e5a71
SHA1: eb79134f3beef6669c56f690ef1a3b34da6030d7
SHA256: e6ec0b8da484e2d27f8d334315df6576f229a204f4c9920ec4581ae10832a2f4
SHA512: 8090b1713d8eba91a5c4ed6da935aa7028af62a817afba9dc49642d030c9d84cdeda9759ace9a2b36ec7d437066c7953a4d82e72c136c7810260672e224e777a

Filesize: 11KB
MD5: a44293c65c81dded4fb870d93ea7fe86
SHA1: 8b067c784e89236d8c5f1440b44d548b8e7a517e
SHA256: 700334daca65dec7a6d1baa1c5ea5c3d9cd51905dc0a8a81e822f38aceebdf3e
SHA512: 84cc93979e7ae4076b5cbcff5230cb17c0f39334b4c61aad3417ec54b00b627cb565c6c260499215de7fac7f346657d3dfc72416b347c26b607b72ba838340b8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4
Filesize: 4KB
MD5: 91f90d1e985a2b9498c2018f29242d79
SHA1: d48156cf4fd77dbf93224bc077f28768c418910b
SHA256: 3265b72b97665bae3a1bccc59e763851c9b6fc20056e9a4acbec8c519ba45c7a
SHA512: 767cda706fb2703caadeb719ad1a7a05eb2bb34b395f428c6cd14388165ef89253cc23321898d605b6e056171e3d6ea4934852d62368b09e5cc180086d456181

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 816KB
MD5: 77f507f3f9d21b2543ccddfeb02eb882
SHA1: 2d55181157e6b017055e5578eaaa0d5d66a950bb
SHA256: 60c33a38a5111f4c958b291673d5ef1af720a45db32e531a089dea9146e63ea1
SHA512: e730b114324d66c1d6e56fc7ab914d66b8a27f7b49ed010ea2506b168314945d52a2c15842ca537668a4429a783cff24c70ee9b07a2711225385c7d214cbf019

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 816KB
MD5: ff1c607716b318584ca3d06db21ed31c
SHA1: ae00a11b69502d7ad400640e8473bf1a62538f1e
SHA256: ca2adf3fd1d5b5e55c3108adba97ddc22e7b670c795c69552ff891814fa7b97f
SHA512: 0d3c6d6204d73cd48740587ff98c31cf3631f57a195b21db118d2de47124710d6a234d76772ee5ebd9958500e3d6bd6ee326820d0bc1b714760203489fdfd9f9