Analysis
max time kernel: 149s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17-08-2024 17:11
Static task: static1
Behavioral task: behavioral1
  Sample: 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
  Resource: win10v2004-20240802-en
Behavioral task: behavioral2
  Sample: 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
  Resource: win11-20240802-en
The platform line above and the behavioral2/memory/... dump names in the AutoIT signature below show that this page reports the behavioral2 (Windows 11) run.
General
Target: 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
Size: 1.8MB
MD5: 8e7fc308ff9bf6e84237762d6c71c4d6
SHA1: d873da020bede1bc7e9218adbbeb5c7442b65d71
SHA256: 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa
SHA512: 30bea01dfa81312e0eb3edc2942c5076d865ea70d1e8a2ab49bbbf09e8d8c8916ee656c98d09280f8ffd949c33f4b911cb45a426f692f47aedf051c5db8cb46a
SSDEEP: 24576:DHgxcCP6RRVgSVN/U7xOC4lJPxGROJMrgclx3Wb+Qtdbq7Wd8lHg3CsJhLBz:jgxcKSVgSVtgOTbgMYxGLtsqKehJ
Malware Config
Extracted: amadey
  Version: 4.41
  Botnet: c7817d
  C2: http://31.41.244.10
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php
Extracted: stealc
  Botnet: nord
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php
The Amadey install_dir and install_file match the dropped path C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe in the Processes section, which ties the extracted config to the sample that actually ran. Amadey's gate is the C2 host joined with url_paths, and Stealc's is the C2 host joined with url_path; both hosts are plain IP addresses, so they can be blocked without DNS telemetry.
Signatures

Credentials from Password Stores: Credentials from Web Browsers (T1555.003) [1 TTPs]
Malicious access to, or copying of, a web-browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 4 IoCs]
The VBOX__ subkey under HKLM\HARDWARE\ACPI\DSDT is the OEM ID VirtualBox places in the guest's ACPI DSDT table, so it only exists on VirtualBox guests; opening it is a cheap hypervisor check. Both the initial sample and the installed copy run it.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe

Downloads MZ/PE file
Checks BIOS information in registry [2 TTPs, 8 IoCs]
BIOS information is often read in order to detect sandboxing environments: on a VirtualBox guest SystemBiosVersion contains "VBOX" and VideoBiosVersion contains "VIRTUALBOX".
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe

Executes dropped EXE [5 IoCs]
pid | Process
2120 | svoutse.exe
2312 | 11f87f4a09.exe
4416 | 5124312374.exe
2468 | svoutse.exe
5204 | svoutse.exe

Identifies Wine through registry keys [2 TTPs, 4 IoCs]
Wine is a compatibility layer that runs Windows applications on other operating systems and is used by some sandboxes; the HKCU\Software\Wine key only exists under Wine.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | svoutse.exe

Adds Run key to start application [2 TTPs, 1 IoCs]
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\11f87f4a09.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\11f87f4a09.exe" | svoutse.exe
The Run value is written by the installed Amadey copy (svoutse.exe) and points at the first downloaded payload, not at svoutse.exe itself; the value name is the payload's file name.

AutoIT Executable [3 IoCs]
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2336-45-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/2336-49-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/2336-48-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
PID 2336 is the RegAsm.exe instance whose thread context 11f87f4a09.exe set (see SetThreadContext below), so the AutoIt-compiled image at 0x400000 in these dumps is the payload injected into RegAsm.exe, not RegAsm.exe itself.
Suspicious use of NtSetInformationThreadHideFromDebugger [4 IoCs]
NtSetInformationThread with the ThreadHideFromDebugger class stops the calling thread from delivering debug events, a common anti-debugging step.
pid | Process
1980 | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
2120 | svoutse.exe
2468 | svoutse.exe
5204 | svoutse.exe

Suspicious use of SetThreadContext [2 IoCs]
description | pid | Process | procid_target
PID 2312 set thread context of 2336 | 2312 | 11f87f4a09.exe | 85
PID 4416 set thread context of 4516 | 4416 | 5124312374.exe | 102
Both targets are RegAsm.exe children created by the dropped payloads (see Processes). Writing into a freshly created child and then replacing its primary thread's context is the process-hollowing sequence; the WriteProcessMemory table below records ten writes from 2312 into 2336.

Drops file in Windows directory [1 IoCs]
description | ioc | Process
File created | C:\Windows\Tasks\svoutse.job | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
A .job file in C:\Windows\Tasks is the Task Scheduler 1.0 (ITask) on-disk task format, which is what the "Uses Task Scheduler COM API" signature below records; the task name matches install_file from the extracted Amadey config.
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (T1614.001) [1 TTPs, 6 IoCs]
Attempts to gather the victim system's language in order to infer the host's geographic location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5124312374.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 11f87f4a09.exe

Checks processor information in registry [2 TTPs, 8 IoCs]
Processor information is often read in order to detect sandboxing environments. Every row here is attributed to firefox.exe, which reads CentralProcessor\0 during normal start-up, so in this report the signature is noise from the browser the payload launched rather than malware behaviour.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe

Modifies registry class [1 IoCs]
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings | firefox.exe
Also attributed to firefox.exe only.

Suspicious behavior: EnumeratesProcesses [8 IoCs]
pid | Process
1980 | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
1980 | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
2120 | svoutse.exe
2120 | svoutse.exe
2468 | svoutse.exe
2468 | svoutse.exe
5204 | svoutse.exe
5204 | svoutse.exe

Suspicious use of AdjustPrivilegeToken [5 IoCs]
description | pid | Process
Token: SeDebugPrivilege | 3056 | firefox.exe (five identical rows)
Suspicious use of FindShellTrayWindow [64 IoCs]
The report caps this table at 64 rows; every row is either 2336 RegAsm.exe or 3056 firefox.exe, so the count measures API calls, not distinct indicators.

Suspicious use of SendNotifyMessage [64 IoCs]
All 64 rows are 2336 RegAsm.exe.

Suspicious use of SetWindowsHookEx [4 IoCs]
pid | Process
3056 | firefox.exe (four identical rows)

Suspicious use of WriteProcessMemory [64 IoCs]
The report caps this table at 64 rows. Condensed to distinct writer -> target pairs with the number of rows for each:
description | pid | Process | procid_target | rows
PID 1980 wrote to memory of 2120 | 1980 | 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe | 82 | 3
PID 2120 wrote to memory of 2312 | 2120 | svoutse.exe | 84 | 3
PID 2312 wrote to memory of 2336 | 2312 | 11f87f4a09.exe | 85 | 10
PID 2336 wrote to memory of 4004 | 2336 | RegAsm.exe | 86 | 2
PID 4004 wrote to memory of 3056 | 4004 | firefox.exe | 89 | 11
PID 3056 wrote to memory of 1208 | 3056 | firefox.exe | 90 | 35
A parent writing into a child it has just created is normal process start-up, which is why the Firefox rows dominate; the ten writes from 11f87f4a09.exe into RegAsm.exe are the payload copy that precedes the SetThreadContext call. The cap is also why no 4416 -> 4516 write appears even though 5124312374.exe set the thread context of that RegAsm.exe instance.

Uses Task Scheduler COM API [1 TTPs]
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
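The SetThreadContext and WriteProcessMemory tables above are the evidence for process hollowing, but the report prints them as repeated rows and caps the second at 64 entries. The Python below is an added example, not part of the report and not the sandbox's code: it parses rows in the report's own row format (copied from the tables above, with only a subset of the repeated WriteProcessMemory rows), pairs every SetThreadContext edge with the number of writes from the same parent into the same child, and flags targets that are commonly abused .NET hosts. The PROCESS_IMAGES map (PID-to-image values copied from the Processes section) and the HOLLOW_HOSTS set are assumptions supplied for the example.

```python
import re
from collections import Counter

# Rows in the report's own format, copied from the "Suspicious use of
# WriteProcessMemory" and "Suspicious use of SetThreadContext" tables above.
# Only a subset of the 64 capped WriteProcessMemory rows is kept; the
# 2312 -> 2336 row appears three times here to show how repeats are counted.
REPORT_ROWS = """
PID 1980 wrote to memory of 2120 1980 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe 82
PID 2120 wrote to memory of 2312 2120 svoutse.exe 84
PID 2312 wrote to memory of 2336 2312 11f87f4a09.exe 85
PID 2312 wrote to memory of 2336 2312 11f87f4a09.exe 85
PID 2312 wrote to memory of 2336 2312 11f87f4a09.exe 85
PID 2336 wrote to memory of 4004 2336 RegAsm.exe 86
PID 4004 wrote to memory of 3056 4004 firefox.exe 89
PID 3056 wrote to memory of 1208 3056 firefox.exe 90
PID 2312 set thread context of 2336 2312 11f87f4a09.exe 85
PID 4416 set thread context of 4516 4416 5124312374.exe 102
"""

# PID -> image for PIDs that never appear as a writer (copied from the
# Processes section); every other name is learned from the rows themselves.
PROCESS_IMAGES = {4516: "RegAsm.exe", 1208: "firefox.exe"}

# .NET utilities commonly used as hollowing hosts (assumption, not from the page).
HOLLOW_HOSTS = {"RegAsm.exe", "RegSvcs.exe", "MSBuild.exe", "InstallUtil.exe", "AppLaunch.exe"}

# "PID <src> <op> <dst> <src> <src image> <procid_target>"
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_id>\d+)$"
)


def parse_rows(text):
    """Parse report rows into (src_pid, op, dst_pid, src_image, procid_target)."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append((int(m["src"]), m["op"], int(m["dst"]), m["image"], int(m["target_id"])))
    return rows


def find_hollowing(rows, images=PROCESS_IMAGES):
    """Pair each SetThreadContext edge with the writes from the same parent.

    Create-suspended -> WriteProcessMemory -> SetThreadContext -> ResumeThread
    is the process-hollowing sequence. The SetThreadContext row is kept as the
    primary signal even when zero writes are seen, because the report's
    WriteProcessMemory table is capped and may omit the pair (as for 4416 -> 4516).
    """
    names = dict(images)
    writes = Counter()
    for src, op, dst, image, _ in rows:
        names.setdefault(src, image)          # a writer's own image name is in its row
        if op == "wrote to memory of":
            writes[(src, dst)] += 1
    hits = []
    for src, op, dst, image, _ in rows:
        if op != "set thread context of":
            continue
        child = names.get(dst, "?")
        hits.append({
            "parent": image, "parent_pid": src,
            "child": child, "child_pid": dst,
            "writes_seen": writes[(src, dst)],
            "dotnet_host": child in HOLLOW_HOSTS,
        })
    return hits


if __name__ == "__main__":
    for h in find_hollowing(parse_rows(REPORT_ROWS)):
        print(f"{h['parent']}({h['parent_pid']}) -> {h['child']}({h['child_pid']}): "
              f"{h['writes_seen']} write rows, .NET host={h['dotnet_host']}")
```

On the rows above this yields two hollowing candidates, both into RegAsm.exe; the second carries zero write rows purely because of the 64-row cap, which is why the SetThreadContext edge, not the write count, should drive the verdict.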
Processes
Indentation gives the depth in the process tree (the number the report printed before each entry). Each process is listed as image path, command line, PID and the signatures it triggered.

1. C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe"
   PID: 1980
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      PID: 2120
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\1000001001\11f87f4a09.exe
         cmdline: "C:\Users\Admin\AppData\Local\Temp\1000001001\11f87f4a09.exe"
         PID: 2312
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            PID: 2336
            - System Location Discovery: System Language Discovery
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

            5. C:\Program Files\Mozilla Firefox\firefox.exe
               cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
               PID: 4004
               - Suspicious use of WriteProcessMemory

               6. C:\Program Files\Mozilla Firefox\firefox.exe
                  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
                  PID: 3056
                  - Checks processor information in registry
                  - Modifies registry class
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory

                  7. C:\Program Files\Mozilla Firefox\firefox.exe (gpu)
                     cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3411eb0-af57-4f97-81b7-58d854df2135} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" gpu
                     PID: 1208

                  7. C:\Program Files\Mozilla Firefox\firefox.exe (socket)
                     cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aab1f32a-4213-432b-a278-b33a5ac06fe2} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" socket
                     PID: 3740

                  7. C:\Program Files\Mozilla Firefox\firefox.exe (tab)
                     cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2896 -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 3204 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c22e5929-2c2f-4c6b-a86b-69970ff301fe} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab
                     PID: 2280

                  7. C:\Program Files\Mozilla Firefox\firefox.exe (tab)
                     cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 2668 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d9a4594-6310-433e-a051-4d3f89ee764a} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab
                     PID: 1508

                  7. C:\Program Files\Mozilla Firefox\firefox.exe (utility)
                     cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4732 -prefMapHandle 4752 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6f2b16d-7f93-45dc-9f0e-612126e361b7} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" utility
                     PID: 3932
                     - Checks processor information in registry

                  7. C:\Program Files\Mozilla Firefox\firefox.exe (tab)
                     cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5280 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {317b4b13-90cc-4096-ae1f-027537198044} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab
                     PID: 5444

                  7. C:\Program Files\Mozilla Firefox\firefox.exe (tab)
                     cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5308 -childID 4 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e8044cf-3ee1-482b-b00b-751fc3eb82ad} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab
                     PID: 5456

                  7. C:\Program Files\Mozilla Firefox\firefox.exe (tab)
                     cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 5 -isForBrowser -prefsHandle 5628 -prefMapHandle 5400 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d1e6f06-eebe-47d0-80f1-fd8ea1f57a15} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab
                     PID: 5468

                  7. C:\Program Files\Mozilla Firefox\firefox.exe (tab)
                     cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6260 -childID 6 -isForBrowser -prefsHandle 6272 -prefMapHandle 6268 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f931c5fe-3c24-4167-832e-7bf56b7dda81} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab
                     PID: 4800

      3. C:\Users\Admin\AppData\Local\Temp\1000002001\5124312374.exe
         cmdline: "C:\Users\Admin\AppData\Local\Temp\1000002001\5124312374.exe"
         PID: 4416
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery

         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            PID: 4936

         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            PID: 2656

         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            PID: 4516
            - System Location Discovery: System Language Discovery

1. C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
   cmdline: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
   PID: 2468
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Executes dropped EXE
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses

1. C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
   cmdline: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
   PID: 5204
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Executes dropped EXE
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses

Two things in this tree deserve attention. First, RegAsm.exe (PID 2336), the host that 11f87f4a09.exe hollowed, starts Firefox directly on Google's sign-in page with continue= set to the account's password-change settings page; the browser and its content processes account for every firefox.exe row in the signature tables above. Second, the two svoutse.exe instances at depth 1 (PIDs 2468 and 5204) have no parent in the tree and were started with an unquoted command line, unlike the copy the sample itself launched, which is consistent with the svoutse.job task firing. 5124312374.exe spawned RegAsm.exe three times and only the last instance (PID 4516) received a thread context, so the first two are likely failed injection attempts; the page does not say why.
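Turning this report into detection logic: the extracted C2 hosts (Malware Config), the Run value and svoutse.job artifacts (Signatures) and the RegAsm.exe -> firefox.exe chain (Processes) each map onto one Sysmon event type. The Python below is an added example, not the sandbox's or the malware's code; it runs a small rule set over constructed Sysmon-style events that mirror the report. The network event is constructed, since this page shows no Network rows, and the MSBuild-parented RegAsm.exe event is a benign control. The registry probes for VBOX__, Wine and the BIOS values are reads, which Sysmon EventID 12/13 do not record, so they are deliberately left out. Field names follow Sysmon; the HOLLOW_HOSTS set and the rule names are the example's own.

```python
# Indicators copied from this report: extracted C2 hosts/paths and the host
# artifacts observed in the Signatures and Processes sections.
EXTRACTED_C2 = {
    "amadey": ("http://31.41.244.10", "/Dem7kTu/index.php"),
    "stealc": ("http://185.215.113.100", "/e2b1563c6670f193.php"),
}
C2_HOSTS = {host.split("//", 1)[1] for host, _ in EXTRACTED_C2.values()}
# .NET utilities routinely used as hollowing hosts (assumption, not from the page).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
USER_TEMP = "\\appdata\\local\\temp\\"


def c2_urls():
    """Full gate URLs as the implants request them (C2 host joined with url_path)."""
    return {fam: host + path for fam, (host, path) in EXTRACTED_C2.items()}


def _lc(ev, key):
    return str(ev.get(key, "")).lower()


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def match_event(ev):
    """Return the rule names one Sysmon-style event triggers (empty if none)."""
    hits = []
    eid = ev.get("EventID")
    image, parent = _lc(ev, "Image"), _lc(ev, "ParentImage")
    target, fname = _lc(ev, "TargetObject"), _lc(ev, "TargetFilename")

    # EventID 13 (RegistryEvent SetValue): Run value pointing into %LOCALAPPDATA%\Temp
    if eid == 13 and "\\currentversion\\run\\" in target and USER_TEMP in _lc(ev, "Details"):
        hits.append("run_value_points_into_user_temp")
    # EventID 11 (FileCreate): legacy .job task dropped by a binary running from Temp
    if eid == 11 and fname.startswith("c:\\windows\\tasks\\") and fname.endswith(".job") \
            and USER_TEMP in image:
        hits.append("job_file_dropped_by_temp_binary")
    # EventID 1 (ProcessCreate): .NET utility started by something in Temp (hollowing host)
    if eid == 1 and _basename(image) in HOLLOW_HOSTS and USER_TEMP in parent:
        hits.append("dotnet_utility_spawned_from_user_temp")
    # EventID 1: browser opened on the Google sign-in page by one of those hosts
    if eid == 1 and _basename(image) == "firefox.exe" and _basename(parent) in HOLLOW_HOSTS \
            and "accounts.google.com/servicelogin" in _lc(ev, "CommandLine"):
        hits.append("browser_opened_on_account_login_by_hollow_host")
    # EventID 3 (NetworkConnect): any process talking to an extracted C2 host
    if eid == 3 and ev.get("DestinationIp") in C2_HOSTS:
        hits.append("connection_to_extracted_c2")
    return hits


def scan(events):
    """Apply match_event to a batch; returns [(ProcessId, rule), ...] in input order."""
    return [(ev.get("ProcessId"), rule) for ev in events for rule in match_event(ev)]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe"
SVOUTSE = r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\1000001001\11f87f4a09.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
LOGIN_URL = ("https://accounts.google.com/ServiceLogin?service=accountsettings"
             "&continue=https://myaccount.google.com/signinoptions/password")

# Constructed Sysmon-style events mirroring the report (not a real log export).
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 2120, "Image": SVOUTSE,
     "TargetObject": r"HKU\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\11f87f4a09.exe",
     "Details": PAYLOAD},
    {"EventID": 11, "ProcessId": 1980, "Image": SAMPLE, "TargetFilename": r"C:\Windows\Tasks\svoutse.job"},
    {"EventID": 1, "ProcessId": 2336, "Image": REGASM, "ParentImage": PAYLOAD, "CommandLine": f'"{REGASM}"'},
    {"EventID": 1, "ProcessId": 4004, "Image": FIREFOX, "ParentImage": REGASM,
     "CommandLine": f'"{FIREFOX}" {LOGIN_URL}'},
    # constructed beacon: the report page carries no network rows
    {"EventID": 3, "ProcessId": 2120, "Image": SVOUTSE, "DestinationIp": "31.41.244.10", "DestinationPort": 80},
    # benign control: RegAsm.exe run by a build host outside Temp, no rule should fire
    {"EventID": 1, "ProcessId": 7777, "Image": REGASM,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": f'"{REGASM}" build.dll'},
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"{pid}\t{rule}")
    print(c2_urls())
```

The rules key on the parent-child relationship and on paths under %LOCALAPPDATA%\Temp rather than on the file names 11f87f4a09.exe or svoutse.exe, which Amadey generates per install; the C2 host set is the only part that needs refreshing per sample.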
Network
(no network rows are shown on this page; the C2 hosts come from the extracted configs above)

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
Downloads
Files written during the run. The entries under Mozilla\Firefox\Profiles are the browser's own output; entries without a path are left unattributed on the page.

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json
  Filesize: 34KB
  MD5: 000ad41eccec41ff63544862e5dbc684
  SHA1: 1d5a641bd740dfa24ddfe4a770dbb01b318b6867
  SHA256: eacf3f5cd4361eeccd38fa0d71e251f421570cb8f0b4e1fc3340436f09c889b7
  SHA512: 375f8ae6fb3ec39f5d1be7ab7ace272676a7238a3051278daed1d61cebbc2df803f5780c11d085777d94f01c24ddf4f7a7717a362fac565ba51fefe30a7b0023

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\0EA2E1AC3653A248EDE38E975FF2A4ADDA308244
  Filesize: 480KB
  MD5: 1998ef2d58f598f631585cdbcaa45aeb
  SHA1: 9b5c71bfb178ea1269a582edb738c073a1c20762
  SHA256: 39e5711217bf8cb6b425e1c7a5f8dcd9d666f2c3decc66aaffad87399125f1bf
  SHA512: 5887c976a647642963667348cca50cf90bb4dc0a17f30673fb79af0fd0926492d4ffcdbdbf24602018131453350a64e1122636e692d5d12d4ad5c30e059d3365

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
  Filesize: 13KB
  MD5: e12b1054526962f31c28eafc924641e8
  SHA1: 0d159ce128783a0ff1b60bd4d9adc4a65d51bc0f
  SHA256: 3fcae4da8488bfaf0903b7751f998da83c60e366ce14a3cdb900855b8488c06e
  SHA512: e83ec9f443c1caf2b800156661428db316b8e606f8c0b017d8b4cc0599554fab9b9dd8ece883e286a69e50171dd44adf64e10b3465f54b95ddcf91311d948b52
(path not given; hashes identical to the submitted sample)
  Filesize: 1.8MB
  MD5: 8e7fc308ff9bf6e84237762d6c71c4d6
  SHA1: d873da020bede1bc7e9218adbbeb5c7442b65d71
  SHA256: 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa
  SHA512: 30bea01dfa81312e0eb3edc2942c5076d865ea70d1e8a2ab49bbbf09e8d8c8916ee656c98d09280f8ffd949c33f4b911cb45a426f692f47aedf051c5db8cb46a

(path not given)
  Filesize: 1.2MB
  MD5: 96b63367d5d745825ea1db1602bc918c
  SHA1: b2ae209517ff1a6559fbc8ae160385292d3b9599
  SHA256: fabb92cb47b41a5bd45a87bf84da8f2a82d266d0d97951edf6cf9e6c9a0b133c
  SHA512: eda483ee95a9f4ca06857f1ab6925225c0de9fe2e2833560382a72a15e2751576c55823690638abd3e6e937e728bf50c815c326d5d09c36dbcc92dcf7848096c

(path not given)
  Filesize: 206KB
  MD5: 37c0f4cb3470a9be701357b194e4a5a6
  SHA1: 50799d941cac74ca58b0e6f5d553cc0e31fa7b53
  SHA256: bb0e9d7b4a99d16519b0967ff905eaef603412b837b070d34e482f9b5ae5bcfe
  SHA512: ac9605f34dce7617814eee423f3e99c164af5b08d8622b8ed88b59cc96abbd1cf0c87c3f30bb12e13fc4d996ff3f0c27d1034821dba2cb93bbab1b52807158fc

(path not given)
  Filesize: 13.8MB
  MD5: 0a8747a2ac9ac08ae9508f36c6d75692
  SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
  Filesize: 8KB
  MD5: 3e9aa4ea036de2414e81b6357ab44c92
  SHA1: 462caea40bcd35fcd203e4016b8a23df41b01578
  SHA256: 5ba0805408d0c6ca466bd1d65ef460e809d8e477ea19a3fada9d14dd407ae656
  SHA512: 1f80b77f52387f8605afdfaa5e379af9dfa950f80319a64cbc3cd1c275a3d74e10e10bbc6a9725d554a4ce3d9ba5f916f5609d808c20bf549c40f10fa0c5d8f6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
  Filesize: 16KB
  MD5: 17e67394e505186d2efce7c8e75b7087
  SHA1: 9fbac8ebeff8a0445002748c1436d002aad69226
  SHA256: 11167e72a619e116393e942fc5abefc2c46af6f7a6d2ecebea73b18ba8eed366
  SHA512: 4b5f8721fe575e39028b94b769c91cc2d761dfd31821c8b44adb893491c6a82851d1673fa666c217cb52a9e93c685e0e583c53a190bd017d5948040341f7d46f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5: 21516984324fecf36df19e0f81f75446
  SHA1: f9d17ebccceadb303deb112314438ab37a41f244
  SHA256: ee77b960ef5729f70c6fdaa16c269981daee0e23ff9b9e47705b04278597daa7
  SHA512: ce8b3009c4c9253d910469ef6ffa1309da82ca143bb59c0f420671f9f01f1a15acb76716be6866ce0c7de3abb6b1deab3803b8f1f8b8ba64cacbedf59dc1898d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 16KB
  MD5: 1cc8dec48d475d1d7e084c0bc5e9cce7
  SHA1: 2ce72044cec2613c8077148c5d0097996e30b1d9
  SHA256: 278d99910e6407d57edb4811a6e5cb72d51b7d2b0b18279296f2f4f9f0975a5d
  SHA512: ae2b52caf3438f16568d66a55ef99dc52a5a9051503b6f618ce84c42edb3d75e4ce04d843425fd0fc9f876193b99e2d88ccddf96d9595e6b7d1b359fb25e0813

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 6KB
  MD5: 3ff088c3aecf6d47fba94219c2def270
  SHA1: 0c27d552b5c75666c00a2e3a544caa75b9555776
  SHA256: d05973402141f38af5d09c0700565a4623a79bf0da83749312834adea95d3cfc
  SHA512: 4a805d8e62f8d2aee7610e636744b4647a4d643a45c7f3904e892cf1b5c1fd37ae36743e20b9aaa041a2f3b429c54ae58b4f7a28b3a2d7267e5080047061f37e
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\577b1152-03f1-4d08-9faf-3f3287e14e79
  Filesize: 26KB
  MD5: 6a14e77d203b14aeb9ab2b3269c0877e
  SHA1: c02393721a7c09664713fdc58608ffabea79cdf2
  SHA256: c8a4687c99cdef9853b3b264eead3468f77fcccd6a31f772f4a1ae36ff085504
  SHA512: 8bd516c533035ff0437f64044378b63ae64f4ca3ef42877f557f7f9d0e7a3a74b285c0371b30a174844a4a8d558754f1a8354082804ab20d18d5a0ab48475378

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\8f7c4f69-ed26-4d2d-b03a-935ae91039a4
  Filesize: 982B
  MD5: eaff1e7d594b40c625cde4369752214f
  SHA1: d4159620d486c3152bdbc9f4c77548172aa5b443
  SHA256: ca25a79e176ae55d1b02a0e6b0ff483f0eb01819a1675543463e89b5dddb8186
  SHA512: 0e42e4a8ea3962343fbdc599c8aadcb10cc5e46f330d136f3253ffe5f59115ad4c70d2990adba7c81ff16cebd1740c8cdbdca93d9300cc9ea5083da6fa0da116

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\ac0ef252-1a16-4ed8-b331-d8dbaf605a4c
  Filesize: 671B
  MD5: 71b1b665b8cec26c907c01c3a9fc725d
  SHA1: c53db9b0ff3d94bbe54c1b73a3b7f36da7b3cb7c
  SHA256: 8eeed4d2327e4ad8cc85a79ef298b8d98997a4326ac04bb3e3d71041a07b964b
  SHA512: 183ce7221097d57cc30de44eca4a8aeedd32b91c8bc964d810eb411269208f38fec6b287386d1fa3b4b109fcb82279b2308ca5f46d822eb05024a25b5c77cc17

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize: 1.1MB
  MD5: 842039753bf41fa5e11b3a1383061a87
  SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize: 116B
  MD5: 2a461e9eb87fd1955cea740a3444ee7a
  SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp
  Filesize: 479B
  MD5: 49ddb419d96dceb9069018535fb2e2fc
  SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize: 372B
  MD5: bf957ad58b55f64219ab3f793e374316
  SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize: 17.8MB
  MD5: daf7ef3acccab478aaa7d6dc1c60f865
  SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp
  Filesize: 1KB
  MD5: 36e5ee071a6f2f03c5d3889de80b0f0d
  SHA1: cf6e8ddb87660ef1ef84ae36f97548a2351ac604
  SHA256: 6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
  SHA512: 99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e
(path not given)
  Filesize: 11KB
  MD5: 34f4c77a148db59960a785a413a1e6e6
  SHA1: 188ff67537147b71c178023f42916caa2f151b0d
  SHA256: 8123e9856d721353d9c27c2a51fa84137ad8e1516435345f81255667067b5d98
  SHA512: c6e550a397ddb9f514d1ecc16df4eb6b02ce0d4bdda8027ecd0949f921e90cea7150c27079bc2c31c4d3a7259c724de310425621818da0ea21eebc626e680973

(path not given)
  Filesize: 11KB
  MD5: 9c617d6496a89d7e0857175387d6fdab
  SHA1: fa1496da5a0d4bfbf3212c5c5d563d9a83ce6fe2
  SHA256: c1ada3129330120a4e8b1ba5bf8c3b0f23a286bd7b46d7b9bd703d783d3c4cb9
  SHA512: 23e4138d022cd47dc102fa33e287d9a3d7fa46f53032c55ff4f04199589619d7f93ddd1b0164bd2a6f49522f110b92ff12da3631e7f6d299aa2f77e16bccc60c

(path not given)
  Filesize: 13KB
  MD5: e70fb5b62c8506ade770d0bd4d7c1a16
  SHA1: 78512cd66d7b779b6901da823e9420df3dd37b36
  SHA256: bbd3f961d735ef6c6d7bda5fdbf26d9fbfcdfe49981f4f548fb009829e80ebd5
  SHA512: 79e51b4f17243b7039ad285c1ca16f2c00a258d3b3dd8e703c76a4aad016504b81d46177a67b4b2f55a53958c61f0dd232c2d9f1c54fbfb7f7c8245fbc754221
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4
  Filesize: 5KB
  MD5: 1982bf7b46df0dda799dd36704e5eeba
  SHA1: 10d64807d1c00c5b915454d0290aa60c0b1e3621
  SHA256: bfc9fb5b812f5a93537b070240580946ac3695c599b39776624a46ce3f9c22a9
  SHA512: df5c75b4821000c193eae07df6ec4737c52d328395e2e1315aff5878364c86b46febef110aa3afdf26aded861b288a4393eeea7db8c395c757c25c5f6c29484e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 968KB
  MD5: 24a62bf69a6e4686f06f05a722cdca92
  SHA1: e82bc8adb2f1dbd04c5ddaf1bc75c14691a8dbc6
  SHA256: a48004cfe53ab8b1350c93f154b8c66214154f40a6a0101218a570b01d761e13
  SHA512: 8e042c8c6b7e6733436b4b89c3ebface512de19fa365c2b6d30817f19eac216153129ac81bc0bd15d629f13b7564ac0290e1cbc21aac3b5fc28ce12e1cb9932c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 1.1MB
  MD5: edd58ad632046de712e19451f1e69d31
  SHA1: 176578e88796cc7c24b353711847e6c4f5a60272
  SHA256: cecc4a069101dd6f27d031f6d78ac1959a1588820cfa46eabe5a142258b1b9a2
  SHA512: 50afb0def8f26182476d868ae1b22503257b0c76f808c84514ebdd90badecfb65d3a61ab5daa0ec9cedf6020cd320ae36213db483c09ed2847d94e474e36f62a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 2.8MB
  MD5: ac4f05a25705b18f1c31ae6f3133c953
  SHA1: a574897ffb6dee483a798e49ef7ae34a729c64b0
  SHA256: 166e5b0fe70ce43e021d40310204ae76297fc26a74186b148550e31c0017b458
  SHA512: e2abc116f120733e3f851acc0329e953b44d089ee2b860716df6bf20ce9da7f529d2ed9c0b0656d7b80debbf2aacc6113175aa1673bedef901cf39333ff1051c