Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/08/2024, 13:03
Static task: static1
Behavioral task: behavioral1
- Sample: 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
- Resource: win10v2004-20240802-en
General
- Target: 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
- Size: 1.8MB
- MD5: 8bcd388ed9e8762c812ec36614f17982
- SHA1: fae03863e3f80e04271b7835bcc9ff4865f2c219
- SHA256: 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090
- SHA512: 1e979e850a172431f7b4c814f336cebbf16072b38a6bd8ebb686dfddbbd056a3cd59aae09f7790641b871e6080d1cf357ae3cc2d2771739e7248c3eb86a08764
- SSDEEP: 49152:Z+WmGAH90soxYipeD4FMVlKpPBhwLqINUAyADXnfw7NB3ZynYczB:Z++A6zPpeU+VloP/zA5DXo7NVoYc
Malware Config
Extracted
- Family: amadey
- Version: 4.41
- Botnet: c7817d
- C2: http://31.41.244.10
- install_dir: 0e8d0864aa
- install_file: svoutse.exe
- strings_key: 5481b88a6ef75bcf21333988a4e47048
- url_paths: /Dem7kTu/index.php
Extracted
- Family: stealc
- Botnet: nord
- C2: http://185.215.113.100
- url_path: /e2b1563c6670f193.php
Extracted
- Family: stealc
- Botnet: kora
- C2: http://185.215.113.100
- url_path: /e2b1563c6670f193.php
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access or copy of web browser credential store.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
- Downloads MZ/PE file
- Checks BIOS information in registry (2 TTPs, 10 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | svoutse.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | RegAsm.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
- Executes dropped EXE (7 IoCs)
  pid | Process
  2056 | svoutse.exe
  3584 | svoutse.exe
  3940 | bd71fc592e.exe
  1068 | b83edef87e.exe
  2000 | 6e42bae7ef.exe
  1672 | svoutse.exe
  5596 | svoutse.exe
- Identifies Wine through registry keys (2 TTPs, 5 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
  Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine | svoutse.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bd71fc592e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\bd71fc592e.exe" | svoutse.exe
- AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/memory/3952-47-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
  behavioral1/memory/3952-49-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
  behavioral1/memory/3952-51-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid | Process
  4288 | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
  2056 | svoutse.exe
  3584 | svoutse.exe
  1672 | svoutse.exe
  5596 | svoutse.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 3940 set thread context of 3952 | 3940 | bd71fc592e.exe | 97
  PID 1068 set thread context of 3640 | 1068 | b83edef87e.exe | 99
- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\Tasks\svoutse.job | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b83edef87e.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6e42bae7ef.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bd71fc592e.exe
- Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | firefox.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs; each pid/process pair is listed twice in the report)
  pid | Process
  4288 | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
  2056 | svoutse.exe
  3584 | svoutse.exe
  1672 | svoutse.exe
  5596 | svoutse.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs; the same row is listed five times in the report)
  description | pid | Process
  Token: SeDebugPrivilege | 2200 | firefox.exe
- Suspicious use of FindShellTrayWindow (64 IoCs, all for the two processes below)
  pid | Process
  3952 | RegAsm.exe
  2200 | firefox.exe
- Suspicious use of SendNotifyMessage (64 IoCs, all for the two processes below)
  pid | Process
  3952 | RegAsm.exe
  2200 | firefox.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2200 | firefox.exe
- Suspicious use of WriteProcessMemory (64 IoCs; repeated rows collapsed)
  description | pid | Process | procid_target
  PID 4288 wrote to memory of 2056 | 4288 | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe | 86
  PID 2056 wrote to memory of 3940 | 2056 | svoutse.exe | 94
  PID 3940 wrote to memory of 1120 | 3940 | bd71fc592e.exe | 96
  PID 3940 wrote to memory of 3952 | 3940 | bd71fc592e.exe | 97
  PID 2056 wrote to memory of 1068 | 2056 | svoutse.exe | 98
  PID 1068 wrote to memory of 3640 | 1068 | b83edef87e.exe | 99
  PID 2056 wrote to memory of 2000 | 2056 | svoutse.exe | 100
  PID 3952 wrote to memory of 1540 | 3952 | RegAsm.exe | 103
  PID 1540 wrote to memory of 2200 | 1540 | firefox.exe | 105
  PID 2200 wrote to memory of 2560 | 2200 | firefox.exe | 106
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (nesting level in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe"
  PID: 4288
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    PID: 2056
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\1000001001\bd71fc592e.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000001001\bd71fc592e.exe"
      PID: 3940
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 1120
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 3952
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        [5] C:\Program Files\Mozilla Firefox\firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          PID: 1540
          - Suspicious use of WriteProcessMemory
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            PID: 2200
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1856 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09efa548-c21d-445a-be4d-40021628d512} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" gpu
              PID: 2560
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2472 -prefMapHandle 2468 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7390049-4dac-41b7-bce0-a0e6a8533ab4} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" socket
              PID: 1200
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 3280 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f19758d-8045-462e-b2e5-a37aba04942e} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" tab
              PID: 2872
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3772 -childID 2 -isForBrowser -prefsHandle 3104 -prefMapHandle 1784 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d90a923-7e68-4c82-98c2-ea63df4dfb83} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" tab
              PID: 1620
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4776 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4768 -prefMapHandle 4764 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef8a9c83-a01b-4c6c-a7eb-27673ab75080} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" utility
              PID: 5520
              - Checks processor information in registry
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 3 -isForBrowser -prefsHandle 5636 -prefMapHandle 5632 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d937ca3-00f3-414b-8502-39f920e88477} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" tab
              PID: 2104
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5984 -childID 4 -isForBrowser -prefsHandle 6000 -prefMapHandle 5996 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd609c55-2cd5-41e4-86f1-018818d1e262} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" tab
              PID: 5268
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5968 -childID 5 -isForBrowser -prefsHandle 6012 -prefMapHandle 6008 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {589f0f52-4786-462c-bbb2-3c40ceb23fe2} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" tab
              PID: 5276
            [7] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6208 -childID 6 -isForBrowser -prefsHandle 6200 -prefMapHandle 6108 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e756a005-bbe7-4d85-bf43-b1b4e7b915ca} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" tab
              PID: 5292
    [3] C:\Users\Admin\AppData\Local\Temp\1000002001\b83edef87e.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000002001\b83edef87e.exe"
      PID: 1068
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 3640
        - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\1000003002\6e42bae7ef.exe
      command line: "C:\Users\Admin\1000003002\6e42bae7ef.exe"
      PID: 2000
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  PID: 3584
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  PID: 1672
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  PID: 5596
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)