Analysis

max time kernel: 149s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18/08/2024, 13:03
Static task: static1
Behavioral task: behavioral1
Sample: 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
Resource: win10v2004-20240802-en
General

Target: 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
Size: 1.8MB
MD5: 8bcd388ed9e8762c812ec36614f17982
SHA1: fae03863e3f80e04271b7835bcc9ff4865f2c219
SHA256: 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090
SHA512: 1e979e850a172431f7b4c814f336cebbf16072b38a6bd8ebb686dfddbbd056a3cd59aae09f7790641b871e6080d1cf357ae3cc2d2771739e7248c3eb86a08764
SSDEEP: 49152:Z+WmGAH90soxYipeD4FMVlKpPBhwLqINUAyADXnfw7NB3ZynYczB:Z++A6zPpeU+VloP/zA5DXo7NVoYc
Malware Config

Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php

Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php

Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copy of, a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe

Executes dropped EXE (6 IoCs)
pid | Process
1468 | svoutse.exe
2720 | 9969388eca.exe
760 | 6e42bae7ef.exe
4972 | b1b81726d6.exe
2724 | svoutse.exe
4476 | svoutse.exe

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | svoutse.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\9969388eca.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\9969388eca.exe" | svoutse.exe

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2664-44-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/2664-47-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/2664-48-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid | Process
4800 | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
1468 | svoutse.exe
2724 | svoutse.exe
4476 | svoutse.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2720 set thread context of 2664 | 2720 | 9969388eca.exe | 85
PID 760 set thread context of 2852 | 760 | 6e42bae7ef.exe | 88

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\svoutse.job | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9969388eca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6e42bae7ef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b1b81726d6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
4800 | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
4800 | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
1468 | svoutse.exe
1468 | svoutse.exe
2724 | svoutse.exe
2724 | svoutse.exe
4476 | svoutse.exe
4476 | svoutse.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3420 | firefox.exe
Token: SeDebugPrivilege | 3420 | firefox.exe
Token: SeDebugPrivilege | 3420 | firefox.exe
Token: SeDebugPrivilege | 3420 | firefox.exe
Token: SeDebugPrivilege | 3420 | firefox.exe

Suspicious use of FindShellTrayWindow (64 IoCs; identical consecutive entries collapsed, with their count)
pid | Process | consecutive entries
2664 | RegAsm.exe | 7
3420 | firefox.exe | 21
2664 | RegAsm.exe | 36

Suspicious use of SendNotifyMessage (64 IoCs; identical consecutive entries collapsed, with their count)
pid | Process | consecutive entries
2664 | RegAsm.exe | 64

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3420 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical consecutive entries collapsed, with their count)
description | pid | Process | procid_target | consecutive entries
PID 4800 wrote to memory of 1468 | 4800 | 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe | 82 | 3
PID 1468 wrote to memory of 2720 | 1468 | svoutse.exe | 83 | 3
PID 2720 wrote to memory of 3504 | 2720 | 9969388eca.exe | 84 | 3
PID 2720 wrote to memory of 2664 | 2720 | 9969388eca.exe | 85 | 10
PID 1468 wrote to memory of 760 | 1468 | svoutse.exe | 86 | 3
PID 760 wrote to memory of 2772 | 760 | 6e42bae7ef.exe | 87 | 3
PID 760 wrote to memory of 2852 | 760 | 6e42bae7ef.exe | 88 | 9
PID 1468 wrote to memory of 4972 | 1468 | svoutse.exe | 89 | 3
PID 2664 wrote to memory of 416 | 2664 | RegAsm.exe | 90 | 2
PID 416 wrote to memory of 3420 | 416 | firefox.exe | 93 | 11
PID 3420 wrote to memory of 5656 | 3420 | firefox.exe | 94 | 14

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry lists the image path, the recorded command line, the PID and the signatures that matched; indentation shows the parent/child relationship.

C:\Users\Admin\AppData\Local\Temp\10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe (PID 4800)
  command line: "C:\Users\Admin\AppData\Local\Temp\10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (PID 1468)
    command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1000001001\9969388eca.exe (PID 2720)
      command line: "C:\Users\Admin\AppData\Local\Temp\1000001001\9969388eca.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3504)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2664)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 416)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Suspicious use of WriteProcessMemory
          C:\Program Files\Mozilla Firefox\firefox.exe (PID 3420)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 5656)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1680 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce86c231-7d41-464a-844c-026ac6813019} 3420 "\\.\pipe\gecko-crash-server-pipe.3420" gpu
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 4784)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c45efaaf-5144-4c17-92fb-35d78f0db9c5} 3420 "\\.\pipe\gecko-crash-server-pipe.3420" socket
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 4768)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3212 -childID 1 -isForBrowser -prefsHandle 3204 -prefMapHandle 3200 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f39be275-0fb8-4455-a80e-58068f0d6a9e} 3420 "\\.\pipe\gecko-crash-server-pipe.3420" tab
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 3588)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3928 -childID 2 -isForBrowser -prefsHandle 3920 -prefMapHandle 3916 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9e76e92-0728-4961-a92e-87811220768a} 3420 "\\.\pipe\gecko-crash-server-pipe.3420" tab
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 2652)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4584 -prefMapHandle 4676 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {935fdf52-b800-4979-8f08-1ff9d948c1a9} 3420 "\\.\pipe\gecko-crash-server-pipe.3420" utility
              - Checks processor information in registry
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 1668)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 3 -isForBrowser -prefsHandle 5520 -prefMapHandle 5484 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07b1198c-3350-4332-a4ed-5bdbf56fcf00} 3420 "\\.\pipe\gecko-crash-server-pipe.3420" tab
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 5268)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 4 -isForBrowser -prefsHandle 5632 -prefMapHandle 5636 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {637c1c99-4d3e-4d1b-a735-7371fda3599a} 3420 "\\.\pipe\gecko-crash-server-pipe.3420" tab
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 5600)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5832 -childID 5 -isForBrowser -prefsHandle 5908 -prefMapHandle 5904 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {697998ef-d2f6-446f-bd45-4d1ac2706167} 3420 "\\.\pipe\gecko-crash-server-pipe.3420" tab
            C:\Program Files\Mozilla Firefox\firefox.exe (PID 812)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6304 -childID 6 -isForBrowser -prefsHandle 6356 -prefMapHandle 6352 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3794732e-4181-4431-8ffb-9c8ef82eeff1} 3420 "\\.\pipe\gecko-crash-server-pipe.3420" tab
    C:\Users\Admin\AppData\Local\Temp\1000002001\6e42bae7ef.exe (PID 760)
      command line: "C:\Users\Admin\AppData\Local\Temp\1000002001\6e42bae7ef.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2772)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2852)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\1000003002\b1b81726d6.exe (PID 4972)
      command line: "C:\Users\Admin\1000003002\b1b81726d6.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (PID 2724)
  command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (PID 4476)
  command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15

Privilege Escalation: Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads