Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
-
submitted
10-09-2024 17:57
Static task
static1
Behavioral task
behavioral1
Sample
7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe
Resource
win10v2004-20240802-en
General
-
Target
7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe
-
Size
1.8MB
-
MD5
17501ef864154a07ad62b3b54e0fc9ce
-
SHA1
478c0b532235f76c9036627fdc9286a1e570af92
-
SHA256
7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778
-
SHA512
ed7bdd54e7046de070f348503989518b3517abc391423bd8d161ac305fec2eedd03977e212a5ffe13648fb615ace191b7edba3c3f386ad6552ff050f6c182cd8
-
SSDEEP
24576:1VilaMfuzphJnD5g5ymevG2GF8AkoWho2lY5P4+WjePCy8/URLujliYfnUKsqbKw:bSaMapTnbmmekFKAZn1sR6EwUKPKM
Malware Config
Extracted
amadey
4.41
c7817d
http://31.41.244.10
-
install_dir
0e8d0864aa
-
install_file
svoutse.exe
-
strings_key
5481b88a6ef75bcf21333988a4e47048
-
url_paths
/Dem7kTu/index.php
Extracted
stealc
rave
http://185.215.113.103
-
url_path
/e2b1563c6670f193.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 41a0a09fb5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e6a571d3f1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 41a0a09fb5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 41a0a09fb5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e6a571d3f1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e6a571d3f1.exe
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
800 | svoutse.exe
4960 | svoutse.exe
4828 | svoutse.exe
4556 | 41a0a09fb5.exe
236 | e6a571d3f1.exe
1128 | svoutse.exe
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe
Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | 41a0a09fb5.exe
Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | e6a571d3f1.exe
Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | svoutse.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\e6a571d3f1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\e6a571d3f1.exe" | svoutse.exe
-
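The anti-analysis signatures above (VirtualBox ACPI table, BIOS version strings, the Wine key, and further down the NLS language and CentralProcessor reads) and the persistence artefacts (Run key, svoutse.job in C:\Windows\Tasks) are the rows an analyst would want to re-derive mechanically instead of by eye. The following Python is an added example, not part of the Triage report or of the Amadey/Stealc samples: it parses rows in the `description | ioc | process` shape used on this page, buckets each process's registry reads into anti-analysis categories, and flags persistence pointing at user-writable paths. The embedded rows are constructed from this page's tables (deduplicated); the category names, the "two strong categories" threshold and the treatment of CPU and language reads as weak signals are this example's own choices, because firefox.exe and powershell.exe hit those keys legitimately in the same report.

```python
import re
from collections import defaultdict

# Constructed from this report's IoC tables: one row per distinct
# description | ioc | process triple (the report repeats rows per PID).
EVENTS = r"""
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 41a0a09fb5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 41a0a09fb5.exe
Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\e6a571d3f1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\e6a571d3f1.exe" | svoutse.exe
File created | C:\Windows\Tasks\svoutse.job | 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe
"""

# Anti-analysis categories (names are this example's; paths are the report's).
ANTI_ANALYSIS = {
    "virtualbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I),
    "bios_version": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    "wine": re.compile(r"\\Software\\Wine$", re.I),
    "cpu_info": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\|$)", re.I),
    "language": re.compile(r"\\Control\\NLS\\Language$", re.I),
}
# Benign software reads these too (firefox.exe does in this report), so on
# their own they never make a process "sandbox-aware".
WEAK = {"cpu_info", "language"}

RUN_KEY = re.compile(r'\\CurrentVersion\\Run\\[^=]+=\s*"?(?P<path>[^"]+)', re.I)
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\", re.I)
JOB_FILE = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)


def parse(rows):
    """Yield (description, ioc, process) from 'a | b | c' rows."""
    for line in rows.strip().splitlines():
        desc, ioc, proc = (part.strip() for part in line.split(" | "))
        yield desc, ioc, proc


def triage(rows):
    """Return ({process: verdict}, [(process, kind, artefact), ...])."""
    hits = defaultdict(set)
    persistence = []
    for desc, ioc, proc in parse(rows):
        for name, rx in ANTI_ANALYSIS.items():
            if rx.search(ioc):
                hits[proc].add(name)
        if desc.startswith("Set value"):
            m = RUN_KEY.search(ioc)
            if m:
                # Registry string values are shown with doubled backslashes.
                path = m.group("path").replace("\\\\", "\\")
                if USER_WRITABLE.search(path):
                    persistence.append((proc, "run_key_to_user_dir", path))
        elif desc == "File created" and JOB_FILE.match(ioc):
            persistence.append((proc, "task_job_file", ioc))
    verdicts = {}
    for proc, names in hits.items():
        strong = names - WEAK
        verdicts[proc] = "sandbox-aware" if len(strong) >= 2 else "weak"
    return verdicts, persistence


if __name__ == "__main__":
    verdicts, persistence = triage(EVENTS)
    for proc, verdict in sorted(verdicts.items()):
        print(f"{verdict:14} {proc}")
    for proc, kind, artefact in persistence:
        print(f"persistence    {proc}: {kind} -> {artefact}")
```

Run as-is it marks svoutse.exe and 41a0a09fb5.exe sandbox-aware, leaves firefox.exe and powershell.exe at "weak", and reports the Run key into AppData\Local\Temp and the .job file. The weak/strong split is the practical point: a CentralProcessor or NLS read alone is noise, but VBOX__ plus a BIOS-version read from a freshly dropped binary is not.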
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
pid | process
3328 | 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe
800 | svoutse.exe
4960 | svoutse.exe
4828 | svoutse.exe
4556 | 41a0a09fb5.exe
236 | e6a571d3f1.exe
1128 | svoutse.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\svoutse.job | 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e6a571d3f1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 41a0a09fb5.exe
-
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
pid | process | count
3328 | 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | ×2
800 | svoutse.exe | ×2
4960 | svoutse.exe | ×2
4828 | svoutse.exe | ×2
4556 | 41a0a09fb5.exe | ×2
236 | e6a571d3f1.exe | ×2
392 | powershell.exe | ×7
1128 | svoutse.exe | ×2
(identical rows collapsed; 21 rows in total)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 392 | powershell.exe
-
Suspicious use of FindShellTrayWindow 21 IoCs
Processes:
pid | process | count
5080 | firefox.exe | ×21
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
5080 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid process | target process | count
PID 3328 wrote to memory of 800 | 3328 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | svoutse.exe | ×3
PID 800 wrote to memory of 4556 | 800 svoutse.exe | 41a0a09fb5.exe | ×3
PID 800 wrote to memory of 236 | 800 svoutse.exe | e6a571d3f1.exe | ×3
PID 800 wrote to memory of 392 | 800 svoutse.exe | powershell.exe | ×3
PID 392 wrote to memory of 4868 | 392 powershell.exe | cmd.exe | ×3
PID 392 wrote to memory of 2148 | 392 powershell.exe | cmd.exe | ×3
PID 392 wrote to memory of 3132 | 392 powershell.exe | firefox.exe | ×2
PID 392 wrote to memory of 5080 | 392 powershell.exe | firefox.exe | ×2
PID 3132 wrote to memory of 3172 | 3132 firefox.exe | firefox.exe | ×11
PID 5080 wrote to memory of 3348 | 5080 firefox.exe | firefox.exe | ×31
(identical rows collapsed; 64 rows in total)
-
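The WriteProcessMemory rows double as the process-creation record: the sandbox attributes to the parent the writes made into a newly created child's address space, so every cross-image edge here (sample → svoutse.exe → powershell.exe → cmd.exe / firefox.exe) matches the Processes tree that follows, while the 11 and 31 same-image writes are firefox.exe setting up the `-contentproc` children whose command lines appear below. The following Python is an added example, not part of the Triage report: it parses rows in the report's "PID A wrote to memory of B A image target" form (with an optional (×N) count), rebuilds the tree, returns the ancestry of any PID, and separates launch-style writes from bulk same-image writes. The rows are constructed from this page; the threshold of three writes used to call an edge "bulk" is a heuristic of this example, not something the report states.

```python
import re
from collections import defaultdict

# Constructed from the 'Suspicious use of WriteProcessMemory' rows of this
# report, identical rows collapsed to a trailing (×N) count (64 in total).
ROWS = """
PID 3328 wrote to memory of 800 3328 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe svoutse.exe (×3)
PID 800 wrote to memory of 4556 800 svoutse.exe 41a0a09fb5.exe (×3)
PID 800 wrote to memory of 236 800 svoutse.exe e6a571d3f1.exe (×3)
PID 800 wrote to memory of 392 800 svoutse.exe powershell.exe (×3)
PID 392 wrote to memory of 4868 392 powershell.exe cmd.exe (×3)
PID 392 wrote to memory of 2148 392 powershell.exe cmd.exe (×3)
PID 392 wrote to memory of 3132 392 powershell.exe firefox.exe (×2)
PID 392 wrote to memory of 5080 392 powershell.exe firefox.exe (×2)
PID 3132 wrote to memory of 3172 3132 firefox.exe firefox.exe (×11)
PID 5080 wrote to memory of 3348 5080 firefox.exe firefox.exe (×31)
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image> [(×N)]"
ROW = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)(?:\s*\(?[x×](?P<n>\d+)\)?)?$"
)


def parse_edges(text):
    """Return {(src_pid, dst_pid): (src_image, dst_image, write_count)}."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        key = (int(m["src"]), int(m["dst"]))
        n = int(m["n"] or 1)                      # uncounted rows are one write
        prev = edges.get(key)
        edges[key] = (m["src_img"], m["dst_img"], (prev[2] if prev else 0) + n)
    return edges


def build_tree(edges):
    """Treat each writer->target pair as parent->child."""
    children, parent, names = defaultdict(list), {}, {}
    for (src, dst), (src_img, dst_img, _) in edges.items():
        children[src].append(dst)
        parent[dst] = src
        names.setdefault(src, src_img)
        names[dst] = dst_img
    roots = [pid for pid in names if pid not in parent]
    return roots, children, parent, names


def ancestry(pid, parent, names):
    """Root-to-leaf chain for one PID as 'image:pid' strings."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [f"{names[p]}:{p}" for p in reversed(chain)]


def render(pid, children, names, edges, depth=0):
    """Indented lines for the subtree under pid, with write counts."""
    lines = []
    for child in sorted(children.get(pid, [])):
        n = edges[(pid, child)][2]
        lines.append("  " * depth + f"{names[child]} (PID {child}, {n} writes)")
        lines.extend(render(child, children, names, edges, depth + 1))
    return lines


def bulk_same_image_writes(edges, threshold=3):
    """Edges where a process writes many times into a child of its own image.

    Here these are firefox.exe bootstrapping its -contentproc children, not
    injection; the threshold is this example's heuristic.
    """
    return [(src, dst, n) for (src, dst), (si, di, n) in edges.items()
            if si == di and n > threshold]


if __name__ == "__main__":
    edges = parse_edges(ROWS)
    roots, children, parent, names = build_tree(edges)
    for root in roots:
        print(f"{names[root]} (PID {root})")
        print("\n".join("  " + line for line in render(root, children, names, edges)))
    print("ancestry of cmd.exe:4868 ->", " > ".join(ancestry(4868, parent, names)))
    print("bulk same-image writes:", bulk_same_image_writes(edges))
```

The tree it prints has a single root, PID 3328, with svoutse.exe fanning out to the two dropped executables and to powershell.exe, which in turn spawned both cmd.exe instances and both top-level firefox.exe instances. The two- and three-write edges are the normal CreateProcess footprint; only the same-image 11 and 31 counts stand out, and those belong to the browser.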
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | "C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe" | 1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe" | 2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Users\Admin\AppData\Roaming\1000026000\41a0a09fb5.exe | "C:\Users\Admin\AppData\Roaming\1000026000\41a0a09fb5.exe" | 3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\1000030001\e6a571d3f1.exe | "C:\Users\Admin\AppData\Local\Temp\1000030001\e6a571d3f1.exe" | 3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:236 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1" | 3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account | 4⤵
- System Location Discovery: System Language Discovery
PID:4868 -
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd | 4⤵
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account | 4⤵
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account | 5⤵
- Checks processor information in registry
PID:3172 -
C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd | 4⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74988bd1-86f1-4f7e-b091-551cce75c079} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" gpu | 5⤵
PID:3348
-
C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e3b97f9-4fdf-4320-85ff-ae6e7f987367} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" socket | 5⤵
PID:1912
-
C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3212 -childID 1 -isForBrowser -prefsHandle 1808 -prefMapHandle 1764 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {784b057a-a10d-4f8c-8ede-2afeb169ccf5} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" tab | 5⤵
PID:3188
-
C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3544 -childID 2 -isForBrowser -prefsHandle 3532 -prefMapHandle 3536 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff8865c3-b6d4-4985-b1c7-c5eac736323f} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" tab | 5⤵
PID:1364
-
C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -childID 3 -isForBrowser -prefsHandle 4152 -prefMapHandle 4080 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a370847-5bf7-4ee4-b4e7-04c71d664eb6} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" tab | 5⤵
PID:3032
-
C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4768 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4884 -prefMapHandle 4856 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {327f13c7-20f8-4fc4-97c3-b8ac9dfbddfb} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" utility | 5⤵
- Checks processor information in registry
PID:940 -
C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5356 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ed03795-c5c1-4a95-8dcf-e174866f93b6} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" tab | 5⤵
PID:1104
-
C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 5 -isForBrowser -prefsHandle 5588 -prefMapHandle 5596 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {359c6c4f-3601-4238-9ab0-1c4caaa3f2d1} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" tab | 5⤵
PID:2100
-
C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 6 -isForBrowser -prefsHandle 5856 -prefMapHandle 5852 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67dd70fc-fe9e-4843-bfe5-2ce5daaed2c2} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" tab | 5⤵
PID:1200
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | 1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4960
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | 1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4828
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | 1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1128
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\activity-stream.discovery_stream.json
Filesize 21KB
MD5 e83554a0b495239617641ddf02be43eb
SHA1 e0cb93a65c94479b0f626adb4df5a82b3d9594ff
SHA256 9c296011b4f74ccfb194d31646bb09f939e6a3d5c346ec2f5da7ee9e07bc7e52
SHA512 a39ce64bb5fe5ce2d36147948336e68f555c1de5a31d679ed8690418847a4a45e6bba6180f38f8e691d01403d9051185471ad7519c232af158e6bbf2ec7a62f1
-
Filesize
1.8MB
MD5 17501ef864154a07ad62b3b54e0fc9ce
SHA1 478c0b532235f76c9036627fdc9286a1e570af92
SHA256 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778
SHA512 ed7bdd54e7046de070f348503989518b3517abc391423bd8d161ac305fec2eedd03977e212a5ffe13648fb615ace191b7edba3c3f386ad6552ff050f6c182cd8
-
Filesize
2KB
MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.7MB
MD5 b568ff86da616dd1a46d9fbfa9415f72
SHA1 1f0a299ee6349d54d18b5147ff957544501b66fd
SHA256 8e6e5197c7542613f4fcf6dedfdd6a774f1464876cdd2defcfc05d092d169180
SHA512 b1e3c0703d317973c6bfda8bcab2c5bc97de12062d0ac908bb9b3e651892244630df1f07076b43d3a4b0da8a0ff7ec10bbaafb1931377542c9c812494b067b29
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
Filesize 6KB
MD5 8c287d9f69f18f40120992f3733363a3
SHA1 69123795940d4006cb948732cfa9ddd670045216
SHA256 97e7fc47fb836288b8510b6f3a7de38be35e6dae0b46363e2042b9588b6585d3
SHA512 6899573bb0ebf268526540558a42a4517bcb411aacf913ae75b4a32dd7dff98d8c8e15320b2a003a8db12952a0a6c0f0c7f650bca89a27f4894d6f67c607dbce
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
Filesize 10KB
MD5 0499d32eb2a7f6538af740461ca76977
SHA1 055087012eea6baeddfb83338241251f7ffd806f
SHA256 60a3c184a73ee7ad34eada5cb1105573fb47fd46b99b054fe6d125f5fd1cd0a6
SHA512 111eb7b2c32afb1b2e3c85d0d0596db1b78e3846d12cfa89e13038370767e870021e7518fe7ec81c8b8751e12625365870a9b073e342f968fb7d6386ab84d625
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
Filesize 12KB
MD5 5e9d85b0476dbd471a236661ddcf181f
SHA1 c50c28ac70e4f49f42d1c66b42d5ea79690a44ee
SHA256 48c065e374e2b26762f08e7ba1be1d1f6b79aec054b74aa88c60edb8b6ffd6b8
SHA512 ada65ce3cdf18c433cf93a64aca57a5cd570d98be1037f2b8d58e16e03497bcb5dd99d0d8b1add9df4886be33f215d59b4049572f933c7ddf161fb533f20bd75
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize 5KB
MD5 36cc00861295f2accc506a87f8f787f6
SHA1 a4c50ca56ef89e8ce751694fe76d6d4aa1560cb0
SHA256 283352fc775475760bc5c30453d4c5c3a9f4fd007c684bfe40aabb0d8d711535
SHA512 b5e4e6fcb1937f61ae6bb5f0c05b5a66ad8aa42cee2039c53dea113a35c19f6fb32a2c4a33f0f21ba42fbc75ab2d18a3f7e4bf820c93fdf2e36c33a0f9c28766
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize 14KB
MD5 27d5188f3a85c6087c63502c18575d4c
SHA1 5a6f6b0cf0eb798bacdeee72012c6689c6b75e74
SHA256 f8c47452ddebebe78bec9c929bfa4b8bfb213c7813d7f3b1d7c12e97669910d2
SHA512 0e4239d55f9f7a95411a6698a1e629e0bb3e760261d46a2457af73e9574a4e6e3a2fd51c71ec1bb3e46a5e2e7897bcebe24a46a3c922add216b33d02db231708
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize 5KB
MD5 7853acc70b8ebec29e3a66457f36572f
SHA1 49c1ec7da65149f86e0f6088991d919594f828e9
SHA256 4d76beee56bf356d037c0c9c678a6708fa4df70a23dad59aaa06dede888da144
SHA512 b41542fcc41eaa67902ade97a3ddcdfc8295aaf4e6ff57165413a5e33456adaa76579bd1a9745c134885df44783cf57187338e04a9ccce0d949155a705a64c94
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\00f61db4-3449-4a12-9caa-5e5a4608f9df
Filesize 26KB
MD5 ab426109eb6e25a50610060e854b01f1
SHA1 06263351b77e549465ee9ed6c72d1fe1bc089452
SHA256 51b14f7167af12d93d603b78a6315fb94a05e29f518cde16297edd9a7a8f445c
SHA512 42496f7f659018b9de3c80ac550eec1d6fbf4e63c76087fe08986b539b18139e2b338b020196e92a8074a386e008c8fe230d03f579e0abdcb24286aee127647f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\7c2087f4-92bb-4637-b191-a5b75d24a30b
Filesize 982B
MD5 b9ba820d471273b90eca9f62bb6532c3
SHA1 43dfec415a7f4948baaf4e25934b31daa374572a
SHA256 28619ec23a867ca80af49da1d5a6c7141c33528b432240b1eb44d435c28793f3
SHA512 a12b0b1803eb6fd4c3865c1921a8a21f23a132bc3d10a092ad6ffac3c5e5446428fad996426d64e44b96174c3e65cc4cdf82597e97f52458f83384a15b24ebb2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\c2a2f2a6-b513-4482-a81f-9f64435715f5
Filesize 671B
MD5 4e60e6f3c72684f4927fa7c0ecd665c5
SHA1 f73cf85e3ab56cc4198d1a684bd9914aad75f006
SHA256 200fa98f6eee9ffbd6685cb5b599a9b81b55407f2c09d982db914b40885cfa48
SHA512 b200eed78dad586cb484a1b5630826f8a762936d14f800a7ebb18e61a24d69b9d967ec43b02cf8bae5ae533d2d6e273b1cab935b1727b38116a1e04384562259