Analysis
max time kernel: 147s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-09-2024 02:34
Static task: static1
Behavioral task: behavioral1
Sample: 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
Resource: win10v2004-20240802-en
General
Target: 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
Size: 1.8MB
MD5: 656dad33ed55f336051883f756e7d041
SHA1: 83ff37e0f8badb060900511002fb14e8c4deade8
SHA256: 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f
SHA512: ba950f704229070f0515b163630d59fbb9b2ba1b8b775259d84d3828713ab879880a1ee9baa4796898a29a941943868ec8ae111ba38c006fdefb9e12af81316c
SSDEEP: 49152:ceMiOEiw+JG001x6xaEQtgCnNSjQ7t1xphS80IHY4LVx:cA9+J/awxaDAjQ9pw80IHY4LV
Malware Config

Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php

Extracted
Family: stealc
Botnet: rave
C2: http://185.215.113.103
url_path: /e2b1563c6670f193.php

Both configurations point at plain HTTP on a bare IP address, so the C2 traffic carries no hostname to resolve and no TLS to inspect; the install_dir and install_file values above match the %TEMP%\0e8d0864aa\svoutse.exe path seen in the process tree below.
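The two extracted configurations give everything needed to hunt for the C2 traffic at a proxy: Amadey beacons to /Dem7kTu/index.php on 31.41.244.10 and Stealc to /e2b1563c6670f193.php on 185.215.113.103, both over plain HTTP. The Python below is an added example written for this report, not sandbox output: it matches those indicators against proxy log lines. The hosts and paths are copied from the configs above; the log lines, the Squid-style field layout and the high/medium confidence labels are this example's own assumptions.

```python
"""Match the C2 indicators from the extracted Amadey and Stealc configs
against HTTP proxy log lines.

Added example for this report, not part of the sandbox output. The C2 hosts
and URL paths are copied from the 'Malware Config' section; the log lines,
the field layout and the confidence labels are assumptions of this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators copied from the extracted configurations.
C2_CONFIG = {
    "amadey": {"c2": "http://31.41.244.10", "paths": ["/Dem7kTu/index.php"]},
    "stealc": {"c2": "http://185.215.113.103", "paths": ["/e2b1563c6670f193.php"]},
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    family: str
    confidence: str  # "high" = host and path match, "medium" = host only
    url: str


def classify(url):
    """Return (family, confidence) for a URL, or None if nothing matches.

    Both families talk plain HTTP to a bare IP, so the host compared is the
    literal IP in the URL; no DNS resolution is involved.
    """
    u = urlsplit(url)
    for family, cfg in C2_CONFIG.items():
        if u.hostname != urlsplit(cfg["c2"]).hostname:
            continue
        if u.path in cfg["paths"]:
            return family, "high"
        return family, "medium"
    return None


# Assumed Squid native access.log layout:
# "<ts> <elapsed> <client> <code/status> <bytes> <method> <url> <user> <hier> <type>"
LOG_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def scan_log(lines):
    """Return a Hit for every log line whose URL matches a configured C2."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at fields
        verdict = classify(m.group("url"))
        if verdict:
            hits.append(Hit(n, verdict[0], verdict[1], m.group("url")))
    return hits


# Constructed log lines (not from the sandbox run): two C2 requests, one benign
# browser request, and one request to the Stealc host on an unlisted path.
SAMPLE_LOG = [
    "1725849300.112 45 10.0.0.15 TCP_MISS/200 812 POST http://31.41.244.10/Dem7kTu/index.php - HIER_DIRECT/31.41.244.10 text/html",
    "1725849301.220 12 10.0.0.15 TCP_MISS/200 334 GET http://185.215.113.103/e2b1563c6670f193.php - HIER_DIRECT/185.215.113.103 text/html",
    "1725849302.001 88 10.0.0.15 TCP_MISS/200 5120 GET https://www.youtube.com/account - HIER_DIRECT/142.250.74.78 text/html",
    "1725849303.500 20 10.0.0.22 TCP_MISS/404 200 GET http://185.215.113.103/other.php - HIER_DIRECT/185.215.113.103 text/html",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.family} ({h.confidence}) {h.url}")
```

A host-only match is reported at medium confidence because both C2s sit on raw IPs that can be reassigned; the full host-plus-path match is the strong signal, and a medium hit is worth pivoting on only alongside the host findings further down the report.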
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copying of, a web browser credential store. The report lists no process-level IoC under this signature.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 23d6aedebc.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d109cc0999.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d109cc0999.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 23d6aedebc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d109cc0999.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 23d6aedebc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe

Executes dropped EXE (5 IoCs)
Processes:
  pid | process
  3848 | svoutse.exe
  3052 | d109cc0999.exe
  248 | 23d6aedebc.exe
  1776 | svoutse.exe
  572 | svoutse.exe

Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | d109cc0999.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | 23d6aedebc.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\23d6aedebc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\23d6aedebc.exe" | svoutse.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes:
  pid | process
  420 | 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
  3848 | svoutse.exe
  3052 | d109cc0999.exe
  248 | 23d6aedebc.exe
  1776 | svoutse.exe
  572 | svoutse.exe

Drops file in Windows directory (1 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\Tasks\svoutse.job | 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 23d6aedebc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d109cc0999.exe

Checks processor information in registry (2 TTPs, 14 IoCs)
Processor information is often read in order to detect sandboxing environments. Every IoC under this signature is attributed to firefox.exe, which the PowerShell script launched; weigh it as browser start-up behaviour rather than as an action of the dropped executables.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe

Modifies registry class (1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes:
  pid | process | count
  420 | 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe | 2
  3848 | svoutse.exe | 2
  3052 | d109cc0999.exe | 2
  248 | 23d6aedebc.exe | 2
  4792 | powershell.exe | 7
  1776 | svoutse.exe | 2
  572 | svoutse.exe | 2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4792 | powershell.exe
  Token: SeDebugPrivilege | 1484 | firefox.exe
  Token: SeDebugPrivilege | 1484 | firefox.exe

Suspicious use of FindShellTrayWindow (21 IoCs)
Processes:
  pid | process | count
  1484 | firefox.exe | 21

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
  pid | process | count
  1484 | firefox.exe | 7

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical rows collapsed; the count column gives the number of times each write was recorded):
  description | pid | process | target pid | target process | count
  wrote to memory of | 420 | 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe | 3848 | svoutse.exe | 3
  wrote to memory of | 3848 | svoutse.exe | 3052 | d109cc0999.exe | 3
  wrote to memory of | 3848 | svoutse.exe | 248 | 23d6aedebc.exe | 3
  wrote to memory of | 3848 | svoutse.exe | 4792 | powershell.exe | 3
  wrote to memory of | 4792 | powershell.exe | 828 | cmd.exe | 3
  wrote to memory of | 4792 | powershell.exe | 784 | cmd.exe | 3
  wrote to memory of | 4792 | powershell.exe | 492 | firefox.exe | 2
  wrote to memory of | 4792 | powershell.exe | 1208 | firefox.exe | 2
  wrote to memory of | 492 | firefox.exe | 1484 | firefox.exe | 11
  wrote to memory of | 1208 | firefox.exe | 4580 | firefox.exe | 11
  wrote to memory of | 1484 | firefox.exe | 4808 | firefox.exe | 20
Every pair here is a parent writing into a child it has just created, which is how CreateProcess hands over the startup block; the table is therefore a second view of the process tree rather than evidence of cross-process injection.

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
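The anti-analysis signatures above (VirtualBox ACPI key, BIOS version values, the Wine key, the NLS language key) all rest on registry opens and value reads. Sysmon's registry events cover key creation, value writes, deletes and renames but not reads, so this kind of evidence comes from a Process Monitor trace or a sandbox report rather than from standard endpoint telemetry. The Python below is an added example for this report, not part of the sandbox output: it reads a Procmon CSV export, tallies the checks listed above per process, and flags a process only when it touches more than one kind of check, since a lone language lookup is routine. The CSV rows are constructed to mirror the report's findings, and the column layout assumes Procmon's default CSV export.

```python
"""Score the registry reads this report flags as anti-analysis checks, per
process, from a Process Monitor CSV export.

Added example for this report, not part of the sandbox output. The registry
paths are the ones listed under Signatures; the CSV rows are constructed and
the column layout assumes Procmon's default export ("Time of Day",
"Process Name","PID","Operation","Path","Result","Detail").
"""
import csv
import io
from collections import defaultdict

# (category, path suffix); matched case-insensitively against the end of the
# path so both \REGISTRY\MACHINE\... and HKLM\... spellings are covered.
ANTI_ANALYSIS_PATHS = [
    ("virtualbox_acpi", r"HARDWARE\ACPI\DSDT\VBOX__"),
    ("bios_version", r"HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("bios_version", r"HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("wine", r"Software\Wine"),
    ("language", r"Control\NLS\Language"),
]
# Procmon operation names for an open and a value read.
READ_OPS = {"RegOpenKey", "RegQueryValue"}


def categorize(path):
    """Return the anti-analysis category for a registry path, or None."""
    low = path.lower()
    for category, suffix in ANTI_ANALYSIS_PATHS:
        if low.endswith(suffix.lower()):
            return category
    return None


def score_trace(csv_text):
    """Map 'process (pid)' -> {category: count} over registry read operations."""
    scores = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in READ_OPS:
            continue
        category = categorize(row["Path"])
        if category:
            scores[f'{row["Process Name"]} ({row["PID"]})'][category] += 1
    return {proc: dict(cats) for proc, cats in scores.items()}


def flag(scores, min_categories=2):
    """Processes that touched at least `min_categories` distinct check types."""
    return sorted(p for p, cats in scores.items() if len(cats) >= min_categories)


# Constructed Procmon rows mirroring the report; not the real trace.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:34:10.1","svoutse.exe","3848","RegOpenKey","HKLM\HARDWARE\ACPI\DSDT\VBOX__","NAME NOT FOUND","Desired Access: Read"
"2:34:10.2","svoutse.exe","3848","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion","SUCCESS","Type: REG_MULTI_SZ"
"2:34:10.2","svoutse.exe","3848","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion","SUCCESS","Type: REG_MULTI_SZ"
"2:34:10.3","svoutse.exe","3848","RegOpenKey","HKCU\Software\Wine","NAME NOT FOUND","Desired Access: Read"
"2:34:11.0","firefox.exe","1484","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz","SUCCESS","Type: REG_DWORD"
"2:34:11.5","cmd.exe","828","RegOpenKey","HKLM\SYSTEM\ControlSet001\Control\NLS\Language","SUCCESS","Desired Access: Read"
'''

if __name__ == "__main__":
    scores = score_trace(SAMPLE_CSV)
    for proc, cats in scores.items():
        print(proc, cats)
    print("flagged:", flag(scores))
```

The result of the read matters too: a NAME NOT FOUND on the VBOX__ key or the Wine key is exactly what the malware hopes to see on a real victim, so the lookup itself, not its outcome, is the indicator; the threshold keeps cmd.exe's single language read out of the flagged set.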
Processes

The tree below is indented by depth; each entry gives the PID, the image path, the recorded command line, and the signatures that fired on that process.

[1] PID 420  C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] PID 3848  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] PID 3052  C:\Users\Admin\AppData\Roaming\1000026000\d109cc0999.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\1000026000\d109cc0999.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [3] PID 248  C:\Users\Admin\AppData\Local\Temp\1000030001\23d6aedebc.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1000030001\23d6aedebc.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [3] PID 4792  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] PID 828  C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account
          - System Location Discovery: System Language Discovery

      [4] PID 784  C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
          - System Location Discovery: System Language Discovery

      [4] PID 492  C:\Program Files\Mozilla Firefox\firefox.exe
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          - Suspicious use of WriteProcessMemory

        [5] PID 1484  C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

          [6] PID 4808  C:\Program Files\Mozilla Firefox\firefox.exe  (gpu)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1936 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93f7725b-a337-48b8-9198-940eac4cef66} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" gpu

          [6] PID 2756  C:\Program Files\Mozilla Firefox\firefox.exe  (socket)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b953d106-5a56-4038-b709-c92b080add90} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" socket

          [6] PID 4092  C:\Program Files\Mozilla Firefox\firefox.exe  (tab)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3360 -childID 1 -isForBrowser -prefsHandle 3448 -prefMapHandle 3368 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4b9d563-b535-4c37-acfd-f9a7a0dc759f} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" tab

          [6] PID 3312  C:\Program Files\Mozilla Firefox\firefox.exe  (tab)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3528 -childID 2 -isForBrowser -prefsHandle 3516 -prefMapHandle 3520 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {013a029e-f83d-4413-b5a5-413f0cfb8f2a} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" tab

          [6] PID 4788  C:\Program Files\Mozilla Firefox\firefox.exe  (tab)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3744 -childID 3 -isForBrowser -prefsHandle 4404 -prefMapHandle 4400 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9364c73-a1ed-4ea1-ab0a-1a14194b9e42} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" tab

          [6] PID 3384  C:\Program Files\Mozilla Firefox\firefox.exe  (utility)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5088 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5052 -prefMapHandle 5044 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adf6b4ed-c597-472a-82e1-c3157acf613b} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" utility
              - Checks processor information in registry

          [6] PID 2084  C:\Program Files\Mozilla Firefox\firefox.exe  (tab)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 4 -isForBrowser -prefsHandle 5844 -prefMapHandle 5888 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10c2688a-b9be-4eb4-a4a0-e9d34e6fb8d2} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" tab

          [6] PID 3520  C:\Program Files\Mozilla Firefox\firefox.exe  (tab)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6060 -childID 5 -isForBrowser -prefsHandle 6068 -prefMapHandle 6076 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e15bfab-714c-44c1-baa1-43cfcc92479f} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" tab

          [6] PID 1680  C:\Program Files\Mozilla Firefox\firefox.exe  (tab)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6248 -childID 6 -isForBrowser -prefsHandle 6256 -prefMapHandle 6260 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19716d84-1369-4106-8f40-319b3a419e25} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" tab

      [4] PID 1208  C:\Program Files\Mozilla Firefox\firefox.exe
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
          - Suspicious use of WriteProcessMemory

        [5] PID 4580  C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
            - Checks processor information in registry

[1] PID 1776  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] PID 572  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

Two points worth noting when reading the tree. The PowerShell and cmd.exe images are under SysWOW64 while their command lines name System32: the 32-bit parent's process creation is subject to WoW64 file system redirection, so the 32-bit hosts ran. The two svoutse.exe instances at the top level (PIDs 1776 and 572) have no recorded parent and an unquoted command line; the sample's creation of C:\Windows\Tasks\svoutse.job (see Signatures) is the likely launch path, although the report does not record the task trigger itself.
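Read from the top, the tree shows: the sample writes a .job file to C:\Windows\Tasks and starts svoutse.exe from %TEMP%\0e8d0864aa; svoutse.exe registers a Run value pointing at 23d6aedebc.exe under %TEMP% and runs do.ps1 through 32-bit PowerShell; the script opens account and sign-in pages in a browser. The Python below is an added example for this report, not sandbox output: it re-derives those findings from process, registry and file events, as a SOC rule would over Sysmon-style telemetry. The paths, PIDs and command lines are copied from the report; the event schema (plain dicts), the rule names and the benign control events are this example's own assumptions.

```python
"""Re-derive the persistence and execution-chain findings of this report from
process, registry and file events, the way a SOC rule would over Sysmon-style
telemetry.

Added example for this report, not part of the sandbox output. Paths, PIDs and
command lines are copied from the process tree and Signatures sections; the
event schema (plain dicts), the rule names and the benign control events are
this example's own assumptions.
"""
import re

# User-writable locations the sample and its drops live in.
APPDATA_RE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Task Scheduler 1.0 (.job) files under %SystemRoot%\Tasks; rare for modern software.
JOB_RE = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)
PS_FILE_RE = re.compile(r'-File\s+"?([^"]+\.ps1)', re.I)
# Account and sign-in pages opened in this run (assumed pattern, not exhaustive).
ACCOUNT_URL_RE = re.compile(r"https?://(accounts\.google\.com|www\.youtube\.com/account)", re.I)
LAUNCHERS = {"cmd.exe", "firefox.exe", "msedge.exe", "chrome.exe"}


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "registry_set":
            if RUN_KEY_RE.search(e["key"]) and APPDATA_RE.search(e["value"]):
                findings.append(("run_key_to_appdata", e["pid"], e["value"]))
        elif e["type"] == "file_create":
            if JOB_RE.match(e["path"]):
                findings.append(("job_file_in_windows_tasks", e["pid"], e["path"]))
        elif e["type"] == "process":
            parent = procs.get(e["ppid"])
            if parent is None:
                continue  # no parent in the window; nothing to chain against
            name = basename(e["image"])
            # An executable in AppData running PowerShell on a script in AppData.
            if name == "powershell.exe" and APPDATA_RE.search(parent["image"]):
                m = PS_FILE_RE.search(e["cmdline"])
                if m and APPDATA_RE.search(m.group(1)):
                    findings.append(("appdata_exe_runs_temp_script", e["pid"], m.group(1)))
            # PowerShell handing an account/sign-in URL to a shell or browser.
            if name in LAUNCHERS and basename(parent["image"]) == "powershell.exe":
                m = ACCOUNT_URL_RE.search(e["cmdline"])
                if m:
                    findings.append(("script_opens_account_page", e["pid"], m.group(0)))
    return findings


# Constructed events mirroring the report, plus a user-launched Firefox (PID 9001)
# under explorer.exe (PID 5000) as a benign control that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 420, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe", "cmdline": ""},
    {"type": "file_create", "pid": 420, "path": r"C:\Windows\Tasks\svoutse.job"},
    {"type": "process", "pid": 3848, "ppid": 420, "image": r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe", "cmdline": ""},
    {"type": "registry_set", "pid": 3848, "key": r"\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\23d6aedebc.exe", "value": r"C:\Users\Admin\AppData\Local\Temp\1000030001\23d6aedebc.exe"},
    {"type": "process", "pid": 4792, "ppid": 3848, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"'},
    {"type": "process", "pid": 828, "ppid": 4792, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account'},
    {"type": "process", "pid": 1208, "ppid": 4792, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd'},
    {"type": "process", "pid": 9001, "ppid": 5000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/'},
    {"type": "process", "pid": 5000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

The account-page rule is deliberately tied to a PowerShell parent: the same URLs opened from explorer.exe are what a user clicking a bookmark looks like, which is why the control event stays silent. The Run-key and .job rules need no parent context at all and are the cheapest of the four to deploy.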
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads

Entries with a path under a Firefox profile are artifacts of the browser sessions the PowerShell script opened; entries with no recorded path are listed as the report gives them.

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json
  Filesize  26KB
  MD5       0f443e6872312afc7ec08e6b50a60a97
  SHA1      160b8dad861717bef829efc7b26d6c5d41274b9d
  SHA256    4a3cd96b11b42adb69a764d5baac309072096e46f92072b5ff0747737b8bdc1e
  SHA512    39aef4324c2d34ae224fd1a25a01c706d412a9b68e25793984377faf0ad656d68298f4224b82988b23602d7f14341486a5fe5057880bd876ed6b94f9cd6a78d2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F
  Filesize  13KB
  MD5       2233c3d379c94190e839304f0aeab9cc
  SHA1      b6ff2c9e08888478e92035dd6cd124eec50872a4
  SHA256    890f05040254fe7b3f91c577016433981361086f37be112677a49a004b6cfdf6
  SHA512    3c0b7eb5aed1ac1c31e64410b32182359ea3deb2ae7b3c049457816002932be362f8fbaedc8081a113a2e7b5506853a5263bace22ec87f5e70aaf6207262c486

(no path recorded; same hashes as the submitted sample)
  Filesize  1.8MB
  MD5       656dad33ed55f336051883f756e7d041
  SHA1      83ff37e0f8badb060900511002fb14e8c4deade8
  SHA256    263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f
  SHA512    ba950f704229070f0515b163630d59fbb9b2ba1b8b775259d84d3828713ab879880a1ee9baa4796898a29a941943868ec8ae111ba38c006fdefb9e12af81316c

(no path recorded)
  Filesize  2KB
  MD5       e05e8f072b373beafe27cc11d85f947c
  SHA1      1d6daeb98893e8122b8b69287ebd9d43f3c6138e
  SHA256    717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
  SHA512    b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

(no path recorded)
  Filesize  60B
  MD5       d17fe0a3f47be24a6453e9ef58c94641
  SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

(no path recorded)
  Filesize  479KB
  MD5       09372174e83dbbf696ee732fd2e875bb
  SHA1      ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256    c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512    b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

(no path recorded)
  Filesize  13.8MB
  MD5       0a8747a2ac9ac08ae9508f36c6d75692
  SHA1      b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256    32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512    59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

(no path recorded)
  Filesize  1.7MB
  MD5       6ec533d4b68b9b65f45160ba3bfc9422
  SHA1      488be541bd2b2e42770c9e2bae875f6f97f51cfb
  SHA256    dbe5d0f7237469a486de479008f1abca3d06a8a2b0ad64f26453d00e63000258
  SHA512    99ceac7775eb344221dbba859cc37834e9b553b9b6eb27fa6dc807b5b4fac8016b2802a66cfba6a4f092feb05443c6642cb3fcb400befacdaad3747c6ce46cfc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
  Filesize  6KB
  MD5       3990ece8196e7f93e84fcde7e6b4debd
  SHA1      5e28c9c6f7c75601b6a9bcf45142c48ad1019827
  SHA256    27d55963bd21d024a21c14a9eec34b18c9b80f6c60433d3e73f4d88e459e7403
  SHA512    e0bfce15c10e937d6e6dcb1eb51c504450565fe9fdc046c534d9839d5d49310f75fe51f805a097ae4e67a3c660c1b75732dd133d1035994a62dcd692a7f1721d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
  Filesize  11KB
  MD5       0b51b2a7dc7b471a59dd3b90e9b4a8e6
  SHA1      f8a47a0d7f28ebd8c024916bc3ab49e024da97f7
  SHA256    f212c199df12689438c2a7184c7cba224c425f848ab37fd5d97a268362828221
  SHA512    72bc94f61131b062fd3df5de14884396793c997aa943405e763075114efc97878b07efee2943597b1b95e7676def249038aa8b7fd66b74bbf56fdd27c6e431d7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
  Filesize  18KB
  MD5       2ca14d6e6b2aaac1e42513d213ba0f42
  SHA1      bdde748fba33b0abfae8bd7b96e38033fd127c0e
  SHA256    d2e270ef453b8055c25705950069a12435933e9315106854cbc12271b700d339
  SHA512    1f11add4dea87a75e3652be29573cac50f607443f3e5feca96d5294846b08493a6b33af43eb6e0bb2fc6aced81ecffd3d4dc380c9346657978d46f74caac3c0d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
  Filesize  22KB
  MD5       303150e2f552422067ce5ab012289145
  SHA1      db1777e2cad9da419196bc27ca22ef97d42045d5
  SHA256    4e860ecdc518a8da4fdb760832d2f2437b337d438ea7cfb26c103d4b17dd0fd3
  SHA512    073bfd99abecfd9da2349116b2ecde7f1b009f985b9eb68d09c9dca95f61c926e353d20dc86ecb9a591ec22b2bc692defd4879dee45cf85944f35bdb1946889e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
  Filesize  22KB
  MD5       e708c210acd73491e9222f3334636ad0
  SHA1      1db0c0068cef07a061a491f91a0d1f3e54f23632
  SHA256    a61279762b0337a259f129949a591440ba271277df4e9502d787bb6c4b3f0c57
  SHA512    d91150e0ace835880d5880b35a86dd1c8a97639f98a7de9ac463952a404b3cb3052b025ff6a79d8f36d55f42592c839131b9cf04b3526f1205eda0585bc771fe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
  Filesize  26KB
  MD5       6fd1490a0837052759b539544e4ad806
  SHA1      7b633808eb19cc1ca51aa18495c6b6be15f2a9f2
  SHA256    de9985e380b8bb45f2e2dff98be9899b2e0b634de525f3e7dd9784e964d57c88
  SHA512    3c2fee23ef143faa482a540ef99b902278a4e7497a35a9ce457ba5d0c44532b90e9c3dfad78389793a97da68f32a615028c0bd317d879f1bbec07152e1f19413

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
  Filesize  23KB
  MD5       2f57377371fd7bbf68ae4e2eb6399be0
  SHA1      6c97bae6ec323c046a8288e012224f9e2adf9caa
  SHA256    43dae3e59b42b256a843e1df6a58405919d56f70813419cf515a9544ad526711
  SHA512    5b6d8b8f2a553acce0b563f6408481cd2b1f81597635f6cb55ce5e38ae641dbb3368592775b9d50fa44a8f2f3388b53c9323bab93ed81cec018f708ccba3482a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\5c82dc28-f771-4af1-b75a-fe872656b42a
  Filesize  982B
  MD5       8867cbd4f627f1ed9474cb58da3098a9
  SHA1      57daa9e7e61432a45d98737c9f5bd2231628ad31
  SHA256    8d0f4bc4d2b542ce37a9d50b73e9c314fb198c9e3f987391a619d8ca1bc26c7d
  SHA512    bd15caefc7c5ee522231358c2b746a7cb01ff1798b3e589b7e12e352dc80993e12415e7bc374488431ec64221a1474602499ec603120cb3e11b2a4331baf398c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\a9004521-e400-4416-8c6d-8b02f7f9bf77
  Filesize  659B
  MD5       212e317c9917558501bb3794de32df82
  SHA1      b08dcba6f9ee26e3cc2ea9a41a75c1441355c7c1
  SHA256    f57901873eef49dfdf99e959d738beb146e9bd7b276feb5599503dc6bf92049d
  SHA512    c7457f4607b3ff5ffbe2e6630787d87f24490df2c00baa6851429146092582f17448c041789f02dff80068af996a858aeb4c94b2839a29b19935ffe9d7cd506c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize  1.1MB
  MD5       842039753bf41fa5e11b3a1383061a87
  SHA1      3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256    d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512    d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize  116B
  MD5       2a461e9eb87fd1955cea740a3444ee7a
  SHA1      b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256    4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512    34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize  372B
  MD5       bf957ad58b55f64219ab3f793e374316
  SHA1      a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256    bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512    79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize  17.8MB
  MD5       daf7ef3acccab478aaa7d6dc1c60f865
  SHA1      f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256    bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512    5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

(no path recorded)
  Filesize  15KB
  MD5       20e1c10296ba39cbc199527686030c7a
  SHA1      406e16a32b4cc310b9b6ecaa64add9883b11f728
  SHA256    c8d7dbb410d9d9d19739d6d83dc8776d37a4c6566d89f5a2c6466cffe6e5397b
  SHA512    a1730f880df31fe622583a19a7bf97d7ed60bb201586df1e48b8a42e4af1a211ce982e1541c3cdd28fa3e60396748a1fe7e234181b9cbfdd989910ddbbb3bc74

(no path recorded)
  Filesize  11KB
  MD5       1beeb004bcf2e887dc5611f7307bb564
  SHA1      13397b6220fc57d3b6ef0fcfb24ebb64d42017ec
  SHA256    31683d83b05cb90d38b27944fbc598799a5d40b5947412057460119aae3df25b
  SHA512    1f4d947a00d4f251d806fa5150c6b1bc14f8d4eb24265b7775672633c5df088986fdd85d237009e026569d3b64d3279ac4926820963cddb6ca60585bafe8898e

(no path recorded)
  Filesize  15KB
  MD5       044b65ec6bfc2908781eabc4a68aeb62
  SHA1      320f3e57aebe71cdb371b311cb624e9b9cd6dcbb
  SHA256    49e85c41808470f867d08afbe0ebe6977f8a7fdb9fd58cc27c718520f01980b2
  SHA512    c821c20d9f1e771d1159897a45d2b31f01d28f7c41e35d2e1ba36002b9c2867740167816c6981d00221f78fa6adaf514732e98f8af27f1b4ff636d1cf19ef4c9

(no path recorded)
  Filesize  10KB
  MD5       e8febfb2a365363aa10401cf7c481e47
  SHA1      950b48fe9ca666a2525da620377c1022d537ef13
  SHA256    58db33686914031dc943dbcdbb9aaadf0d519f648052805845b1a59961ab8717
  SHA512    f0bf72dc046a6dc49a692bca80596b20970734af33c3098b3b801d2dc14e5d12162e2e800906e69b5ee2222f9205c744c34993357a48eca4740216ad44bbac50

(no path recorded)
  Filesize  11KB
  MD5       d8b052549f6889d35bb34dd905a29f8d
  SHA1      25a5c1bf4faeb72a764a4edef78057490abe95c3
  SHA256    55cb84151fbe50d59bc46c083cd6db488533f020b056216692ed1c5536f821c1
  SHA512    ff9c2c32ee6bc8014dacbc1bc19688b6833332bf1be65ee046493b878ca3c981a70170836d2c0ba1e18ea5aa0e287573f2eecd8c9ef0f2f2ba04b68abb75fbca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4
  Filesize  1KB
  MD5       154f7a181c78d4f68f168579f9f19977
  SHA1      ee42e234796650aeb3d1ad880035762c3958ddb8
  SHA256    bfd5a870ce7ed4b82f84f9256f579e38a459d1aa98be9d9e21b0cc3b10b77155
  SHA512    e3e2ffc0553ce5ba3bcc983391200f7942e56a5faf1d40f6967749582b85afb852924d4ad48c00cd802fbb6030a4c5e5fd143a113a1c3d0763566e6a746958dc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4
  Filesize  5KB
  MD5       b0b0e4b71f3ebe304ece16c8b3dedb42
  SHA1      97952b35686dc66dd20bb0cc9ed8448cb42ccde9
  SHA256    91d8754b08531e90f409a07eb613b4ec1fcadb7174bf4cdb6316fb11219b446b
  SHA512    6e0b54dd07151e1f6743fe70eabe591b3f886c1c62942341dda0051592a0a550ea4021af19bb06cfd437f8eef9849fbf66210fe192eae26d26cb2144bd525467

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize  1.4MB
  MD5       76a1ab5423e2620694d99935330239bb
  SHA1      3c74a7eadc9e19245d6d3ff9ed70b985fec1a773
  SHA256    0da2ce4972a23e24e5b80f93be0e01fe71a3a3fcde3d67229949002cb9103329
  SHA512    e102693e06ced74c03e9d7ad8690dd801d98aa0a88bc880226f294ab7bb7b4bc14890b6f0472f313e54b08a6aa50bcd21377c5e9b529cc5b1a91b4f6ac1da8d1