Analysis
max time kernel: 147s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-09-2024 09:42
Static task: static1
Behavioral task: behavioral1
Sample: e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe
Resource: win10v2004-20240802-en
General
Target: e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe
Size: 1.8MB
MD5: 4f810a4d5286bf5189823ad3cfacd8a2
SHA1: c5c060728031b48834ff5a2739cb173a1879320d
SHA256: e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1
SHA512: 2557369861653779d600bba276e0507e3652da0578f0f40f6a47d2f28b9138cfc39929ec6b20cbe262f36b1a8a4fe1362592a02a936dd07a1eb9a569b1ed6937
SSDEEP: 49152:SaI6wd/oTMAIR6LNwU+N9UNXx+ameYlJjZA:BedGI8poNeyhZ
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php
Extracted
Family: stealc
Botnet: rave
C2: http://185.215.113.103
url_path: /e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access or copy of web browser credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
Processes (description, IoC, process):
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by svoutse.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by svoutse.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by svoutse.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by e8d6e61f4c.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 47ee257e79.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by svoutse.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description, IoC, process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by svoutse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by svoutse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by e8d6e61f4c.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by svoutse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by svoutse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by svoutse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by svoutse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by e8d6e61f4c.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 47ee257e79.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 47ee257e79.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by svoutse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by svoutse.exe
-
Executes dropped EXE (6 IoCs)
Processes (pid, process):
- 2736 svoutse.exe
- 2012 e8d6e61f4c.exe
- 1460 47ee257e79.exe
- 836 svoutse.exe
- 3424 svoutse.exe
- 1464 svoutse.exe
-
Identifies Wine through registry keys (2 TTPs, 7 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description, IoC, process):
- Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine by svoutse.exe
- Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine by svoutse.exe
- Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine by e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe
- Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine by svoutse.exe
- Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine by e8d6e61f4c.exe
- Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine by 47ee257e79.exe
- Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine by svoutse.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, IoC, process):
- Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\47ee257e79.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\47ee257e79.exe" by svoutse.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
Processes (pid, process):
- 232 e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe
- 2736 svoutse.exe
- 2012 e8d6e61f4c.exe
- 1460 47ee257e79.exe
- 836 svoutse.exe
- 3424 svoutse.exe
- 1464 svoutse.exe
-
Drops file in Windows directory (1 IoCs)
Processes (description, IoC, process):
- File created C:\Windows\Tasks\svoutse.job by e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, IoC, process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by svoutse.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by e8d6e61f4c.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 47ee257e79.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by powershell.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
-
Checks processor information in registry (2 TTPs, 14 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, IoC, process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by firefox.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier by firefox.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz by firefox.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz by firefox.exe
-
Modifies registry class (1 IoCs)
Processes (description, IoC, process):
- Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings by firefox.exe
-
Suspicious behavior: EnumeratesProcesses (21 IoCs)
Processes (pid, process):
- 232 e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe (2 entries)
- 2736 svoutse.exe (2 entries)
- 2012 e8d6e61f4c.exe (2 entries)
- 1460 47ee257e79.exe (2 entries)
- 3372 powershell.exe (7 entries)
- 836 svoutse.exe (2 entries)
- 3424 svoutse.exe (2 entries)
- 1464 svoutse.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 3372 powershell.exe
- Token: SeDebugPrivilege, 432 firefox.exe (5 entries)
-
Suspicious use of FindShellTrayWindow (21 IoCs)
Processes (pid, process):
- 432 firefox.exe (21 entries)
-
Suspicious use of SetWindowsHookEx (10 IoCs)
Processes (pid, process):
- 432 firefox.exe (10 entries)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process); the original table has 64 rows, each parent/child pair below appearing two or more times:
- PID 232 (e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe) wrote to memory of PID 2736 (svoutse.exe)
- PID 2736 (svoutse.exe) wrote to memory of PID 2012 (e8d6e61f4c.exe)
- PID 2736 (svoutse.exe) wrote to memory of PID 1460 (47ee257e79.exe)
- PID 2736 (svoutse.exe) wrote to memory of PID 3372 (powershell.exe)
- PID 3372 (powershell.exe) wrote to memory of PID 5032 (cmd.exe)
- PID 3372 (powershell.exe) wrote to memory of PID 4764 (cmd.exe)
- PID 3372 (powershell.exe) wrote to memory of PID 1440 (firefox.exe)
- PID 3372 (powershell.exe) wrote to memory of PID 3308 (firefox.exe)
- PID 1440 (firefox.exe) wrote to memory of PID 432 (firefox.exe)
- PID 432 (firefox.exe) wrote to memory of PID 3592 (firefox.exe)
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Process (tree depth 1): C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 232
Process (tree depth 2): C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2736
Process (tree depth 3): C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe
Command line: "C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2012
Process (tree depth 3): C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1460
Process (tree depth 3): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3372
Process (tree depth 4): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account
- System Location Discovery: System Language Discovery
PID: 5032
Process (tree depth 4): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
- System Location Discovery: System Language Discovery
PID: 4764
Process (tree depth 4): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Suspicious use of WriteProcessMemory
PID: 1440
Process (tree depth 5): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 432
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1892 -parentBuildID 20240401114208 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcc82183-7261-4fcf-842b-7ae8552ccd93} 432 "\\.\pipe\gecko-crash-server-pipe.432" gpu
PID: 3592
-
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c50f398-face-4c3c-a33e-6ce6a7b92be1} 432 "\\.\pipe\gecko-crash-server-pipe.432" socket
PID: 4732
-
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 2608 -prefMapHandle 2900 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a61381c-b299-44ae-b07c-b624eccbe160} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab
PID: 1232
-
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3464 -childID 2 -isForBrowser -prefsHandle 3308 -prefMapHandle 2912 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c39f31fc-d546-4371-abc7-a167502c6b31} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab
PID: 1180
-
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4180 -childID 3 -isForBrowser -prefsHandle 4172 -prefMapHandle 4168 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae082f25-cafc-4378-9925-f170460655d5} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab
PID: 3664
-
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5028 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4980 -prefMapHandle 2792 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {980cdd6d-f571-4fe9-afba-d2124e0e115d} 432 "\\.\pipe\gecko-crash-server-pipe.432" utility
- Checks processor information in registry
PID: 3748
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5936 -childID 4 -isForBrowser -prefsHandle 5916 -prefMapHandle 5908 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dbc8319-3ada-42f8-9b5b-ed7d410ed149} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab
PID: 3296
-
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6060 -childID 5 -isForBrowser -prefsHandle 6068 -prefMapHandle 6072 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2e7ba23-e1ad-455e-8c69-151f81419b31} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab
PID: 2620
-
Process (tree depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6244 -childID 6 -isForBrowser -prefsHandle 6252 -prefMapHandle 6256 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a547f62-52b9-4f8f-b170-700459f77df8} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab
PID: 1440
-
Process (tree depth 4): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
- Checks processor information in registry
PID: 3308
-
Process (tree depth 1): C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 836
-
Process (tree depth 1): C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 3424
-
Process (tree depth 1): C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 1464
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation: Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads