Analysis

max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/09/2024, 02:41

Static task: static1
Behavioral task: behavioral1
Sample: b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe
Resource: win7-20240708-en
General

Target: b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe
Size: 1.8MB
MD5: 770569784896b9f4265199290d40887b
SHA1: bee501ab46012b693f825446bc92f0b5a21f8851
SHA256: b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e
SHA512: ffbbdab985370c1ed504b796ff956f789f3dbb2fb7f75cb8dc740d773e082d3db1ca67781c6e78930592e4d06d431053339b1885cda8207fe516542be1a262ce
SSDEEP: 49152:mcKca9Fi9hD+TeUdG/X+rQVZ5kNRsETkKn7ay:m5uhD20/XmQVZ5kNRs+kKn7a
Malware Config

Extracted
  Family: amadey
  Version: 4.41
  Botnet: c7817d
  C2: http://31.41.244.10
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php

Extracted
  Family: stealc
  Botnet: leva
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)

description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 768c2dd02e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d693e7cb58.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d693e7cb58.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d693e7cb58.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 768c2dd02e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 768c2dd02e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | svoutse.exe
Executes dropped EXE (7 IoCs)

pid | Process
1236 | svoutse.exe
1056 | 768c2dd02e.exe
4920 | d693e7cb58.exe
4004 | 1eba50acc8.exe
4488 | svoutse.exe
5976 | svoutse.exe
2624 | svoutse.exe
Identifies Wine through registry keys (2 TTPs, 7 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | 768c2dd02e.exe
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | d693e7cb58.exe
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | svoutse.exe
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.

resource | yara_rule
behavioral2/files/0x0007000000023446-60.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)

pid | Process
3328 | b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe
1236 | svoutse.exe
1056 | 768c2dd02e.exe
4920 | d693e7cb58.exe
4488 | svoutse.exe
5976 | svoutse.exe
2624 | svoutse.exe
Drops file in Windows directory (1 IoCs)

description | ioc | Process
File created | C:\Windows\Tasks\svoutse.job | b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1eba50acc8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 768c2dd02e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d693e7cb58.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)

description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (1 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)

pid | Process
3328 | b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe
3328 | b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe
1236 | svoutse.exe
1236 | svoutse.exe
1056 | 768c2dd02e.exe
1056 | 768c2dd02e.exe
4920 | d693e7cb58.exe
4920 | d693e7cb58.exe
1952 | msedge.exe
1952 | msedge.exe
2464 | msedge.exe
2464 | msedge.exe
2464 | msedge.exe
4188 | identity_helper.exe
4188 | identity_helper.exe
4488 | svoutse.exe
4488 | svoutse.exe
5976 | svoutse.exe
5976 | svoutse.exe
1368 | msedge.exe
1368 | msedge.exe
1368 | msedge.exe
1368 | msedge.exe
2624 | svoutse.exe
2624 | svoutse.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

pid | Process
4004 | 1eba50acc8.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (31 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

[1] "C:\Users\Admin\AppData\Local\Temp\b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe" (PID 3328)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  [2] "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe" (PID 1236)
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] "C:\Users\Admin\AppData\Roaming\1000026000\768c2dd02e.exe" (PID 1056)
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [3] "C:\Users\Admin\AppData\Roaming\1000027000\d693e7cb58.exe" (PID 4920)
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [3] "C:\Users\Admin\AppData\Local\Temp\1000028001\1eba50acc8.exe" (PID 4004)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9777146f8,0x7ff977714708,0x7ff9777147185⤵PID:4240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:25⤵PID:4528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:85⤵PID:4348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:15⤵PID:2952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:15⤵PID:3008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:15⤵PID:5048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:15⤵PID:5088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:15⤵PID:4404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:15⤵PID:1004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:15⤵PID:3416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:15⤵PID:4872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:15⤵PID:4760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:15⤵PID:1520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:15⤵PID:4412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:15⤵PID:4428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:15⤵PID:3612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:15⤵PID:4128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:15⤵PID:1892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:15⤵PID:2296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:15⤵PID:3696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:15⤵PID:3732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:15⤵PID:3168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:15⤵PID:1736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:15⤵PID:2716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:15⤵PID:2340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:15⤵PID:2624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:15⤵PID:5340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:15⤵PID:5656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:15⤵PID:5788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:15⤵PID:5856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:15⤵PID:5908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:15⤵PID:5916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7700 /prefetch:15⤵PID:5924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7628 /prefetch:15⤵PID:5900
-
-
identity_helper.exe (PID 5844, tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 /prefetch:8

identity_helper.exe (PID 4188, tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 /prefetch:8
- Suspicious behavior: EnumeratesProcesses

msedge.exe (PID 1368, tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,10801529338013539218,6195626191958809952,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 /prefetch:2
- Suspicious behavior: EnumeratesProcesses

CompPkgSrv.exe (PID 2144, tree depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe (PID 5376, tree depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding

svoutse.exe (PID 4488, tree depth 1)
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses

svoutse.exe (PID 5976, tree depth 1)
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses

svoutse.exe (PID 2624, tree depth 1)
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
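The three svoutse.exe entries above are the part of this tree a responder keys on: a dropped binary running from a user-writable Temp directory that probes for VirtualBox, BIOS strings and Wine and hides its threads from a debugger. The following added example (not code from tria.ge or from the sample) parses a listing in this shape and pulls those entries out. The listing it parses is constructed from the entries above, with the identity_helper.exe command line abridged; the directory pattern, the signature keywords and the hunt-glob rewrite are the author's choices, not anything the report states.

```python
"""Pull high-value entries out of a sandbox process listing: binaries that run
from a user-writable directory and carry anti-analysis signatures.  Added
example, not part of the tria.ge report.  SAMPLE_LISTING is constructed from
the report's process entries (identity_helper.exe command line abridged); the
directory pattern and signature keywords are the author's assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE_LISTING = r"""
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:2144
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --service-sandbox-type=none /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:4188
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4488
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5976
"""

# Directories an unprivileged user can write to; a binary launched from one of
# these deserves more scrutiny than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.I)
# Substrings of signature names that indicate VM, sandbox or debugger evasion.
ANTI_ANALYSIS_KEYWORDS = ("anti-vm", "virtualbox", "bios information", "wine", "hidefromdebugger")


@dataclass
class ProcessEntry:
    command_line: str
    pid: int
    signatures: list[str] = field(default_factory=list)

    @property
    def image_path(self) -> str:
        # Quoted image path if present, else the first token (the report quotes paths with spaces).
        m = re.match(r'"([^"]+)"', self.command_line)
        return m.group(1) if m else self.command_line.split()[0]


def parse_listing(text: str) -> list[ProcessEntry]:
    """Lines: a command line, zero or more '- <signature>' lines, then 'PID:<n>'."""
    entries: list[ProcessEntry] = []
    current: ProcessEntry | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("- ", "PID:")) and current is None:
            raise ValueError(f"{line!r} appears before any process line")
        if line.startswith("- "):
            current.signatures.append(line[2:])
        elif line.startswith("PID:"):
            current.pid = int(line[4:])
            entries.append(current)
            current = None
        elif current is not None:
            raise ValueError(f"no PID line for {current.command_line!r}")
        else:
            current = ProcessEntry(command_line=line, pid=-1)
    if current is not None:
        raise ValueError(f"listing ended without a PID for {current.command_line!r}")
    return entries


def anti_analysis_hits(entry: ProcessEntry) -> list[str]:
    return [s for s in entry.signatures if any(k in s.lower() for k in ANTI_ANALYSIS_KEYWORDS)]


def flag_suspicious(entries: list[ProcessEntry]) -> list[tuple[ProcessEntry, list[str]]]:
    """Entries that both run from a user-writable directory and show evasion behaviour."""
    flagged = []
    for entry in entries:
        hits = anti_analysis_hits(entry)
        if hits and USER_WRITABLE.search(entry.image_path):
            flagged.append((entry, hits))
    return flagged


def hunt_glob(path: str) -> str:
    """Generalise the per-user profile segment so the path can be swept across hosts."""
    return re.sub(r"^([A-Za-z]:\\Users\\)[^\\]+\\", r"\1*\\", path)


if __name__ == "__main__":
    for entry, hits in flag_suspicious(parse_listing(SAMPLE_LISTING)):
        print(f"PID {entry.pid}  {hunt_glob(entry.image_path)}  [{len(hits)} evasion signatures]")
```

The identity_helper.exe entry is included deliberately: it shares the EnumeratesProcesses signature with svoutse.exe but is not flagged, because it runs from Program Files and shows no evasion behaviour. Running the block prints one line per flagged process with the user profile generalised to a wildcard, which is the form a fleet-wide file search wants.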
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\51e56f66-ea82-47b6-9183-d0e36212ac80.tmp
  Filesize 9KB
  MD5 2cdcd444a0b8ad312c5a8fadaef25528
  SHA1 6735525ed3fa11456fff9dea2a4658b826dd0fc5
  SHA256 0cca5b8efffc2465525002b17d2a7f48880f574ddb86c671c7425a3f2f6b635e
  SHA512 af0ebc3de5fc906aa3d03f8e31c9b1d9ad09cc4d5d2a0757b24ca6fee5cb68f147bee5e34e4801ba9375a7d99a5c6a66b0c3841a4a8c8923e03e1c9545c41e0b
- Filesize 152B
  MD5 0352a9f576d45473442298647665b11c
  SHA1 0f9f863d738268a21cdc76136b2e75f720735cc7
  SHA256 bb48cfff0d7b7839202a799cabefb4769f51548fcc471346c7fcf40918d2d16a
  SHA512 320caaf5481a047d64e8d27597d57acac040ddf3103f233b1a591b2d32d134592d620300fbd59d75c9a1978b96e23c3d60f83ec644c23fb42cdf91ad8359a636
- Filesize 152B
  MD5 c47553e718e3a36caf53c350adad5929
  SHA1 c1a188649a9fb8a26865738bff2df27c8bbbd371
  SHA256 c9dee1e51bda266949585a2154019e0feb6e7176e750f2077054a2282c1bebe8
  SHA512 489f341b51948aa4f28f0b3c4d4e5bd9075731fd5780588286809fb457249c798280ef6ed554a36358b0af0b949eedef8fa5d8dea21683505cc19a8c42278ca4
- Filesize 152B
  MD5 3d6f7921d10eb061af217a3d7742399b
  SHA1 20b34d429dbbba73a99a73777f8fbc7fc9ccb940
  SHA256 86122af264afbd66dd7a2f12eea7b259b940f46749d0f27adef3af3e894963e8
  SHA512 7613420e68cb4251490670ded6d02755671c69fd79213df91a08faa990aacfa7fbe3aa1b5b1f68da1f01ba3791c93e505e6fee945ee1b37eeda3c2989acd3317
- Filesize 20B
  MD5 9e4e94633b73f4a7680240a0ffd6cd2c
  SHA1 e68e02453ce22736169a56fdb59043d33668368f
  SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
  SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\02d8a59d-ecdd-45d8-b75d-5c81cf95733d.tmp
  Filesize 4KB
  MD5 53e44254f0dd42b3aa12da339d6d3471
  SHA1 23bbb6ac7429e4b53e19d0efab0c1c37a9699c33
  SHA256 21cededbf5e4045c8a944ec063c270d23fd59f5896831e0e12a3c9aabb8a8712
  SHA512 2759e02b02f544e2e954899594c1e19b318bb6e650806bf2165140dbacf7568e5aae420e8c1f9cbec4c1f8aa75cff4262ec416f7c6a6cf0a27ad1bdde2cb37e3
- Filesize 1KB
  MD5 e89214a3a644400b2bdcaae0983f12a0
  SHA1 8bccfc43704124bc5bd31b2d69694b5a74ec2455
  SHA256 f4b0143ecbf2aaae9e7dc331466000e8e7edbb3ff0d4e1507495d5801c890911
  SHA512 096d9d0600f6a97e5c988782e870af0e7f0604035db4293ba62d0f6c3dfd8e4e22914c32081067c7b2dc5b0a5d49e9107a4a8e24c724ab4626fab78e11a56427
- Filesize 4KB
  MD5 204351f0316675dd0b28c833a44367a4
  SHA1 1904c9abdda3292bc3d3cf5e800848ecd16017d8
  SHA256 fe0028c71946b3b4985908e881d33a7abf4bc0150f02f4a6a28942250bb42d7d
  SHA512 2a2f167e33387b3792bfeed31ceba716752917e967325793415e08d10a0741a157daa3bab464d7d472a499d299690a92a16e3773a7bb293e61884dfc071e9844
- Filesize 4KB
  MD5 b4701daec1ed5a3d640cc8a2d8a853a3
  SHA1 e01efa43404eea2e476ab9bb3c8df90774369119
  SHA256 d06a3458c7f766be7c73ca987588008ec4979217417ebb6a1210f18cad9eeadc
  SHA512 2280c827b9c141460446242e3c585bfd85790392c1de4988bc30100970e63e3a689bea3edb9790c16317cd05326237358e1297f35e38021eaf2e5b6440f55eb7
- Filesize 24KB
  MD5 fac2ac205f945037c0a4818e0141a668
  SHA1 83a2c4be627c7c0b88d5b7897a46b47232b5e2f4
  SHA256 860a75abfc32ebf769e5bd8279f955e0123f5957d9a081e34bac806b60641b8f
  SHA512 5edfd2b067e1f51f6781410f50cef255d966fe58bdc553315c591ed87019e1a26e77d992894b809d088a2262c2eae8c01b016e29a51506ea215447433c85ad0f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe57cb5e.TMP
  Filesize 24KB
  MD5 d576223e2bff643a17c22de7b111ed47
  SHA1 0972daf1203ab86c02998581161f1eebf1fa21e8
  SHA256 97298867944c343c53a3e7226f1380495240b768502311e6f7ba494c610e46a2
  SHA512 a43484d564016d9523c90e055e0d41ed03dd7b78f0ba9c7acc0cd366a64cf33c95e4a66c224a059de4a68ff27130312b5f747d1caa6139ae5e93dde3adab138c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT
  Filesize 16B
  MD5 46295cac801e5d4857d09837238a6394
  SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001
  Filesize 41B
  MD5 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
  Filesize 8KB
  MD5 cf89d16bb9107c631daabf0c0ee58efb
  SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
  SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
  SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
  Filesize 264KB
  MD5 f50f89a0a91564d0b8a211f8921aa7de
  SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2
  Filesize 8KB
  MD5 0962291d6d367570bee5454721c17e11
  SHA1 59d10a893ef321a706a9255176761366115bedcb
  SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
  SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3
  Filesize 8KB
  MD5 41876349cb12d6db992f1309f22df3f0
  SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
  SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
  SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize 16B
  MD5 206702161f94c5cd39fadd03f4014d98
  SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize 1.8MB
  MD5 770569784896b9f4265199290d40887b
  SHA1 bee501ab46012b693f825446bc92f0b5a21f8851
  SHA256 b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e
  SHA512 ffbbdab985370c1ed504b796ff956f789f3dbb2fb7f75cb8dc740d773e082d3db1ca67781c6e78930592e4d06d431053339b1885cda8207fe516542be1a262ce
- Filesize 896KB
  MD5 8a9ad4f8bd8c551d33a535fd15cd3a0b
  SHA1 eff90fe4949bc37c511aa3795822435f9182a3e7
  SHA256 8b01cff608f4625233e56ee33347e12ece06141046133c2cf38beffcd658b7db
  SHA512 358b0c9e08747de3974587591ba4bfb0d111ee4ac277249898ef1e99a4029816e997a33023d04f48ecf6f26c7197fec30df6b2a29f7cb884978b9d7b0dc6edf9
- Filesize 1.7MB
  MD5 a0f1a3fb687a03fc519f656904fa3c3a
  SHA1 2e38364f4ee4e4306895ccbada109c9c960fb303
  SHA256 f8366120d820594290cca65aa7165b6582a5f3442fb66d7992929c821c217c3c
  SHA512 c0e4488765d0e1e4f8d5a1218439bb73a6d4e4deacd5f5c7e0f90d137aa8d85021ae0ce385934933b942b47fb56438e4d70e8cdab2853fc7d3a1e97fd7dfab1f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MAC9PUOOYGSMR7JAZI5X.temp
  Filesize 3KB
  MD5 f99f673b0c809bed53d827a1d6088ef7
  SHA1 03d29c8c1de6d56ee42da785a5e71aed4361e81c
  SHA256 4f685cb3d4dbcfcafe1920bb9cb904865bc70cc972f69f7f4c4f2f2fce017fe3
  SHA512 41a1be54a85c17693d993feea8a866605e1a2a91bbc49c24e45e42764676ea319477a05dad889175cd7e964911bb0491e680fb047d53ec5b44a0f24a97e3d0ea
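As tria.ge exports it, the table above carries each label fused to its value ("Filesize9KB", "SHA16735..."), sometimes splits "Filesize" and its value over two lines, and shows no path for several entries, which makes it awkward to feed into a blocklist or a pivot search by hand. The following added example (not code from tria.ge) parses that raw form; its SAMPLE_DOWNLOADS reproduces three entries from the table verbatim. The classification buckets and the 64 KB threshold in unattributed_hashes() are the author's assumptions about which entries are worth pivoting on, not anything the report states.

```python
"""Parse the Downloads hash table of a tria.ge report into records.  Added
example, not part of the report.  SAMPLE_DOWNLOADS reproduces three entries
verbatim in the raw export form: labels fused to values ("Filesize9KB",
"SHA16735..."), "Filesize" sometimes split over two lines, no path line for
some entries.  Classification buckets and size threshold are the author's
assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

SAMPLE_DOWNLOADS = r"""
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\51e56f66-ea82-47b6-9183-d0e36212ac80.tmp
Filesize9KB
MD52cdcd444a0b8ad312c5a8fadaef25528
SHA16735525ed3fa11456fff9dea2a4658b826dd0fc5
SHA2560cca5b8efffc2465525002b17d2a7f48880f574ddb86c671c7425a3f2f6b635e
SHA512af0ebc3de5fc906aa3d03f8e31c9b1d9ad09cc4d5d2a0757b24ca6fee5cb68f147bee5e34e4801ba9375a7d99a5c6a66b0c3841a4a8c8923e03e1c9545c41e0b
-
Filesize
152B
MD50352a9f576d45473442298647665b11c
SHA10f9f863d738268a21cdc76136b2e75f720735cc7
SHA256bb48cfff0d7b7839202a799cabefb4769f51548fcc471346c7fcf40918d2d16a
SHA512320caaf5481a047d64e8d27597d57acac040ddf3103f233b1a591b2d32d134592d620300fbd59d75c9a1978b96e23c3d60f83ec644c23fb42cdf91ad8359a636
-
Filesize
1.8MB
MD5770569784896b9f4265199290d40887b
SHA1bee501ab46012b693f825446bc92f0b5a21f8851
SHA256b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e
SHA512ffbbdab985370c1ed504b796ff956f789f3dbb2fb7f75cb8dc740d773e082d3db1ca67781c6e78930592e4d06d431053339b1885cda8207fe516542be1a262ce
"""

# Longest label first ("SHA512..." must not be read as "SHA1" + "512..."); the
# expected digest length then validates each parse.
DIGEST_LABELS = (("SHA512", 128), ("SHA256", 64), ("SHA1", 40), ("MD5", 32))
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # binary units assumed


@dataclass(frozen=True)
class DownloadEntry:
    path: str | None  # None when the report shows no path for the entry
    size_bytes: int
    md5: str
    sha1: str
    sha256: str
    sha512: str


def split_digest(line: str) -> tuple[str, str] | None:
    """'SHA16735...' -> ('SHA1', '6735...'); None if the line is not a digest line."""
    for label, hexlen in DIGEST_LABELS:
        if not line.startswith(label):
            continue
        digest = line[len(label):].lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % hexlen, digest):
            raise ValueError(f"malformed {label} digest: {line}")
        return label, digest
    return None


def parse_size(text: str) -> int:
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_downloads(text: str) -> list[DownloadEntry]:
    entries: list[DownloadEntry] = []
    fields: dict = {}
    expect_size = False
    for line in (l.strip() for l in text.splitlines() + ["-"]):  # sentinel "-" flushes the last entry
        if not line:
            continue
        if line == "-":                           # entry separator
            if fields:                            # KeyError here means an entry lacked a field
                entries.append(DownloadEntry(fields.get("path"), fields["size"], fields["MD5"],
                                             fields["SHA1"], fields["SHA256"], fields["SHA512"]))
            fields = {}
        elif expect_size:                         # value of a "Filesize" split over two lines
            fields["size"], expect_size = parse_size(line), False
        elif line.startswith("Filesize"):
            rest = line[len("Filesize"):]
            expect_size = not rest
            if rest:
                fields["size"] = parse_size(rest)
        elif (d := split_digest(line)) is not None:
            fields[d[0]] = d[1]
        else:                                     # anything else is the (optional) path line
            fields["path"] = line
    return entries


def classify(entry: DownloadEntry) -> str:
    """Assumed buckets: browser-profile noise, unattributed (pathless) file, other."""
    if entry.path is None:
        return "unattributed"
    if "\\Microsoft\\Edge\\User Data" in entry.path:
        return "browser-profile"
    return "other"


def unattributed_hashes(entries: list[DownloadEntry], min_size: int = 64 * 1024) -> list[str]:
    """SHA-256 of pathless entries of at least min_size bytes: the ones worth pivoting on."""
    return sorted(e.sha256 for e in entries if classify(e) == "unattributed" and e.size_bytes >= min_size)


if __name__ == "__main__":
    for e in parse_downloads(SAMPLE_DOWNLOADS):
        print(f"{classify(e):16} {e.size_bytes:>8} B  {e.sha256}  {e.path or '-'}")
```

Of the three sample entries only the 1.8MB pathless file passes the threshold; the 152B pathless entry and the Edge profile temp file are filtered out. The threshold is a coarse proxy, so pass min_size=0 when the goal is a complete hash set rather than a short pivot list.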