Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-09-2024 11:47
Static task: static1
Behavioral task: behavioral1
Sample: bbad8a2761f1a01b46d06467cf1b0788d99432eabc0a5f154aca73329c1e22cd.exe
Resource: win10v2004-20240802-en
General
Target: bbad8a2761f1a01b46d06467cf1b0788d99432eabc0a5f154aca73329c1e22cd.exe
Size: 1.8MB
MD5: a95f656967876bb1e09fc882e5e2fd57
SHA1: 80539c31b4c982bfd8bb0f932130a3cfc96b89d7
SHA256: bbad8a2761f1a01b46d06467cf1b0788d99432eabc0a5f154aca73329c1e22cd
SHA512: 0d5a50a9ec1e445184c75b7381130cdd70c015da96543edc5a69d4568dadd278ca44845f7fae2755ce35a2cb3245751a2b4dd6b87a640b9d15f0510dcf6dbc08
SSDEEP: 49152:siW7tiKRO+iy4JlTtHq9DFQDkbjCmXiHNT18NMZ4Ms:siEtBRO+ibJl5KdF3SaMr
Malware Config
Extracted: amadey
  4.41
  c7817d
  http://31.41.244.10
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php
Extracted: stealc
  rave
  http://185.215.113.103
  url_path: /e2b1563c6670f193.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes (process: description ioc):
- 0411144cca.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- svoutse.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- svoutse.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- bbad8a2761f1a01b46d06467cf1b0788d99432eabc0a5f154aca73329c1e22cd.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- svoutse.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- 7c6a013554.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (process: description ioc):
- 0411144cca.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 0411144cca.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- bbad8a2761f1a01b46d06467cf1b0788d99432eabc0a5f154aca73329c1e22cd.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 7c6a013554.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 7c6a013554.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- bbad8a2761f1a01b46d06467cf1b0788d99432eabc0a5f154aca73329c1e22cd.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes (process: description ioc):
- bbad8a2761f1a01b46d06467cf1b0788d99432eabc0a5f154aca73329c1e22cd.exe: Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation
- svoutse.exe: Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 6 IoCs
Processes (pid process):
- 396 svoutse.exe
- 4856 7c6a013554.exe
- 372 0411144cca.exe
- 4628 b65e535902.exe
- 6092 svoutse.exe
- 5028 svoutse.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (process: description ioc):
- 7c6a013554.exe: Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine
- 0411144cca.exe: Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine
- svoutse.exe: Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine
- svoutse.exe: Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine
- bbad8a2761f1a01b46d06467cf1b0788d99432eabc0a5f154aca73329c1e22cd.exe: Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine
- svoutse.exe: Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine
Adds Run key to start application 2 TTPs 1 IoCs
Processes (process: description ioc):
- svoutse.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0411144cca.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\0411144cca.exe"
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource: yara_rule):
- C:\Users\Admin\AppData\Local\Temp\1000033001\b65e535902.exe: autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes (pid process):
- 840 bbad8a2761f1a01b46d06467cf1b0788d99432eabc0a5f154aca73329c1e22cd.exe
- 396 svoutse.exe
- 4856 7c6a013554.exe
- 372 0411144cca.exe
- 6092 svoutse.exe
- 5028 svoutse.exe
Drops file in Windows directory 1 IoCs
Processes (process: description ioc):
- bbad8a2761f1a01b46d06467cf1b0788d99432eabc0a5f154aca73329c1e22cd.exe: File created C:\Windows\Tasks\svoutse.job
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (process: description ioc):
- bbad8a2761f1a01b46d06467cf1b0788d99432eabc0a5f154aca73329c1e22cd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- svoutse.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 7c6a013554.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 0411144cca.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- b65e535902.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (process: description ioc):
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Modifies registry class 1 IoCs
Processes (process: description ioc):
- msedge.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes (pid process, unique rows):
- 840 bbad8a2761f1a01b46d06467cf1b0788d99432eabc0a5f154aca73329c1e22cd.exe
- 396 svoutse.exe
- 4856 7c6a013554.exe
- 372 0411144cca.exe
- 2156 msedge.exe
- 1876 msedge.exe
- 7032 identity_helper.exe
- 6092 svoutse.exe
- 5028 svoutse.exe
- 4092 msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid process):
- 4628 b65e535902.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs
Processes (pid process, unique rows):
- 1876 msedge.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (pid process, unique rows):
- 4628 b65e535902.exe
- 1876 msedge.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes (pid process, unique rows):
- 4628 b65e535902.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid process -> target pid target process, unique rows):
- 840 bbad8a2761f1a01b46d06467cf1b0788d99432eabc0a5f154aca73329c1e22cd.exe wrote to memory of 396 svoutse.exe
- 396 svoutse.exe wrote to memory of 4856 7c6a013554.exe
- 396 svoutse.exe wrote to memory of 372 0411144cca.exe
- 396 svoutse.exe wrote to memory of 4628 b65e535902.exe
- 4628 b65e535902.exe wrote to memory of 1876 msedge.exe
- 1876 msedge.exe wrote to memory of 1012 msedge.exe
- 1876 msedge.exe wrote to memory of 3276 msedge.exe
- 1876 msedge.exe wrote to memory of 2156 msedge.exe
- 1876 msedge.exe wrote to memory of 1368 msedge.exe
Processes (tree; indentation shows parent/child depth)
"C:\Users\Admin\AppData\Local\Temp\bbad8a2761f1a01b46d06467cf1b0788d99432eabc0a5f154aca73329c1e22cd.exe" (depth 1, PID 840)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe" (depth 2, PID 396)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Roaming\1000026000\7c6a013554.exe" (depth 3, PID 4856)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    "C:\Users\Admin\AppData\Local\Temp\1000030001\0411144cca.exe" (depth 3, PID 372)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    "C:\Users\Admin\AppData\Local\Temp\1000033001\b65e535902.exe" (depth 3, PID 4628)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password (depth 4, PID 1876)
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d0b046f8,0x7ff8d0b04708,0x7ff8d0b04718 (depth 5, PID 1012)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2 (depth 5, PID 3276)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3 (depth 5, PID 2156)
        - Suspicious behavior: EnumeratesProcesses
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8 (depth 5, PID 1368)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1 (depth 5, PID 1224)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1 (depth 5, PID 1912)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1 (depth 5, PID 1460)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1 (depth 5, PID 3624)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1 (depth 5, PID 2676)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1 (depth 5, PID 744)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1 (depth 5, PID 2112)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1 (depth 5, PID 4828)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1 (depth 5, PID 2172)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1 (depth 5, PID 3052)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1 (depth 5, PID 5180)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1 (depth 5, PID 5188)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1 (depth 5, PID 5196)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1 (depth 5, PID 5204)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1 (depth 5, PID 5212)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1 (depth 5, PID 5220)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1 (depth 5, PID 5388)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1 (depth 5, PID 5396)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1 (depth 5, PID 5408)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1 (depth 5, PID 5416)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1 (depth 5, PID 5604)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1 (depth 5, PID 5788)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1 (depth 5, PID 5796)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1 (depth 5, PID 5844)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:15⤵PID:5860
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:15⤵PID:1664
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:15⤵PID:2320
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7640 /prefetch:15⤵PID:4560
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:15⤵PID:3312
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:15⤵PID:6560
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:15⤵PID:6568
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7652 /prefetch:85⤵PID:6816
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7652 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:7032 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10540077680998733328,7648125895435251677,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7460 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4092
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2736
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5620
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6092
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5028
Network
MITRE ATT&CK Enterprise v15
Downloads