Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-09-2024 13:01
Static task: static1
Behavioral task: behavioral1
Sample: 4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe
Resource: win10v2004-20240802-en
General
Target: 4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe
Size: 1.8MB
MD5: 26166cfdb67a25db0273b7840ca4d9f7
SHA1: b61401f3e1e789d805aa23137a3e9e3b78da59bd
SHA256: 4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f
SHA512: 66ef7f10c1d5bcdac62891b14ee09eb75211712dc1f2283a0db1317500facc17de9e6e652f0d03c5469fc0edaf6b362b57ab720b162facdc369b48d20e4ce36a
SSDEEP: 49152:azoquA+/nmvOcqak2PsYbpI80cLKAha3+:azDuAImvOcqCEYbhzLlho+
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php
Extracted
Family: stealc
Botnet: rave
C2: http://185.215.113.103
url_path: /e2b1563c6670f193.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f929341d7b.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6872f6481d.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6872f6481d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f929341d7b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6872f6481d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f929341d7b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | 4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | svoutse.exe
Executes dropped EXE (6 IoCs)
Processes:
pid | process
1404 | svoutse.exe
3460 | 6872f6481d.exe
384 | f929341d7b.exe
2688 | bab3876a48.exe
2592 | svoutse.exe
5748 | svoutse.exe
Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | 4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | 6872f6481d.exe
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | f929341d7b.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f929341d7b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\f929341d7b.exe" | svoutse.exe
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000033001\bab3876a48.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes:
pid | process
2652 | 4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe
1404 | svoutse.exe
3460 | 6872f6481d.exe
384 | f929341d7b.exe
2592 | svoutse.exe
5748 | svoutse.exe
Drops file in Windows directory (1 IoC)
Processes:
description | ioc | process
File created | C:\Windows\Tasks\svoutse.job | 4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6872f6481d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f929341d7b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bab3876a48.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
pid | process
2652 | 4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe (2 entries)
1404 | svoutse.exe (2 entries)
3460 | 6872f6481d.exe (2 entries)
384 | f929341d7b.exe (2 entries)
3872 | msedge.exe (2 entries)
3972 | msedge.exe (2 entries)
5952 | identity_helper.exe (2 entries)
2592 | svoutse.exe (2 entries)
5748 | svoutse.exe (2 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
2688 | bab3876a48.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (33 IoCs)
Processes:
pid | process
3972 | msedge.exe (33 identical entries)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
pid | process
2652 | 4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe
2688 | bab3876a48.exe (2 entries)
3972 | msedge.exe (3 entries)
2688 | bab3876a48.exe (repeated for all remaining entries; 64 IoCs in total)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
pid | process
2688 | bab3876a48.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 2652 wrote to memory of 1404 | 2652 | 4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe | svoutse.exe (3 entries)
PID 1404 wrote to memory of 3460 | 1404 | svoutse.exe | 6872f6481d.exe (3 entries)
PID 1404 wrote to memory of 384 | 1404 | svoutse.exe | f929341d7b.exe (3 entries)
PID 1404 wrote to memory of 2688 | 1404 | svoutse.exe | bab3876a48.exe (3 entries)
PID 2688 wrote to memory of 3972 | 2688 | bab3876a48.exe | msedge.exe (2 entries)
PID 3972 wrote to memory of 1052 | 3972 | msedge.exe | msedge.exe (2 entries)
PID 3972 wrote to memory of 2672 | 3972 | msedge.exe | msedge.exe (repeated; the bulk of the 64 entries)
PID 3972 wrote to memory of 3872 | 3972 | msedge.exe | msedge.exe (2 entries)
PID 3972 wrote to memory of 3148 | 3972 | msedge.exe | msedge.exe (7 entries)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4627b125e316b49fbaa83c3c6132ec06b15d67bb6493552316decae452b9000f.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 2652
Level 2: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1404
Level 3: C:\Users\Admin\AppData\Roaming\1000026000\6872f6481d.exe
Command line: "C:\Users\Admin\AppData\Roaming\1000026000\6872f6481d.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 3460
Level 3: C:\Users\Admin\AppData\Local\Temp\1000030001\f929341d7b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\f929341d7b.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 384
Level 3: C:\Users\Admin\AppData\Local\Temp\1000033001\bab3876a48.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000033001\bab3876a48.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2688
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 3972
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdda0446f8,0x7ffdda044708,0x7ffdda044718
PID: 1052
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
PID: 2672
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID: 3872
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
PID: 3148
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
PID: 3024
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
PID: 4064
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:1
PID: 2304
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
PID: 4624
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
PID: 4600
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:1
PID: 4004
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
PID: 1804
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
PID: 2752
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
PID: 5280
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
PID: 5288
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
PID: 5456
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
PID: 5464
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
PID: 5472
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
PID: 5480
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
PID: 5488
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
PID: 5496
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
PID: 5504
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
PID: 5512
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
PID: 5520
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
PID: 5528
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
PID: 5536
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
PID: 5544
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
PID: 5552
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
PID: 5560
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:15⤵PID:5568
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:15⤵PID:5576
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:15⤵PID:5584
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:15⤵PID:5592
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:15⤵PID:5600
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:15⤵PID:5608
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:15⤵PID:5616
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:15⤵PID:5624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:15⤵PID:5632
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3092 /prefetch:85⤵PID:4072
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,16532355173340251854,17467562972430369413,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3092 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:5952
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4448
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1132
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2592
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5748
Network
MITRE ATT&CK Enterprise v15
Downloads