Analysis

- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-09-2024 13:21

Static task: static1
Behavioral task: behavioral1
Sample: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
Resource: win7-20240903-en
General

- Target: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
- Size: 1.8MB
- MD5: 34c7ab92d1a35ce4ba88bc394e2a25f2
- SHA1: 72cec5d2f3bcd4c72a8bac0824655446220d0cf7
- SHA256: 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476
- SHA512: e77e2efa1db8152eb8fdbd5247e6e399930ef77d3dc6fba0cf6098308415292949884f59fc895e3882baa2e333ecd0c55f9d55c043cfa846e3edddfab77076c0
- SSDEEP: 49152:dWY7UJXY0VXFJPjp4r9XSafQW8JGdjJw6FBPx54R3PGCNf:fcT7pa9iafQpJGFJ1rstf
Malware Config

Extracted: amadey
  4.41
  c7817d
  http://31.41.244.10
  - install_dir: 0e8d0864aa
  - install_file: svoutse.exe
  - strings_key: 5481b88a6ef75bcf21333988a4e47048
  - url_paths: /Dem7kTu/index.php

Extracted: stealc
  rave
  http://185.215.113.103
  - url_path: /e2b1563c6670f193.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | df41356fb1.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 96783aaf7c.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe

Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | df41356fb1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 96783aaf7c.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | df41356fb1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 96783aaf7c.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | svoutse.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
Executes dropped EXE (7 IoCs)
Processes:
  pid | process
  728 | svoutse.exe
  1052 | svoutse.exe
  5084 | df41356fb1.exe
  4844 | 96783aaf7c.exe
  4752 | 5486b08c45.exe
  4416 | svoutse.exe
  3580 | svoutse.exe
Identifies Wine through registry keys (2 TTPs, 7 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | df41356fb1.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | 96783aaf7c.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | svoutse.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\96783aaf7c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\96783aaf7c.exe" | svoutse.exe
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\1000033001\5486b08c45.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
Processes:
  pid | process
  4832 | 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
  728 | svoutse.exe
  1052 | svoutse.exe
  5084 | df41356fb1.exe
  4844 | 96783aaf7c.exe
  4416 | svoutse.exe
  3580 | svoutse.exe
Drops file in Windows directory (1 IoC)
Processes:
  description | ioc | process
  File created | C:\Windows\Tasks\svoutse.job | 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | df41356fb1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 96783aaf7c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5486b08c45.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies data under HKEY_USERS (2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133703617726891803" | msedge.exe
Modifies registry class (2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{10C16691-5760-4565-AC34-855441DF5CEF} | msedge.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
  pid | process
  4832 | 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe (2 entries)
  728 | svoutse.exe (2 entries)
  1052 | svoutse.exe (2 entries)
  5084 | df41356fb1.exe (2 entries)
  4844 | 96783aaf7c.exe (2 entries)
  4416 | svoutse.exe (2 entries)
  1796 | msedge.exe (2 entries)
  3580 | svoutse.exe (2 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  4752 | 5486b08c45.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (27 IoCs)
Processes:
  pid | process
  1796 | msedge.exe (all 27 entries)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
  pid | process
  4832 | 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
  4752 | 5486b08c45.exe (2 entries)
  1796 | msedge.exe (2 entries)
  4752 | 5486b08c45.exe (all remaining entries, 64 in total)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
  pid | process
  4752 | 5486b08c45.exe (all 64 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description | pid | process | target process
  PID 4832 wrote to memory of 728 | 4832 | 2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe | svoutse.exe (3 entries)
  PID 728 wrote to memory of 5084 | 728 | svoutse.exe | df41356fb1.exe (3 entries)
  PID 728 wrote to memory of 4844 | 728 | svoutse.exe | 96783aaf7c.exe (3 entries)
  PID 728 wrote to memory of 4752 | 728 | svoutse.exe | 5486b08c45.exe (3 entries)
  PID 4752 wrote to memory of 1796 | 4752 | 5486b08c45.exe | msedge.exe (2 entries)
  PID 1796 wrote to memory of 4488 | 1796 | msedge.exe | msedge.exe (2 entries)
  PID 1796 wrote to memory of 2792 | 1796 | msedge.exe | msedge.exe (all remaining entries, 64 in total)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 4832
Level 2: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 728
Level 3: C:\Users\Admin\AppData\Roaming\1000026000\df41356fb1.exe
  Command line: "C:\Users\Admin\AppData\Roaming\1000026000\df41356fb1.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 5084
Level 3: C:\Users\Admin\AppData\Local\Temp\1000030001\96783aaf7c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\96783aaf7c.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 4844
Level 3: C:\Users\Admin\AppData\Local\Temp\1000033001\5486b08c45.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000033001\5486b08c45.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4752
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 1796
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff95e63d198,0x7ff95e63d1a4,0x7ff95e63d1b0
  PID: 4488

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2228,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2188 /prefetch:2
  PID: 2792

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1844,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:3
  PID: 4852

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2500,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:8
  PID: 964

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3500,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
  PID: 3868

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3508,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:1
  PID: 1416

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4508,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4520 /prefetch:1
  PID: 1576

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:2
  PID: 448

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5004,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:1
  PID: 1300

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=5020,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5048 /prefetch:2
  PID: 2980

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5288,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:2
  PID: 1676

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4092,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5440 /prefetch:2
  PID: 2852

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4024,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:1
  PID: 4456

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5468,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5728 /prefetch:2
  PID: 100

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5852,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5864 /prefetch:1
  PID: 2308

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5916,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5880 /prefetch:2
  PID: 5076

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6120,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6132 /prefetch:1
  PID: 3228

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=6140,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:2
  PID: 1752

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6156,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6400 /prefetch:1
  PID: 5144

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=6460,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:2
  PID: 5152

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5628,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6696 /prefetch:1
  PID: 5168

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6408,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6832 /prefetch:2
  PID: 5180

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=7256,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7268 /prefetch:1
  PID: 5500

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=7244,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7388 /prefetch:1
  PID: 5508
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=7272,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7624 /prefetch:15⤵PID:5516
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=7300,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7752 /prefetch:15⤵PID:5524
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7284,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7768 /prefetch:15⤵PID:5532
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7356,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7884 /prefetch:15⤵PID:5540
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7348,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=8000 /prefetch:15⤵PID:5548
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7648,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=8064 /prefetch:15⤵PID:5556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=8120,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6716 /prefetch:15⤵PID:5680
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --field-trial-handle=7528,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7604 /prefetch:85⤵PID:6044
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=6544,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:85⤵PID:6016
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=6544,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:85⤵PID:5124
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=560,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6976 /prefetch:85⤵PID:4544
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=6444,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6984 /prefetch:85⤵PID:2500
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6916,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6980 /prefetch:85⤵PID:5820
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3708,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:81⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4416
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3580
Network
MITRE ATT&CK Enterprise v15
Downloads