Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09-09-2024 14:47
Static task
static1
Behavioral task
behavioral1
Sample
c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
Resource
win10v2004-20240802-en
General
-
Target
c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
-
Size
1.8MB
-
MD5
d5fcf8cf3ca99a694ee9b8a97776e64a
-
SHA1
07542ce45f902bdc773702e17621cc600d3df50b
-
SHA256
c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d
-
SHA512
90da999cc41cef8a44a3b0186b2de606567414024a60e1467f970e39d64f67af254067e11ac19c7f8f7e1e270c3a71cd9214de4773044e68616dfb053c058e2e
-
SSDEEP
49152:Bjnly4R2PVRilKbs9cRs+Ams7U9N2hk1:BjljR2dol0sMfzKhk1
Malware Config
Extracted
amadey
4.41
c7817d
http://31.41.244.10
-
install_dir
0e8d0864aa
-
install_file
svoutse.exe
-
strings_key
5481b88a6ef75bcf21333988a4e47048
-
url_paths
/Dem7kTu/index.php
Extracted
stealc
rave
http://185.215.113.103
-
url_path
/e2b1563c6670f193.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
svoutse.exe08ad955ded.exe99cc787ee0.exesvoutse.exesvoutse.exec583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exesvoutse.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 08ad955ded.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 99cc787ee0.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
svoutse.exesvoutse.exesvoutse.exec583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe99cc787ee0.exesvoutse.exe08ad955ded.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 99cc787ee0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 08ad955ded.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 08ad955ded.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 99cc787ee0.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exesvoutse.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation svoutse.exe -
Executes dropped EXE 7 IoCs
Processes:
svoutse.exesvoutse.exe08ad955ded.exe99cc787ee0.exe99cc787ee0.exesvoutse.exesvoutse.exepid process 4664 svoutse.exe 3880 svoutse.exe 1372 08ad955ded.exe 4844 99cc787ee0.exe 4608 99cc787ee0.exe 3972 svoutse.exe 2884 svoutse.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
svoutse.exec583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exesvoutse.exesvoutse.exe08ad955ded.exe99cc787ee0.exesvoutse.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine svoutse.exe Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine svoutse.exe Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine svoutse.exe Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine 08ad955ded.exe Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine 99cc787ee0.exe Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine svoutse.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
svoutse.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\99cc787ee0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\99cc787ee0.exe" svoutse.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000033001\99cc787ee0.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exesvoutse.exesvoutse.exe08ad955ded.exe99cc787ee0.exesvoutse.exesvoutse.exepid process 3600 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe 4664 svoutse.exe 3880 svoutse.exe 1372 08ad955ded.exe 4844 99cc787ee0.exe 3972 svoutse.exe 2884 svoutse.exe -
Drops file in Windows directory 1 IoCs
Processes:
c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exedescription ioc process File created C:\Windows\Tasks\svoutse.job c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
svoutse.exe08ad955ded.exe99cc787ee0.exe99cc787ee0.exec583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svoutse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08ad955ded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 99cc787ee0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 99cc787ee0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exesvoutse.exesvoutse.exe08ad955ded.exe99cc787ee0.exemsedge.exemsedge.exeidentity_helper.exesvoutse.exesvoutse.exepid process 3600 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe 3600 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe 4664 svoutse.exe 4664 svoutse.exe 3880 svoutse.exe 3880 svoutse.exe 1372 08ad955ded.exe 1372 08ad955ded.exe 4844 99cc787ee0.exe 4844 99cc787ee0.exe 3504 msedge.exe 3504 msedge.exe 4416 msedge.exe 4416 msedge.exe 3860 identity_helper.exe 3860 identity_helper.exe 3972 svoutse.exe 3972 svoutse.exe 2884 svoutse.exe 2884 svoutse.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
99cc787ee0.exepid process 4608 99cc787ee0.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs
Processes:
msedge.exepid process 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe 4416 msedge.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
99cc787ee0.exemsedge.exepid process 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4416 msedge.exe 4416 msedge.exe 4608 99cc787ee0.exe 4416 msedge.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
99cc787ee0.exepid process 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe 4608 99cc787ee0.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exesvoutse.exe99cc787ee0.exemsedge.exedescription pid process target process PID 3600 wrote to memory of 4664 3600 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe svoutse.exe PID 3600 wrote to memory of 4664 3600 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe svoutse.exe PID 3600 wrote to memory of 4664 3600 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe svoutse.exe PID 4664 wrote to memory of 1372 4664 svoutse.exe 08ad955ded.exe PID 4664 wrote to memory of 1372 4664 svoutse.exe 08ad955ded.exe PID 4664 wrote to memory of 1372 4664 svoutse.exe 08ad955ded.exe PID 4664 wrote to memory of 4844 4664 svoutse.exe 99cc787ee0.exe PID 4664 wrote to memory of 4844 4664 svoutse.exe 99cc787ee0.exe PID 4664 wrote to memory of 4844 4664 svoutse.exe 99cc787ee0.exe PID 4664 wrote to memory of 4608 4664 svoutse.exe 99cc787ee0.exe PID 4664 wrote to memory of 4608 4664 svoutse.exe 99cc787ee0.exe PID 4664 wrote to memory of 4608 4664 svoutse.exe 99cc787ee0.exe PID 4608 wrote to memory of 4416 4608 99cc787ee0.exe msedge.exe PID 4608 wrote to memory of 4416 4608 99cc787ee0.exe msedge.exe PID 4416 wrote to memory of 4016 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 4016 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3000 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3504 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 3504 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 4084 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 4084 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 4084 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 4084 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 4084 4416 msedge.exe msedge.exe PID 4416 wrote to memory of 4084 4416 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe"C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Users\Admin\AppData\Roaming\1000026000\08ad955ded.exe"C:\Users\Admin\AppData\Roaming\1000026000\08ad955ded.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1372 -
C:\Users\Admin\AppData\Local\Temp\1000030001\99cc787ee0.exe"C:\Users\Admin\AppData\Local\Temp\1000030001\99cc787ee0.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\1000033001\99cc787ee0.exe"C:\Users\Admin\AppData\Local\Temp\1000033001\99cc787ee0.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbee1246f8,0x7ffbee124708,0x7ffbee1247185⤵PID:4016
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:25⤵PID:3000
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:3504 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:85⤵PID:4084
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:15⤵PID:1292
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:15⤵PID:3928
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:15⤵PID:3124
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:15⤵PID:3704
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:15⤵PID:4496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:15⤵PID:3076
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:15⤵PID:2080
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:15⤵PID:4220
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:15⤵PID:948
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:15⤵PID:4776
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:15⤵PID:4856
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:15⤵PID:3468
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:15⤵PID:556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:15⤵PID:1644
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:15⤵PID:116
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:15⤵PID:220
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:15⤵PID:3820
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:15⤵PID:1528
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:15⤵PID:4992
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:15⤵PID:2324
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:15⤵PID:5016
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:15⤵PID:524
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:15⤵PID:5128
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:15⤵PID:5136
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:15⤵PID:5156
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:15⤵PID:5164
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:15⤵PID:5172
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:15⤵PID:5180
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:15⤵PID:5188
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:15⤵PID:5196
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:15⤵PID:5756
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:15⤵PID:5796
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8032 /prefetch:15⤵PID:5156
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7324 /prefetch:85⤵PID:6000
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11510054031048855456,336799601486973634,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7324 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:3860
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3880
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4324
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:6016
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3972
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2884
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\44aa2434-d031-44a6-9495-2b340a781e67.tmp
Filesize9KB
MD5ca23024e18b5abfcc0f97adb75d62170
SHA186af723c1c75fa76c80d6ccb0e57a5b7a1fa41d2
SHA256724299d7840dae5302522bf256ac1764fa07090d7ad47f9e7fc4215200d019b2
SHA512a10874e7ddd3ecf979bdf89c956cb1954305e70b13c94407226532863c3fd4cc195adeb40c25db890587c5ecba296adc7ec8b77dd66573be912cec8745a1b627
-
Filesize
152B
MD548f21a709a35429a693230ddf7f40dd5
SHA1124fac3753fb327c36a64e1a0cef8470948d8322
SHA2567f0b1bae29fc94c6a6210f3a73bb871c91ffa2428dac1b55965cd5db17bec9ee
SHA5123fa13d590b9d5e57941ce36ab17bd7e341de0d7aa08fb16d267f6abf7167c36abb0b1fd39e2f3b7c430d8f3c6930683cce2b0f1ac52afe99b76a15ba6b3ab669
-
Filesize
152B
MD590aff6a94b27c8982017de5cbff48294
SHA19b14bf60854936580fdd10bd9b4ffeb76bc38e44
SHA256eb9839b44fa1cde42a687000023f6b6cfa4ed58a6a0720054c6e633f55addb67
SHA512cf619e0e9dff2a8bb11156c66a84addb8de296326e953469102100a3b1cf17f7dd71fdea56dd783c96050b395185c67ae0f61cdf5e7d618bb8e772a4dc28bdc1
-
Filesize
152B
MD5e9f216ace133839e4796862f246813e2
SHA1d794fd916c59a21ff13adfb0654769e7e038b71b
SHA256b5f873cf68b5dbf6646ba38d782a4181f55e3c82c38631c2986e62d5b7a890c6
SHA512c3171c2a871be7fe06eefd923da61dd092b215b1e91058084cc137bd0b9d2f042ee7d0a402792c977ee5dec2643746e60a1705bb2f7622c33c32c8609eaef7fb
-
Filesize
20B
MD59e4e94633b73f4a7680240a0ffd6cd2c
SHA1e68e02453ce22736169a56fdb59043d33668368f
SHA25641c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
1KB
MD5cc119fc8aa3bcb5117d64652a051d9e1
SHA17209dd4eac13c7ab02190624c8b6e2a9a51cf12d
SHA256197dd6cc2c5f9f88ea6290e9a5b4af762c17cbc0dabc662d1995caf03d75ead1
SHA512fb139e1b1dff92b14798bcea5557f18b7d811720647b88251c8131513a9d4a7a5e76c738532f10b69b7a4d282dfbbe5025a79229a7721192e62b542f1726e143
-
Filesize
4KB
MD508718aba83d1699ff19eb56e643e4d14
SHA1ea2e687f112c4d8c48167cfd76d4bc2ede36be88
SHA2561fbf0f6c61622c39cc16720cf1129893ec1f28a2b59367ae0c26bf45ef944a42
SHA51222932cc357ca58bae4dc97a3e59713eca576856f3c14a2996cb942d0c4405738f55db7b36a2526aa1470650afb3277e9915ceeeb745746d6f7fcb8b936780c22
-
Filesize
4KB
MD5f49fce02b09c71eee081bd13f9a633e0
SHA13e6291fad2ccfb9567fb9489b28661682347d88e
SHA25604c42c7d8ce5893e0ac6c09ca092d08161c2b218f26b40b6f46e5f003b572b95
SHA512c616f6ccd898f8177de40fd3925f8c797d00e6da0438996994f39ebb8362e771b34186bd01b7ffdf3e8ddf300c3ddc498877648ac00a598893c45cadba6222a1
-
Filesize
4KB
MD5a0f31586fd598328abfdd35e9f4d5429
SHA1aa21a42a940e656351c7b90099dff8e5f731540f
SHA256557bb9ad4bacd96fdc927b10a7b3f59ddfb7a29bc0431a20aa9d9b9866ba7675
SHA512aa8b2289b721dbb0f24a54c62410b7f1aa599b95a234766afb06a817c3e064625823c1c16b5e9885e66fba4202d6ad76cfc9408b6f6f52ffde566b407d4391e4
-
Filesize
4KB
MD5811262096e001a5244e12b9b39dffbef
SHA1dfd0286763f22c77164a60446d2fe233a91ca1b6
SHA2565889fdf6c90449b0b31d537a1dc0645f45e3ad79c8b14fcc3a2f0c63e40cb51b
SHA51231c5b922f40da2d99329b33a88ce67fd93041ca430675d71cce253316817885c06c1c6ed0360058ba9686ce0e0637bf968be279fa8373d61cf006d5c884bb8f0
-
Filesize
24KB
MD5d59110565d09167e68d51600cd44f599
SHA13316f8462bc6fcef854ae47471eb220e89c755b9
SHA256c42ede860eb783aa2a7df379b787857058482238a46e42c15c43cb2d7c4608a9
SHA512a92d84dabe11b6fd73b689681c4081727116edf9f021614fd1469a7602ba38726840de6ddec462c89734b544b2c9a69c3f0d08d9fc9e16654c9e40ccebbd77e5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe5861f1.TMP
Filesize24KB
MD5504237ad0e94e644e5c3447a70cb04bc
SHA188fc321a17ce27a0d8c6db8edc69cde07e399f08
SHA2569a954565832f5fef87dfc0fe239fe83ad780c31ed0dbb4142e8e076be947c2d4
SHA512d0107966dbf53f2fe581091c7987d841525d8ef5db9f593aad6a473fc9957a93e3bad976d758ac0a4be622e292200613510c00d295316a054bcf7590e1553731
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
Filesize8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
Filesize264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2
Filesize8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3
Filesize8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
Filesize16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
1.8MB
MD5d5fcf8cf3ca99a694ee9b8a97776e64a
SHA107542ce45f902bdc773702e17621cc600d3df50b
SHA256c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d
SHA51290da999cc41cef8a44a3b0186b2de606567414024a60e1467f970e39d64f67af254067e11ac19c7f8f7e1e270c3a71cd9214de4773044e68616dfb053c058e2e
-
Filesize
896KB
MD580351281b65e08b2ce36f4f40df8a5f1
SHA1fc5458c1c2b72403509f9c9c0a33801d92650424
SHA256e597fb772319a806f79e33ebe4faaeca8497afbbc3081c9379ea6e9b3c1756b7
SHA512e9aa6ac8cc70a1e8af9d0620906e9f53999bab86965e21affbb53bc6e52a28ab3da8d5924c2f877262e8103807762cd6ffea82e0262fa907fbc3fac159734973
-
Filesize
1.7MB
MD5110750350e3f833d4de59ed0c7dd1b08
SHA1ff21c68dad2c4733ced39aabd130e0406a56ed58
SHA256d89f747d96c84dcd1a704731dd4261f6eb69f1498a05cae00a4635169ce5ec20
SHA512df963df25b627e0aa446c0170acbfd3589d0b243eae8c34d84cd77940ee1d58b90f4a4739c10053eedd3dc1036a20aaf8cf202c8ed991b487712137ec0d52493
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T9VNYHSHNAWQADGVBNXA.temp
Filesize3KB
MD53591e00e7ae8ef9dc10d7aa138aa8856
SHA13b8b4a5c03d42ab236f35c4da527e6ab80eac733
SHA256b7c067b98c11595f989f033b6a51c44a55abec9091256402562aa577c808baaf
SHA512116152e89de2b8817df2bd8eaffbac523642f862a877c4c87b3bb1bd596fdd173da9f90608db47435d20587128ca6deb6e4c0b1d3ddccf30d1acc85928ff89d5
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e