Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
- submitted: 09-09-2024 15:25
Static task: static1
Behavioral task: behavioral1
- Sample: d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe
- Resource: win7-20240903-en
General
- Target: d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe
- Size: 1.7MB
- MD5: fce0e8e783b3a5376920ae6a4ecebe77
- SHA1: 8c545284615c0675ce9136895ab7d510aef5bbb2
- SHA256: d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423
- SHA512: 33e2fe5f66f465cf584476efaff5642cbc6c056324293d6b0532c9d5fb707ac7e13f29d4f185ca5f609da8d5fe4219dac314ba43927c836c84dcfa02fc93002d
- SSDEEP: 24576:DLK8L87DESeyOAd5HT6aXZDjp/mqfTpdiHF4KtGyVdsdrvo4HY7F6f2IF:DLKrDOy2QBZTGFFtGMspRb
Malware Config
Extracted
- Family: stealc
- Botnet: rave
- C2: http://185.215.113.103
- url_path: /e2b1563c6670f193.php
Extracted
- Family: amadey
- Version: 4.41
- Botnet: c7817d
- C2: http://31.41.244.10
- install_dir: 0e8d0864aa
- install_file: svoutse.exe
- strings_key: 5481b88a6ef75bcf21333988a4e47048
- url_paths: /Dem7kTu/index.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
- svoutse.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- fa95c0d4a4.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- e7b6b37b53.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- svoutse.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- svoutse.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- IJEGHJECFC.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- e7b6b37b53.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- e7b6b37b53.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- IJEGHJECFC.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- IJEGHJECFC.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- fa95c0d4a4.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- fa95c0d4a4.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe: Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation
- IJEGHJECFC.exe: Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation
- svoutse.exe: Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 7 IoCs
Processes:
- PID 4652: IJEGHJECFC.exe
- PID 4284: svoutse.exe
- PID 2576: fa95c0d4a4.exe
- PID 2060: e7b6b37b53.exe
- PID 4636: 643ec47040.exe
- PID 2284: svoutse.exe
- PID 332: svoutse.exe
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- e7b6b37b53.exe: Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine
- svoutse.exe: Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine
- svoutse.exe: Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine
- d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe: Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine
- IJEGHJECFC.exe: Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine
- svoutse.exe: Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine
- fa95c0d4a4.exe: Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine
Loads dropped DLL 2 IoCs
Processes:
- PID 1292: d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe
- PID 1292: d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- svoutse.exe: Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e7b6b37b53.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\e7b6b37b53.exe"
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
- C:\Users\Admin\AppData\Local\Temp\1000033001\643ec47040.exe: matched YARA rule autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
- PID 1292: d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe
- PID 4652: IJEGHJECFC.exe
- PID 4284: svoutse.exe
- PID 2576: fa95c0d4a4.exe
- PID 2060: e7b6b37b53.exe
- PID 2284: svoutse.exe
- PID 332: svoutse.exe
Drops file in Windows directory 1 IoCs
Processes:
- IJEGHJECFC.exe: File created C:\Windows\Tasks\svoutse.job
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- IJEGHJECFC.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- svoutse.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- fa95c0d4a4.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- e7b6b37b53.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 643ec47040.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Modifies registry class 1 IoCs
Processes:
- msedge.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
- PID 1292: d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe
- PID 1292: d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe
- PID 1292: d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe
- PID 1292: d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe
- PID 1292: d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe
- PID 1292: d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe
- PID 4652: IJEGHJECFC.exe
- PID 4652: IJEGHJECFC.exe
- PID 4284: svoutse.exe
- PID 4284: svoutse.exe
- PID 2576: fa95c0d4a4.exe
- PID 2576: fa95c0d4a4.exe
- PID 2060: e7b6b37b53.exe
- PID 2060: e7b6b37b53.exe
- PID 3892: msedge.exe
- PID 3892: msedge.exe
- PID 3044: msedge.exe
- PID 3044: msedge.exe
- PID 5500: identity_helper.exe
- PID 5500: identity_helper.exe
- PID 2284: svoutse.exe
- PID 2284: svoutse.exe
- PID 332: svoutse.exe
- PID 332: svoutse.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 4636: 643ec47040.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d2933695af37c10388ff102f6193b2749545ece3b2e13dbc8c3c715396658423.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1292
C:\Windows\SysWOW64\cmd.exe (level 2)
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\IJEGHJECFC.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2268
C:\ProgramData\IJEGHJECFC.exe (level 3)
Command line: "C:\ProgramData\IJEGHJECFC.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 4652
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (level 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4284
C:\Users\Admin\AppData\Roaming\1000026000\fa95c0d4a4.exe (level 5)
Command line: "C:\Users\Admin\AppData\Roaming\1000026000\fa95c0d4a4.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2576
C:\Users\Admin\AppData\Local\Temp\1000030001\e7b6b37b53.exe (level 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\e7b6b37b53.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2060
C:\Users\Admin\AppData\Local\Temp\1000033001\643ec47040.exe (level 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000033001\643ec47040.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4636
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 3044
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fe3546f8,0x7ff9fe354708,0x7ff9fe354718
PID: 4764
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
PID: 3752
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID: 3892
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
PID: 3188
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
PID: 4072
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
PID: 2004
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
PID: 4272
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
PID: 4204
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
PID: 2144
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
PID: 4644
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1
PID: 3968
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1
PID: 1160
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
PID: 4348
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
PID: 2968
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
PID: 1108
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
PID: 2688
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
PID: 1516
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
PID: 3840
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
PID: 1388
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:17⤵PID:2468
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:17⤵PID:4464
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:17⤵PID:4604
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:17⤵PID:5184
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:17⤵PID:5192
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:17⤵PID:5352
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:17⤵PID:5432
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:17⤵PID:5440
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:17⤵PID:5448
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:17⤵PID:5576
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:17⤵PID:5644
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:17⤵PID:5792
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:17⤵PID:5924
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7696 /prefetch:17⤵PID:5180
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6768 /prefetch:87⤵PID:5144
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,2835300797839461460,5295129919901892726,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6768 /prefetch:87⤵
- Suspicious behavior: EnumeratesProcesses
PID:5500
-
PID 5176 (depth 1): C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 5956 (depth 1): C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 2284 (depth 1): C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
PID 332 (depth 1): C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
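The raw process tree above is rendered by the sandbox as one run-together line per process (image path, command line and nesting depth fused, then the PID), with behaviour signatures as bullets under the entry. The following parser, an added example and not part of the report or of any sandbox tooling, turns those raw lines into structured records and pulls out the processes that tripped anti-VM or anti-debug signatures. It assumes the layout "<image path><command line><depth>⤵PID:<pid>", or the same line ending at "⤵" followed by "- <signature>" bullets and a closing "PID:<pid>" line, with a bare "-" between entries; the depth is assumed to be a single digit, which holds for every entry in this report. The sample text is constructed from three of the entries above, with the Edge command line abridged.

```python
"""Parse raw sandbox process-tree lines into structured records.

Added example; not part of the report and not sandbox tooling. Assumes the
raw layout "<image path><command line><depth>⤵PID:<pid>", or that line
ending at "⤵" followed by "- <signature>" bullets and a final "PID:<pid>"
line, with a bare "-" between entries. Depth is taken to be one digit.
"""
import ntpath
import re
from dataclasses import dataclass, field

ARROW = "⤵"  # the glyph the report places before the PID

# Signature names from the report that point at anti-VM / anti-debug checks.
ANTI_ANALYSIS = (
    "Identifies VirtualBox",
    "Checks BIOS information",
    "Identifies Wine",
    "NtSetInformationThreadHideFromDebugger",
)

# Constructed from three entries of the report (Edge command line abridged).
SAMPLE = r"""
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --renderer-client-id=22 /prefetch:17⤵PID:1108
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5176
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2284
"""


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: int
    signatures: list = field(default_factory=list)
    parent: "Proc | None" = None


# Greedy ".*" leaves exactly one digit (the depth) in front of the arrow.
_HEAD = re.compile(r"^(?P<left>.*)(?P<depth>\d)" + ARROW + r"(?:PID:(?P<pid>\d+))?$")
# The image path ends at the first ".exe"; the command line then repeats it.
_IMAGE = re.compile(r"^.*?\.exe", re.IGNORECASE)


def parse_process_tree(text: str) -> list:
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        head = _HEAD.match(line)
        if head:
            left = head.group("left")
            m = _IMAGE.match(left)
            image = m.group(0) if m else left
            cur = Proc(image=image,
                       cmdline=left[len(image):].strip(),
                       depth=int(head.group("depth")),
                       pid=int(head.group("pid")) if head.group("pid") else -1)
            procs.append(cur)
        elif cur is not None and line.startswith("- "):
            cur.signatures.append(line[2:])
        elif cur is not None and line.startswith("PID:"):
            cur.pid = int(line[4:])
    # Parent = nearest earlier entry one level shallower (depth-first listing).
    stack = []
    for p in procs:
        while stack and stack[-1].depth >= p.depth:
            stack.pop()
        p.parent = stack[-1] if stack else None
        stack.append(p)
    return procs


def anti_analysis(procs) -> list:
    """(pid, image name) for each process that tripped an anti-analysis signature."""
    return [(p.pid, ntpath.basename(p.image)) for p in procs
            if any(key in sig for sig in p.signatures for key in ANTI_ANALYSIS)]


if __name__ == "__main__":
    tree = parse_process_tree(SAMPLE)
    for p in tree:
        print(f"depth {p.depth} pid {p.pid:<5} {ntpath.basename(p.image)}  {p.cmdline[:60]}")
    print("anti-analysis:", anti_analysis(tree))
```

Run it on the full raw tree and the output is a list of (pid, image) pairs you can hand straight to a hunt query; in this report only the svoutse.exe instances carry the VirtualBox, BIOS, Wine and HideFromDebugger signatures, the Edge renderers do not.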
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (4)
Downloads
-
Filesize: 1.8MB
MD5: d5fcf8cf3ca99a694ee9b8a97776e64a
SHA1: 07542ce45f902bdc773702e17621cc600d3df50b
SHA256: c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d
SHA512: 90da999cc41cef8a44a3b0186b2de606567414024a60e1467f970e39d64f67af254067e11ac19c7f8f7e1e270c3a71cd9214de4773044e68616dfb053c058e2e
-
Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\5044d8d9-4998-42a1-bff9-6f3c004e5ed0.tmp
Filesize: 9KB
MD5: 377407b84673e46cc62324e961eb2bbd
SHA1: 70363ce9e43e2ea7b4e88fa0fc83d8a7d8728aef
SHA256: 5875ebb45ffeb42b44b16d12a8668fc3724243e91e534140700d5bedd5c6a096
SHA512: 094103b8394aa7f025c10664ddcd8bcc9da3018c09f87886616138cef786bb444bdd957bb68e8eb178a48a077dc2402e92bd301765671a2f44077861145e3708
-
Filesize: 152B
MD5: d3f5d3285dbefbb83e86f8473211d3d8
SHA1: 724135ccb88b0eb1301cdaaae39999c7bd55c37b
SHA256: edfcc790114449647112df191be0a59f3afc1bfb7fcc701a378fc55b743cadcb
SHA512: 68b524e56e06e1ea0cd15dbe6e9ff6838aef45bf3400d5523b49cc4f0a23aafde28fd4b539795e77099dbec35c62107c30d1eef3c90ea05bd904eb77d2d4ddf6
-
Filesize: 152B
MD5: 462b68539ba60c97d36eb87605d7ac4f
SHA1: 822cacd4b1fca3bd63e7d7697e718e905bac64b0
SHA256: ad4998e256920621a384b92b361e564c3badead3c55d62e42f477a74475ff6dc
SHA512: 9026e5447bcadf53059fcfa7f968684a69b0b6e8ecc432ef4e435ee8372a32f39c2bc8a57c6548f81633d78cd323219e05abbf88c01cd3713d3bbc051c564ca9
-
Filesize: 152B
MD5: 6b27209b7f21c8a58dc31c0541681883
SHA1: 31ec98644bf2d7eca71064abfdfea400ea11f5fe
SHA256: 88dd08a2ee1438430e2115906110abb2e520fb187700b7b432d3a6bb2105121c
SHA512: 03b3669abc114a36123fe34a570a449319756dfb43d7a6a769e8ec31df0b5d85162640983b1a820682c5b1f4f00786fd6c1c0a4bfeed038dfd42b2eac4c6a830
-
Filesize: 20B
MD5: 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1: e68e02453ce22736169a56fdb59043d33668368f
SHA256: 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512: 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
Filesize: 1KB
MD5: fd298e8c63355f3c475494b2ed353aee
SHA1: 1f636ee1f84de40b7f6bd36a137e129dce8f2acf
SHA256: 26c1105d7b098b383a504df9e9ac49234ca9204eafa15de9a2f89d2a16a839c1
SHA512: 16227e372556259452af44e2ea74d159777ce85e555d8cd47e931195bc4f12ca41c1569faa034652ede8f169710120dc324eeed9b7514d26f230ce3e3ef20851
-
Filesize: 4KB
MD5: 2005f0d8a045f54d72c5c75c2c9813be
SHA1: 7c539827f8488461377f753855fa8a37144655e5
SHA256: 6aeee1d2ab1e511572186ae5555c98eee965a119d379ff8832ef5efe6e943637
SHA512: 395c80049d32d59982984821d2d44b6b76330dfa53a54403c2d3847921f2721dc38604acb6e89e07cabbcf1c04d32a17403aa1f981f157e4e05eeee234ffb8ca
-
Filesize: 4KB
MD5: 553dc19b5714bda6e7a8135437c94872
SHA1: b5d18ba9ae580263eee89f8a5d7c9f9dccbe7cc7
SHA256: c33235d510afd0477e8e3c34444f6d06c9b0b28a8bafec9950e387ce117d36a1
SHA512: 5559dfc4926f26342cef002d87d556e63f83da55181f750e1357940f4f0ca0ba20fd3f360c53f8c741f79f95852d4c2f64679e77fa1b63191b53671da9dd3cd6
-
Filesize: 4KB
MD5: f1ae11714ba6367acd88dba9a16c79f8
SHA1: fbd03552756c44338c80cf576ca469c723dc5f7e
SHA256: 2f10ba3624d0275309aae3921f18524aebb8ec068ddb15af29493146cd3b9e13
SHA512: 57db2da60f8ec0900873abbf823993fd0c048004a8e85690cc54d7fe6fd3597641f0e4c9d98d9aa384cef1c15296fa2c08f6fc8d7102eace0701e1d1d1380001
-
Filesize: 4KB
MD5: d30df5798ec5e2b977998b7f3499db8e
SHA1: 042a4579447bc1afe071c397646ca0de03646317
SHA256: fbd5f67b6b9e800291248e3c3d3d763fab3fe5d55b6c673c6bddd87ece32d658
SHA512: b07091149a7a3d90d103ed6311b7793b140aa50b2329e0fc656c07ff97274fed475854d085d14380a1b37e42dd2b4f9a2bd72cfabbe0095d0ccb7fd35bcb4149
-
Filesize: 24KB
MD5: 55c958fa621514eadb5b65ddb8f053c3
SHA1: 68e2dec2f5827ce25c27d3375f3ef7b78eb21667
SHA256: c26ff53785c8db7dbfc154b37767cca0f4d0d617a3ce335ad6713743794bff24
SHA512: 1ce3b30ad4f33a0cc2500982be9e2906cac20ba9ae04d899595ab4b716ee1c678bf5b50b83eca1af9c3eaa39a996a5f90a5567500b2c59f949f9f32c71c26c5f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe58535b.TMP
Filesize: 24KB
MD5: f7881f2455557f08427f4edff489764b
SHA1: 3cb95620b6c18e72464ee63c5c519192d044c62b
SHA256: ceacb4639581a3a6a5aed5fe9784e217a07f4b5c37b57da657f351c206ce3693
SHA512: ab544c357615db7becd22d06a1ed50b3b46b95b5b1a78451c1930b5fe9aa8639a05377584a18fc5ee8c68813ca599c859bb7911864a14531583230e29f8bf8d2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
Filesize: 8KB
MD5: cf89d16bb9107c631daabf0c0ee58efb
SHA1: 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256: d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512: 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2
Filesize: 8KB
MD5: 0962291d6d367570bee5454721c17e11
SHA1: 59d10a893ef321a706a9255176761366115bedcb
SHA256: ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512: f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3
Filesize: 8KB
MD5: 41876349cb12d6db992f1309f22df3f0
SHA1: 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256: e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512: e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize: 896KB
MD5: 80351281b65e08b2ce36f4f40df8a5f1
SHA1: fc5458c1c2b72403509f9c9c0a33801d92650424
SHA256: e597fb772319a806f79e33ebe4faaeca8497afbbc3081c9379ea6e9b3c1756b7
SHA512: e9aa6ac8cc70a1e8af9d0620906e9f53999bab86965e21affbb53bc6e52a28ab3da8d5924c2f877262e8103807762cd6ffea82e0262fa907fbc3fac159734973
-
Filesize: 1.7MB
MD5: 110750350e3f833d4de59ed0c7dd1b08
SHA1: ff21c68dad2c4733ced39aabd130e0406a56ed58
SHA256: d89f747d96c84dcd1a704731dd4261f6eb69f1498a05cae00a4635169ce5ec20
SHA512: df963df25b627e0aa446c0170acbfd3589d0b243eae8c34d84cd77940ee1d58b90f4a4739c10053eedd3dc1036a20aaf8cf202c8ed991b487712137ec0d52493
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H4M9ERHUZBABUINZBBV1.temp
Filesize: 3KB
MD5: ac8f9fcb49048547d507141dc67adce0
SHA1: f6a528be8ba227eca2f5dcd915b0f71ddc8440fd
SHA256: 557bab397e7f3e28e4c912446e056037e236b59b39bae3445f9437258c36c9df
SHA512: 81e17bdb93287af51a7b7c8983292955dd4e16c8cdb911bf520f729081f20f149252e7d9e2e1ff2eb8106467c8fab5a2af0254e83ffa0a5acdf62c1111d4b1d2
-
Filesize not recorded; the digests below are those of a zero-byte file, so this entry carries no content and should not be used as an indicator
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
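The dropped-file list above is the part of the report a responder actually reuses: its hashes become the indicator set for a host sweep. The following script, an added example that is not part of the report, reads blocks in the shape the sandbox page publishes them (an optional path line, a Filesize and the MD5/SHA1/SHA256/SHA512 labels, each either on its own line above its value or fused to it as in "MD5d5fcf8…", separated by a bare "-"), builds an index keyed by MD5 and SHA-256, and sweeps a set of files against it. It deliberately drops the zero-byte digests of the last entry, which would otherwise flag every empty file as a hit, and it lets SHA-256 decide a match while an MD5-only coincidence is reported separately because MD5 collisions are cheap to manufacture. The three sample blocks are copied from the report; the swept files and the "known bad" seed are constructed bytes.

```python
"""Parse the report's dropped-file hash blocks into an IOC index and sweep
files against it.

Added example, not part of the report. Assumes the "Downloads" layout: an
optional path line, then "Filesize" and the MD5/SHA1/SHA256/SHA512 labels,
each on its own line above its value or fused to it ("MD5d5fcf8..."), with
a bare "-" between blocks.
"""
import hashlib
import re

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Digests of a zero-byte file (the report's last block). A file hashing to
# these has no content, so it is reported but never treated as a hit.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Three blocks copied from the report, in the raw fused layout.
SAMPLE_DOWNLOADS = r"""
-
Filesize
1.7MB
MD5110750350e3f833d4de59ed0c7dd1b08
SHA1ff21c68dad2c4733ced39aabd130e0406a56ed58
SHA256d89f747d96c84dcd1a704731dd4261f6eb69f1498a05cae00a4635169ce5ec20
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

_LABEL = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")


def _store(rec: dict, key: str, value: str) -> None:
    value = value.strip()
    if key == "filesize":
        rec["size"] = value
    elif len(value) == HEX_LEN[key] and re.fullmatch(r"[0-9a-fA-F]+", value):
        rec[key] = value.lower()  # malformed digests are dropped, not guessed


def parse_downloads(text: str) -> list:
    records, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":  # start of a new block
            cur = {"path": None, "size": None}
            records.append(cur)
            pending = None
            continue
        if not line or cur is None:
            continue
        if pending:  # value for a label that stood alone on the previous line
            _store(cur, pending, line)
            pending = None
            continue
        m = _LABEL.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2)
            if value:
                _store(cur, key, value)
            else:
                pending = key
        elif cur["path"] is None and not cur["size"] and not any(k in cur for k in HEX_LEN):
            cur["path"] = line  # first non-label line of a fresh block is the path
    return [r for r in records if any(k in r for k in HEX_LEN)]


def build_index(records) -> dict:
    """Map every MD5 and SHA-256 in the report to its record, minus the empty-file digests."""
    index = {}
    for rec in records:
        for key in ("md5", "sha256"):
            h = rec.get(key)
            if h and h not in (EMPTY_MD5, EMPTY_SHA256):
                index[h] = rec
    return index


def record_for(data: bytes, path: str) -> dict:
    """Build a report-style record from bytes (used here to seed a known-bad file)."""
    return {"path": path, "size": f"{len(data)}B",
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "sha512": hashlib.sha512(data).hexdigest()}


def sweep(files: dict, index: dict) -> dict:
    """path -> "empty" | "match" | "md5-only" | "clean". SHA-256 decides; MD5 alone only flags."""
    verdicts = {}
    for path, data in files.items():
        sha256 = hashlib.sha256(data).hexdigest()
        if sha256 == EMPTY_SHA256:
            verdicts[path] = "empty"
        elif sha256 in index:
            verdicts[path] = "match"
        elif hashlib.md5(data).hexdigest() in index:
            verdicts[path] = "md5-only"  # collision-prone; confirm before acting
        else:
            verdicts[path] = "clean"
    return verdicts


if __name__ == "__main__":
    records = parse_downloads(SAMPLE_DOWNLOADS)
    known_bad = b"MZ\x90\x00constructed-sample"  # constructed stand-in for a dropped file
    index = build_index(records + [record_for(known_bad, "constructed.exe")])
    files = {"a.bin": known_bad, "b.bin": b"", "c.bin": b"benign bytes"}
    for path, verdict in sweep(files, index).items():
        print(f"{path}: {verdict}")
```

To run it against a real host, replace the constructed `files` mapping with the bytes of the paths you care about (the Amadey drop directory under %LOCALAPPDATA%\Temp and the Edge profile paths listed above are the obvious candidates) and feed the whole "Downloads" text into `parse_downloads`.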