Analysis

- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-09-2024 17:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
- Resource: win7-20240903-en
General

- Target: 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
- Size: 1.8MB
- MD5: 30ac84841a731fa47a3ce25033db8449
- SHA1: 7c2c107362576bd653e0dc6f96be4d7295d70889
- SHA256: 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4
- SHA512: d56c10c8af777e516ed343544c7b17eb5b1a9553c283da53728013adf1e5d572cf290be6502d25b42f8b617b36a754c39a320dfa4eb545e382de3689a3547e9f
- SSDEEP: 49152:g5kAmXhdOEgEjSVfpIfEA9fXK92mGWuYn7KU5:gW/sVsdWLnGU
Malware Config

Extracted: amadey
- 4.41
- c7817d
- http://31.41.244.10
- install_dir: 0e8d0864aa
- install_file: svoutse.exe
- strings_key: 5481b88a6ef75bcf21333988a4e47048
- url_paths: /Dem7kTu/index.php

Extracted: stealc
- rave
- http://185.215.113.103
- url_path: /e2b1563c6670f193.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 7 IoCs]

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | fea1a3ad69.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 01745eeb65.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe |
Downloads MZ/PE file

Checks BIOS information in registry [2 TTPs, 14 IoCs]
BIOS information is often read in order to detect sandboxing environments.

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | fea1a3ad69.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 01745eeb65.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fea1a3ad69.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 01745eeb65.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe |
Checks computer location settings [2 TTPs, 2 IoCs]
Looks up country code configured in the registry, likely geofence.

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | svoutse.exe |
Executes dropped EXE [7 IoCs]

| pid | process |
| --- | --- |
| 4832 | svoutse.exe |
| 388 | fea1a3ad69.exe |
| 1892 | 01745eeb65.exe |
| 4828 | db1b7c8a58.exe |
| 6068 | svoutse.exe |
| 1576 | svoutse.exe |
| 3960 | svoutse.exe |
Identifies Wine through registry keys [2 TTPs, 7 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | fea1a3ad69.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | 01745eeb65.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | svoutse.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | svoutse.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | svoutse.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | svoutse.exe |
Adds Run key to start application [2 TTPs, 1 IoCs]

| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\01745eeb65.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\01745eeb65.exe" | svoutse.exe |
AutoIT Executable [1 IoCs]
AutoIT scripts compiled to PE executables.

| resource | yara_rule |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\1000033001\db1b7c8a58.exe | autoit_exe |
Suspicious use of NtSetInformationThreadHideFromDebugger [7 IoCs]

| pid | process |
| --- | --- |
| 4984 | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe |
| 4832 | svoutse.exe |
| 388 | fea1a3ad69.exe |
| 1892 | 01745eeb65.exe |
| 6068 | svoutse.exe |
| 1576 | svoutse.exe |
| 3960 | svoutse.exe |
Drops file in Windows directory [1 IoCs]

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\Tasks\svoutse.job | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe |
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery [1 TTPs, 5 IoCs]
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fea1a3ad69.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 01745eeb65.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | db1b7c8a58.exe |
Enumerates system info in registry [2 TTPs, 3 IoCs]

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
Modifies registry class [1 IoCs]

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe |
Suspicious behavior: EnumeratesProcesses [24 IoCs]

| pid | process |
| --- | --- |
| 4984 | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe |
| 4984 | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe |
| 4832 | svoutse.exe |
| 4832 | svoutse.exe |
| 388 | fea1a3ad69.exe |
| 388 | fea1a3ad69.exe |
| 1892 | 01745eeb65.exe |
| 1892 | 01745eeb65.exe |
| 4772 | msedge.exe |
| 4772 | msedge.exe |
| 5020 | msedge.exe |
| 5020 | msedge.exe |
| 5400 | identity_helper.exe |
| 5400 | identity_helper.exe |
| 6068 | svoutse.exe |
| 6068 | svoutse.exe |
| 1576 | svoutse.exe |
| 1576 | svoutse.exe |
| 5804 | msedge.exe |
| 5804 | msedge.exe |
| 5804 | msedge.exe |
| 5804 | msedge.exe |
| 3960 | svoutse.exe |
| 3960 | svoutse.exe |
Suspicious behavior: GetForegroundWindowSpam [1 IoCs]

| pid | process |
| --- | --- |
| 4828 | db1b7c8a58.exe |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [29 IoCs]
Suspicious use of FindShellTrayWindow [64 IoCs]
Suspicious use of SendNotifyMessage [64 IoCs]
Suspicious use of WriteProcessMemory [64 IoCs]
Processes

- PID 4984: C:\Users\Admin\AppData\Local\Temp\07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - PID 4832: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - PID 388: C:\Users\Admin\AppData\Roaming\1000026000\fea1a3ad69.exe
      Command line: "C:\Users\Admin\AppData\Roaming\1000026000\fea1a3ad69.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - PID 1892: C:\Users\Admin\AppData\Local\Temp\1000030001\01745eeb65.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\01745eeb65.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - PID 4828: C:\Users\Admin\AppData\Local\Temp\1000033001\db1b7c8a58.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000033001\db1b7c8a58.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - PID 5020: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        - PID 2164: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff122546f8,0x7fff12254708,0x7fff12254718
        - PID 3612: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        - PID 4772: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
        - PID 4144: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
        - PID 3544: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        - PID 2448: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
        - PID 4300: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
        - PID 4428: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
        - PID 4468: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
        - PID 3900: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
        - PID 2400: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
        - PID 2484: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
        - PID 5164: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
        - PID 5172: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
        - PID 5216: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
        - PID 5224: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
        - PID 5352: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
        - PID 5360: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
        - PID 5368: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
        - PID 5376: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
        - PID 5588: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
        - PID 5596: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
        - PID 5604: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
        - PID 5612: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
        - PID 5624: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
        - PID 5768: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
        - PID 5776: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:15⤵PID:5868
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:15⤵PID:6092
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:15⤵PID:6128
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7536 /prefetch:15⤵PID:6136
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:15⤵PID:3432
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:15⤵PID:2144
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7300 /prefetch:8
PID:1048
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7300 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:5400
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3770771143997650306,16606634338508789043,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID:5804
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4052
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:5356
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6068
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1576
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3960
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\10107ee9-e79a-472b-80ad-dd17e851c354.tmp
Filesize9KB
MD5a979f84c22ce858ef217c0ad5e9d42db
SHA16a662aefcc591fd8f12e1a1fdfa67da653246335
SHA2565f4d2de9c593394f7c68fd63057ff0f9b1b61efd75c44e68abc0434fb71ef1ad
SHA5126635ce976835416b7d33f1858db3ee3d5de607b7323f36439947253c642e8aa3ce029c9c2401a44cd446d5736d35e449106042494c215bfd5276ffe11e2676bb
-
Filesize
152B
MD55e33f94ef10c5956171919958bea096d
SHA113b082a62f8cd74e8c3f4022b33d7f0869e80464
SHA256841b98b5771ad108607c0ebe599732ffc6e4ea66cb6758f4c79a9e76da3dcf02
SHA5123a0a03bb35fc79f21c7bd7ab46ab43be908097690541ec9f6edaee1a26ece73ffe1d44096b046f32c44552439f7c55c422c1a5e61f8a1ff770b29117e1abfa7c
-
Filesize
152B
MD534a1ca97e745e9e093301217e4b961d5
SHA111434215f317125b09b5d2eb49a65900b9380563
SHA256b9318dcc888aeb20903067355ac0cd2d204520b37e32e32fd80cd0b5b506bc46
SHA512e228da07cb1c252769b6aa4b70e07993561e009924c50700fdfd7b00c99146b4a3da5d9fa3b0a1f2ed76067d40b038b30e10f009b393d99ec5cb8e71af9457e8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
1KB
MD5521911fa322bef3154d15a7362e3f543
SHA1c5997efbeb4f3b33252abc7ee43206bacb254ae8
SHA256c4fd87f5c9ab07faa6d52ebc234f22aa61d400eef2fd58dd3bc60317feb0bab2
SHA512587d1cd11afa6f8c3942df9aa7ab21c6eed093be5b8e40200380446802ebd532e2443e6848231940b352c5930f90793f01130b7c3c9178e64f6265999df4a22d
-
Filesize
4KB
MD5e5ed3e68f0a89e35ca41c8cc5c39b3fa
SHA1b0dfd49e9a6035397788290258db3403a4697752
SHA256ebab32a824c84b58a7b2ee70dca890581366414dbb0052462cfc587886a4c036
SHA5120daa448a9b85950fb127e3dd556518b3c1cec575cea5bb86ec9ccdbd342fb215e09119c9927fa857c15605ec50deaa42510414c192f71abfd91810a4642121cf
-
Filesize
4KB
MD52edf11698e732d3adc906a2588b44b55
SHA13d91d93229053e60cb25674a7d76b43b5f7f4649
SHA256ba1452e35866ef2169fb2e1b183414d7516819e28c7fb1a6ab6bf6e180b2df4e
SHA512cc9eebe0bb6b4a78e617c4bb25f77bc7bd79e7fb7db9955e9079957860d75f04d42193a2b5680fcd1a08aef058b632df74bb592bf76683145d613f3d42831fa4
-
Filesize
4KB
MD509bd631f34811276d423f53a53bb4c16
SHA17877a528c13a8e1e381931630284e27a5cc7052a
SHA2566db40c17636f2e2c1c49830533e7ec9a32861ca26420e909f2cb9f7e1364e1ae
SHA5122d748b9ff409f0dc786f75e5dce04170463d2abe6427880faeceb0c1697a11df85cdcb414f8c269bf99a18bffe35baa76abce720a819e4f2f75318753a9bb7b9
-
Filesize
4KB
MD516de468e5ff55e0f5683b446d2caa833
SHA1260d3c720f6891ac5a058f87386399d3f151deb9
SHA256d03c2754556da23b792aa29dd15bb52387fdb52701d401ba5f74ba3e9ed1f3d9
SHA512d10fbd104f3001ee42672f38049cd50c3b1e828fe2c8630512cb8e1fb5a186de9f82ee6301bb15468b45d67200836c2069924aac77ed50461f0fa7839bc10c76
-
Filesize
24KB
MD5d951e411b8fe71a15422b7d512d8afdc
SHA1849f5c9964741c6fd79b453b14d6b74d4bfbad70
SHA2565357a4a3afa8399423361d02fba48a7b6ad0fb54399c2d7638cc493d36523a7f
SHA51256acd9fc4ff32e1448b5ac7a6f341bddf4c0cede05a41b2e32adeafbda20a98b4b824e3ce608dac89809d60de93505cb50a9156c04286a8c678636eb211386c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe57fd2c.TMP
Filesize24KB
MD5c510878f8c8705e7c7b4457a0280e7ae
SHA15a445ee568b7512585bfdf7db84daeed1b3d3cc8
SHA2565024a9020046204858d077520b9bfc997ef7936786966bd8fdfaeac86ab4bb96
SHA512bf76038bb2b49b4c74d81ec348cf0c25ffb4f69e1f5c7963dde3e3f736b076781fec9e3053ed9588f10e7353d21f90bbfd5aafde38cfdc6a7e1bf0e119a45ac1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
Filesize8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
Filesize264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2
Filesize8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3
Filesize8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
Filesize16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
1.8MB
MD530ac84841a731fa47a3ce25033db8449
SHA17c2c107362576bd653e0dc6f96be4d7295d70889
SHA25607669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4
SHA512d56c10c8af777e516ed343544c7b17eb5b1a9553c283da53728013adf1e5d572cf290be6502d25b42f8b617b36a754c39a320dfa4eb545e382de3689a3547e9f
-
Filesize
896KB
MD5af850fd36ef4f28bd1c92fd30feec5d1
SHA15854cc232850fe8ce0d475c51ec14bf8e0f761ad
SHA2567605e6672cf788c7e666ce3855dad7a0aa7f69cff512ff22105ea3f189c2c382
SHA512dd4c84e6b632058596207a5fbe675765c638b6fb0cf2d274ab387936d581153247b6e1ed51e746f87895489cd9a6d43913d38aec24e338de27034604505239f6
-
Filesize
1.7MB
MD5110750350e3f833d4de59ed0c7dd1b08
SHA1ff21c68dad2c4733ced39aabd130e0406a56ed58
SHA256d89f747d96c84dcd1a704731dd4261f6eb69f1498a05cae00a4635169ce5ec20
SHA512df963df25b627e0aa446c0170acbfd3589d0b243eae8c34d84cd77940ee1d58b90f4a4739c10053eedd3dc1036a20aaf8cf202c8ed991b487712137ec0d52493
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ADNYGQJ3M3GTFNDHKA7P.temp
Filesize3KB
MD5f07751c0ef5120f26e4b57812afba768
SHA1e2d47ff556e3d3cbcf46f9788a9b200b05c2eea7
SHA256898c84d7f1836b6e59811ca5eeff357f9c705a34b836ab8ba23dd3e1974033e6
SHA512fa72165966fd1f83dcc5ca090c8c7fdd5121613c895a01f78958e8a62200a0468f526e614fea92015439b828c40bc83d2e8a847c615a1862d58a55e1542c7b9e