Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-09-2024 19:01
Static task: static1
Behavioral task: behavioral1
Sample: aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
Resource: win10v2004-20240802-en
General
Target: aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
Size: 1.8MB
MD5: 667ebda9be3da6ee8b9f1cc419d336ba
SHA1: fb42333e24aac8e4d2989950cae402d7960f69b1
SHA256: aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44
SHA512: aa83123064683405ba88663dc56ca3011961fff14acb9de47130099ceb98a060f74ce5e3fb8e73425bc6755e51c8cb488381640f4aeed13aaff7fb117921753c
SSDEEP: 49152:pPfiL6HREBxRnthwen62ZVG2SKqe1p6PVYRZcotq:pPfc6HsJwC60G2SKV1kV4w
Malware Config
Extracted:
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe (4 entries)

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe (4 entries)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe (4 entries)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | svoutse.exe

Executes dropped EXE (5 IoCs)
Processes (pid | process):
3204 | svoutse.exe
4460 | svoutse.exe
3480 | svoutse.exe
1436 | svoutse.exe
4864 | 4e1a1b0c94.exe

Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | svoutse.exe (4 entries)
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
Processes (resource | yara_rule):
C:\Users\Admin\AppData\Local\Temp\1000033001\4e1a1b0c94.exe | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes (pid | process):
212 | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
3204 | svoutse.exe
4460 | svoutse.exe
3480 | svoutse.exe
1436 | svoutse.exe

Drops file in Windows directory (1 IoC)
Processes (description | ioc | process):
File created | C:\Windows\Tasks\svoutse.job | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4e1a1b0c94.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

Modifies registry class (1 IoC)
Processes (description | ioc | process):
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes (pid | process):
212 | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe (2 entries)
3204 | svoutse.exe (2 entries)
4460 | svoutse.exe (2 entries)
3480 | svoutse.exe (2 entries)
1436 | svoutse.exe (2 entries)
2920 | msedge.exe (2 entries)
3248 | msedge.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (29 IoCs)
Processes (pid | process):
3248 | msedge.exe (29 entries)

Suspicious use of FindShellTrayWindow (6 IoCs)
Processes (pid | process):
4864 | 4e1a1b0c94.exe (3 entries)
3248 | msedge.exe (3 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
Processes (pid | process):
4864 | 4e1a1b0c94.exe (3 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process):
PID 212 wrote to memory of 3204 | 212 | aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe | svoutse.exe (3 entries)
PID 3204 wrote to memory of 4864 | 3204 | svoutse.exe | 4e1a1b0c94.exe (3 entries)
PID 4864 wrote to memory of 3248 | 4864 | 4e1a1b0c94.exe | msedge.exe (2 entries)
PID 3248 wrote to memory of 2784 | 3248 | msedge.exe | msedge.exe (2 entries)
PID 3248 wrote to memory of 3712 | 3248 | msedge.exe | msedge.exe (40 entries)
PID 3248 wrote to memory of 2920 | 3248 | msedge.exe | msedge.exe (2 entries)
PID 3248 wrote to memory of 5100 | 3248 | msedge.exe | msedge.exe (12 entries)
Processes (Level = depth in the process tree)

Level 1: C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe (PID 212)
Command line: "C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 212

Level 2: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (PID 3204)
Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3204

Level 3: C:\Users\Admin\AppData\Local\Temp\1000033001\4e1a1b0c94.exe (PID 4864)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000033001\4e1a1b0c94.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4864

Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3248)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 3248

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2784)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe15646f8,0x7ffbe1564708,0x7ffbe1564718

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3712)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2920)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID: 2920

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5100)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1472)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4540)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3924)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2200)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4720)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2532)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2336)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2112)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4240)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1220)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2004)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3860)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2592)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1392)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2384)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1132)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2164)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4936)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4372)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 436)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5040)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4128)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3600)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4888)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4692)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3980)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5060)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5464)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1

Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5616)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1

Level 1: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (PID 4460)
Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4460
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3480
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1436
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5064
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3412
Downloads