Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
10-09-2024 01:38
Static task
static1
Behavioral task
behavioral1
Sample
ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe
Resource
win10v2004-20240802-en
General
-
Target
ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe
-
Size
1.8MB
-
MD5
4141269cc71160518d53bd4232546645
-
SHA1
f6cab15b6c4cba08991ad7ef9c0143ef62bc8992
-
SHA256
ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e
-
SHA512
3f18ccaff54ea45bc560bc33db9ae00051423f22835f366c9991e8459157d4d22c2f33d090164f589b7e8f42648a624e799e3165faf7550448f85632b876589a
-
SSDEEP
49152:wsCoAvp/tZTkFQCSEIYDtIzJcqSngDBAZPbb:wsNsp/tyFQVh8edblsPbb
Malware Config
Extracted
amadey
4.41
c7817d
http://31.41.244.10
-
install_dir
0e8d0864aa
-
install_file
svoutse.exe
-
strings_key
5481b88a6ef75bcf21333988a4e47048
-
url_paths
/Dem7kTu/index.php
Extracted
stealc
rave
http://185.215.113.103
-
url_path
/e2b1563c6670f193.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
svoutse.exesvoutse.exeba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exesvoutse.exesvoutse.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
svoutse.exesvoutse.exeba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exesvoutse.exesvoutse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exesvoutse.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation svoutse.exe -
Executes dropped EXE 7 IoCs
Processes:
svoutse.exe99b8991cfa.exea174aaa6a9.exebaf7b9c504.exesvoutse.exesvoutse.exesvoutse.exepid process 3656 svoutse.exe 2604 99b8991cfa.exe 3668 a174aaa6a9.exe 2044 baf7b9c504.exe 5052 svoutse.exe 4448 svoutse.exe 5480 svoutse.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
svoutse.exesvoutse.exesvoutse.exeba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exesvoutse.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine svoutse.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine svoutse.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine svoutse.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine svoutse.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
svoutse.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a174aaa6a9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\a174aaa6a9.exe" svoutse.exe Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\baf7b9c504.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\baf7b9c504.exe" svoutse.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000036001\baf7b9c504.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exesvoutse.exesvoutse.exesvoutse.exesvoutse.exepid process 1156 ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe 3656 svoutse.exe 5052 svoutse.exe 4448 svoutse.exe 5480 svoutse.exe -
Drops file in Windows directory 1 IoCs
Processes:
ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exedescription ioc process File created C:\Windows\Tasks\svoutse.job ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 3120 2604 WerFault.exe 99b8991cfa.exe 5400 3668 WerFault.exe a174aaa6a9.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exesvoutse.exe99b8991cfa.exea174aaa6a9.exebaf7b9c504.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svoutse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 99b8991cfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a174aaa6a9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language baf7b9c504.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exesvoutse.exemsedge.exemsedge.exeidentity_helper.exesvoutse.exesvoutse.exemsedge.exesvoutse.exepid process 1156 ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe 1156 ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe 3656 svoutse.exe 3656 svoutse.exe 3036 msedge.exe 3036 msedge.exe 4228 msedge.exe 4228 msedge.exe 5976 identity_helper.exe 5976 identity_helper.exe 5052 svoutse.exe 5052 svoutse.exe 4448 svoutse.exe 4448 svoutse.exe 5264 msedge.exe 5264 msedge.exe 5264 msedge.exe 5264 msedge.exe 5480 svoutse.exe 5480 svoutse.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
baf7b9c504.exepid process 2044 baf7b9c504.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs
Processes:
msedge.exepid process 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe 4228 msedge.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
baf7b9c504.exemsedge.exepid process 2044 baf7b9c504.exe 2044 baf7b9c504.exe 4228 msedge.exe 4228 msedge.exe 2044 baf7b9c504.exe 4228 msedge.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
baf7b9c504.exepid process 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe 2044 baf7b9c504.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exesvoutse.exebaf7b9c504.exemsedge.exedescription pid process target process PID 1156 wrote to memory of 3656 1156 ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe svoutse.exe PID 1156 wrote to memory of 3656 1156 ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe svoutse.exe PID 1156 wrote to memory of 3656 1156 ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe svoutse.exe PID 3656 wrote to memory of 2604 3656 svoutse.exe 99b8991cfa.exe PID 3656 wrote to memory of 2604 3656 svoutse.exe 99b8991cfa.exe PID 3656 wrote to memory of 2604 3656 svoutse.exe 99b8991cfa.exe PID 3656 wrote to memory of 3668 3656 svoutse.exe a174aaa6a9.exe PID 3656 wrote to memory of 3668 3656 svoutse.exe a174aaa6a9.exe PID 3656 wrote to memory of 3668 3656 svoutse.exe a174aaa6a9.exe PID 3656 wrote to memory of 2044 3656 svoutse.exe baf7b9c504.exe PID 3656 wrote to memory of 2044 3656 svoutse.exe baf7b9c504.exe PID 3656 wrote to memory of 2044 3656 svoutse.exe baf7b9c504.exe PID 2044 wrote to memory of 4228 2044 baf7b9c504.exe msedge.exe PID 2044 wrote to memory of 4228 2044 baf7b9c504.exe msedge.exe PID 4228 wrote to memory of 4496 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 4496 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2552 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 3036 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 3036 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2016 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2016 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2016 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2016 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2016 4228 msedge.exe msedge.exe PID 4228 wrote to memory of 2016 4228 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe"C:\Users\Admin\AppData\Local\Temp\ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Users\Admin\AppData\Roaming\1000026000\99b8991cfa.exe"C:\Users\Admin\AppData\Roaming\1000026000\99b8991cfa.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 10164⤵
- Program crash
PID:3120 -
C:\Users\Admin\AppData\Local\Temp\1000030001\a174aaa6a9.exe"C:\Users\Admin\AppData\Local\Temp\1000030001\a174aaa6a9.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3668 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 10524⤵
- Program crash
PID:5400 -
C:\Users\Admin\AppData\Local\Temp\1000036001\baf7b9c504.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\baf7b9c504.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab67246f8,0x7ffab6724708,0x7ffab67247185⤵PID:4496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:25⤵PID:2552
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:3036 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:85⤵PID:2016
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:15⤵PID:1624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:15⤵PID:1296
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:15⤵PID:4212
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:15⤵PID:2216
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:15⤵PID:1352
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:15⤵PID:2020
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:15⤵PID:440
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:15⤵PID:4048
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:15⤵PID:1240
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:15⤵PID:2928
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:15⤵PID:2844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:15⤵PID:5116
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:15⤵PID:2704
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:15⤵PID:4232
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:15⤵PID:3120
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:15⤵PID:2416
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:15⤵PID:1096
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:15⤵PID:3104
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:15⤵PID:4556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:15⤵PID:212
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:15⤵PID:4908
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:15⤵PID:1136
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:15⤵PID:4608
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:15⤵PID:5052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:15⤵PID:4912
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:15⤵PID:5132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:15⤵PID:5140
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:15⤵PID:5148
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:15⤵PID:5160
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:15⤵PID:5708
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7608 /prefetch:15⤵PID:5880
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:85⤵PID:5576
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:5976 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11195205177690644493,3004723207907661899,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3872 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:5264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2604 -ip 26041⤵PID:1036
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1532
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5828
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5052
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3668 -ip 36681⤵PID:768
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4448
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5480
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\3d5c5318-276f-4551-b7ce-278b2a589311.tmp
Filesize9KB
MD5f80328543d5cfac9812ef0543a633f3e
SHA109c23d195797c90d2b13a87bcb06f3200f406698
SHA256d8609a9291859961b9e68cbb255fa4e73ba9cf38e58ffc9809f15623ded25b3c
SHA512d9992a143b2b0326428882d40678908840c329624b3259a2bd08a76c618ebfe4e0c786fe9ac90a1531dcb78f6e4fa7286faab10431fbba304c22871ae9f11485
-
Filesize
152B
MD5af6090f2dd9e25199a7f6bb47e938a9b
SHA189e5d620a3bda39278e4a9ca6ca0edd938f9a8f4
SHA256f369a8828e2d1db1968f422e6f9b80644d4f7985088f8480fd29a3394d5eb1c4
SHA5125cdca8fa94b910c94d796739db7333e82df45bd3d2cbd5810482bf3ad85a9bb4371814823b27ec8a477d64280e7c2289af2eb9417dfe52278f89d42d6d7d5e7e
-
Filesize
152B
MD508b2b94cd30296020231e01afd46cb66
SHA1961b6956c4be4050857bfdd399ca12e95fcf07bf
SHA2565ae3a504b031b041558e25cac2430b79618e38c966be2b1bd683ece236599812
SHA5121a2dde0fa4a1a545af3d1be93972e060be7ea6d1d17547d781a2586f1ab0c908d8bba5e695ec62b0a6688935b99bc82aa806b7bc25c3f849cbc9719af40b1a38
-
Filesize
152B
MD5fa6bd9852e04f257a92df92fc0fa8ecd
SHA16a06d78824be9fb2185fd9f47772ead7c86cc457
SHA2569cd58267953888ea88ca7a66384da137cab4d09b0904800b5fd4b34bb1054d7b
SHA512468497966165d6e82c4f9e5a216095f16eca74b27202cbcad262682375f59af7b72a7c2de12d022fa4a20840a141b5dea8ceedee6d60c4a511e5f9f6517be8e2
-
Filesize
20B
MD59e4e94633b73f4a7680240a0ffd6cd2c
SHA1e68e02453ce22736169a56fdb59043d33668368f
SHA25641c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\762e9b3b-b9b8-4a9f-ae83-3a8a483446fa.tmp
Filesize4KB
MD527410bff153209c88dfd620bd7f23fe8
SHA1f0f049c07cd0f8e884b78e12087540d9636c8e05
SHA2567e5242626112d6843c8d9c930c8f1b2b2a59a121955fc61b7b6bc87e6f2105e9
SHA5123826427364a172c868355a2eeae49d48b3be131762a39e22c0404107964c325ea497ced4eac400dd7bee7ecc75c45264570fadc5b2b0d817e79f1f58a2a58f1c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
1KB
MD57e6bcc457e3c43726cf7bcf630aa8ea8
SHA10f9e9c8b1b3228e270da37e99f2d8aace4dfddbf
SHA256a323f0e2c40b2d22e3429750198a513af6327501bd667f4e82d5229ab2a3c43f
SHA512ed65b01961a2cf5dda83077a0c16f209c8f5c7da99bb2b1e052b4382205b4ea7903a7b91634368c16adc40c4b472384d312aed104fc22742b751e7ec1f6fdf63
-
Filesize
4KB
MD5210d952e2f9364acde2c6555dfad6c50
SHA1ce11294866ab4a5d674f7cde5bbd30e2ea89181d
SHA256d641041c90c43637fd678154a61ac869b8486c4a06256baa3a08f63dab40a6ed
SHA512be21e2e4ee139dc3c7f92ef48f792e3a48582c4e82488073ebdce5b2e659c9d58ab3de648d03964b379af3e351893afad74bad8f92c1bb0cb777154f8dc79da6
-
Filesize
4KB
MD5b3c9fcffd8857bd56544d42f50844b92
SHA1d31bd4be03798a1f4305d6af389e43928f27d746
SHA256821434decd92b369909d8eb237d17de5d56549f77d7d3945f01af24807aa2eb5
SHA512b6ecce27d5e8a395412632a09965eeaba3a738a122d4d5f3090acc19319f418a8d4beab8d7ce9e3f62e2ebf27f874db7ac3df47cc820ac9e8e4b192747cb630f
-
Filesize
24KB
MD523e960241c1009461dbd242ddc402de1
SHA16c803ea1659c3be7e80b85a9a62031ae73b8007d
SHA2569e980bf9dc39aa8724e9c36e428b0d715fa15eb14bb40a64aa9d5abaf976de25
SHA512a5aee198a7356adc6f95080e30aa4beb8065852f2bb79972ced7dbd943b61fe765aecfbf780e68365eecd8826548c621aae073dea94505662ff13232c13be251
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe5b9660.TMP
Filesize24KB
MD52e401292ae2ea403fc16459c7ffde051
SHA1157872abe5fae6c4ccde32a79649cefff6666f8c
SHA25685bde54bdf8e01effd94cc14797bfec6d02b3edc34d9174086605235144621d2
SHA512a1fb492cee17f78879660af87a2fb483f31110d63664c45d71420c5655523cbe72006e7d1cb8825e3e86194018714d1950e2aa58437df345069442b36d693b07
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
Filesize8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
Filesize264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2
Filesize8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3
Filesize8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
Filesize16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
1.8MB
MD54141269cc71160518d53bd4232546645
SHA1f6cab15b6c4cba08991ad7ef9c0143ef62bc8992
SHA256ba61747e77322718715fb1f01ad332580046b9ed0092a64877c2ae62e90d5c9e
SHA5123f18ccaff54ea45bc560bc33db9ae00051423f22835f366c9991e8459157d4d22c2f33d090164f589b7e8f42648a624e799e3165faf7550448f85632b876589a
-
Filesize
896KB
MD538f98be80e6670f46efc8544d762cfd4
SHA1fcad2e65d0977f0ab297049d5c9c32450b230d2a
SHA256fb5cdb8d0f5558d5544c7722e616fbb498b501484f6ad0d1e2a2fe8118574996
SHA51260a0c8f5516b41faa57ec4010eaed39a255ad2c96e58d7ae1273d3ef44196ea50b4f64c52e8301a95e45139ccd52bd9b52d177121ad1c77289bed89ac49c04cf
-
Filesize
389KB
MD5f47cc7dc355ae01926f6065316c3bd68
SHA16b575930185f216e4fa5116fdcc8906eb9f53af9
SHA25625741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794
SHA512cf076a077130b8dd48f3e27a6aaba411a6c8833ab8b926c99fc3fb66130694db1ce668103c44aba6196705a9722b68da16287ea8a63ffed250bcf92bba68154e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2ZOJSX6PFFKCB4LK401E.temp
Filesize3KB
MD550f8b2ce3c806aa14f8f7fb4909a5ca7
SHA113ccd684b9ea4e273e3a0df8204be2d5c885368b
SHA2562a7ad222dfdb8258663721f3f2874e75ece302c8d2875f2641fde6bc773b9e72
SHA512b5970fd0863ffc02be76be5500f595ac4fc86a89c8fd27590e3f278cdea0eec89a121916fbcedecbb9cac4a3099a1da7d3ed0533848ac2bc2ea8e711ab333f52
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e