Analysis
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-09-2024 04:28
Static task: static1
Behavioral task: behavioral1
Sample: d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
Resource: win10v2004-20240802-en
General
Target: d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
Size: 1.8MB
MD5: 1f168ecf05a514a49417ac8cf81523f1
SHA1: 4675d4458cdd7b48bdeaaedb954e17b28afc5503
SHA256: d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469
SHA512: cec0800341c266fe8edfbae52b8f098f3e474ee4c2912f23abb08bf3184e5f70dc191cd0257e6356b5bf193b8da9140c9dc5286a6da32abb7b403f1e8cd59722
SSDEEP: 49152:HMUbhF5mBfInDR9Iz/ULx/NP3Thua3P9HtWksuQ:nhF5Kwn84LXP3FuaPHsu
Malware Config

Extracted: amadey
4.41
c7817d
http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php

Extracted: stealc
rave
http://185.215.113.103
url_path: /e2b1563c6670f193.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe

Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | svoutse.exe
Executes dropped EXE 6 IoCs
Processes:
pid | process
3228 | svoutse.exe
3896 | 08708a82a9.exe
2408 | 799de67533.exe
436 | 292feb6f6e.exe
2552 | svoutse.exe
5948 | svoutse.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | svoutse.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\799de67533.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\799de67533.exe" | svoutse.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\292feb6f6e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\292feb6f6e.exe" | svoutse.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000036001\292feb6f6e.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
pid | process
5100 | d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
3228 | svoutse.exe
2552 | svoutse.exe
5948 | svoutse.exe
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\svoutse.job | d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
752 | 3896 | WerFault.exe | 08708a82a9.exe
5988 | 2408 | WerFault.exe | 799de67533.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 292feb6f6e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 08708a82a9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 799de67533.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
pid | process
5100 | d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe (2 entries)
3228 | svoutse.exe (2 entries)
432 | msedge.exe (2 entries)
220 | msedge.exe (3 entries)
2436 | identity_helper.exe (2 entries)
2552 | svoutse.exe (2 entries)
5948 | svoutse.exe (2 entries)
3504 | msedge.exe (4 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
436 | 292feb6f6e.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs
Processes:
pid | process
220 | msedge.exe (33 identical entries)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
436 | 292feb6f6e.exe (61 entries)
220 | msedge.exe (3 entries)
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process
436 | 292feb6f6e.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 5100 wrote to memory of 3228 | 5100 | d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe | svoutse.exe (3 entries)
PID 3228 wrote to memory of 3896 | 3228 | svoutse.exe | 08708a82a9.exe (3 entries)
PID 3228 wrote to memory of 2408 | 3228 | svoutse.exe | 799de67533.exe (3 entries)
PID 3228 wrote to memory of 436 | 3228 | svoutse.exe | 292feb6f6e.exe (3 entries)
PID 436 wrote to memory of 220 | 436 | 292feb6f6e.exe | msedge.exe (2 entries)
PID 220 wrote to memory of 1188 | 220 | msedge.exe | msedge.exe (2 entries)
PID 220 wrote to memory of 4488 | 220 | msedge.exe | msedge.exe (40 entries)
PID 220 wrote to memory of 432 | 220 | msedge.exe | msedge.exe (2 entries)
PID 220 wrote to memory of 3852 | 220 | msedge.exe | msedge.exe (6 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 5100

  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3228

    C:\Users\Admin\AppData\Roaming\1000026000\08708a82a9.exe
    Command line: "C:\Users\Admin\AppData\Roaming\1000026000\08708a82a9.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3896

      C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1220
      - Program crash
      PID: 752

    C:\Users\Admin\AppData\Local\Temp\1000030001\799de67533.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\799de67533.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2408

      C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1068
      - Program crash
      PID: 5988

    C:\Users\Admin\AppData\Local\Temp\1000036001\292feb6f6e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\292feb6f6e.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 436

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 220
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92fcb46f8,0x7ff92fcb4708,0x7ff92fcb4718
        PID: 1188

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        PID: 4488

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
        PID: 432

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
        PID: 3852

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1
        PID: 2284

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        PID: 2780

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
        PID: 2388

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
        PID: 1180

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
        PID: 5080

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
        PID: 244

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
        PID: 1136

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
        PID: 1564

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
        PID: 4360

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
        PID: 2948

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
        PID: 4384

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
        PID: 3776

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
        PID: 5156

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
        PID: 5164

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
        PID: 5248

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
        PID: 5256

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
        PID: 5272

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
        PID: 5280

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
        PID: 5352

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
        PID: 5360

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
        PID: 5504

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7212 /prefetch:1
        PID: 5604

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7240 /prefetch:1
        PID: 5612

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7376 /prefetch:1
        PID: 5620

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
        PID: 5628

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
        PID: 5780
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:15⤵PID:5848
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8180 /prefetch:15⤵PID:5856
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8312 /prefetch:15⤵PID:6112
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8500 /prefetch:15⤵PID:3636
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:15⤵PID:2756
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8512 /prefetch:15⤵PID:628
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8524 /prefetch:15⤵PID:5680
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:85⤵PID:6060
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:2436 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,2523303224153515344,14056151755642219465,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3036 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3896 -ip 38961⤵PID:448
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3888
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5644
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2408 -ip 24081⤵PID:5792
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2552
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5948
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5: 5018365fc37461d624f0f990ca231fdf
SHA1: 9e4511dec0f19b7d564389f9a3dbd5aa37722321
SHA256: eee42354c3f1e93df719b06ac75eeb4bfab62b8af0cc534940234a0a7d18f0cc
SHA512: 74b1f10a6d4907c5fe90d7f201a79a59bed6bdc7f7d1fb8392f835c763d6bd24bc3c0961ab76249a0c37c57765eed0b1a3b2e32b18acd28a50b3bfd7764bef4b

Filesize: 152B
MD5: e9ebb8a980cdec87927e3ab67fc713d1
SHA1: d93a07c2e041e5530a87af64fe44dab3d8ed2a5d
SHA256: af8f5c327f2df7f13605bf3110bab80dc23ad822f98133930239017b8d044ac8
SHA512: e3cac121d843aa6206ee304071850df8dc159b4211b32030136286439d652a8de294ce3cd50e04800cd86d0ca7ba3467c39b4d03ef62e8fea8c946e180302b9a

Filesize: 152B
MD5: add833069b75a0fa0e26b3624909709f
SHA1: a766c651e47538e8b19cb01f6191293f537690b8
SHA256: 223a142cf7848020d51c4eafc8bd07a088ce55278ebf629e840a04abd74cbab6
SHA512: 91834adafa1d2b9cc4f15fbfcd90e163973d9837028b6219c4799be846e0bb02b71a6d67fb96e0f7f86ae78c683a6d5c4d9262c118dbfd0841a2199f10cb272c

Filesize: 20B
MD5: 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1: e68e02453ce22736169a56fdb59043d33668368f
SHA256: 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512: 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Filesize: 1KB
MD5: 1a258fa0c208068ad31c274808484c51
SHA1: 173f2f01125f086dfd2b32602896cee14cc070df
SHA256: 0ad83df3e0cc0fd13f235fc99a48f9ba2d55276157de25a29101c8bdfdc6e1a7
SHA512: 69411890d2d594d17878288646f9110cff2e147b8c3915bdca3dd4565567c839c2699597bc5d96b7f3398c872ddf61872f468e3308614585f2264646ee89b0e5

Filesize: 4KB
MD5: fa496deeb9b4d11c780cb1cc4544cd13
SHA1: f786ef1ac44cfd024ed2a30ceaca398610563c5a
SHA256: f4698d00fc4d5040a8ea55e36f42ee12c199c1f3a7db1dfa3e4b2e7d967a6088
SHA512: 65bc177ceb9dc1101c23d948bd3776a20f7ccff9ff363d31048559ec62967945bf0025a45ffac9dc7aa1ea6d12e4d0817031856596f9f5d7e11310d9e84f7576

Filesize: 4KB
MD5: 6f58bf6d7d4b2c4b6f2e75a71f776597
SHA1: 3a020e8ae30fab8c893ef4f2cce1dab9e81bf867
SHA256: d09c02f622e3226656dec517bc575ff7c8e2191fa01c7768fe1bd9307882786a
SHA512: 9a6794e6d9ed71380abffe5510bd96a2536bafdc6f9cb0ba053ae6bb83d0db252cea2baee5d8b12485178697ac571088bc9cf979ebed9806173ab8db3c90925f

Filesize: 24KB
MD5: d9c4de1c530253aabc452f488d49aca5
SHA1: 954a39425b0cfccaab2334ebc86b0d6899994765
SHA256: da0941da5091b4b27390b0e6c1a0a595499ec8606c4b59d1bd00152e88fee3ea
SHA512: 02b033f7a565aa168c54e5147613d1891d03e5c5868141781b7051b4de328f1dad3a1e6dd50c44d7d9d01ad7227488d63269db25a1dd16f66fb394aeb053f83d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe57ed00.TMP
Filesize: 24KB
MD5: 19aed8b21bf70b40cb65f0d749c0ef80
SHA1: fabfe5ad3044e9d824c5024fadf0366a6e646596
SHA256: 046ad0987cd060556f04141c3b6b09ce96294f765422c17db958ccd6cfaddb02
SHA512: 6c82d3ab9cbddf9624c7b124cae622fce22b41ace93ba9a8399f2951252785dde0011d8e9160d58a7ab71a579cbbe6eaa38745ac5c7c6b04bc7a274bcf14f816

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
Filesize: 8KB
MD5: cf89d16bb9107c631daabf0c0ee58efb
SHA1: 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256: d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512: 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2
Filesize: 8KB
MD5: 0962291d6d367570bee5454721c17e11
SHA1: 59d10a893ef321a706a9255176761366115bedcb
SHA256: ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512: f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3
Filesize: 8KB
MD5: 41876349cb12d6db992f1309f22df3f0
SHA1: 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256: e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512: e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\bfb1bbe7-fc83-4f29-9982-3368fb248b5d.tmp
Filesize: 4KB
MD5: 9911a988305d5a008c93ec7f5702f6e6
SHA1: 4c186039bf7472f94b9c7b4d2830636ffbca3389
SHA256: cc26fe66378ffd844eecc5752e535f97128b1e19e109ece616d7452455f760e8
SHA512: 2b068419590ce45c6f7ac042e5bbaf94334572ae89130ac2caa72b8aa80d8cf00cb7f1b6d71192a4e4c412d06eecddaf6c19f8614f335e52504f355d04be04ad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\c8431748-5eb2-4f95-9ea6-d4c5e1b74ad9.tmp
Filesize: 9KB
MD5: 60b1f144edd0ba4570842c9f60d7d536
SHA1: ef3a3e1ecbc11c73aca3aea8657cf94307c42521
SHA256: c4503955ee94456537a88d6275e28ad216b6fabfdefef461c25985f64324e416
SHA512: af721dcf65d55348db07b4232fa04c5cff72e6d0987107dbb7bc4e069bb47115d84af572a6d473b429f5cae6312b95b92917d862b9b3eb163b198db585aca628

Filesize: 1.8MB
MD5: 1f168ecf05a514a49417ac8cf81523f1
SHA1: 4675d4458cdd7b48bdeaaedb954e17b28afc5503
SHA256: d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469
SHA512: cec0800341c266fe8edfbae52b8f098f3e474ee4c2912f23abb08bf3184e5f70dc191cd0257e6356b5bf193b8da9140c9dc5286a6da32abb7b403f1e8cd59722

Filesize: 896KB
MD5: 38f98be80e6670f46efc8544d762cfd4
SHA1: fcad2e65d0977f0ab297049d5c9c32450b230d2a
SHA256: fb5cdb8d0f5558d5544c7722e616fbb498b501484f6ad0d1e2a2fe8118574996
SHA512: 60a0c8f5516b41faa57ec4010eaed39a255ad2c96e58d7ae1273d3ef44196ea50b4f64c52e8301a95e45139ccd52bd9b52d177121ad1c77289bed89ac49c04cf

Filesize: 389KB
MD5: f47cc7dc355ae01926f6065316c3bd68
SHA1: 6b575930185f216e4fa5116fdcc8906eb9f53af9
SHA256: 25741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794
SHA512: cf076a077130b8dd48f3e27a6aaba411a6c8833ab8b926c99fc3fb66130694db1ce668103c44aba6196705a9722b68da16287ea8a63ffed250bcf92bba68154e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HINP51UAIXLG1KQC8YON.temp
Filesize: 3KB
MD5: d14804ea2db475eda46a9d497918ee13
SHA1: 49f162d314dcb1945b26631372d62eb990950292
SHA256: 402313e24fef47dbdb92deb0813860a92dc0b0d321fc5abba3e2af513090be95
SHA512: a01f8ca8ccee458fb1d9215edd173dd90bcf6c3018c587154527302ae6076c7a92be31d38eb51d2149d83ff9bb0c29d15aae76222f29ea6e375e784fbf2cf9d5

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e