Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-09-2024 06:16

Static task: static1
Behavioral task: behavioral1
Sample: 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
Resource: win7-20240903-en
General
Target: 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
Size: 1.7MB
MD5: 13a7ce03877b76aeae5920065b34a7ec
SHA1: ead077227858fb9404d1857d25567849b9e77c92
SHA256: 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f
SHA512: fdf6c139a89a9c988fea0620a81718dca1a64bd3ae07fb4bc097b0ccb3f3ebee057a82f72922b66937f031ff29a5ac08e2aad32d4c1cdd099426bb52090243bf
SSDEEP: 49152:NRB3UgNCnW0CZ3KcYveQEgRuIo6/iTDi/2nuVViWQtp:xU2Z3KcYjHRuTHiYehQ
Malware Config

Extracted
Family: stealc
Botnet: rave
C2: http://185.215.113.103
url_path: /e2b1563c6670f193.php

Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to or copy of a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | HIDHDAAEHI.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | HIDHDAAEHI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | HIDHDAAEHI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | HIDHDAAEHI.exe
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | svoutse.exe

Executes dropped EXE 8 IoCs
Processes (pid | process):
4176 | HIDHDAAEHI.exe
4944 | svoutse.exe
4628 | cb360b9376.exe
1356 | 264c3cc630.exe
5072 | 4464686541.exe
4032 | svoutse.exe
4032 | svoutse.exe
3540 | svoutse.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | HIDHDAAEHI.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | svoutse.exe

Loads dropped DLL 2 IoCs
Processes (pid | process):
1072 | 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
1072 | 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 2 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\264c3cc630.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\264c3cc630.exe" | svoutse.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4464686541.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\4464686541.exe" | svoutse.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource | yara_rule):
C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes (pid | process):
1072 | 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
4176 | HIDHDAAEHI.exe
4944 | svoutse.exe
4032 | svoutse.exe
4032 | svoutse.exe
3540 | svoutse.exe

Drops file in Windows directory 1 IoCs
Processes (description | ioc | process):
File created | C:\Windows\Tasks\svoutse.job | HIDHDAAEHI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 2 IoCs
Processes (pid | pid_target | process | target process):
3992 | 4628 | WerFault.exe | cb360b9376.exe
2420 | 1356 | WerFault.exe | 264c3cc630.exe
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 264c3cc630.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4464686541.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HIDHDAAEHI.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cb360b9376.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe

Enumerates system info in registry 2 TTPs 3 IoCs
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class 1 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes (pid | process; distinct entries):
1072 | 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
4176 | HIDHDAAEHI.exe
4944 | svoutse.exe
4032 | svoutse.exe
4432 | msedge.exe
1672 | msedge.exe
3272 | identity_helper.exe
3540 | svoutse.exe
5564 | msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid | process):
5072 | 4464686541.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs
Processes (pid | process; distinct entries):
1672 | msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs
Processes (pid | process; distinct entries):
5072 | 4464686541.exe
1672 | msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs
Processes (pid | process; distinct entries):
5072 | 4464686541.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid | process | target process; distinct entries):
PID 1072 wrote to memory of 1868 | 1072 | 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | cmd.exe
PID 1868 wrote to memory of 4176 | 1868 | cmd.exe | HIDHDAAEHI.exe
PID 4176 wrote to memory of 4944 | 4176 | HIDHDAAEHI.exe | svoutse.exe
PID 4944 wrote to memory of 4628 | 4944 | svoutse.exe | cb360b9376.exe
PID 4944 wrote to memory of 1356 | 4944 | svoutse.exe | 264c3cc630.exe
PID 4944 wrote to memory of 5072 | 4944 | svoutse.exe | 4464686541.exe
PID 5072 wrote to memory of 1672 | 5072 | 4464686541.exe | msedge.exe
PID 1672 wrote to memory of 4696 | 1672 | msedge.exe | msedge.exe
PID 1672 wrote to memory of 3632 | 1672 | msedge.exe | msedge.exe
PID 1672 wrote to memory of 4432 | 1672 | msedge.exe | msedge.exe
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1072
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\HIDHDAAEHI.exe"
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1868
    - [3] C:\ProgramData\HIDHDAAEHI.exe
      Command line: "C:\ProgramData\HIDHDAAEHI.exe"
      Signatures:
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 4176
      - [4] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
        Signatures:
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 4944
        - [5] C:\Users\Admin\AppData\Roaming\1000026000\cb360b9376.exe
          Command line: "C:\Users\Admin\AppData\Roaming\1000026000\cb360b9376.exe"
          Signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4628
          - [6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1320
            Signatures:
            - Program crash
            PID: 3992
        - [5] C:\Users\Admin\AppData\Local\Temp\1000030001\264c3cc630.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\264c3cc630.exe"
          Signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 1356
          - [6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1304
            Signatures:
            - Program crash
            PID: 2420
        - [5] C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe"
          Signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 5072
          - [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            Signatures:
            - Enumerates system info in registry
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            PID: 1672
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa499546f8,0x7ffa49954708,0x7ffa49954718
              PID: 4696
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
              PID: 3632
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
              Signatures:
              - Suspicious behavior: EnumeratesProcesses
              PID: 4432
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
              PID: 2040
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
              PID: 628
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
              PID: 860
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
              PID: 2112
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
              PID: 4520
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
              PID: 756
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
              PID: 1812
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
              PID: 2600
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
              PID: 2168
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
              PID: 1996
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
              PID: 4956
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
              PID: 2676
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
              PID: 4736
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
              PID: 4560
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
              PID: 1888
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
              PID: 1068
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
              PID: 3596
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
              PID: 3568
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
              PID: 1064
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
              PID: 5228
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:17⤵PID:5236
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:17⤵PID:5276
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:17⤵PID:5448
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:17⤵PID:5456
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:17⤵PID:5464
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:17⤵PID:5616
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:17⤵PID:5624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:17⤵PID:5844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:17⤵PID:5128
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7912 /prefetch:17⤵PID:4088
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8164 /prefetch:87⤵PID:6012
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8164 /prefetch:87⤵
- Suspicious behavior: EnumeratesProcesses
PID:3272 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7556 /prefetch:27⤵
- Suspicious behavior: EnumeratesProcesses
PID:5564
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4628 -ip 46281⤵PID:3976
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1356 -ip 13561⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4032
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4644
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5952
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (level 1, PID 3540)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (4)
- Credentials In Files (4)
Downloads