Analysis

max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-09-2024 07:00

Static task: static1
Behavioral task: behavioral1
Sample: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
Resource: win7-20240903-en
General

Target: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
Size: 1.8MB
MD5: 82ddd34be23d13d4fe950d51df9f1a9a
SHA1: 5518b021fa41c05fd6031ff377331c718c458ae3
SHA256: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b
SHA512: 29d277a18ce99b8a80a1cfb9ea880c7d3c30a399fdd0c9af6249435231c26d85f5b7160154d2033539b68a601bc302463a9ce659504eda76c6371f97710608a1
SSDEEP: 49152:WX+klqZySQ0gltPWH21lgbBteJWvd/zDcl2d+jE6d:ClqYkgltg21l4OJWl/zDq2dbE
Malware Config

Extracted: amadey
  Version: 4.41
  Botnet: c7817d
  C2: http://31.41.244.10
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php

Extracted: stealc
  Botnet: rave
  C2: http://185.215.113.103
  url_path: /e2b1563c6670f193.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 4 IoCs
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   svoutse.exe (3 instances)

Downloads MZ/PE file

Checks BIOS information in registry - 2 TTPs, 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   svoutse.exe (3 instances)
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    svoutse.exe (3 instances)

Checks computer location settings - 2 TTPs, 2 IoCs
Looks up the country code configured in the registry, most likely for geofencing.
  Key value queried   \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation   454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation   svoutse.exe

Executes dropped EXE - 6 IoCs
  PID 1168   svoutse.exe
  PID 4400   377a4a0525.exe
  PID 1420   4f843eb5fb.exe
  PID 4568   6d2c111a89.exe
  PID 7160   svoutse.exe
  PID 5548   svoutse.exe

Identifies Wine through registry keys - 2 TTPs, 4 IoCs
Wine is a compatibility layer capable of running Windows applications; it is also used as a sandboxing environment.
  Key opened   \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine   454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine   svoutse.exe (3 instances)

Adds Run key to start application - 2 TTPs, 2 IoCs
  Set value (str)   \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6d2c111a89.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\6d2c111a89.exe"   svoutse.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4f843eb5fb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\4f843eb5fb.exe"   svoutse.exe
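The registry signatures above (VirtualBox ACPI table, BIOS version strings, Wine key, Geo\Nation, and the Run keys pointing into %TEMP%) are the kind of events a detection engineer wants to score rather than read one by one. The following Python is an added example, not part of the report or of any sandbox vendor's code: it replays the report's registry IoCs as constructed log lines in an assumed "operation|process|key[|value]" format, flags a process as sandbox-fingerprinting when it touches two or more of those keys, and flags Run-key writes whose target lives under a user's AppData directory. The msedge.exe BIOS reads from the report and a constructed explorer.exe OneDrive Run key are included as benign controls that must not trip either rule.

```python
"""Triage registry events from a sandbox run for anti-analysis and persistence.

Added example, not part of the original report or of any vendor tooling.
The registry paths are the ones the report shows being touched; the event
line format ("<operation>|<process>|<key>[|<value>]") and the sample lines
are constructed for this example.
"""
import re
from collections import defaultdict

SAMPLE = "454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe"
HKLM = r"\REGISTRY\MACHINE"
HKU = r"\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000"

# Keys read to fingerprint VirtualBox, generic BIOS strings, Wine and the
# configured country before the payload commits to running.
FINGERPRINT_KEYS = {
    r"\HARDWARE\ACPI\DSDT\VBOX__": "virtualbox-acpi",
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios-version",
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "video-bios-version",
    r"\Software\Wine": "wine",
    r"\Control Panel\International\Geo\Nation": "geo-nation",
}
# One category alone is common in benign software; several from one process is deliberate.
FINGERPRINT_THRESHOLD = 2

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Persistence targets under a user profile's AppData (Temp, Local, Roaming) are the red flag.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)

# Constructed from the report's IoC tables (paths unescaped). The msedge.exe and
# explorer.exe lines are benign controls that should not be flagged.
SAMPLE_EVENTS = [
    "Key opened|" + SAMPLE + "|" + HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__",
    "Key value queried|" + SAMPLE + "|" + HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    "Key value queried|" + SAMPLE + "|" + HKLM + r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    "Key value queried|" + SAMPLE + "|" + HKU + r"\Control Panel\International\Geo\Nation",
    "Key opened|" + SAMPLE + "|" + HKU + r"\Software\Wine",
    "Key opened|svoutse.exe|" + HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__",
    "Key value queried|svoutse.exe|" + HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    "Key opened|svoutse.exe|" + HKU + r"\Software\Wine",
    "Set value (str)|svoutse.exe|" + HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6d2c111a89.exe"
    + r"|C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe",
    "Set value (str)|svoutse.exe|" + HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4f843eb5fb.exe"
    + r"|C:\Users\Admin\AppData\Local\Temp\1000030001\4f843eb5fb.exe",
    "Key value queried|msedge.exe|" + HKLM + r"\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName",
    "Key value queried|msedge.exe|" + HKLM + r"\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
    "Set value (str)|explorer.exe|" + HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"
    + r"|C:\Program Files\Microsoft OneDrive\OneDrive.exe",
]


def parse_event(line):
    """Split one 'op|process|key[|value]' line into a dict; raise on malformed input."""
    parts = line.split("|", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed event: {line!r}")
    op, process, key = parts[:3]
    return {"op": op, "process": process, "key": key,
            "value": parts[3] if len(parts) == 4 else None}


def fingerprint_hits(events):
    """Map each process to the sorted fingerprint categories it touched."""
    hits = defaultdict(set)
    for ev in events:
        key = ev["key"].lower()
        for suffix, tag in FINGERPRINT_KEYS.items():
            if key.endswith(suffix.lower()):
                hits[ev["process"]].add(tag)
    return {proc: sorted(tags) for proc, tags in hits.items()}


def suspicious_fingerprinters(events, threshold=FINGERPRINT_THRESHOLD):
    """Processes that hit at least `threshold` distinct fingerprint categories."""
    return sorted(p for p, tags in fingerprint_hits(events).items() if len(tags) >= threshold)


def suspicious_run_keys(events):
    """Run-key writes whose target executable lives in a user-writable AppData path."""
    flagged = []
    for ev in events:
        if not ev["op"].startswith("Set value") or not RUN_KEY.search(ev["key"]):
            continue
        target = (ev["value"] or "").strip('"')
        if USER_WRITABLE.search(target):
            flagged.append((ev["process"], ev["key"].rsplit("\\", 1)[-1], target))
    return flagged


def triage(lines):
    """Run both rules over raw event lines and return the findings."""
    events = [parse_event(line) for line in lines]
    return {
        "fingerprinters": suspicious_fingerprinters(events),
        "fingerprint_detail": fingerprint_hits(events),
        "run_keys": suspicious_run_keys(events),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for proc in result["fingerprinters"]:
        print(f"[anti-analysis] {proc}: {', '.join(result['fingerprint_detail'][proc])}")
    for proc, name, target in result["run_keys"]:
        print(f"[persistence]   {proc} set Run\\{name} -> {target}")
```

The threshold is the important design choice: Edge reading BIOS\SystemManufacturer is normal telemetry, and a single Wine or Geo\Nation lookup is common in installers, so the rule fires only when one process combines several fingerprinting reads, which is what both the dropper and svoutse.exe do here.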
AutoIT Executable - 1 IoCs
AutoIT scripts compiled to PE executables.
  yara_rule autoit_exe   C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe

Suspicious use of NtSetInformationThreadHideFromDebugger - 4 IoCs
  PID 4664   454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
  PID 1168   svoutse.exe
  PID 7160   svoutse.exe
  PID 5548   svoutse.exe

Drops file in Windows directory - 1 IoCs
  File created   C:\Windows\Tasks\svoutse.job   454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe

Enumerates physical storage devices - 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash - 2 IoCs
  PID 5396   WerFault.exe   target PID 4400   377a4a0525.exe
  PID 6296   WerFault.exe   target PID 1420   4f843eb5fb.exe

System Location Discovery: System Language Discovery - 1 TTPs, 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svoutse.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   377a4a0525.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   4f843eb5fb.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   6d2c111a89.exe

Enumerates system info in registry - 2 TTPs, 3 IoCs
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS   msedge.exe

Modifies data under HKEY_USERS - 2 IoCs
  Key created       \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry   msedge.exe
  Set value (int)   \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133704252363135253"   msedge.exe

Modifies registry class - 2 IoCs
  Key created   \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{9ABC1BBF-C464-4A86-8C60-8D098D60F01D}   msedge.exe
  Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\   msedge.exe

Suspicious behavior: EnumeratesProcesses - 12 IoCs
  PID 4664   454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe (2 events)
  PID 1168   svoutse.exe (2 events)
  PID 7160   svoutse.exe (2 events)
  PID 2780   msedge.exe (2 events)
  PID 5548   svoutse.exe (2 events)
  PID 6792   msedge.exe (2 events)

Suspicious behavior: GetForegroundWindowSpam - 1 IoCs
  PID 4568   6d2c111a89.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary - 25 IoCs
  PID 2780   msedge.exe (25 events)

Suspicious use of FindShellTrayWindow - 64 IoCs
  PID 4664   454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe (1 event)
  PID 4568   6d2c111a89.exe (61 events)
  PID 2780   msedge.exe (2 events)

Suspicious use of SendNotifyMessage - 64 IoCs
  PID 4568   6d2c111a89.exe (64 events)

Suspicious use of WriteProcessMemory - 64 IoCs
Repeated rows collapsed to unique parent/child pairs with event counts:
  PID 4664   454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe   wrote to   PID 1168   svoutse.exe       (3 events)
  PID 1168   svoutse.exe      wrote to   PID 4400   377a4a0525.exe   (3 events)
  PID 1168   svoutse.exe      wrote to   PID 1420   4f843eb5fb.exe   (3 events)
  PID 1168   svoutse.exe      wrote to   PID 4568   6d2c111a89.exe   (3 events)
  PID 4568   6d2c111a89.exe   wrote to   PID 2780   msedge.exe       (2 events)
  PID 2780   msedge.exe       wrote to   PID 3268   msedge.exe       (2 events)
  PID 2780   msedge.exe       wrote to   PID 1636   msedge.exe       (48 events)
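The WriteProcessMemory table is the most useful data in the report for reconstructing who launched whom, but it arrives as one row per call, so a single Edge broker/GPU pair drowns out the dropper chain. The Python below is an added example, not code from the report or from any sandbox vendor: it parses rows in the flattened "PID A wrote to memory of B A process target" shape from a constructed excerpt of the table above (repeats kept on purpose), collapses them to unique edges, finds the root, and prints the tree and the noisiest pairs.

```python
"""Rebuild the process chain from a report's WriteProcessMemory rows.

Added example, not part of the original report. Sandbox reports emit one
"PID A wrote to memory of B" row per call, so a parent/child pair repeats
(the Edge broker writing to its GPU child accounts for most of the 64 rows
above). Collapsing rows to unique edges and walking from the root exposes
the chain: dropper -> loader -> dropped payloads -> browser. The excerpt
below is constructed from the report's table and deliberately keeps repeats.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe"

# Row shape in the flattened table:
# "PID <pid> wrote to memory of <target pid> <pid> <process> <target process>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")

# Constructed excerpt of the report's table (9 rows, 7 distinct pairs).
WPM_TEXT = (
    f"PID 4664 wrote to memory of 1168 4664 {SAMPLE} svoutse.exe "
    f"PID 4664 wrote to memory of 1168 4664 {SAMPLE} svoutse.exe "
    "PID 1168 wrote to memory of 4400 1168 svoutse.exe 377a4a0525.exe "
    "PID 1168 wrote to memory of 1420 1168 svoutse.exe 4f843eb5fb.exe "
    "PID 1168 wrote to memory of 4568 1168 svoutse.exe 6d2c111a89.exe "
    "PID 4568 wrote to memory of 2780 4568 6d2c111a89.exe msedge.exe "
    "PID 2780 wrote to memory of 3268 2780 msedge.exe msedge.exe "
    "PID 2780 wrote to memory of 1636 2780 msedge.exe msedge.exe "
    "PID 2780 wrote to memory of 1636 2780 msedge.exe msedge.exe"
)


def parse_rows(text):
    """Return (src_pid, dst_pid, src_name, dst_name) tuples, one per row in the text."""
    return [(int(src), int(dst), proc, target)
            for src, dst, proc, target in ROW_RE.findall(text)]


def unique_edges(rows):
    """Collapse repeated rows into {parent_pid: {child_pid, ...}} plus a pid -> image name map."""
    edges = defaultdict(set)
    names = {}
    for src, dst, proc, target in rows:
        edges[src].add(dst)
        names[src] = proc
        names[dst] = target
    return dict(edges), names


def write_counts(rows):
    """How often each parent wrote into each child; a very hot pair is usually
    a host process (here the Edge broker) servicing its own children."""
    return Counter((src, dst) for src, dst, _, _ in rows)


def roots(edges):
    """PIDs that write to others but are never written to themselves."""
    children = {c for kids in edges.values() for c in kids}
    return sorted(p for p in edges if p not in children)


def chains(edges, start):
    """Every root-to-leaf PID path below `start`, depth first."""
    paths = []

    def walk(node, path):
        kids = edges.get(node)
        if not kids:
            paths.append(path)
            return
        for kid in sorted(kids):
            walk(kid, path + [kid])

    walk(start, [start])
    return paths


def render(edges, names, node, depth=0, out=None):
    """Indented text tree, one line per distinct PID."""
    if out is None:
        out = []
    out.append("  " * depth + f"{names[node]} (PID {node})")
    for kid in sorted(edges.get(node, ())):
        render(edges, names, kid, depth + 1, out)
    return out


if __name__ == "__main__":
    rows = parse_rows(WPM_TEXT)
    edges, names = unique_edges(rows)
    for root in roots(edges):
        print("\n".join(render(edges, names, root)))
    for (src, dst), n in write_counts(rows).most_common(3):
        print(f"{names[src]} ({src}) -> {names[dst]} ({dst}): {n} writes")
```

Run against the full table the same code yields the chain the Processes section shows: the sample writes into svoutse.exe, svoutse.exe into the three dropped payloads, and the AutoIT payload 6d2c111a89.exe into the Edge kiosk process, whose own child writes are ordinary browser plumbing.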
Processes

C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe  (PID 4664)
  Command line: "C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe  (PID 1168)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\1000026000\377a4a0525.exe  (PID 4400)
      Command line: "C:\Users\Admin\AppData\Roaming\1000026000\377a4a0525.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe  (PID 5396)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1304
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\1000030001\4f843eb5fb.exe  (PID 1420)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\4f843eb5fb.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe  (PID 6296)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1012
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe  (PID 4568)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2780)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3268)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffa1f0bd198,0x7ffa1f0bd1a4,0x7ffa1f0bd1b0

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1636)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2336,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5108)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1784,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2356 /prefetch:3

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 828)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2212,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2468 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4536)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3424,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1048)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3432,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5436)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4540,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4564 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5444)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4632 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5492)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4980,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5540)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4984,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5012 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5592)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5416,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5604)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4528,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5564 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5636)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5580,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5592 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5652)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5832,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5660)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5756,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5668)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5896,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6000 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5684)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5556,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5700)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4192,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5724)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6412,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5900 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5740)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=6664,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6764 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5768)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5836,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6948 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5776)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6940,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5404 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5784)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6992,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5792)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=7120,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7244 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5800)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=7136,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6960 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5808)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4156,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7524 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5816)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7736,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6648 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7840,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7848 /prefetch:15⤵PID:5824
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=4552,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7788 /prefetch:15⤵PID:5832
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --field-trial-handle=5020,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5076 /prefetch:85⤵PID:5624
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7264,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7344 /prefetch:85⤵PID:5568
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7264,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7344 /prefetch:85⤵PID:5996
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=5044,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:85⤵PID:6288
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=5048,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:85⤵PID:6276
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5244,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:85⤵PID:3992
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6964,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6996 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:6792
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4400 -ip 44001⤵PID:5720
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:81⤵PID:5612
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1420 -ip 14201⤵PID:6272
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:7160
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5548
Network
MITRE ATT&CK Enterprise v15
Downloads