Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-09-2024 07:07
Static task: static1
Behavioral task: behavioral1
Sample: 1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3.exe
Resource: win10v2004-20240802-en
General
Target: 1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3.exe
Size: 1.8MB
MD5: bfc685780b8aa05d0f9fa713cf4ae14b
SHA1: 630d419e10382c75511edd57184e24bea454fc42
SHA256: 1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3
SHA512: 508131b3e029dbd6f99286649ad9777c083cb4e1e4e83acd897abf9f64f048788968f9e0a0609ffe94dd981188d6b6deefe009f81faaa6db8fe2e30f364aedf9
SSDEEP: 24576:IKVMSiugnf7PrtfNtnZFSNXQK3gmNpKyXNS3TuuoOh1e+rKxSo3Zzs/QB5QWLQ5j:Imqugnf7PJNtZYNXt35X9H+h1JGZKL
Malware Config
Extracted: amadey
4.41
c7817d
http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php
Extracted: stealc
rave
http://185.215.113.103
url_path: /e2b1563c6670f193.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 5 IoCs]
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Downloads MZ/PE file
Checks BIOS information in registry [2 TTPs, 10 IoCs]
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Checks computer location settings [2 TTPs, 2 IoCs]
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | 1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | svoutse.exe
Executes dropped EXE [7 IoCs]
pid | process
1360 | svoutse.exe
2776 | 46cd856517.exe
3140 | f38517831b.exe
1676 | 5163d94cda.exe
2700 | svoutse.exe
5524 | svoutse.exe
5312 | svoutse.exe
Identifies Wine through registry keys [2 TTPs, 5 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | 1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3.exe
Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | svoutse.exe
Adds Run key to start application [2 TTPs, 2 IoCs]
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f38517831b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\f38517831b.exe" | svoutse.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5163d94cda.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\5163d94cda.exe" | svoutse.exe
AutoIT Executable [1 IoCs]
AutoIT scripts compiled to PE executables.
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000036001\5163d94cda.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger [5 IoCs]
pid | process
2072 | 1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3.exe
1360 | svoutse.exe
2700 | svoutse.exe
5524 | svoutse.exe
5312 | svoutse.exe
Drops file in Windows directory [1 IoCs]
description | ioc | process
File created | C:\Windows\Tasks\svoutse.job | 1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3.exe
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s).
Program crash [2 IoCs]
pid | pid_target | process | target process
2640 | 2776 | WerFault.exe | 46cd856517.exe
5872 | 3140 | WerFault.exe | f38517831b.exe
System Location Discovery: System Language Discovery [1 TTPs, 5 IoCs]
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 46cd856517.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f38517831b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5163d94cda.exe
Enumerates system info in registry [2 TTPs, 3 IoCs]
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies registry class [1 IoCs]
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: EnumeratesProcesses [20 IoCs]
pid | process
2072 | 1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3.exe
2072 | 1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3.exe
1360 | svoutse.exe
1360 | svoutse.exe
4072 | msedge.exe
4072 | msedge.exe
868 | msedge.exe
868 | msedge.exe
2700 | svoutse.exe
2700 | svoutse.exe
6036 | identity_helper.exe
6036 | identity_helper.exe
5524 | svoutse.exe
5524 | svoutse.exe
5552 | msedge.exe
5552 | msedge.exe
5552 | msedge.exe
5552 | msedge.exe
5312 | svoutse.exe
5312 | svoutse.exe
Suspicious behavior: GetForegroundWindowSpam [1 IoCs]
pid | process
1676 | 5163d94cda.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [31 IoCs]
pid | process | occurrences
868 | msedge.exe | 31
Suspicious use of FindShellTrayWindow [64 IoCs]
pid | process | occurrences
1676 | 5163d94cda.exe | 61
868 | msedge.exe | 3
Suspicious use of SendNotifyMessage [64 IoCs]
pid | process | occurrences
1676 | 5163d94cda.exe | 64
Suspicious use of WriteProcessMemory [64 IoCs]
pid | process | target pid | target process | occurrences
2072 | 1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3.exe | 1360 | svoutse.exe | 3
1360 | svoutse.exe | 2776 | 46cd856517.exe | 3
1360 | svoutse.exe | 3140 | f38517831b.exe | 3
1360 | svoutse.exe | 1676 | 5163d94cda.exe | 3
1676 | 5163d94cda.exe | 868 | msedge.exe | 2
868 | msedge.exe | 2208 | msedge.exe | 2
868 | msedge.exe | 3540 | msedge.exe | 40
868 | msedge.exe | 4072 | msedge.exe | 2
868 | msedge.exe | 4548 | msedge.exe | 6
Processes
Level 1: "C:\Users\Admin\AppData\Local\Temp\1b4ea9e6e51cee478601ead6d4749263552def041cafff0af2b4b5b39798acf3.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2072
  Level 2: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1360
    Level 3: "C:\Users\Admin\AppData\Roaming\1000026000\46cd856517.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2776
      Level 4: C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 1012
      - Program crash
      PID: 2640
    Level 3: "C:\Users\Admin\AppData\Local\Temp\1000030001\f38517831b.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3140
      Level 4: C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1016
      - Program crash
      PID: 5872
    Level 3: "C:\Users\Admin\AppData\Local\Temp\1000036001\5163d94cda.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1676
      Level 4: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 868
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbec346f8,0x7ffdbec34708,0x7ffdbec34718
        PID: 2208
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        PID: 3540
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
        PID: 4072
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
        PID: 4548
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
        PID: 644
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
        PID: 4436
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
        PID: 2888
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
        PID: 2188
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1
        PID: 4432
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
        PID: 4316
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
        PID: 3632
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
        PID: 2192
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
        PID: 1684
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
        PID: 2800
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
        PID: 3260
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
        PID: 4208
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
        PID: 5048
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
        PID: 4476
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
        PID: 4080
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
        PID: 2504
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
        PID: 5180
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
        PID: 5188
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
        PID: 5228
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
        PID: 5236
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
        PID: 5340
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7200 /prefetch:1
        PID: 5364
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7216 /prefetch:1
        PID: 5372
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7440 /prefetch:1
        PID: 5380
        Level 5: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
        PID: 5404
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:15⤵PID:5844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:15⤵PID:5912
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:15⤵PID:5920
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:15⤵PID:5928
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8420 /prefetch:15⤵PID:5720
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8484 /prefetch:15⤵PID:5968
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7860 /prefetch:85⤵PID:6096
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7860 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:6036 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9503697586414757630,484975884257023356,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8392 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:5552
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2776 -ip 27761⤵PID:2456
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2036
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2700
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3140 -ip 31401⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5524
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5312
Network
MITRE ATT&CK Enterprise v15
Downloads