Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-09-2024 09:22
Static task: static1
Behavioral task: behavioral1
Sample: 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe
Resource: win10v2004-20240802-en
General
Target: 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe
Size: 1.8MB
MD5: 5bfca15aa84b99438a129e0ecaca71c9
SHA1: 85105b5989d512fcc2e3b221ecceb1e71b6585b3
SHA256: 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608
SHA512: 55af92d4906f1c3f5e2156f4c7090996859514ea44d2adf37b2dcec8d12e03bfef3d366eb6fed55e96079f86c3e92f4a033d6a68aa810460113abbe9affd6231
SSDEEP: 49152:RwlsOTS+WEawXwvwfU/ISghvH6HO2OgDujjCEYdz3Q6y:63pwYO+hvH6HO2O5jjC9U
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php
Extracted
Family: stealc
Botnet: rave
C2: http://185.215.113.103
url_path: /e2b1563c6670f193.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | svoutse.exe

Executes dropped EXE 7 IoCs
Processes:
pid | process
5076 | svoutse.exe
4996 | 58b49406f3.exe
1084 | 5330f2cf0d.exe
1524 | 150697483f.exe
3776 | svoutse.exe
3840 | svoutse.exe
1528 | svoutse.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5330f2cf0d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\5330f2cf0d.exe" | svoutse.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\150697483f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\150697483f.exe" | svoutse.exe

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000036001\150697483f.exe | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
pid | process
640 | 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe
5076 | svoutse.exe
3776 | svoutse.exe
3840 | svoutse.exe
1528 | svoutse.exe

Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\svoutse.job | 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
4296 | 4996 | WerFault.exe | 58b49406f3.exe
5256 | 1084 | WerFault.exe | 5330f2cf0d.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5330f2cf0d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 150697483f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 58b49406f3.exe

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

Modifies data under HKEY_USERS 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133704337645974416" | msedge.exe

Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{4E187177-A848-437E-A314-60CE6C9FDC1B} | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | process (entries)
640 | 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe (2)
5076 | svoutse.exe (2)
3776 | svoutse.exe (2)
2456 | msedge.exe (2)
3840 | svoutse.exe (2)
6072 | msedge.exe (2)
1528 | svoutse.exe (2)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1524 | 150697483f.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs
Processes:
pid | process (entries)
2456 | msedge.exe (27)

Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process (entries)
640 | 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe (1)
1524 | 150697483f.exe (61)
2456 | msedge.exe (2)

Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process (entries)
1524 | 150697483f.exe (64)

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (entries)
PID 640 wrote to memory of 5076 | 640 | 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe | svoutse.exe (3)
PID 5076 wrote to memory of 4996 | 5076 | svoutse.exe | 58b49406f3.exe (3)
PID 5076 wrote to memory of 1084 | 5076 | svoutse.exe | 5330f2cf0d.exe (3)
PID 5076 wrote to memory of 1524 | 5076 | svoutse.exe | 150697483f.exe (3)
PID 1524 wrote to memory of 2456 | 1524 | 150697483f.exe | msedge.exe (2)
PID 2456 wrote to memory of 588 | 2456 | msedge.exe | msedge.exe (2)
PID 2456 wrote to memory of 1912 | 2456 | msedge.exe | msedge.exe (48)

Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608.exe"
  PID: 640
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  [level 2] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    PID: 5076
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Users\Admin\AppData\Roaming\1000026000\58b49406f3.exe
      Command line: "C:\Users\Admin\AppData\Roaming\1000026000\58b49406f3.exe"
      PID: 4996
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      [level 4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1020
        PID: 4296
        - Program crash

    [level 3] C:\Users\Admin\AppData\Local\Temp\1000030001\5330f2cf0d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\5330f2cf0d.exe"
      PID: 1084
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      [level 4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1032
        PID: 5256
        - Program crash

    [level 3] C:\Users\Admin\AppData\Local\Temp\1000036001\150697483f.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\150697483f.exe"
      PID: 1524
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      [level 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        PID: 2456
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ff850dfd198,0x7ff850dfd1a4,0x7ff850dfd1b0
          PID: 588

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2244,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:2
          PID: 1912

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1860,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2300 /prefetch:3
          PID: 1020

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2424,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2516 /prefetch:8
          PID: 3092

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3320,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3344 /prefetch:1
          PID: 2448

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3328,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3372 /prefetch:1
          PID: 3912

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4476,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4492 /prefetch:1
          PID: 2344

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:2
          PID: 5128

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4656,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:1
          PID: 5136

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4628,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4784 /prefetch:2
          PID: 5144

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5016,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:2
          PID: 5152

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5180,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5192 /prefetch:2
          PID: 5196

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5320,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:1
          PID: 5208

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5340,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5684 /prefetch:2
          PID: 5304

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5492,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6036 /prefetch:1
          PID: 5364

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5508,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:2
          PID: 5388

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5392,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6308 /prefetch:1
          PID: 5396

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5540,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:2
          PID: 5408

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5776,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6564 /prefetch:1
          PID: 5424

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5784,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6708 /prefetch:2
          PID: 5468

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5800,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6832 /prefetch:1
          PID: 5476

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5736,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6976 /prefetch:2
          PID: 5496

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6700,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5164 /prefetch:1
          PID: 5124

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5788,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7388 /prefetch:1
          PID: 5212

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=7364,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7412 /prefetch:1
          PID: 5208

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=7632,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7432 /prefetch:1
          PID: 5396
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7736,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7772 /prefetch:15⤵PID:5428
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7748,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7796 /prefetch:15⤵PID:5488
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7764,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7800 /prefetch:15⤵PID:5508
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=6424,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7792 /prefetch:15⤵PID:5516
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=5216,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6420 /prefetch:15⤵PID:5204
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --field-trial-handle=6156,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6140 /prefetch:85⤵PID:1884
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4804,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4616 /prefetch:85⤵PID:2340
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4804,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4616 /prefetch:85⤵PID:5380
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=5660,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7116 /prefetch:85⤵PID:5944
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7052,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5668 /prefetch:85⤵PID:5968
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5672,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5704 /prefetch:85⤵PID:5776
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=7988,i,10339527885578989513,12180451786339286287,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6924 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:6072
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:81⤵PID:3684
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4996 -ip 49961⤵PID:4844
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1084 -ip 10841⤵PID:1704
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3776
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3840
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1528
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 280B
MD5 d6af0a5e387e931af608eb8d6790ff00
SHA1 898b92b6b53c3f8d8e62e501d044c7b9b71eea65
SHA256 64c9499183ec7ea5a770103015b1771f9900c30f6676547befb90fa7ce3efee0
SHA512 3a7042a8528630f0f5ddba0e639c3827fde7d0ff4fff472f8457cea1bee4bc69cba158f55c428dcab5eba3178805367268cebe73f408bb03b143840f62c0a5ea
-
Filesize 280B
MD5 5b57eb18c876dc8ce83f272a13abcd96
SHA1 26f1535e898c0089ac47ab872d068f069414f7ac
SHA256 a347c3bb8590973a8157fc689afb2a3458d0be3b85007d5e964db8bafdc09092
SHA512 b02c1e7e16eee43052297bb00daa625de6bd56769dfaa47dcc686cac79df591ce07743156b24695f42e04b70a14b4631bf45c831420d3235f45f83bd3d0bc91d
-
Filesize 20B
MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\097deddd-bfc4-47d2-a9e3-378adea134c9.tmp
Filesize 23KB
MD5 5fa8eb5cbffdf6e30b2c77117ae8f235
SHA1 e7f9916bcd2322bf46ae59c623498016cdc146f5
SHA256 d2981bd9e82a86d671df9c1035cb04f00f86faf06e555eefdd52a43ce6819b69
SHA512 51375b2485d96751674c1766d8f3551faac9e741a02e1ea88299849a26745c90bf600f65007326d0a112056213aaebbaf5203c27efb2e8c164930a3836866806
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\582b0b12-5a8a-4a4e-b750-e7176b8b8ad9.tmp
Filesize 6KB
MD5 14321ea7d58c33f36a2c0cbd2c14cce9
SHA1 4b4387dd81e9b376bd236736c4296448a4fcdaa5
SHA256 fc24fda70b4df5aec7bb333242e26ae96cdc792b9e53162b438c13769105ce17
SHA512 ee890615aea81648b7c42726aee91a07dbbfcb1b52c4655fb3d05bf7a84e3cc8cbae3f48162d7c1b306777bff5b112bbe3f33419899f9679ea1852c08150bee6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index
Filesize 408B
MD5 bedbe591977edc359f1a25c71e2074a3
SHA1 66e3e5777d687da816085fd6bc134fdf005e80c4
SHA256 3ef5c4240755ca3451f6abd90857b54603bc1250fed1d1a9ccf131c27315d949
SHA512 7bc3e6816175a577f3ea122612dfe69bc754d42312c7bdaacc73b0b3f669cc4c9e3858779e8343f17e53fae670744f646a0e8e29cd3c64f2b407fbed3707f4db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index~RFe58a2c3.TMP
Filesize 48B
MD5 f995ad334b9e9b4ffe1412cd73b0f6a1
SHA1 32499d15930aa89a8a8b877d8699beb870b3a64a
SHA256 f10e528ab83de646c7585da383d205d0fa772b2db33107b2f73a3bd2d43523b1
SHA512 a014c19422110b6e0493546a47bad630e900eed2031a038a07fda227e3df3cdaaa3834fe5d72055207067ee96e697160a1231e7d9b31e04ec45fc2c8f52f51d5
-
Filesize 256KB
MD5 235671cd49fd91cb93806cedc61144ca
SHA1 b336b10da0f032fd7888cb91a0f1f21cf5f05eda
SHA256 525db64e8aac9e699e2ef32d5e67984a19861fffc012f483c8ca9216de44cdd5
SHA512 f88ff73805b2e8dd5b3969f097951eaf4d459c6c2017de99c22d97e32b649c5859d3a51caa871de6cc58f79bdf7faef98608099e33e5605b4fd33c12346fbd2f
-
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State
Filesize 627B
MD5 fe8e2eeca47a32aaeb376eccafa59459
SHA1 88b8bd6d1337fee21135bd3fd7dd541ebcbc5cd3
SHA256 e227d2dc33bfb57872de8815f4700f4e52be607d770cd648f884e7e115a5e3c3
SHA512 56783d5890c9bfd1f45d596a4eeaf1abc221d29e17f79c86156a8f936fa5841a06abb051390cd7736cd915361401de978e94d7e66459ddb27be8378db17ec5de
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State
Filesize 59B
MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 7KB
MD5 7e8adba352f1011a5b19699709807a11
SHA1 61ce4d26e28883acfd935f9a9276c59f1e716923
SHA256 9da374e9e1c78fb9b43612b6fa53d994a1c0d259c5279682b68f82f09a9a79f3
SHA512 d0449730ee3584afa9f5736da60aea48414112f5ec0b0e0c155e1b2b35903c734876bb29b3c34a26144531b34720879352641c3453ee522538fde14969373405
-
Filesize 24B
MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index
Filesize 72B
MD5 9f76864b0de2d66cdc29aecee551d08a
SHA1 83afe4b781ce358030703900ccac01cf07560fd6
SHA256 0ca7f7630662ba8705d1fd14dc4f4898cd4f2297a73a357cc2a51d60132f1671
SHA512 3be2081d592b3e4e00add3aad9578f7b2262dc16901e563b431bd83299f786fd4a8ac5f5edd070bfbb2dd8be009ea38fdfd4b29630cd457ff8879840523fca14
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index~RFe58a1e8.TMP
Filesize 48B
MD5 dbc7336c2cb7e3f2c98481b7aa7cd809
SHA1 cb420d79984f82328a159770ec6595ab0a3b9e83
SHA256 4ef6698c5ba82ef9a5f3293ae1d245f4da79aab2591dfef58e8f9a0102fddd5f
SHA512 433820992200e724aadfa17b5f175f5650c24a743aa04b59248d9d3e7f31d9026817fdd900929cd4c5605ce42d0e04825662a0a38afbca1f829f0816f8ba82c8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnWebGPUCache\data_1
Filesize 264KB
MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
Filesize 8KB
MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2
Filesize 8KB
MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3
Filesize 8KB
MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize 1KB
MD5 5bbe09d664b12a1b63f37c7c4ed49eb6
SHA1 70490662e3d2561f9ea287f01be293791c8371e8
SHA256 94d513349c3c72516d9ca9a0dfd1697f5806006d9da9c5d4b37b2c96ea3d9dd7
SHA512 d323f8c4b0cfb7f346f03da9c150d567efdcfc2bac84d6e8b9011123e8d30fc33a97647e0ed561f212b97203dec2030cbfd08fc806b55b6221656bee43767190
-
Filesize 23KB
MD5 4eb45ad7fe3ef3cb405ae5890c50bdf7
SHA1 53bc0cc9879da89cd22347975aae56219a299768
SHA256 623d2aa22d55fd6876b59f2d725a63b08f8efa24a96219d5a94eff2ff888da1f
SHA512 60beea3773c6377788b98857cd13b523bb41f4debc5cb8fc45ac43fed97c05835420e2832fe4e551b738058e6cfdbe9012ba141e4bb1b4bb55eff60133ffe0d5
-
Filesize 3KB
MD5 ad499de477d8ce988b8ff4324ee5c163
SHA1 4ac71798e8a5d85d93991b1e84042d274c8ff51b
SHA256 91e80d5d1a3edda3ceac830efb634ecb6591822f195e34a0ed2db9e6cd40fc06
SHA512 81a823db0d8ac46593b3ca0bda0e7b8dd9c3951da4470db4c551d661f6082ed83d2eaec8cfaf903f0f01adf6c714a4c0c495685ea67c48bfbd70668aaffeb6c8
-
Filesize 4KB
MD5 0cca8f12e2689d7e7847a1366d133363
SHA1 49eff8f40948e84aa674102faa1cf68f883787dd
SHA256 ba83fcf138545401e5df5bcd178aac88f0d220e5451cd5985834b70f07a11996
SHA512 b41649dba10e88d6eda8acedaf35be007909327f37d1099d9e8e3f63b2e076954077466d57a70dd3d93779bc00e4d8f9fa6e2e958f37db41c59be14db4a4099b
-
Filesize 27KB
MD5 8ff6bc945d8df4880a917da8a2be17eb
SHA1 48271fb156c72a6a21f44eb20115320f23de4b9a
SHA256 d7e022ff79cb3ef890240e2113939e2f0a7ef4a2133bdc61b0a007e39266d663
SHA512 0ee2aa06c97bbbabf51da7e9a60ae27f924e1d04ffc5ff11b02b8cab38a7ed955cbc6e24243af2736148b5f64f22607026c57aa2e0e15bd13600dad45a076969
-
Filesize 1KB
MD5 e9cfe5dd32e3b9e71b0187959f8a676a
SHA1 7e92cc46a5e2eb00dc4765598bd12ae710c00505
SHA256 9c80ae45b3459cf6fe9b0206fb90b6dd80de78d8df9d43786edc7ec689ef0e9e
SHA512 28ac872b79463d3108eec514c83b8e764decb5eaa29c4e339eeaffcc2833c77c479f8617248cf317a2e985a94323cd4feba1d8d2a8e9f532721382acd13a6c8d
-
Filesize 1.8MB
MD5 5bfca15aa84b99438a129e0ecaca71c9
SHA1 85105b5989d512fcc2e3b221ecceb1e71b6585b3
SHA256 0036da167596292c2f220a56d91f927b6d8998018904fc0cf8dc6e4e4fcbc608
SHA512 55af92d4906f1c3f5e2156f4c7090996859514ea44d2adf37b2dcec8d12e03bfef3d366eb6fed55e96079f86c3e92f4a033d6a68aa810460113abbe9affd6231
-
Filesize 896KB
MD5 38f98be80e6670f46efc8544d762cfd4
SHA1 fcad2e65d0977f0ab297049d5c9c32450b230d2a
SHA256 fb5cdb8d0f5558d5544c7722e616fbb498b501484f6ad0d1e2a2fe8118574996
SHA512 60a0c8f5516b41faa57ec4010eaed39a255ad2c96e58d7ae1273d3ef44196ea50b4f64c52e8301a95e45139ccd52bd9b52d177121ad1c77289bed89ac49c04cf
-
Filesize 389KB
MD5 f47cc7dc355ae01926f6065316c3bd68
SHA1 6b575930185f216e4fa5116fdcc8906eb9f53af9
SHA256 25741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794
SHA512 cf076a077130b8dd48f3e27a6aaba411a6c8833ab8b926c99fc3fb66130694db1ce668103c44aba6196705a9722b68da16287ea8a63ffed250bcf92bba68154e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize 3KB
MD5 a3323e9c395b2b30222879502b684f6d
SHA1 2054698347664ac0fc8f5484cd13cb62bae2d338
SHA256 1a2ef92b6aecce133671c032f5ddf7523dcbac5aceafe0e98851653000573df4
SHA512 e9292dd0dd521cdd2c1236f0f770c50e6ea57950994ef393a55f500610f59a8227f955f26612282881b18eb4d5263b30cb189b05a9c6dab783fafac9e7c32bb2
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e