Analysis
  max time kernel: 150s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 12-09-2024 02:02

Static task: static1
Behavioral task: behavioral1
  Sample: 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe
  Resource: win10v2004-20240802-en
General
  Target: 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe
  Size: 1.8MB
  MD5: 5aa843af1eb61da84c361651443815c5
  SHA1: df0e8611d4c9632c1ef438ffe4e33b9bcfd5279a
  SHA256: 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4
  SHA512: dba5ca6332fbb5b4aa25ff725f3e5d8973c17b41699d2facc9b4650d0f9e31522867f44a6a52cd01d9262d318299a5942b4b93ce7a21a797629dcbb20d7a7230
  SSDEEP: 49152:md6cJmI1l+3dOyD7zsx432yG78XlrZR6DtU3:mRcIOD7z6432J7MGw
Malware Config
Extracted: amadey
  Version: 4.41
  Botnet: c7817d
  C2: http://31.41.244.10
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php
Extracted: stealc
  Botnet: rave
  C2: http://185.215.113.103
  url_path: /e2b1563c6670f193.php
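The two extracted configs each give a C2 host and the gate path the bot posts to. As an added example that is not part of the sandbox report, the Python below turns those values into network indicators and runs them over a proxy log. The log format (timestamp, client IP, method, host, URI) and every log line are constructed for illustration; the beacon bodies of Amadey and Stealc are not modelled, only their destinations.

```python
"""Match the C2 indicators from the Amadey and Stealc configs above against
HTTP proxy log lines.  Added example, not part of the sandbox report; the
log format and the log lines are constructed for illustration."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# C2 values exactly as extracted in the Malware Config section.
C2_CONFIG = {
    "amadey": {"c2": "http://31.41.244.10", "paths": ["/Dem7kTu/index.php"]},
    "stealc": {"c2": "http://185.215.113.103", "paths": ["/e2b1563c6670f193.php"]},
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    family: str
    confidence: str  # "high" = host and path match, "medium" = host only
    host: str
    uri: str


def build_indicators(config=C2_CONFIG):
    """Flatten the config into {host: family} and {(host, path): family}."""
    hosts, urls = {}, {}
    for family, c in config.items():
        host = urlsplit(c["c2"]).hostname
        hosts[host] = family
        for p in c["paths"]:
            urls[(host, p)] = family
    return hosts, urls


def scan_proxy_log(lines, config=C2_CONFIG):
    """Return a Hit for every log line that reaches a known C2 host."""
    hosts, urls = build_indicators(config)
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than fail the whole scan
        _ts, _src, _method, host, uri = parts[:5]
        path = uri.split("?", 1)[0]  # gate paths are matched without the query string
        if (host, path) in urls:
            hits.append(Hit(n, urls[(host, path)], "high", host, uri))
        elif host in hosts:
            # Known C2 address with a path not in the config: the gate script
            # is cheaper for an operator to change than the address, so this
            # still deserves triage, at lower confidence.
            hits.append(Hit(n, hosts[host], "medium", host, uri))
    return hits


# Constructed sample log lines (not captured traffic from the analysis).
SAMPLE_LOG = [
    "2024-09-12T02:03:11Z 10.0.0.5 POST 31.41.244.10 /Dem7kTu/index.php",
    "2024-09-12T02:03:12Z 10.0.0.5 GET www.microsoft.com /",
    "2024-09-12T02:03:40Z 10.0.0.5 POST 185.215.113.103 /e2b1563c6670f193.php",
    "2024-09-12T02:04:02Z 10.0.0.5 GET 31.41.244.10 /Dem7kTu/update.php",
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.family} ({h.confidence}) {h.host}{h.uri}")
```

Matching on host alone is deliberately kept as a medium-confidence hit rather than dropped: the fourth constructed line shows the case where the address is known but the path is new, which is the first thing an analyst should look at after the exact matches.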
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 7 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3fbee2a1ed.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cfb191a9ca.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe

Downloads MZ/PE file

Checks BIOS information in registry | 2 TTPs | 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3fbee2a1ed.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cfb191a9ca.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3fbee2a1ed.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cfb191a9ca.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Checks computer location settings | 2 TTPs | 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | svoutse.exe

Executes dropped EXE | 7 IoCs
Processes:
  pid | process
  2396 | svoutse.exe
  1884 | 3fbee2a1ed.exe
  2200 | cfb191a9ca.exe
  400 | e4fdda1da6.exe
  4048 | svoutse.exe
  4988 | svoutse.exe
  5364 | svoutse.exe

Identifies Wine through registry keys | 2 TTPs | 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | 3fbee2a1ed.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | cfb191a9ca.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe

Adds Run key to start application | 2 TTPs | 2 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfb191a9ca.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\cfb191a9ca.exe" | svoutse.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e4fdda1da6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000040001\\e4fdda1da6.exe" | svoutse.exe
AutoIT Executable | 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\1000040001\e4fdda1da6.exe | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger | 7 IoCs
Processes:
  pid | process
  1704 | 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe
  2396 | svoutse.exe
  1884 | 3fbee2a1ed.exe
  2200 | cfb191a9ca.exe
  4048 | svoutse.exe
  4988 | svoutse.exe
  5364 | svoutse.exe

Drops file in Windows directory | 1 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\Tasks\svoutse.job | 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe
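The registry probes listed above (the VirtualBox ACPI table, the BIOS version strings, the Wine key, Geo\Nation and NLS\Language) and the persistence artefacts (Run values pointing into %TEMP%, svoutse.job dropped in C:\Windows\Tasks) are all visible in ordinary host telemetry. As an added example that is not part of the report, the Python below triages Sysmon-shaped registry and file events for them. The events are constructed from the IoC rows above rather than taken from the sandbox, and the probe categories, the two-category threshold and the path heuristics are this example's own choices.

```python
"""Triage host telemetry for the anti-analysis probes and persistence
recorded in the Signatures section.  Added example, not part of the
report: the event records are constructed in a Sysmon-like shape
(registry access, registry value set, file create) from the IoCs listed
above rather than taken from the sandbox itself."""
import re
from collections import defaultdict

# Registry paths this sample probed, grouped by what each probe reveals.
EVASION_CATEGORIES = {
    "virtualbox_acpi": r"^HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__$",
    "bios_version":    r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$",
    "wine":            r"^HKU\\[^\\]+\\Software\\Wine$",
    "geo_nation":      r"^HKU\\[^\\]+\\Control Panel\\International\\Geo\\Nation$",
    "nls_language":    r"^HKLM\\SYSTEM\\ControlSet\d+\\Control\\NLS\\Language$",
}
RUN_KEY = re.compile(r"^HKU\\[^\\]+\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TEMP_TARGET = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
TASKS_JOB = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)


def normalise(path):
    """Map the kernel-style \\REGISTRY\\MACHINE and \\REGISTRY\\USER prefixes used in the report to HKLM and HKU."""
    path = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    return re.sub(r"^\\REGISTRY\\USER", "HKU", path, flags=re.I)


def categorise(path):
    """Return the evasion category a registry path belongs to, or None."""
    p = normalise(path)
    for name, pattern in EVASION_CATEGORIES.items():
        if re.match(pattern, p, re.I):
            return name
    return None


def triage(events, min_categories=2):
    """Return {pid: [finding, ...]}.

    Evasion is reported only when a PID touches at least `min_categories`
    distinct probe categories: legitimate software reads hardware keys too
    (msedge.exe reads HARDWARE\\DESCRIPTION\\System\\BIOS in this very
    report), so a single category is weak evidence.  Persistence findings
    (Run value pointing into %TEMP%, .job dropped in C:\\Windows\\Tasks) are
    reported on a single event.
    """
    probes = defaultdict(set)
    findings = defaultdict(list)
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "registry":
            cat = categorise(ev["path"])
            if cat:
                probes[pid].add(cat)
            value = ev.get("value")
            if value and RUN_KEY.match(normalise(ev["path"])) and TEMP_TARGET.search(value):
                findings[pid].append(f"run key -> {value} ({ev['image']})")
        elif ev["type"] == "file" and TASKS_JOB.match(ev["path"]):
            findings[pid].append(f"job file {ev['path']} ({ev['image']})")
    for pid, cats in probes.items():
        if len(cats) >= min_categories:
            findings[pid].append("anti-analysis probes: " + ", ".join(sorted(cats)))
    return dict(findings)


MAIN = "5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe"
SID = "S-1-5-21-2718105630-359604950-2820636825-1000"


def user_key(sub):
    return "\\REGISTRY\\USER\\" + SID + "\\" + sub


def reg(pid, image, path, value=None):
    return {"type": "registry", "pid": pid, "image": image, "path": path, "value": value}


# Constructed events mirroring rows from the Signatures section.
SAMPLE_EVENTS = [
    reg(2396, "svoutse.exe", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    reg(2396, "svoutse.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    reg(2396, "svoutse.exe", user_key(r"Software\Wine")),
    reg(2396, "svoutse.exe", user_key(r"Control Panel\International\Geo\Nation")),
    reg(2396, "svoutse.exe", user_key(r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfb191a9ca.exe"),
        value=r"C:\Users\Admin\AppData\Local\Temp\1000030001\cfb191a9ca.exe"),
    reg(1704, MAIN, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    {"type": "file", "pid": 1704, "image": MAIN, "path": r"C:\Windows\Tasks\svoutse.job"},
    reg(4852, "msedge.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
]

if __name__ == "__main__":
    for pid, items in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, *items, sep="\n  ")
```

On the constructed events, PID 2396 (svoutse.exe) is flagged for four probe categories plus a Run value into %TEMP%, PID 1704 only for the .job file (its single NLS\Language read stays below the threshold), and PID 4852 (msedge.exe) produces nothing, because its BIOS\SystemManufacturer read is not one of the probed values. Lower min_categories only together with an allow-list of known hardware-inventory tools.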
Enumerates physical storage devices | 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery | 1 TTPs | 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e4fdda1da6.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3fbee2a1ed.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cfb191a9ca.exe
Enumerates system info in registry | 2 TTPs | 3 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class | 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe

Suspicious behavior: EnumeratesProcesses | 24 IoCs
Processes (identical rows collapsed, count in the last column):
  pid | process | entries
  1704 | 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe | 2
  2396 | svoutse.exe | 2
  1884 | 3fbee2a1ed.exe | 2
  2200 | cfb191a9ca.exe | 2
  3472 | msedge.exe | 2
  4852 | msedge.exe | 2
  5900 | identity_helper.exe | 2
  4048 | svoutse.exe | 2
  4988 | svoutse.exe | 2
  5584 | msedge.exe | 4
  5364 | svoutse.exe | 2

Suspicious behavior: GetForegroundWindowSpam | 1 IoCs
Processes:
  pid | process
  400 | e4fdda1da6.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary | 29 IoCs
Processes (identical rows collapsed):
  pid | process | entries
  4852 | msedge.exe | 29

Suspicious use of FindShellTrayWindow | 64 IoCs
Processes (identical rows collapsed):
  pid | process | entries
  1704 | 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe | 1
  400 | e4fdda1da6.exe | 60
  4852 | msedge.exe | 3

Suspicious use of SendNotifyMessage | 64 IoCs
Processes (identical rows collapsed):
  pid | process | entries
  400 | e4fdda1da6.exe | 64

Suspicious use of WriteProcessMemory | 64 IoCs
Processes (identical rows collapsed):
  pid | process | target pid | target process | entries
  1704 | 5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe | 2396 | svoutse.exe | 3
  2396 | svoutse.exe | 1884 | 3fbee2a1ed.exe | 3
  2396 | svoutse.exe | 2200 | cfb191a9ca.exe | 3
  2396 | svoutse.exe | 400 | e4fdda1da6.exe | 3
  400 | e4fdda1da6.exe | 4852 | msedge.exe | 2
  4852 | msedge.exe | 2064 | msedge.exe | 2
  4852 | msedge.exe | 4748 | msedge.exe | 40
  4852 | msedge.exe | 3472 | msedge.exe | 2
  4852 | msedge.exe | 1792 | msedge.exe | 6
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe  (PID 1704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fb0e65c758a99ac6c4acd3833a2b7c457dd1d2307d246dfcf97bbc225e526b4.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe  (PID 2396)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Roaming\1000026000\3fbee2a1ed.exe  (PID 1884)
      Command line: "C:\Users\Admin\AppData\Roaming\1000026000\3fbee2a1ed.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    - [3] C:\Users\Admin\AppData\Local\Temp\1000030001\cfb191a9ca.exe  (PID 2200)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\cfb191a9ca.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    - [3] C:\Users\Admin\AppData\Local\Temp\1000040001\e4fdda1da6.exe  (PID 400)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000040001\e4fdda1da6.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4852)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2064)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d49f46f8,0x7ff8d49f4708,0x7ff8d49f4718

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4748)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3472)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1792)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3052)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4196)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4664)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2320)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3420)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3040)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3800)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1628)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1364)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3512)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3624)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3876)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2664)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4472)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2180)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2808)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4408)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1432)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4532)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1884)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1584)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2436)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1

        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2232)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:15⤵PID:5508
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:15⤵PID:5516
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:15⤵PID:6132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:15⤵PID:5768
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:15⤵PID:5784
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8128 /prefetch:15⤵PID:5792
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7760 /prefetch:85⤵PID:6104
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7760 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:5900 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,984809320128701577,16442063317330763245,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8216 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:5584
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4784
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5776
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4048
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4988
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5364
Network
MITRE ATT&CK Enterprise v15
Downloads