Analysis

max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-09-2024 03:42

Static task: static1
Behavioral task: behavioral1
Sample: 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe
Resource: win10v2004-20240802-en

General

Target: 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe
Size: 1.8MB
MD5: 73f3d06a3027d3f7e86b6e44ac5eb905
SHA1: e0608353485f123b49e7a18b880971be24584046
SHA256: 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b
SHA512: 5722e0b54a6e8dd56b2f3f9f2b56d82ed48f867231c9faad4f716000d495bb231184e511cd277f697a49094e92a3e38569c770d3f56d45f7363723a9e3128ad3
SSDEEP: 49152:oWvri3EAd+FLt8onSN6aNIY5dZfi21tRYIpUXQBP:ni3NdUi6al5Xiei6P
Malware Config

Extracted: amadey
  Version: 4.41
  Botnet: c7817d
  C2: http://31.41.244.10
  Attributes:
    install_dir: 0e8d0864aa
    install_file: svoutse.exe
    strings_key: 5481b88a6ef75bcf21333988a4e47048
    url_paths: /Dem7kTu/index.php

Extracted: stealc
  Botnet: rave
  C2: http://185.215.113.103
  Attributes:
    url_path: /e2b1563c6670f193.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
Processes: svoutse.exe, ea9bf65e03.exe, f5c0d9b66e.exe, svoutse.exe, svoutse.exe, 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe, svoutse.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ea9bf65e03.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f5c0d9b66e.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe

Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: ea9bf65e03.exe, svoutse.exe, svoutse.exe, svoutse.exe, f5c0d9b66e.exe, svoutse.exe, 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ea9bf65e03.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f5c0d9b66e.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ea9bf65e03.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f5c0d9b66e.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe, svoutse.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | svoutse.exe
Executes dropped EXE (7 IoCs)
Processes: svoutse.exe, svoutse.exe, ea9bf65e03.exe, f5c0d9b66e.exe, f5c0d9b66e.exe, svoutse.exe, svoutse.exe
pid | process
- 1800 | svoutse.exe
- 3816 | svoutse.exe
- 2124 | ea9bf65e03.exe
- 4928 | f5c0d9b66e.exe
- 2008 | f5c0d9b66e.exe
- 3028 | svoutse.exe
- 5568 | svoutse.exe
Identifies Wine through registry keys (2 TTPs, 7 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe, svoutse.exe, svoutse.exe, ea9bf65e03.exe, f5c0d9b66e.exe, svoutse.exe, svoutse.exe
description | ioc | process
- Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe
- Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | svoutse.exe
- Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | svoutse.exe
- Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | ea9bf65e03.exe
- Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | f5c0d9b66e.exe
- Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | svoutse.exe
- Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine | svoutse.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svoutse.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f5c0d9b66e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\f5c0d9b66e.exe" | svoutse.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f5c0d9b66e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000040001\\f5c0d9b66e.exe" | svoutse.exe
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\1000040001\f5c0d9b66e.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
Processes: 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe, svoutse.exe, svoutse.exe, ea9bf65e03.exe, f5c0d9b66e.exe, svoutse.exe, svoutse.exe
pid | process
- 4528 | 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe
- 1800 | svoutse.exe
- 3816 | svoutse.exe
- 2124 | ea9bf65e03.exe
- 4928 | f5c0d9b66e.exe
- 3028 | svoutse.exe
- 5568 | svoutse.exe

Drops file in Windows directory (1 IoCs)
Processes: 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe
description | ioc | process
- File created | C:\Windows\Tasks\svoutse.job | 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe, svoutse.exe, ea9bf65e03.exe, f5c0d9b66e.exe, f5c0d9b66e.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ea9bf65e03.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f5c0d9b66e.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f5c0d9b66e.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (1 IoCs)
Processes: msedge.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
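Every registry signature above is derived from rows of the same shape: an action, a key path (with a quoted value for "Set value" rows) and the process that touched it. The script below is an added example, not part of the sandbox report, that parses rows in that shape (constructed here from the paths listed above) and maps them to the checks the report names; the ATT&CK technique IDs are my own mapping, since the report only states TTP counts. It also carries the caveat a practitioner needs: the msedge.exe reads of BIOS\SystemManufacturer and BIOS\SystemProductName are ordinary system-information lookups, so the verdict requires two distinct anti-analysis categories from one process rather than any single hit.

```python
import re
from collections import defaultdict

# Constructed sample rows in the shape of the report's "description ioc process" lists
# (the VBOX__/BIOS/Wine/Geo/NLS/Run rows from the malware, plus the msedge.exe BIOS reads).
SAMPLE_EVENTS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine svoutse.exe
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation svoutse.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svoutse.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f5c0d9b66e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\f5c0d9b66e.exe" svoutse.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
""".strip().splitlines()

EVENT_RE = re.compile(
    r'^(?P<action>Key opened|Key created|Key value queried|Set value \(\w+\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'          # lazy: key paths may contain spaces (Control Panel)
    r'(?: = "(?P<value>.*)")?'            # only "Set value" rows carry a quoted value
    r'\s+(?P<process>\S+)$'
)

# (category, ATT&CK technique, lower-cased key-path fragment, required action prefix or None).
# The technique mapping is my own assumption; the report only gives TTP counts.
RULES = [
    ("anti-vm: VirtualBox ACPI table",         "T1497.001", r"\hardware\acpi\dsdt\vbox__", None),
    ("anti-sandbox: BIOS version strings",     "T1497.001", r"\description\system\systembiosversion", None),
    ("anti-sandbox: BIOS version strings",     "T1497.001", r"\description\system\videobiosversion", None),
    ("anti-sandbox: Wine compatibility layer", "T1497.001", r"\software\wine", None),
    ("geofence: country code",                 "T1614",     r"\control panel\international\geo\nation", None),
    ("geofence: system language",              "T1614.001", r"\control\nls\language", None),
    ("persistence: Run key",                   "T1547.001", r"\currentversion\run", "Set value"),
    ("system info: BIOS manufacturer/product", "T1082",     r"\description\system\bios\system", None),
]
ANTI_ANALYSIS = ("anti-vm", "anti-sandbox", "geofence")


def parse_event(line):
    """Split one sandbox row into action, registry path, optional value and process name."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(lines):
    """Map process -> {(category, technique): [paths]} for every row that matches a rule."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        low = ev["path"].lower()
        for category, technique, needle, action_req in RULES:
            if needle in low and (action_req is None or ev["action"].startswith(action_req)):
                hits[ev["process"]][(category, technique)].append(ev["path"])
    return hits


def summarize(lines):
    """Per-process verdict. A process is flagged only when two or more distinct anti-analysis
    categories combine; a lone BIOS/system-info read (normal for browsers) is not enough."""
    report = {}
    for process, cats in classify(lines).items():
        anti = {c for (c, _) in cats if c.startswith(ANTI_ANALYSIS)}
        report[process] = {
            "verdict": "anti-analysis" if len(anti) >= 2 else "no verdict",
            "techniques": sorted({t for (_, t) in cats}),
            "categories": sorted({c for (c, _) in cats}),
        }
    return report


if __name__ == "__main__":
    for process, info in summarize(SAMPLE_EVENTS).items():
        print(f"{process:14} {info['verdict']:14} {', '.join(info['techniques'])}")
```

Run on the constructed rows, svoutse.exe is flagged with five anti-analysis categories plus the Run-key persistence, while msedge.exe only collects T1082 and gets no verdict. The rule list is substring-based on purpose: the same fragments match under HKLM/HKU aliases and ControlSet001/CurrentControlSet, which is how these keys usually appear outside this sandbox.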
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes: 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe, svoutse.exe, svoutse.exe, ea9bf65e03.exe, f5c0d9b66e.exe, msedge.exe, msedge.exe, identity_helper.exe, svoutse.exe, svoutse.exe, msedge.exe
pid | process (rows)
- 4528 | 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe (2)
- 1800 | svoutse.exe (2)
- 3816 | svoutse.exe (2)
- 2124 | ea9bf65e03.exe (2)
- 4928 | f5c0d9b66e.exe (2)
- 4232 | msedge.exe (2)
- 2248 | msedge.exe (2)
- 5712 | identity_helper.exe (2)
- 3028 | svoutse.exe (2)
- 5568 | svoutse.exe (2)
- 3144 | msedge.exe (4)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: f5c0d9b66e.exe
pid | process
- 2008 | f5c0d9b66e.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (29 IoCs)
Processes: msedge.exe
pid | process (rows)
- 2248 | msedge.exe (29)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: f5c0d9b66e.exe, msedge.exe
pid | process (rows)
- 2008 | f5c0d9b66e.exe (61)
- 2248 | msedge.exe (3)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: f5c0d9b66e.exe
pid | process (rows)
- 2008 | f5c0d9b66e.exe (64)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe, svoutse.exe, f5c0d9b66e.exe, msedge.exe
description | pid | process | target pid | target process (rows)
- PID 4528 wrote to memory of 1800 | 4528 | 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe | 1800 | svoutse.exe (3)
- PID 1800 wrote to memory of 2124 | 1800 | svoutse.exe | 2124 | ea9bf65e03.exe (3)
- PID 1800 wrote to memory of 4928 | 1800 | svoutse.exe | 4928 | f5c0d9b66e.exe (3)
- PID 1800 wrote to memory of 2008 | 1800 | svoutse.exe | 2008 | f5c0d9b66e.exe (3)
- PID 2008 wrote to memory of 2248 | 2008 | f5c0d9b66e.exe | 2248 | msedge.exe (2)
- PID 2248 wrote to memory of 3088 | 2248 | msedge.exe | 3088 | msedge.exe (2)
- PID 2248 wrote to memory of 3620 | 2248 | msedge.exe | 3620 | msedge.exe (40)
- PID 2248 wrote to memory of 4232 | 2248 | msedge.exe | 4232 | msedge.exe (2)
- PID 2248 wrote to memory of 2108 | 2248 | msedge.exe | 2108 | msedge.exe (6)
Processes

[level 1] "C:\Users\Admin\AppData\Local\Temp\4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4528

  [level 2] "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1800

    [level 3] "C:\Users\Admin\AppData\Roaming\1000026000\ea9bf65e03.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2124

    [level 3] "C:\Users\Admin\AppData\Local\Temp\1000030001\f5c0d9b66e.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 4928

    [level 3] "C:\Users\Admin\AppData\Local\Temp\1000040001\f5c0d9b66e.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 2008

      [level 4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 2248
        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe313346f8,0x7ffe31334708,0x7ffe31334718
          PID: 3088

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
          PID: 3620

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
          PID: 4232

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
          PID: 2108

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
          PID: 3916

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
          PID: 4436

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
          PID: 1464

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
          PID: 1720

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
          PID: 3368

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
          PID: 4012

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
          PID: 3496

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
          PID: 4628

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
          PID: 728

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
          PID: 2916

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
          PID: 2724

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
          PID: 1100

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
          PID: 5028

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
          PID: 4496

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
          PID: 2908

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
          PID: 3600

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
          PID: 1852

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
          PID: 1360

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
          PID: 2136

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
          PID: 5128

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
          PID: 5284

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
          PID: 5292

        [level 5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
          PID: 5304
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:15⤵PID:5444
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:15⤵PID:5452
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:15⤵PID:5528
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:15⤵PID:5812
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:15⤵PID:5600
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7812 /prefetch:15⤵PID:5616
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 /prefetch:85⤵PID:6116
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:5712 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,9413544694235940557,7180599916419543480,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8016 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3144
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3816
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3980
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5968
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3028
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5568
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 152B
MD5 1f924f788d410e16843b6e9737546202
SHA1 ddd0cc45bfb6e4d7cd194d9cf79d7fe0d768809c
SHA256 209a6f8ce3156a2b01cb87e27b69a5427ef80e8e68368790b328affc5b3b58c1
SHA512 862a5d8eff3474797beb123e9f0c56528656f014ec88f1536f142838d2f5c80822fca0843289810881b08417eab29645c9d2b54d2582290643b5e8949e9336b2
-
Filesize 152B
MD5 2fe27ff8edde28133b4cfdfc5ffaecd5
SHA1 ab6070606079c1ad7ce5b959283735ba226331a3
SHA256 c47d8da14416c18fff5d5bd4816e94839f239ecdfc88b942faa0fd39c374a1a2
SHA512 6299a89089a991d7dfcbb1b65fd3fc28ed31b49ec2912a992acb02e1c26e0d3c075af91bd17b9348176f69259ed009d03eb4bd1993456c5f09a8da5d74502673
-
Filesize 152B
MD5 dca3f0548b81b6d35d313e19043ff321
SHA1 f7a37942ab0e9761b96c7aa066d504aeb2760b40
SHA256 0b18d3f9ff30f9f83bf39cda75f816331df6d60ff99ec629750d3218abc83227
SHA512 88b13dc72b6b5d47dd84c0a91ec192066d7954a13d512c0e0161c25f342b8825478c7daea1d8fec0ec7fd37cce83d929d9de17770cf81a84713aed85d60683d6
-
Filesize 20B
MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\317e048c-fe93-4b89-91a6-c1bb3764788c.tmp
Filesize 4KB
MD5 8f930011231164e999651e68d728a869
SHA1 3e885b6d1e8918ef1a0afb6a89070552d3d7833b
SHA256 327a64cc48254dab147405997bcc9b8519fdbde73631faf2b1b88a32e35aa134
SHA512 72baea8cbee82faad2fd43f69e1daf1b8ca6b84f75772ca4df3a56500cea30251119e598db498a69297c6d366142e688647908f30dd9573aa8ff25365a67a548
-
Filesize 1KB
MD5 7831c40c306765cb50cd9915aca49d9f
SHA1 28e2f523024567606348668e9d098bbb6a994f00
SHA256 90236cc0c095a57a3ad54fd6e7ae11f4fc4aa25b88cbff5168491b810c955ede
SHA512 ed054d4883350d743aac97eb8fd630cccc653175186870ecfc62a0bfe225c15b69e11642ee4a4d7afa0c67c18c40882a144f72b3fc72a880aaa352f5f7ca63ad
-
Filesize 4KB
MD5 c330d79ad303b1bb008074d7cb533588
SHA1 8a1084c44964426ecd4922bfc083b3ab48ae5629
SHA256 761e75dfc00c8e28f759dc8461711a69e6edfd503ac5b3f9dff437acb25454b4
SHA512 682df19119de9f9e70e72dfc76d6dbae10d99d96db4e7d098fd5447dfa705c2d2cbc05da6e666648fb4c0a8945f98cdd1c1ae2ed7cc41fbd32cfed8f252b9c9c
-
Filesize 4KB
MD5 69532a299874447447c551606a555f03
SHA1 020c4bafec36a7f54e3ae73705394a6361332622
SHA256 f09b2292f5671d5a3ef3520e81933a7d7b819bade253f97b7cd2f8888904a28f
SHA512 e6c3651c19bf51ef10cbab4fa66caa67aac98d56e196e28dc08d1f3affc2ab4d2c1ce10480f0168f5e7202da6abb65ae8629e5a4972eed8de01e68046f5b60d7
-
Filesize 24KB
MD5 bd38a187f97b5e05fe0dcb6147cc457f
SHA1 919f51bb20f386831a3e7a04042a5ac01966469c
SHA256 1572f48c11903f7dad9b53be131726ef8a1325b88c1d3949ff70ae78d358ff3b
SHA512 7a6c7a65b1ab9aa44f48e3ac6f040ce74009eb57c1144512e50866e0c9fe1dcf74cbf0cd323786876fc80feaeec22b06d3ad4ee93731b4a02417950943bd7765
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe57c709.TMP
Filesize 24KB
MD5 0ef3df3c17fdeb2cf3b2262e051da04a
SHA1 a1454a717adb176f500d97ae6e77fa706e8d3721
SHA256 6910fe582b1fd9bce75a093e527d2d0a090d1604b54c0dd743b70b51aa2798f9
SHA512 6ddeb618080ff01a22d264ae2cec4496ddbc7966104d76461f9b2faa509cf1f124fd004af39693e5f5ce5d8f7eee9c62287a2caaf89eba8adbbd66c70397e44c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\temp-index
Filesize 48B
MD5 4fbeaeb81e8cf89d1cf5bc6711864f87
SHA1 93657904fd6c3ee856a985b23fb17802a6cfd1ab
SHA256 3af7bf4f087f277b847c7a8b2540228763af48187bdc00ec255458563c0cafb3
SHA512 f2031c0ace0aeb3a749953a2e4fbe595017fbc5029fdf071a3d17fd9a2a2e8178066c80d1c76ce1d74435e310e6271328890fdc224901fed43669dafcb776c8e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
Filesize 8KB
MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2
Filesize 8KB
MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3
Filesize 8KB
MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\MANIFEST-000001
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\f8b0680d-e278-48a7-bca3-4298f53d4d98.tmp
Filesize 9KB
MD5 3ab022d56c57c83430a698a4373780d3
SHA1 cf49fa6aa6305dde230c7d295ae879d4a146550a
SHA256 ab689cbd6983c1fa2447c21f8fa806f6127409c8570a5bd72402ec3751b41eae
SHA512 4f7c1899717e63d752d15e4955ac4a46422181481333eee669d15d3e335409837f2906f1c5c1b41be7a89fa5dc183813c5e6399d4cc3db6837d941e2dd0360c7
-
Filesize 1.8MB
MD5 73f3d06a3027d3f7e86b6e44ac5eb905
SHA1 e0608353485f123b49e7a18b880971be24584046
SHA256 4cd700c07d346e16f4d802b9d7a59201fef4b209deef6bcae26bc2b8b6c0ca1b
SHA512 5722e0b54a6e8dd56b2f3f9f2b56d82ed48f867231c9faad4f716000d495bb231184e511cd277f697a49094e92a3e38569c770d3f56d45f7363723a9e3128ad3
-
Filesize 896KB
MD5 c5090cfde317cb004d4ee929fbe966bf
SHA1 62707964fb1e4b3003a208c088a7976cd317d374
SHA256 b736c6b7105621cabf5402e769b37818e51fb96a2308413c959a0a642cd603f2
SHA512 49c2219ccd4058277d298b023ca3592e97e9fb2e4df33a5971b042dc632546158439aa37a1ed6a5096cfb23af45cfdd07b2fb84a411f6464e120d7764bd687a3
-
Filesize 1.7MB
MD5 b3a239beeb5dedb7629a68e9ed216d4c
SHA1 f8092284123f59a72267611ef31fb60759eafbdb
SHA256 f539c6ebab703708ab993bacab000fd97274d49364bf0d58a2df6857d7d5d1d7
SHA512 05fcdb1089cf89b6cce19f6535a4e42adf8b2feefb6a273ab082180a3c43cbb55e0ab60a23bc00717e423228144a8825497b62dfecb469d142558148f6455459
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SF7S9H3T3UT8S9KE453F.temp
Filesize 3KB
MD5 5f80002d080ea8ac3584a7ffbc2476fb
SHA1 3fc4775d73097676591eb7313a7ac2b9f49d866e
SHA256 5baa76011597c8182f1157e1304875f8afc0b0814d0154c89979d5545993920d
SHA512 400457ffdffe5a67416a0db3ebf16576af41a0b501c746a84cf2459f28f2aacdc740388a703dadba9dfad957d59098c45630489bde2bddba7c35febeeae9243d
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e