Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-09-2024 07:33
Static task: static1
Behavioral task: behavioral1
Sample: d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
Resource: win10v2004-20240802-en
General
Target: d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
Size: 1.8MB
MD5: 3bdc7e756889b37a74b5004d7c07be4f
SHA1: 521d481d6e8f8bbb9b9e73270fb574e32651cb53
SHA256: d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16
SHA512: 5c17e749b2c4aad764d143fc1e489eb7e5241a6d01c7a5d0e35b8ea815b62f9a95dcdc35638b782888922af2011963f199a9a9dd66d890317957829f56dd8c5d
SSDEEP: 49152:spWu9EytQgpXB8xV34984FV/vCeY8Vl39:XoEytQg9Bk68ghCu9
Malware Config
Extracted
amadey
4.41
c7817d
http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php
Extracted
stealc
rave
http://185.215.113.103
url_path: /e2b1563c6670f193.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes: svoutse.exe, 0bc302b8e5.exe, 4fe99256dc.exe, svoutse.exe, svoutse.exe, svoutse.exe, d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0bc302b8e5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4fe99256dc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: svoutse.exe, 0bc302b8e5.exe, 4fe99256dc.exe, svoutse.exe, d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe, svoutse.exe, svoutse.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0bc302b8e5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4fe99256dc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0bc302b8e5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4fe99256dc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe, svoutse.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | svoutse.exe
Executes dropped EXE 7 IoCs
Processes: svoutse.exe, 0bc302b8e5.exe, 4fe99256dc.exe, 4fe99256dc.exe, svoutse.exe, svoutse.exe, svoutse.exe
pid | process
1688 | svoutse.exe
4340 | 0bc302b8e5.exe
216 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
5860 | svoutse.exe
5400 | svoutse.exe
5428 | svoutse.exe
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: svoutse.exe, svoutse.exe, d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe, svoutse.exe, 0bc302b8e5.exe, 4fe99256dc.exe, svoutse.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | 0bc302b8e5.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | 4fe99256dc.exe
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | svoutse.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: svoutse.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4fe99256dc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\4fe99256dc.exe" | svoutse.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4fe99256dc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000040001\\4fe99256dc.exe" | svoutse.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000040001\4fe99256dc.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes: d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe, svoutse.exe, 0bc302b8e5.exe, 4fe99256dc.exe, svoutse.exe, svoutse.exe, svoutse.exe
pid | process
1268 | d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
1688 | svoutse.exe
4340 | 0bc302b8e5.exe
216 | 4fe99256dc.exe
5860 | svoutse.exe
5400 | svoutse.exe
5428 | svoutse.exe
Drops file in Windows directory 1 IoCs
Processes: d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
description | ioc | process
File created | C:\Windows\Tasks\svoutse.job | d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: svoutse.exe, 0bc302b8e5.exe, 4fe99256dc.exe, 4fe99256dc.exe, d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0bc302b8e5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4fe99256dc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4fe99256dc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 1 IoCs
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes: d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe, svoutse.exe, 0bc302b8e5.exe, 4fe99256dc.exe, msedge.exe, msedge.exe, identity_helper.exe, svoutse.exe, svoutse.exe, msedge.exe, svoutse.exe
pid | process
1268 | d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
1268 | d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe
1688 | svoutse.exe
1688 | svoutse.exe
4340 | 0bc302b8e5.exe
4340 | 0bc302b8e5.exe
216 | 4fe99256dc.exe
216 | 4fe99256dc.exe
4436 | msedge.exe
4436 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
6056 | identity_helper.exe
6056 | identity_helper.exe
5860 | svoutse.exe
5860 | svoutse.exe
5400 | svoutse.exe
5400 | svoutse.exe
5916 | msedge.exe
5916 | msedge.exe
5916 | msedge.exe
5916 | msedge.exe
5428 | svoutse.exe
5428 | svoutse.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 4fe99256dc.exe
pid | process
4408 | 4fe99256dc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs
Processes: msedge.exe
pid | process
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
4736 | msedge.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: 4fe99256dc.exe, msedge.exe
pid | process
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4736 | msedge.exe
4736 | msedge.exe
4408 | 4fe99256dc.exe
4736 | msedge.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes: 4fe99256dc.exe
pid | process
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
4408 | 4fe99256dc.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe, svoutse.exe, 4fe99256dc.exe, msedge.exe
description | pid | process | target process
PID 1268 wrote to memory of 1688 | 1268 | d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe | svoutse.exe
PID 1268 wrote to memory of 1688 | 1268 | d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe | svoutse.exe
PID 1268 wrote to memory of 1688 | 1268 | d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe | svoutse.exe
PID 1688 wrote to memory of 4340 | 1688 | svoutse.exe | 0bc302b8e5.exe
PID 1688 wrote to memory of 4340 | 1688 | svoutse.exe | 0bc302b8e5.exe
PID 1688 wrote to memory of 4340 | 1688 | svoutse.exe | 0bc302b8e5.exe
PID 1688 wrote to memory of 216 | 1688 | svoutse.exe | 4fe99256dc.exe
PID 1688 wrote to memory of 216 | 1688 | svoutse.exe | 4fe99256dc.exe
PID 1688 wrote to memory of 216 | 1688 | svoutse.exe | 4fe99256dc.exe
PID 1688 wrote to memory of 4408 | 1688 | svoutse.exe | 4fe99256dc.exe
PID 1688 wrote to memory of 4408 | 1688 | svoutse.exe | 4fe99256dc.exe
PID 1688 wrote to memory of 4408 | 1688 | svoutse.exe | 4fe99256dc.exe
PID 4408 wrote to memory of 4736 | 4408 | 4fe99256dc.exe | msedge.exe
PID 4408 wrote to memory of 4736 | 4408 | 4fe99256dc.exe | msedge.exe
PID 4736 wrote to memory of 3544 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 3544 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4324 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4436 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4436 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4088 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4088 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4088 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4088 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4088 | 4736 | msedge.exe | msedge.exe
PID 4736 wrote to memory of 4088 | 4736 | msedge.exe | msedge.exe
Processes
Process: C:\Users\Admin\AppData\Local\Temp\d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d3d9c29e91ab395b758f67c897c209b2f64ad2de6f8a2ef2b62965a995cbbf16.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1268
Process: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1688
Process: C:\Users\Admin\AppData\Roaming\1000026000\0bc302b8e5.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Roaming\1000026000\0bc302b8e5.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 4340
Process: C:\Users\Admin\AppData\Local\Temp\1000030001\4fe99256dc.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\4fe99256dc.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 216
Process: C:\Users\Admin\AppData\Local\Temp\1000040001\4fe99256dc.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000040001\4fe99256dc.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4408
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 4736
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5a6246f8,0x7fff5a624708,0x7fff5a624718
PID: 3544
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
PID: 4324
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID: 4436
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
PID: 4088
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
PID: 1028
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
PID: 812
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
PID: 3556
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
PID: 1444
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
PID: 4708
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
PID: 1000
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
PID: 2464
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
PID: 452
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
PID: 4176
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
PID: 1776
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
PID: 4252
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
PID: 852
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
PID: 4904
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
PID: 1932
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
PID: 3132
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
PID: 1588
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
PID: 5284
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
PID: 5296
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
PID: 5364
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:15⤵PID:5372
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:15⤵PID:5404
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:15⤵PID:5552
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:15⤵PID:5560
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:15⤵PID:5568
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7508 /prefetch:15⤵PID:5736
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7624 /prefetch:15⤵PID:5780
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:15⤵PID:5788
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:15⤵PID:6092
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7452 /prefetch:15⤵PID:512
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7968 /prefetch:8
PID:6084 (tree depth 5)
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7968 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:6056 (tree depth 5)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3790658456262840560,5966659427396839859,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID:5916 (tree depth 5)
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:1284 (tree depth 1)
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:6108 (tree depth 1)
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5860 (tree depth 1)
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5400 (tree depth 1)
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5428 (tree depth 1)
Network
MITRE ATT&CK Enterprise v15
Downloads