Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
12-09-2024 08:33
Static task
static1
Behavioral task
behavioral1
Sample
d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe
Resource
win10v2004-20240802-en
General
-
Target
d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe
-
Size
1.8MB
-
MD5
2dc5b1c2a0728e55da15ca822725e1c7
-
SHA1
482947a5e11b281838a2427b08311b29b4c63b88
-
SHA256
d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5
-
SHA512
0d2e2b2ccad99c7dfb9b40de3d03064e7661919a1810fb383e86cd9d61d8ca37663df139f8357dd38883bd5c9112a63c95ccb187ea460c4c4dda41a438e6e93b
-
SSDEEP
24576:LDr1u4CdhUAJ8JfZ3iamHB6Q6bUEFDa164cdSdpfMKmNUMsa1nFi9ikpNs5hph:zk4Cdhi3iasBrsPDa1PP3O1r1qk5hp
Malware Config
Extracted
amadey
4.41
c7817d
http://31.41.244.10
-
install_dir
0e8d0864aa
-
install_file
svoutse.exe
-
strings_key
5481b88a6ef75bcf21333988a4e47048
-
url_paths
/Dem7kTu/index.php
Extracted
stealc
rave
http://185.215.113.103
-
url_path
/e2b1563c6670f193.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes:
dfe4c41411.exesvoutse.exesvoutse.exed5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exesvoutse.exe26d081364b.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ dfe4c41411.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 26d081364b.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exesvoutse.exe26d081364b.exedfe4c41411.exesvoutse.exesvoutse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 26d081364b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion dfe4c41411.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 26d081364b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion dfe4c41411.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
svoutse.exed5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation svoutse.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe -
Executes dropped EXE 6 IoCs
Processes:
svoutse.exe26d081364b.exedfe4c41411.exe508f2178a1.exesvoutse.exesvoutse.exepid process 412 svoutse.exe 4372 26d081364b.exe 2112 dfe4c41411.exe 2672 508f2178a1.exe 3404 svoutse.exe 1352 svoutse.exe -
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exesvoutse.exe26d081364b.exedfe4c41411.exesvoutse.exesvoutse.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine svoutse.exe Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine 26d081364b.exe Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine dfe4c41411.exe Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine svoutse.exe Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine svoutse.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
svoutse.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfe4c41411.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\dfe4c41411.exe" svoutse.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\508f2178a1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000040001\\508f2178a1.exe" svoutse.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000040001\508f2178a1.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exesvoutse.exe26d081364b.exedfe4c41411.exesvoutse.exesvoutse.exepid process 3344 d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe 412 svoutse.exe 4372 26d081364b.exe 2112 dfe4c41411.exe 3404 svoutse.exe 1352 svoutse.exe -
Drops file in Windows directory 1 IoCs
Processes:
d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exedescription ioc process File created C:\Windows\Tasks\svoutse.job d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
dfe4c41411.exe508f2178a1.exed5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exesvoutse.exe26d081364b.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfe4c41411.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 508f2178a1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svoutse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26d081364b.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exesvoutse.exe26d081364b.exedfe4c41411.exemsedge.exemsedge.exeidentity_helper.exesvoutse.exesvoutse.exemsedge.exepid process 3344 d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe 3344 d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe 412 svoutse.exe 412 svoutse.exe 4372 26d081364b.exe 4372 26d081364b.exe 2112 dfe4c41411.exe 2112 dfe4c41411.exe 4776 msedge.exe 4776 msedge.exe 1892 msedge.exe 1892 msedge.exe 5756 identity_helper.exe 5756 identity_helper.exe 3404 svoutse.exe 3404 svoutse.exe 1352 svoutse.exe 1352 svoutse.exe 3992 msedge.exe 3992 msedge.exe 3992 msedge.exe 3992 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
508f2178a1.exepid process 2672 508f2178a1.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs
Processes:
msedge.exepid process 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe 1892 msedge.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
508f2178a1.exemsedge.exepid process 2672 508f2178a1.exe 2672 508f2178a1.exe 1892 msedge.exe 1892 msedge.exe 2672 508f2178a1.exe 1892 msedge.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
508f2178a1.exepid process 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe 2672 508f2178a1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exesvoutse.exe508f2178a1.exemsedge.exedescription pid process target process PID 3344 wrote to memory of 412 3344 d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe svoutse.exe PID 3344 wrote to memory of 412 3344 d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe svoutse.exe PID 3344 wrote to memory of 412 3344 d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe svoutse.exe PID 412 wrote to memory of 4372 412 svoutse.exe 26d081364b.exe PID 412 wrote to memory of 4372 412 svoutse.exe 26d081364b.exe PID 412 wrote to memory of 4372 412 svoutse.exe 26d081364b.exe PID 412 wrote to memory of 2112 412 svoutse.exe dfe4c41411.exe PID 412 wrote to memory of 2112 412 svoutse.exe dfe4c41411.exe PID 412 wrote to memory of 2112 412 svoutse.exe dfe4c41411.exe PID 412 wrote to memory of 2672 412 svoutse.exe 508f2178a1.exe PID 412 wrote to memory of 2672 412 svoutse.exe 508f2178a1.exe PID 412 wrote to memory of 2672 412 svoutse.exe 508f2178a1.exe PID 2672 wrote to memory of 1892 2672 508f2178a1.exe msedge.exe PID 2672 wrote to memory of 1892 2672 508f2178a1.exe msedge.exe PID 1892 wrote to memory of 2460 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 2460 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 3644 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4776 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 4776 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 1936 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 1936 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 1936 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 1936 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 1936 1892 msedge.exe msedge.exe PID 1892 wrote to memory of 1936 1892 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe"C:\Users\Admin\AppData\Local\Temp\d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Users\Admin\AppData\Roaming\1000026000\26d081364b.exe"C:\Users\Admin\AppData\Roaming\1000026000\26d081364b.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4372 -
C:\Users\Admin\AppData\Local\Temp\1000030001\dfe4c41411.exe"C:\Users\Admin\AppData\Local\Temp\1000030001\dfe4c41411.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2112 -
C:\Users\Admin\AppData\Local\Temp\1000040001\508f2178a1.exe"C:\Users\Admin\AppData\Local\Temp\1000040001\508f2178a1.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc34846f8,0x7ffbc3484708,0x7ffbc34847185⤵PID:2460
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:25⤵PID:3644
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:4776 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:85⤵PID:1936
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:15⤵PID:4316
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:15⤵PID:4128
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:15⤵PID:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:15⤵PID:1480
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:15⤵PID:3696
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:15⤵PID:64
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:15⤵PID:3004
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:15⤵PID:3512
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:15⤵PID:316
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:15⤵PID:2224
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:15⤵PID:1052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:15⤵PID:3268
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:15⤵PID:3216
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:15⤵PID:4288
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:15⤵PID:4604
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:15⤵PID:4516
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:15⤵PID:4372
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:15⤵PID:3272
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:15⤵PID:1016
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:15⤵PID:1788
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:15⤵PID:4952
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:15⤵PID:2308
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:15⤵PID:3756
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:15⤵PID:4460
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:15⤵PID:3004
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:15⤵PID:5144
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:15⤵PID:5152
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:15⤵PID:5556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7568 /prefetch:15⤵PID:5712
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7432 /prefetch:85⤵PID:5572
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7432 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:5756 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,7227794422065782140,11115692388384481401,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7856 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3992
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4656
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5388
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3404
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1352
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\6293c91b-1d53-4f97-a2d7-9f459fd1e0d7.tmp
Filesize9KB
MD5b4af6704215e88e00fafcd356a255481
SHA10325fcb4d44cb8e7d3545e62b398e94cbdc0e99c
SHA256db67fb3bb8ba8d17490a873b096fce1aa6baa0e4c77c67b8f1f403f5c0c2946d
SHA5125ea2160c503e4a18429602934ec91134518c7b2dd67152002033810ad68a8420f5b243cd4ccef8b473ea4914e58929c6d0142094361a21f6233bb8938f8a30c7
-
Filesize
152B
MD5a079c914570ed6871ea2dd66ac006edd
SHA16473e8d688aeef2f222d89b913e5b30b623ce696
SHA256685f0345d658b2a3192fb4a985648b1b01d849237d57211b4b53e49d4f0c73dd
SHA512d9d4f3985769cb49f998d4cc61746e7dc25689edb4621c759d10dc869d3251b75ac7ad8911da6d8be390b9382401d2b471e3fbf0cf2f38478d0f3d684c3e4767
-
Filesize
152B
MD5aea6d5fadd05a7e4e16f71a4a1ef46d3
SHA19e4bfa43557d5311be1aef3d5eb52d20d29417ae
SHA2568181e65e756b6ce0e337f66fb3e2d3df9cd1057f7da4379fa3234f7aba7bb29d
SHA512105fc8c10e6003c3cc660c0f7ed5bba347f70d95b174df6d877cb61511395765f8e9f2ee1f2e44564a912a315c4bf3c381683aa4b93131c332fd0030216bffef
-
Filesize
152B
MD5c3149db6d38eeddf21a380d88cafa6ae
SHA1d6b83ac5a895ae6a75ade55878aeedf540d069e8
SHA2564eafb0fd852f99f70502bc22dcd286f5e1d8674c8691734983ea189bfa2b22b8
SHA5122b69b8679d3801cd87b8801c16491c5718887232ad3908c12b2bf354b8701e59136d030fa6d3939516ef5f3c70faa581e2ea89f98c694ebcd0696d410e525883
-
Filesize
20B
MD59e4e94633b73f4a7680240a0ffd6cd2c
SHA1e68e02453ce22736169a56fdb59043d33668368f
SHA25641c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
1KB
MD5b8293a266c92e46394c4a4bc9edbb269
SHA1f86c8cacc39fd25ae3ee8a327f9df2e8f8445dee
SHA256b493dc27c0307ee7f5cd7b70081e40395fc9e0f8ac6e587160dad545f9f28a78
SHA5126c3f653c8537fefec10f7487d891cca1a4d7134a9bfb1b32410dc949eabc59353d9b1eac68e15975d38b53f3fbeb22a10306eb586c75cf3da262f6e7478d3778
-
Filesize
4KB
MD585b909f1cd19ffc7fe26a7b51204d2d5
SHA12b0130e8f4b749854ceab9366f1d62e538184190
SHA2567552624599e4c7557934ff6e5071461fdcde66142626ccd2611d1d0f8e9740e8
SHA512744614e84664e64bbd203bf6a473eed13d19f99df39f488b7132bc146e1195fe18313a9eec6314a333660eb8dcd29d19bf65959a8cf56f35a262b090b91fd743
-
Filesize
4KB
MD54859fc8449a3b93399e8fe3d252327be
SHA1e96cd2dff6acfe5bde261d41484b4175196185e2
SHA2561bb7aa7f83c600c228c53a43fe39624f8448005a64501d7439fc0612a3ee26dc
SHA5124542aa88f2825517d3c63ab3bb9d26e75a7f95020d5c569eb63d2da06805c711c90cb3d105568eb67ef7c3870c91f03f31148462923ed3442dcb7ad3c76ffbdd
-
Filesize
4KB
MD5d652747ddb0534faafcc883a1d62e03e
SHA1426df311f737ac4551fe86d8b56a38aab79600db
SHA256f96e2000a9d3efd18ffba4008455abd63c86acbd4cde35e16d07856fa969ae92
SHA5125e055bae6a74b06331fc1f0175486b71d7ea9172bdcc41d0fffe34d92df83ffe4b36d275cd754652b61a6baab821c1b42560c2238d33c7e8efba2beb0eb93fd4
-
Filesize
4KB
MD5b24cf2ca9a1c34715187119c54e9fc95
SHA1fc4980c3bca42e4c1926ea7a41e53343ab17f79c
SHA256e3463b3c25771a4b8bcb723036f3180a2d80eb83b8bd45b110dc1cf8ec66a84f
SHA51278332dd463e339a7a891fa634933f107480b73c020e361d848e11104278143f2bcda12fe3931910830631388de1db95a41524101df92a28e3a3c4dbe4f913b76
-
Filesize
24KB
MD5d30e009c82bed4e406c3ab0b4148ba86
SHA11fe41e4fa6ffffdb291ce5717813423a620504f5
SHA256f53fc3c45d1ff4a4bca535df7ec22901ec49e96e5fb57fbf143973ec41184d96
SHA51251247a490ae004f858650a14d6ccb829685a5c2887f6b9eb339024b106e7c9fcd6b733fd6fc3277ccd2e861ad38bebd30ab29cc13a68ede113116bf40a6acfec
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe581671.TMP
Filesize24KB
MD5e99a53b61e689c9f703dc6dc1e792a56
SHA1fb9cb1b68068c4bd81142dc1e4bcfb543adbe4eb
SHA256722828eec9f3faca5e1c1ad9b3ca6196a5ad3e8377c68c078ac058a3be495c1e
SHA51281a9cf699df88a219448ed9c586a0848377034c07f2f70f2b702193e41f8cc4fa10e6a6c7afd66ebb485a97acc5cef296b04ae83899dc130fa7418c8dc18bd64
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
Filesize8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
Filesize264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2
Filesize8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3
Filesize8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
Filesize16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
1.8MB
MD52dc5b1c2a0728e55da15ca822725e1c7
SHA1482947a5e11b281838a2427b08311b29b4c63b88
SHA256d5bb00a8a963b74b9db3ea39e270713ff9bf3cba4b1c70a7495381c945f779e5
SHA5120d2e2b2ccad99c7dfb9b40de3d03064e7661919a1810fb383e86cd9d61d8ca37663df139f8357dd38883bd5c9112a63c95ccb187ea460c4c4dda41a438e6e93b
-
Filesize
896KB
MD5aeb3199842bd01689c760b56f68ddfbe
SHA16977fa5ec8c7d0908dcfce3202ba5ca5905c75e5
SHA256a6d9dfa485815059b536ad37b38717e89688e28b59209bc41599372836175bf0
SHA5128b0e6ed3e7be9c309431bca91bd7282afcbbb0aa725645e24ab5cd311490e61d9ade6d40375085659e08218ecba516e5ea0bd68eb4fb9d82c6e83d23751c9951
-
Filesize
1.7MB
MD596191b63d5798d518923727a443b583a
SHA19d4ecfcca685c739f621d55628c74823cc31ff46
SHA25623413b888fbcb25c4b8fdd07b60c95402ea09d4b7d591e786c906c64690be46e
SHA512e0ef6083166ea2752c10a43ef7ad3b73223124b1c38586f8032148d02f8883f40c5a111df1bcb7775d8e4b1b1994ac284b098e1f8da6ddbab82bc10712517875
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DRDA9XN65RZJBW8L43R4.temp
Filesize3KB
MD55a85d1c5dcb336da56370aec197b494c
SHA1560b8e6f4d442cb1c09651a17033185993f2d3b4
SHA256be61082a70279b5d954c797ab647f697ac9a4a3716677350b010388ef0640476
SHA512f9005fed637f469a90dcabfd1f6496ee547f7313df46f6aaa1f8f389160b561237f6d52226041ed868b8ff1dad2509adac0d425c231a5004b0e9b3924aa0bf7e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e