Analysis

max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-09-2024 10:05

Static task: static1
Behavioral task: behavioral1
Sample: eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
Resource: win10v2004-20240802-en

General

Target: eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
Size: 1.8MB
MD5: 16eba1f939a7c8d10aa7a300cf48658a
SHA1: d291806bdd49d3016994f05834ed4100b042aa95
SHA256: eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e
SHA512: a7c69ae67d0a53eb384f35f126f12a0e92937a900e5b7ce718746eeda0cfb4061f81ba34c68ac97de3f80ff6ef4a161cd8c6e629c69b76443d18bb0c9b89051b
SSDEEP: 49152:WxmJVsjaD3cB0mYz0QAhpwlgqN/YkuNgC48MQ7nt:WxaijaD36Y09QlgEIyLhQ7nt
Malware Config

Extracted: amadey
  version: 4.41
  botnet: c7817d
  c2: http://31.41.244.10
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php

Extracted: stealc
  botnet: rave
  c2: http://185.215.113.103
  url_path: /e2b1563c6670f193.php
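The two extracted configs are the most directly actionable part of this report: each gives a C2 host and the exact gate path the implant talks to, and the Amadey config additionally names the directory and filename it installs under, which is why the process tree later shows C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe. The script below, an added example written for this page and not part of the sandbox output, turns those fields into indicators and runs them over proxy-log lines. The log format (timestamp, client, method, URL, status) and the log lines themselves are constructed for the demonstration; the temp_dir default reproduces the sandbox's Admin profile and must be replaced with the real user's profile on a live host.

```python
"""Turn the extracted Amadey and Stealc configs into indicators and check them
against proxy-log lines. Added example written for this report; the log lines
below are constructed, not taken from the sandbox run."""
import re
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section of this report.
EXTRACTED = [
    {"family": "amadey", "c2": "http://31.41.244.10", "url_paths": ["/Dem7kTu/index.php"],
     "install_dir": "0e8d0864aa", "install_file": "svoutse.exe"},
    {"family": "stealc", "c2": "http://185.215.113.103", "url_paths": ["/e2b1563c6670f193.php"]},
]


def build_indicators(configs):
    """Return (exact, hosts): exact maps (host, path) -> family for the C2 gate
    itself; hosts maps host -> family so any other request to the same C2 still
    matches, at lower confidence (gate paths rotate, hosts rotate less often)."""
    exact, hosts = {}, {}
    for cfg in configs:
        host = urlsplit(cfg["c2"]).hostname
        hosts[host] = cfg["family"]
        for path in cfg["url_paths"]:
            exact[(host, path)] = cfg["family"]
    return exact, hosts


def expected_install_path(cfg, temp_dir=r"C:\Users\Admin\AppData\Local\Temp"):
    """Amadey's install_dir and install_file map onto the dropped-file path the
    process tree shows (Temp, then 0e8d0864aa, then svoutse.exe). temp_dir is the
    sandbox user's Temp folder; substitute the real user's %TEMP% on a live host."""
    if "install_dir" not in cfg or "install_file" not in cfg:
        return None
    return "\\".join((temp_dir, cfg["install_dir"], cfg["install_file"]))


# Assumed log shape: "<timestamp> <client-ip> <METHOD> <url> <status>"; adjust to your proxy.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines, configs=EXTRACTED):
    """Return one hit per line whose host (and, for high confidence, path) matches a C2."""
    exact, hosts = build_indicators(configs)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        u = urlsplit(m["url"])
        host, path = u.hostname, u.path or "/"  # query string deliberately ignored
        if (host, path) in exact:
            hits.append({"client": m["client"], "family": exact[(host, path)],
                         "confidence": "high", "url": m["url"]})
        elif host in hosts:
            hits.append({"client": m["client"], "family": hosts[host],
                         "confidence": "medium", "url": m["url"]})
    return hits


# Constructed sample traffic (not from the report): one Amadey gate request, one
# other request to the same host, one Stealc gate request, one unrelated line.
SAMPLE_LOG = [
    "2024-09-12T10:06:01Z 10.0.0.7 POST http://31.41.244.10/Dem7kTu/index.php 200",
    "2024-09-12T10:06:03Z 10.0.0.7 GET http://31.41.244.10/Dem7kTu/other 200",
    "2024-09-12T10:06:09Z 10.0.0.7 POST http://185.215.113.103/e2b1563c6670f193.php 200",
    "2024-09-12T10:06:10Z 10.0.0.9 GET http://example.com/index.php 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print(expected_install_path(EXTRACTED[0]))
```

Matching on host plus path gives a high-confidence hit on the gate itself; the host-only fallback catches follow-on requests to the same server (payload pulls, plugin downloads) without treating every IP as a full indicator. The Stealc entry has no install fields, so expected_install_path returns None for it rather than guessing.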
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 6 IoCs]
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 8da6e1077b.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 8abc3153b2.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Downloads MZ/PE file
Checks BIOS information in registry [2 TTPs, 12 IoCs]
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8da6e1077b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8da6e1077b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8abc3153b2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8abc3153b2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Checks computer location settings [2 TTPs, 2 IoCs]
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | svoutse.exe
Executes dropped EXE [6 IoCs]
  pid | process
  2136 | svoutse.exe
  2712 | 8da6e1077b.exe
  996 | 8abc3153b2.exe
  1880 | 186b3c82b0.exe
  3252 | svoutse.exe
  5356 | svoutse.exe
Identifies Wine through registry keys [2 TTPs, 6 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | 8da6e1077b.exe
  Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | 8abc3153b2.exe
  Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | svoutse.exe
  Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
Adds Run key to start application [2 TTPs, 2 IoCs]
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8abc3153b2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\8abc3153b2.exe" | svoutse.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\186b3c82b0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000040001\\186b3c82b0.exe" | svoutse.exe
AutoIT Executable [1 IoCs]
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\1000040001\186b3c82b0.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger [6 IoCs]
  pid | process
  4208 | eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
  2136 | svoutse.exe
  2712 | 8da6e1077b.exe
  996 | 8abc3153b2.exe
  3252 | svoutse.exe
  5356 | svoutse.exe
Drops file in Windows directory [1 IoCs]
  description | ioc | process
  File created | C:\Windows\Tasks\svoutse.job | eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery [1 TTPs, 5 IoCs]
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 186b3c82b0.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8da6e1077b.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8abc3153b2.exe
Enumerates system info in registry [2 TTPs, 3 IoCs]
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class [1 IoCs]
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: EnumeratesProcesses [22 IoCs]
  pid | process | occurrences
  4208 | eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe | 2
  2136 | svoutse.exe | 2
  2712 | 8da6e1077b.exe | 2
  996 | 8abc3153b2.exe | 2
  4424 | msedge.exe | 2
  3516 | msedge.exe | 2
  5512 | identity_helper.exe | 2
  3252 | svoutse.exe | 2
  5356 | svoutse.exe | 2
  1532 | msedge.exe | 4
Suspicious behavior: GetForegroundWindowSpam [1 IoCs]
  pid | process
  1880 | 186b3c82b0.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [29 IoCs]
  pid | process | occurrences
  3516 | msedge.exe | 29
Suspicious use of FindShellTrayWindow [64 IoCs]
  pid | process | occurrences
  4208 | eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe | 1
  1880 | 186b3c82b0.exe | 60
  3516 | msedge.exe | 3
Suspicious use of SendNotifyMessage [64 IoCs]
  pid | process | occurrences
  1880 | 186b3c82b0.exe | 64
Suspicious use of WriteProcessMemory [64 IoCs]
  source pid | source process | target pid | target process | occurrences
  4208 | eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe | 2136 | svoutse.exe | 3
  2136 | svoutse.exe | 2712 | 8da6e1077b.exe | 3
  2136 | svoutse.exe | 996 | 8abc3153b2.exe | 3
  2136 | svoutse.exe | 1880 | 186b3c82b0.exe | 3
  1880 | 186b3c82b0.exe | 3516 | msedge.exe | 2
  3516 | msedge.exe | 2704 | msedge.exe | 2
  3516 | msedge.exe | 1300 | msedge.exe | 40
  3516 | msedge.exe | 4424 | msedge.exe | 2
  3516 | msedge.exe | 1172 | msedge.exe | 6
Processes

The bracketed number is the depth in the process tree (1 = the submitted sample).

[1] C:\Users\Admin\AppData\Local\Temp\eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe"
    PID: 4208
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      PID: 2136
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\1000026000\8da6e1077b.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\1000026000\8da6e1077b.exe"
        PID: 2712
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Users\Admin\AppData\Local\Temp\1000030001\8abc3153b2.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1000030001\8abc3153b2.exe"
        PID: 996
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Users\Admin\AppData\Local\Temp\1000040001\186b3c82b0.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1000040001\186b3c82b0.exe"
        PID: 1880
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          PID: 3516
          - Enumerates system info in registry
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (crashpad-handler)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e2b946f8,0x7ff9e2b94708,0x7ff9e2b94718
            PID: 2704

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (gpu-process)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,12172939536811801921,15957193297148580124,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
            PID: 1300

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (utility: network.mojom.NetworkService)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,12172939536811801921,15957193297148580124,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
            PID: 4424
            - Suspicious behavior: EnumeratesProcesses

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (utility: storage.mojom.StorageService)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,12172939536811801921,15957193297148580124,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
            PID: 1172

        [5] 24 renderer children of PID 3516, each started as:
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12172939536811801921,15957193297148580124,131072 --disable-features=TranslateUI [--disable-databases] --lang=en-US [--extension-process] --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=<id> --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=<handle> /prefetch:1
            No signatures were recorded for these processes. Per-process values:
            PID | renderer-client-id | mojo-platform-channel-handle | optional flags
            692 | 6 | 3468 | --disable-databases
            2316 | 5 | 3476 | --disable-databases
            1996 | 18 | 3932 |
            2712 | 7 | 3940 | --extension-process
            3196 | 19 | 4276 | --disable-databases
            1712 | 8 | 4400 | --disable-databases --extension-process
            1812 | 20 | 4564 |
            1352 | 9 | 4624 | --extension-process
            2960 | 21 | 4536 | --disable-databases
            3136 | 10 | 4572 | --disable-databases --extension-process
            2036 | 22 | 4728 |
            3648 | 11 | 4756 | --extension-process
            4768 | 23 | 4780 | --disable-databases
            920 | 12 | 4788 | --disable-databases --extension-process
            4220 | 24 | 4768 |
            692 | 13 | 4796 | --extension-process
            400 | 25 | 4812 | --disable-databases
            2256 | 14 | 4820 | --disable-databases --extension-process
            2192 | 26 | 4848 |
            3280 | 15 | 4856 | --extension-process
            3556 | 16 | 4936 | --extension-process
            1720 | 27 | 4960 | --disable-databases
            220 | 17 | 4972 | --disable-databases --extension-process
            4224 | 28 | 5100 |
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12172939536811801921,15957193297148580124,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:15⤵PID:4904
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12172939536811801921,15957193297148580124,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:15⤵PID:4744
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12172939536811801921,15957193297148580124,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:15⤵PID:2904
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12172939536811801921,15957193297148580124,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:15⤵PID:3236
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12172939536811801921,15957193297148580124,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:15⤵PID:2400
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,12172939536811801921,15957193297148580124,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8696 /prefetch:85⤵PID:5996
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,12172939536811801921,15957193297148580124,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8696 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:5512 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,12172939536811801921,15957193297148580124,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3176 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1532
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1900
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:400
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3252
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5356
Network
MITRE ATT&CK Enterprise v15
Downloads