Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-09-2024 10:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
- Resource: win7-20240708-en
General
- Target: eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
- Size: 1.8MB
- MD5: 16eba1f939a7c8d10aa7a300cf48658a
- SHA1: d291806bdd49d3016994f05834ed4100b042aa95
- SHA256: eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e
- SHA512: a7c69ae67d0a53eb384f35f126f12a0e92937a900e5b7ce718746eeda0cfb4061f81ba34c68ac97de3f80ff6ef4a161cd8c6e629c69b76443d18bb0c9b89051b
- SSDEEP: 49152:WxmJVsjaD3cB0mYz0QAhpwlgqN/YkuNgC48MQ7nt:WxaijaD36Y09QlgEIyLhQ7nt
Malware Config
Extracted: amadey
- Version: 4.41
- Botnet: c7817d
- C2: http://31.41.244.10
- install_dir: 0e8d0864aa
- install_file: svoutse.exe
- strings_key: 5481b88a6ef75bcf21333988a4e47048
- url_paths: /Dem7kTu/index.php
Extracted: stealc
- Botnet: rave
- C2: http://185.215.113.103
- url_path: /e2b1563c6670f193.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
Processes: eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe, svoutse.exe, 8cdec30fe7.exe, c6eaddd9b1.exe, svoutse.exe, svoutse.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (svoutse.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (8cdec30fe7.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (c6eaddd9b1.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (svoutse.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (svoutse.exe)
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe, svoutse.exe, 8cdec30fe7.exe, c6eaddd9b1.exe, svoutse.exe, svoutse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (svoutse.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (8cdec30fe7.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (8cdec30fe7.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (c6eaddd9b1.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (svoutse.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (svoutse.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (svoutse.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (c6eaddd9b1.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (svoutse.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (svoutse.exe)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe, svoutse.exe
- Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation (eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation (svoutse.exe)
Executes dropped EXE (6 IoCs)
Processes: svoutse.exe, 8cdec30fe7.exe, c6eaddd9b1.exe, c6eaddd9b1.exe, svoutse.exe, svoutse.exe
- PID 2052 svoutse.exe
- PID 4596 8cdec30fe7.exe
- PID 4440 c6eaddd9b1.exe
- PID 4284 c6eaddd9b1.exe
- PID 3104 svoutse.exe
- PID 5540 svoutse.exe
Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 8cdec30fe7.exe, c6eaddd9b1.exe, svoutse.exe, svoutse.exe, eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe, svoutse.exe
- Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine (8cdec30fe7.exe)
- Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine (c6eaddd9b1.exe)
- Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine (svoutse.exe)
- Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine (svoutse.exe)
- Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine (eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe)
- Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine (svoutse.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svoutse.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c6eaddd9b1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\c6eaddd9b1.exe" (svoutse.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c6eaddd9b1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000040001\\c6eaddd9b1.exe" (svoutse.exe)
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
- Resource C:\Users\Admin\AppData\Local\Temp\1000040001\c6eaddd9b1.exe matched yara rule autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes: eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe, svoutse.exe, 8cdec30fe7.exe, c6eaddd9b1.exe, svoutse.exe, svoutse.exe
- PID 4864 eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
- PID 2052 svoutse.exe
- PID 4596 8cdec30fe7.exe
- PID 4440 c6eaddd9b1.exe
- PID 3104 svoutse.exe
- PID 5540 svoutse.exe
Drops file in Windows directory (1 IoCs)
Processes: eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe
- File created C:\Windows\Tasks\svoutse.job (eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: c6eaddd9b1.exe, c6eaddd9b1.exe, eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe, svoutse.exe, 8cdec30fe7.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c6eaddd9b1.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c6eaddd9b1.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svoutse.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (8cdec30fe7.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies registry class (1 IoCs)
Processes: msedge.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes: eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe, svoutse.exe, 8cdec30fe7.exe, c6eaddd9b1.exe, msedge.exe, msedge.exe, identity_helper.exe, svoutse.exe, svoutse.exe, msedge.exe
- PID 4864 eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe (2 entries)
- PID 2052 svoutse.exe (2 entries)
- PID 4596 8cdec30fe7.exe (2 entries)
- PID 4440 c6eaddd9b1.exe (2 entries)
- PID 3644 msedge.exe (2 entries)
- PID 4452 msedge.exe (2 entries)
- PID 6044 identity_helper.exe (2 entries)
- PID 3104 svoutse.exe (2 entries)
- PID 5540 svoutse.exe (2 entries)
- PID 5448 msedge.exe (4 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: c6eaddd9b1.exe
- PID 4284 c6eaddd9b1.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (31 IoCs)
Processes: msedge.exe
- PID 4452 msedge.exe (31 entries)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: c6eaddd9b1.exe, msedge.exe
- PID 4284 c6eaddd9b1.exe (61 entries)
- PID 4452 msedge.exe (3 entries)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: c6eaddd9b1.exe
- PID 4284 c6eaddd9b1.exe (64 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe, svoutse.exe, c6eaddd9b1.exe, msedge.exe
- PID 4864 (eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe) wrote to memory of 2052 (svoutse.exe): 3 entries
- PID 2052 (svoutse.exe) wrote to memory of 4596 (8cdec30fe7.exe): 3 entries
- PID 2052 (svoutse.exe) wrote to memory of 4440 (c6eaddd9b1.exe): 3 entries
- PID 2052 (svoutse.exe) wrote to memory of 4284 (c6eaddd9b1.exe): 3 entries
- PID 4284 (c6eaddd9b1.exe) wrote to memory of 4452 (msedge.exe): 2 entries
- PID 4452 (msedge.exe) wrote to memory of 4396 (msedge.exe): 2 entries
- PID 4452 (msedge.exe) wrote to memory of 4864 (msedge.exe): 40 entries
- PID 4452 (msedge.exe) wrote to memory of 3644 (msedge.exe): 2 entries
- PID 4452 (msedge.exe) wrote to memory of 2216 (msedge.exe): 6 entries
Processes
[1] PID 4864: "C:\Users\Admin\AppData\Local\Temp\eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  [2] PID 2052: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    [3] PID 4596: "C:\Users\Admin\AppData\Roaming\1000026000\8cdec30fe7.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    [3] PID 4440: "C:\Users\Admin\AppData\Local\Temp\1000030001\c6eaddd9b1.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    [3] PID 4284: "C:\Users\Admin\AppData\Local\Temp\1000040001\c6eaddd9b1.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
      [4] PID 4452: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe138c46f8,0x7ffe138c4708,0x7ffe138c47185⤵PID:4396
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:25⤵PID:4864
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:3644 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:85⤵PID:2216
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:15⤵PID:3520
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:15⤵PID:2864
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:15⤵PID:4652
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:15⤵PID:1344
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:15⤵PID:1704
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:15⤵PID:4780
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:15⤵PID:3184
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:15⤵PID:820
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:15⤵PID:3104
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:15⤵PID:2484
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:15⤵PID:2900
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:15⤵PID:2552
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:15⤵PID:2352
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:15⤵PID:4308
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:15⤵PID:1476
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:15⤵PID:3164
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:15⤵PID:3900
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:15⤵PID:2300
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:15⤵PID:5152
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:15⤵PID:5160
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
PID:5192
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
PID:5200
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
PID:5208
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
PID:5308
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7452 /prefetch:1
PID:5316
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
PID:5648
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
PID:5828
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
PID:5888
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7864 /prefetch:1
PID:5996
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
PID:5848
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
PID:5856
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6560 /prefetch:8
PID:2528
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6560 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:6044
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,1887485323152915968,4527701691639539847,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID:5448
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4904
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:6072
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3104
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5540
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 152B
MD5 f6e324fb1803f375ac0919f4b9652e43
SHA1 5baa8f7923521fbf900da5f0f3e303d3bfbe1519
SHA256 8a6f9dc704002126a5396650a86acaaae26d7295af0d7c94b4d6ffee12f74162
SHA512 9b46ae13fe8df585e562261bc3722c98f2cccbc3cc96da4c350902563b453cd7cbbb3a43b8f8110e9fe6df6394d1260d6adf108c28b9d13292026dda4adb3091
-
Filesize 152B
MD5 d53cd5a8f2e6050521eba068f2220788
SHA1 d6fb770fdad2cf51191cfec9ab133832016e6fe1
SHA256 32950fbf8b12e47bf514c798b53b9422de71c1371b6884920d212c9f358fb598
SHA512 718f9cd53920b6af3a154248bb6337118d0c1d26415396af3e7247d355a75bb4f5ba6b77a1387d9e2ef84c9b0703b2323dce6dc80af7877c4340a888edca6ef9
-
Filesize 152B
MD5 1ebee206945b9caa43096c1d136abaf6
SHA1 47bed20f02e4673e1238277ae9600800a3cbc03f
SHA256 ac38da21a38b29654a2e4817f59c428046ce0ee6a3b60292048aa863a7e78ab1
SHA512 097cc8c56598957ad1b75c7c0a6e5c9266cb6b0edca4ff6457bf3aa3fd0aa2dfa4fe6f60be2c994373e85d39132cb0ced048ffc074853852f2ddc5b60c41acfd
-
Filesize 20B
MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
Filesize 1KB
MD5 ab05ce270f39094583b3e96a5eda8fce
SHA1 269cb875fd4861ec594f3345a026435b330bbe8c
SHA256 c72e57722b36e3ba0a7ed39b9d744aaaa800f8ddb412c9cac278b6af7fc47ff0
SHA512 462b834325e3f757254c3922355c4a08e46349414391b48681f90ea5f36a4e1ae2b6059e092f9db6e14cb2ed6a70c0667c31025d5b82fe5873325bf1ec2b7c09
-
Filesize 4KB
MD5 7712fe29a8b30d571b278a82443f3cb4
SHA1 e1081d1c5ea137453872675d81abb0d9cf47c0ce
SHA256 b06da4b5ce59057781971337635a25871cbbac606e85cb8fbf51e12b720b9fbe
SHA512 b14a535457a9108f9986bc62507a29f4ae2c2b6585a247d3d190b6ae978f256b7c5a57187018fa8a7f700bc21addd75c792e83de419e33a4c5765e9925d50b00
-
Filesize 4KB
MD5 c3f7d83099c4536e5c9c2ed344996bda
SHA1 dd4f8042e89b3d6e05932287b00b42262a0dc39f
SHA256 9934bf26e08210f297d7f089b67119608c11bfb137f46f6c1cafa9e8501e5032
SHA512 63dd9bc9350b27c237645567cccba174b4dcfc91a287cab859e718383476e18264a94e7dd3156a8c50e9c8f305d508d10c8057e069e406b9b8b496e7d365b743
-
Filesize 4KB
MD5 d39c6e940aadc8848aa757e356482cff
SHA1 9e35077a43d7baae557f3c1baae0df33dd1020a6
SHA256 51b767152ce26be2df2bc6bc58111af2255db81bf1c2e159326fd0e9e6c0b0d7
SHA512 cbfe8613f044f26f36b7b08191e1baaf18b2876516768940864c0bc93ebd670572cfdaa3d68a74c3935933c03adf5280c54ba5fef3acf28f4597d68ac25ab724
-
Filesize 4KB
MD5 75550c24fd106f721fe3713929c23696
SHA1 a0b5c020035ec5f9c36277cd5d2b6943372f9241
SHA256 6baab38158b79507938b40728850d5d99a16f8d2e9e21293349298729fa69184
SHA512 42766b00b11200f143ab09cad5bcfca9806c302f22770f38105089a50e0b9a5879c739a0c9bc9e4c6409905e29bda3dc1ea68f450c3ae1252fd31a28ce49b7cf
-
Filesize 24KB
MD5 a8c803fd0f1e76ab90144f88f140bd8d
SHA1 c7a6d705f539e855031d6778dfb40c8d0ab04ad2
SHA256 5c16efb7aa2ac22c726681189c5f274b9ecd48ec163aaf67018518683fd63977
SHA512 e4cbdeae663dc983d7dd6cee030621dd14e9ee3645eae9864b77ec9698bf72024f21a6d9db1f9a83a72ffca6770fe3183363210cecc2dc5b1370cb225a06b42a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe57c15c.TMP
Filesize 24KB
MD5 f42191f1ac1442f61e08d6d3028accf4
SHA1 c2710bc9c08b412ec9b835f754e77446984e4f2c
SHA256 c9edb39e5ef2eedd18be77d947008de2228e39cf1b4de51459c83d26240d8a4c
SHA512 eda2d966b3b567c06940cfb9d3f85ba31970f2c7e8f33615a27e4376260a030ffd4393699a225b65b6278adaf735ed1036eb2864f08cf92f2a79213052b7c068
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
Filesize 8KB
MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2
Filesize 8KB
MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3
Filesize 8KB
MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\c873d9ad-54ca-4c22-b88f-583a9496a28f.tmp
Filesize 9KB
MD5 528637ce2d0bd852dada0be921115993
SHA1 608c48e97412773697420402515f03f168c52a1d
SHA256 d104796a083a27f68483d1df3d8efb643df6cfaa595d79719f139eee9e52ac23
SHA512 b7ea2084a40d4e400ce8d509d17e6fd4eb94ebbf349639f217788110902b8bf09d7cdd00545655b1868141c1e57dcaa84ce5b7c66fe4db3a85aa9a8e1bc43352
-
Filesize 1.8MB
MD5 16eba1f939a7c8d10aa7a300cf48658a
SHA1 d291806bdd49d3016994f05834ed4100b042aa95
SHA256 eb2869650996d4e220e3fd063aa269bc83a5f0ca42125f3a8c1f7d5e62af9f4e
SHA512 a7c69ae67d0a53eb384f35f126f12a0e92937a900e5b7ce718746eeda0cfb4061f81ba34c68ac97de3f80ff6ef4a161cd8c6e629c69b76443d18bb0c9b89051b
-
Filesize 896KB
MD5 38164e376726862f321ff8405edbb017
SHA1 9369f0d472e9356375a90c770960283023f46746
SHA256 656c621b640e591916a685e4fc7f3171bd756ff85aa98872557cf6b22b09db79
SHA512 a2af12b16f5faa4d63c7b5b5399b03708172c998d3f83c088cb62feea1695c66aed1559f779bce1e6a223c5ea26e9c0e19690fd90cfadc03d2f8382e766fccd2
-
Filesize 1.7MB
MD5 96191b63d5798d518923727a443b583a
SHA1 9d4ecfcca685c739f621d55628c74823cc31ff46
SHA256 23413b888fbcb25c4b8fdd07b60c95402ea09d4b7d591e786c906c64690be46e
SHA512 e0ef6083166ea2752c10a43ef7ad3b73223124b1c38586f8032148d02f8883f40c5a111df1bcb7775d8e4b1b1994ac284b098e1f8da6ddbab82bc10712517875
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9VHDNWDCEI0K089IHBIT.temp
Filesize 3KB
MD5 d409c8fb80bb63f42e0da83743cf5724
SHA1 b66221302b5fd46e8a0a10b80de1f8dcbf2e49fc
SHA256 d86ccadc5d2f3023abc9fac785bdcc570135fb6e55baff5a36f167bbafe6320a
SHA512 33800b48df27502cfa291ac05056ca9217e4cfe62bd8d9563da1ac8221973072a47eec97e6d77882d45cc67e303d17d4bf841bca3f054d4c52e10214b6c1cbbe
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e