Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 09-09-2024 22:08
Static task: static1
Behavioral task: behavioral1
- Sample: aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5.exe
- Resource: win10v2004-20240802-en
General
- Target: aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5.exe
- Size: 1.8MB
- MD5: f645fa36f7935209df0b4b98bf3e8b95
- SHA1: 97eab88b378f08e14be341069bd069c8e2fd27e4
- SHA256: aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5
- SHA512: 386457e610b392df6c298bd57d46b317d19d8af5b0821e3988ad28316cf7a6c370e6c7132c51563b6889ae6bbae552efa8f26aa31dce992c4557bff32f26189f
- SSDEEP: 24576:XUTx3otZZ5+3TtNDTx5knvThLBVryjBOGSmWIXJXxlWj20k6yR0thEuJzgJTVLR+:XUFoXZ5En15knpvycrqD5wcb1O9bHIc
Malware Config
Extracted (amadey)
- 4.41
- c7817d
- http://31.41.244.10
- install_dir: 0e8d0864aa
- install_file: svoutse.exe
- strings_key: 5481b88a6ef75bcf21333988a4e47048
- url_paths: /Dem7kTu/index.php
Extracted (stealc)
- rave
- http://185.215.113.103
- url_path: /e2b1563c6670f193.php
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copy of, a web browser credential store.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
  Processes (process: description, ioc):
    svoutse.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    KFCBAEHCAE.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    svoutse.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    svoutse.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Downloads MZ/PE file
- Checks BIOS information in registry (2 TTPs, 10 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (process: description, ioc):
    KFCBAEHCAE.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
    svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
    svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
    KFCBAEHCAE.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
    svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Executes dropped EXE (7 IoCs)
  Processes (pid process):
    2208 svoutse.exe
    360 b60349b782.exe
    4072 e517595cf1.exe
    4504 dfc09ceb09.exe
    5020 KFCBAEHCAE.exe
    5800 svoutse.exe
    5348 svoutse.exe
- Identifies Wine through registry keys (2 TTPs, 5 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (process: description, ioc):
    svoutse.exe: Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine
    svoutse.exe: Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine
    aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5.exe: Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine
    svoutse.exe: Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine
    KFCBAEHCAE.exe: Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine
- Loads dropped DLL (2 IoCs)
  Processes (pid process):
    360 b60349b782.exe
    360 b60349b782.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTPs)
  Steal credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (process: description, ioc):
    svoutse.exe: Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\e517595cf1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\e517595cf1.exe"
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes (resource: yara_rule):
    C:\Users\Admin\AppData\Local\Temp\1000033001\dfc09ceb09.exe: autoit_exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Processes (pid process):
    3472 aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5.exe
    2208 svoutse.exe
    5020 KFCBAEHCAE.exe
    5800 svoutse.exe
    5348 svoutse.exe
- Drops file in Windows directory (1 IoCs)
  Processes (process: description, ioc):
    aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5.exe: File created C:\Windows\Tasks\svoutse.job
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes (pid, pid_target, process, target process):
    5188, 360, WerFault.exe, b60349b782.exe
    5564, 4072, WerFault.exe, e517595cf1.exe
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (process: description, ioc):
    dfc09ceb09.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    KFCBAEHCAE.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    svoutse.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    b60349b782.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    e517595cf1.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (process: description, ioc):
    b60349b782.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    b60349b782.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (process: description, ioc):
    msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
    msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
    msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Modifies registry class (1 IoCs)
  Processes (process: description, ioc):
    msedge.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  Processes (distinct pid process pairs):
    3472 aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5.exe
    2208 svoutse.exe
    360 b60349b782.exe
    3128 msedge.exe
    2108 msedge.exe
    564 msedge.exe
    1620 identity_helper.exe
    5020 KFCBAEHCAE.exe
    5800 svoutse.exe
    5348 svoutse.exe
    5460 msedge.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid process):
    4504 dfc09ceb09.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  Processes (distinct pid process pairs):
    2108 msedge.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes (distinct pid process pairs):
    3472 aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5.exe
    4504 dfc09ceb09.exe
    2108 msedge.exe
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes (distinct pid process pairs):
    4504 dfc09ceb09.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (distinct writer/target pairs: pid process wrote to memory of target pid, target process):
    3472 aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5.exe wrote to memory of 2208 svoutse.exe
    2208 svoutse.exe wrote to memory of 360 b60349b782.exe
    2208 svoutse.exe wrote to memory of 4072 e517595cf1.exe
    2208 svoutse.exe wrote to memory of 4504 dfc09ceb09.exe
    4504 dfc09ceb09.exe wrote to memory of 2108 msedge.exe
    2108 msedge.exe wrote to memory of 4316 msedge.exe
    2108 msedge.exe wrote to memory of 3132 msedge.exe
    2108 msedge.exe wrote to memory of 3128 msedge.exe
    2108 msedge.exe wrote to memory of 4840 msedge.exe
Processes (number in brackets is the depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5.exe"
  PID: 3472
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    PID: 2208
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\1000026000\b60349b782.exe
      Command line: "C:\Users\Admin\AppData\Roaming\1000026000\b60349b782.exe"
      PID: 360
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\KFCBAEHCAE.exe"
        PID: 4748
        - System Location Discovery: System Language Discovery
        - [5] C:\ProgramData\KFCBAEHCAE.exe
          Command line: "C:\ProgramData\KFCBAEHCAE.exe"
          PID: 5020
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
      - [4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 360 -s 2440
        PID: 5188
        - Program crash
    - [3] C:\Users\Admin\AppData\Local\Temp\1000030001\e517595cf1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\e517595cf1.exe"
      PID: 4072
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - [4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1368
        PID: 5564
        - Program crash
    - [3] C:\Users\Admin\AppData\Local\Temp\1000033001\dfc09ceb09.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000033001\dfc09ceb09.exe"
      PID: 4504
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        PID: 2108
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcde453cb8,0x7ffcde453cc8,0x7ffcde453cd8
          PID: 4316
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,10750140737437128856,2283613823942730776,131072 --disable-features=TranslateUI --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
          PID: 3132
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,10750140737437128856,2283613823942730776,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
          PID: 3128
          - Suspicious behavior: EnumeratesProcesses
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,10750140737437128856,2283613823942730776,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
          PID: 4840
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10750140737437128856,2283613823942730776,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
          PID: 2332
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10750140737437128856,2283613823942730776,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
          PID: 3524
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10750140737437128856,2283613823942730776,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
          PID: 2256
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10750140737437128856,2283613823942730776,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
          PID: 3192
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10750140737437128856,2283613823942730776,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
          PID: 708
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10750140737437128856,2283613823942730776,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
          PID: 3184
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10750140737437128856,2283613823942730776,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
          PID: 1664
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,10750140737437128856,2283613823942730776,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
          PID: 1232
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,10750140737437128856,2283613823942730776,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
          PID: 564
          - Suspicious behavior: EnumeratesProcesses
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,10750140737437128856,2283613823942730776,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7320 /prefetch:8
          PID: 1620
          - Suspicious behavior: EnumeratesProcesses
        - [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,10750140737437128856,2283613823942730776,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3996 /prefetch:2
          PID: 5460
          - Suspicious behavior: EnumeratesProcesses
- [1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1920
- [1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2104
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 360 -ip 360
  PID: 5144
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4072 -ip 4072
  PID: 5544
- [1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  PID: 5800
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- [1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  PID: 5348
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (4)
    - Credentials In Files (4)
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\66e6f312-e05b-4110-bf35-56e5b319c096.tmp
Filesize9KB
MD5c854a925a06227deeaf4ab8d7bca72af
SHA1544d51fffc2c8a9db88a8a7fa1b0889c73e94208
SHA256a5a16281dac7673b322e32366401c3090f13e28e79e5785b8eafe4f83a936316
SHA51224088fe31c5785b0d07d0b2c527c9be2cd664d819a1fe81d3da64bf0537bc2e05408f0b72248770907e3b6a4ff28e9f0c99b3f680c3ae3c5d260bcfb8936b48e
-
Filesize
152B
MD530c4b91d643972ce05e5a4f5958d5828
SHA166d510e22027c0b9f407a60fc80704a343272b25
SHA256eeb14b29cca9285b64a6291ca92548a323068568a0df54ee0343069305d0f981
SHA5124f14829facb58d7e6633525256ea191d6395c0fc4964499d5aed725338268be8da5aea0e7ea9972559e7202972a16506d0bd67c8326e50d127dfec962a7c5126
-
Filesize
152B
MD5b8245f0525316f4756a7db9cd46d5fb1
SHA1cfab0b2f557329f293cb4ca566de312f7987ce52
SHA256211f1fddd0878ff32aa4d50feba8d7c1bbec79093d9bd86a4364402150a4f377
SHA512202df0149f2e716d0fa8131f9ff27daf87f982bd6674b1809c8e6e55f84208fa380debf5bba3bb057caa99706cedeb3b29a53bbec82ef6eab587bc78847edf8d
-
Filesize
152B
MD5c6f71849b68404c695258ffe565567c0
SHA1800eb258f3322c6e135e6c54a42f6a078a25392d
SHA256f9f1327f8889d993994755376e08206f408fdacdb02323ff5abc6d750cbb65e6
SHA51283665c8dbe8ef0f1e7703179bd8337216ffaaf6e686e9597b26d007736384618c95220ba7d25e4701096a7a40906f048a38db171e94e2d543528375e090d75a5
-
Filesize
20B
MD59e4e94633b73f4a7680240a0ffd6cd2c
SHA1e68e02453ce22736169a56fdb59043d33668368f
SHA25641c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B
MD5
5da49ae72abc78505938b9047853fe9f
SHA1
7bc61ff35c191fb4e52f7521411414852395e866
SHA256
f24a7ae6b2a9db93fbefaacfe0fc86b3b1747bc696553f9258d90245d9a4f85c
SHA512
554bbbb9310e960f6084ee6e3ff33b99cea8efe09fd7a8a118c7b5e66d8ed3249f03d35a003497f1c9257eb2e398baa176d731413903d333ab05648f5099b1fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B
MD5
977691b86906f50c1112a4aa5897b658
SHA1
f304f15b579536b83985559cee101c45c31cd4c5
SHA256
3e4c86f67dabaff675322c7704f131e691c51d5def0d545b904a94a4b5861f2c
SHA512
372f250f90da684746d9c7b89c6dfb87f24a1a1b1056121a78b0a004b6421e2ad3f7b615992cb78e4684f6d3d85a672beaf807c812304102df3f98437ab53f1f
-
Filesize
1KB
MD5
f7d8b659cfe25820c8420bba489d1ed1
SHA1
9bfed6c43eed4f532f6a30526862237677a5f88c
SHA256
328b39a2729250ba577d9b2595fee546ecfb95299748afa5a527cc3ac645769e
SHA512
5749254b9ee879417153ccda47e88228cf03b0f17dbd7da9c68a6b0cd712d975045c9e7ed2db32005420b83bf33322127943f9ecff0d523397c69bb4632cc923
-
Filesize
1KB
MD5
8e9c0c98a3106740a076795a6ec9b9bf
SHA1
3726276789db85342506ecb2bba3d0b7e184839d
SHA256
26ce491391ed9883dcc1964d5838f7780c9b556cfe4b7044a33a9ce8faffef58
SHA512
b574b66c08b4bb98b3edfd623edaeb1a24a324c4486dff6b7fce69c87f65354e83afa2a333f9852890627d415299ca943b09806eb760d81be4e8c7e4f940c447
-
Filesize
1KB
MD5
0ba432d0d960aeae01914191085d514a
SHA1
b55599689bba60b7be078b325a2f06a62ab42381
SHA256
9f861c3ab39c05bf74bb039342b5464a7f5da197f7f917a2b9bb3e388dd541d5
SHA512
f28b26cc52813db9f069140c9e579bef45d582fc6e74a923efa90e24885dff447b598e408c0129ec279bbe9a3754c6ad9df3684d2b396db0de82ce19e5df817e
-
Filesize
59B
MD5
2800881c775077e1c4b6e06bf4676de4
SHA1
2873631068c8b3b9495638c865915be822442c8b
SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
3KB
MD5
b5456521ab010abba899a3cbb495f4a7
SHA1
efd2bdb146906a1e1e2ef4783f825490ad99b5d6
SHA256
cbb9931e784fc3c760305bf4423bce8d33be3b434978de05f489859bde4ae2b9
SHA512
5f2a03342c48f39279ac3be1aa787471686ac7b08125b5dac2404834eea57f22d6f79e1329985f5f4517bf4e2594778d6f1866d36894480b2ab725653ece14fc
-
Filesize
4KB
MD5
42da59aab1f583ac821ebdbd43e8d28a
SHA1
c5e3fd15295fc090fb4137775b8f9e618b18f277
SHA256
406e8887b0c61c1e0e64753c92a559a086854ccab7ce85aa30c446885523fda0
SHA512
5d4af2281d838dc699e75c8ce4e14313448ccf13274fdcddeb0381e79e6b0cc7bb6d455cf27e753ba594388d2bd7d8a043df1755cd9126918398eaa7288092a2
-
Filesize
4KB
MD5
f58ce133308b0ea7c4036baeddca34f5
SHA1
6ddcf43baf3bf47071162436f38230f4eb13f933
SHA256
981f49132aaa7dd654aa998dff8fb5deef2136ad074f4fe1db3b275bc02bd006
SHA512
4a7e9b8d94d819d940f32725ef902072ebd4ee699af8903e4ee67058a95b6e03d506ac4fb22dca297c4e3ef2c8d7ba07794690d314e54fba1c7defe908b3da46
-
Filesize
3KB
MD5
23191b1a1386c68ecf99893cdca46c76
SHA1
1ca74fee8049722d440bf13b398a1777e4e8b5b3
SHA256
e3ba15a5fc44cced22620e83b720c4f407bbfeb187fd23a7f5ae269b0033c52a
SHA512
cadbd44da8f509640ee0756c16392b9ec4e7767a5b57c14523d8976611f532f5bec4046ddfc60ffed604f022db294a3896e1daa11ada4071dd51982e5b0782e0
-
Filesize
26KB
MD5
f5058bf512ece2bf597c7524d750668e
SHA1
2b6e6334aa7323fe7ae415211a2429dbb7d1ce17
SHA256
985a152cebe1f2d49097d5a0a4f5b8c183f807372d2c70285add522c115443a3
SHA512
b528f91c6bc4fb08c2c65a0f9f4ed064bff00bc1ca1fcd1eeab846daea1da5f574eea1bcc6cd39c85b68e62ee4267b324e8017fd8aa44640a734a72660ef1cb1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe57e148.TMP
Filesize
25KB
MD5
0d390fd879ca00d7544bcdb173fdc796
SHA1
d777a60274f34b13329d7a19a852e8e77c536fe3
SHA256
eaab121ef396742c5eeeb6d9166453ee97a1dfc8df504cb0c1aa306eaa557b34
SHA512
6730c19f71056403c1e54a1fd800941babf174ff1f5145bd9513ad71d2297eb3cd272659e4908b76660a4928306f76470750a3f0a4f70ed54229af607d71e3d8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000001.dbtmp
Filesize
16B
MD5
46295cac801e5d4857d09837238a6394
SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001
Filesize
41B
MD5
5af87dfd673ba2115e2fcf5cfdb727ab
SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
Filesize
8KB
MD5
cf89d16bb9107c631daabf0c0ee58efb
SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
Filesize
264KB
MD5
f50f89a0a91564d0b8a211f8921aa7de
SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3
Filesize
8KB
MD5
41876349cb12d6db992f1309f22df3f0
SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
203B
MD5
ba0e79935436373b8a7e5858e0bb5583
SHA1
fce5b9585166342b5ccf768ebbf4182caffe9d1a
SHA256
1bbd9337f2da0599701bac000f160267f25c4b42f4007d23103bb016044ce0f1
SHA512
81c828f9371697326ca881177ee3ac9edfe5c2f75967f3584a4b92cf4776a6ebff73a5e5930459a447af848f63ca25920dcfa5f3c9b5e419924b9e727c1c6a28
-
Filesize
203B
MD5
44a8f17cb43c50b7d8fb1c489b579e2e
SHA1
dd205a28f76fec66e26fb624280d004dd70f0b51
SHA256
b8d7a189fb202845ffe9e5966d33db173b9304568b569716fc628ab8c0dc1913
SHA512
97f61e2cfa7df14d989c6b17ba42f7b3b29ba3757d38dddb78b8e15ba6a609d0b40bde36931288ab5e67f6ed6d727b51e84f6a3fedfd510c60e7f580b74fbddc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B
MD5
206702161f94c5cd39fadd03f4014d98
SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
8KB
MD5
0962291d6d367570bee5454721c17e11
SHA1
59d10a893ef321a706a9255176761366115bedcb
SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
1.8MB
MD5
f645fa36f7935209df0b4b98bf3e8b95
SHA1
97eab88b378f08e14be341069bd069c8e2fd27e4
SHA256
aa0306be10a9a2d84b64d6b6d36b917266c8bdf577411a9de60962579576cee5
SHA512
386457e610b392df6c298bd57d46b317d19d8af5b0821e3988ad28316cf7a6c370e6c7132c51563b6889ae6bbae552efa8f26aa31dce992c4557bff32f26189f
-
Filesize
896KB
MD5
333582f7841dd7d701b7c6ac8ee4ebe6
SHA1
7bbb42817dc444a8f88ab735f63d1722bccc5255
SHA256
78f4bcd5439f72e13af6e96ac3722fee9e5373dae844da088226158c9e81a078
SHA512
4ae6e1bb724080ec7eb86b848a1b78a3d40f11c5de90cfffd4917892d9823167a2ce14986c066aeb72edaab41dec8b8a4306a0580bface974ad4846cbc73eff2
-
Filesize
389KB
MD5
f47cc7dc355ae01926f6065316c3bd68
SHA1
6b575930185f216e4fa5116fdcc8906eb9f53af9
SHA256
25741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794
SHA512
cf076a077130b8dd48f3e27a6aaba411a6c8833ab8b926c99fc3fb66130694db1ce668103c44aba6196705a9722b68da16287ea8a63ffed250bcf92bba68154e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge (2).lnk
Filesize
1KB
MD5
657374c9488ed435c950106d1f459eb8
SHA1
b78ffa5828cb71dc6d62242923cb83df18dfb997
SHA256
f6d3a55329eccbdc3b2c2eb4f7702ece3c0c6c2d1a08600a3c0a49370502ee61
SHA512
ecb83967fc82bfcba1a3f4618c05dae149c7183394e64257ea1e443605d20738bb11d8b3f80f4a9b9207c4f0c73550992f70f9c13eb5f1cde7be95b552486632
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB
MD5
cd165914ec350e44f99219ddce8df3df
SHA1
93c17703503df475bfa97ac10b992491f5699432
SHA256
36e61fe03940b7fe37de6ed062726b30b42be77c85106bd16f6f380ce2a43091
SHA512
4b68cbc0ebec9012975b553eabea31f8ffe2eaaa8d09e8453dced3ed1be1b48647690c24456bf646418fd49140b5a96652f6e55039c480849f24278886decfd2
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e