Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-09-2024 13:21

General

  • Target

    2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe

  • Size

    1.8MB

  • MD5

    34c7ab92d1a35ce4ba88bc394e2a25f2

  • SHA1

    72cec5d2f3bcd4c72a8bac0824655446220d0cf7

  • SHA256

    2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476

  • SHA512

    e77e2efa1db8152eb8fdbd5247e6e399930ef77d3dc6fba0cf6098308415292949884f59fc895e3882baa2e333ecd0c55f9d55c043cfa846e3edddfab77076c0

  • SSDEEP

    49152:dWY7UJXY0VXFJPjp4r9XSafQW8JGdjJw6FBPx54R3PGCNf:fcT7pa9iafQpJGFJ1rstf

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

c7817d

C2

http://31.41.244.10

Attributes
  • install_dir

    0e8d0864aa

  • install_file

    svoutse.exe

  • strings_key

    5481b88a6ef75bcf21333988a4e47048

  • url_paths

    /Dem7kTu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

rave

C2

http://185.215.113.103

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe
    "C:\Users\Admin\AppData\Local\Temp\2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:728
      • C:\Users\Admin\AppData\Roaming\1000026000\df41356fb1.exe
        "C:\Users\Admin\AppData\Roaming\1000026000\df41356fb1.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:5084
      • C:\Users\Admin\AppData\Local\Temp\1000030001\96783aaf7c.exe
        "C:\Users\Admin\AppData\Local\Temp\1000030001\96783aaf7c.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4844
      • C:\Users\Admin\AppData\Local\Temp\1000033001\5486b08c45.exe
        "C:\Users\Admin\AppData\Local\Temp\1000033001\5486b08c45.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4752
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          4⤵
          • Enumerates system info in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1796
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff95e63d198,0x7ff95e63d1a4,0x7ff95e63d1b0
            5⤵
              PID:4488
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2228,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2188 /prefetch:2
            5⤵
              PID:2792
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1844,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:3
            5⤵
              PID:4852
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2500,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:8
            5⤵
              PID:964
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3500,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
            5⤵
              PID:3868
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3508,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:1
            5⤵
              PID:1416
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4508,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4520 /prefetch:1
            5⤵
              PID:1576
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:2
            5⤵
              PID:448
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5004,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:1
            5⤵
              PID:1300
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=5020,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5048 /prefetch:2
            5⤵
              PID:2980
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5288,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:2
            5⤵
              PID:1676
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4092,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5440 /prefetch:2
            5⤵
              PID:2852
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4024,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:1
            5⤵
              PID:4456
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5468,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5728 /prefetch:2
            5⤵
              PID:100
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5852,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5864 /prefetch:1
            5⤵
              PID:2308
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5916,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5880 /prefetch:2
            5⤵
              PID:5076
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6120,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6132 /prefetch:1
            5⤵
              PID:3228
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=6140,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:2
            5⤵
              PID:1752
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6156,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6400 /prefetch:1
            5⤵
              PID:5144
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=6460,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:2
            5⤵
              PID:5152
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5628,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6696 /prefetch:1
            5⤵
              PID:5168
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6408,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6832 /prefetch:2
            5⤵
              PID:5180
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=7256,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7268 /prefetch:1
            5⤵
              PID:5500
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=7244,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7388 /prefetch:1
            5⤵
              PID:5508
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=7272,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7624 /prefetch:1
            5⤵
              PID:5516
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=7300,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7752 /prefetch:1
            5⤵
              PID:5524
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7284,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7768 /prefetch:1
            5⤵
              PID:5532
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7356,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7884 /prefetch:1
            5⤵
              PID:5540
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7348,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=8000 /prefetch:1
            5⤵
              PID:5548
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7648,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=8064 /prefetch:1
            5⤵
              PID:5556
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=8120,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6716 /prefetch:1
            5⤵
              PID:5680
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --field-trial-handle=7528,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7604 /prefetch:8
            5⤵
              PID:6044
          • C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=6544,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:8
            5⤵
              PID:6016
          • C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=6544,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:8
            5⤵
              PID:5124
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=560,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6976 /prefetch:8
            5⤵
              PID:4544
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=6444,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6984 /prefetch:8
            5⤵
              PID:2500
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6916,i,10327928235102282704,15032659608670167995,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6980 /prefetch:8
                                                                                    5⤵
                                                                                      PID:5820
                                                                            • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                                                                              C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                                                                              1⤵
                                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                              • Checks BIOS information in registry
                                                                              • Executes dropped EXE
                                                                              • Identifies Wine through registry keys
                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:1052
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3708,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
                                                                              1⤵
                                                                                PID:2416
                                                                              • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                                                                                1⤵
                                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                • Checks BIOS information in registry
                                                                                • Executes dropped EXE
                                                                                • Identifies Wine through registry keys
                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                PID:4416
                                                                              • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                                                                                1⤵
                                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                • Checks BIOS information in registry
                                                                                • Executes dropped EXE
                                                                                • Identifies Wine through registry keys
                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                PID:3580
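The three svoutse.exe entries above all carry the same anti-analysis signatures: "Identifies VirtualBox via ACPI registry values", "Checks BIOS information in registry", "Identifies Wine through registry keys", "Suspicious use of NtSetInformationThreadHideFromDebugger" and "EnumeratesProcesses". The following is an added example, not part of this report or of the sample: it applies the same checks to a constructed registry/API trace in the shape a Procmon export would give, and flags only processes that combine several indicators, because a lone BIOS-string read is common in legitimate inventory software. The registry paths mapped to each signature name are the keys those labels normally stand for and are an assumption here, as is generalising the drop directory 0e8d0864aa to any ten-hex-character folder under %LOCALAPPDATA%\Temp.

```python
import re
from collections import defaultdict

# Signature name -> regex over the event target (registry path or API call).
# Assumption: these are the keys/calls behind the report's signature labels.
ANTI_ANALYSIS = {
    "virtualbox_acpi":    r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
    "bios_info":          r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)Bios(Version|Date)",
    "wine_key":           r"\\Software\\Wine(\\|$)",
    "hide_from_debugger": r"NtSetInformationThread\(.*ThreadHideFromDebugger",
    "process_enum":       r"CreateToolhelp32Snapshot|Process32(First|Next)W?|NtQuerySystemInformation\(SystemProcessInformation",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in ANTI_ANALYSIS.items()}

# Image path like C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe.
# Assumption: the ten-hex-char folder name generalises beyond this one sample.
TEMP_HEX_EXE = re.compile(r"\\AppData\\Local\\Temp\\[0-9a-f]{10}\\[^\\]+\.exe$", re.I)


def analyse(events, min_indicators=2):
    """Group events by pid, collect indicator names, and return only processes
    with at least `min_indicators` distinct indicators. The Temp\\<hex> image
    path counts as one indicator, so a probe from such an image is flagged
    while a single BIOS read from a normally installed binary is not."""
    per_pid = defaultdict(lambda: {"image": "", "indicators": set()})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        if TEMP_HEX_EXE.search(ev["image"]):
            rec["indicators"].add("temp_hex_install_dir")
        for name, rx in COMPILED.items():
            if rx.search(ev["target"]):
                rec["indicators"].add(name)
    flagged = {}
    for pid, rec in per_pid.items():
        if len(rec["indicators"]) >= min_indicators:
            flagged[pid] = {"image": rec["image"],
                            "indicators": sorted(rec["indicators"]),
                            "score": len(rec["indicators"])}
    return flagged


SVOUTSE = r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed trace: modelled on the process tree above, not captured from it.
SAMPLE_TRACE = [
    {"pid": 1052, "image": SVOUTSE, "op": "RegQueryValue",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 1052, "image": SVOUTSE, "op": "RegOpenKey",
     "target": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 1052, "image": SVOUTSE, "op": "RegOpenKey",
     "target": r"HKCU\Software\Wine"},
    {"pid": 1052, "image": SVOUTSE, "op": "ApiCall",
     "target": "NtSetInformationThread(ThreadHideFromDebugger)"},
    {"pid": 1052, "image": SVOUTSE, "op": "ApiCall",
     "target": "CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS)"},
    # Edge utility process from the same tree: ordinary registry reads only.
    {"pid": 6044, "image": EDGE, "op": "RegQueryValue",
     "target": r"HKCU\Software\Microsoft\Edge\BLBeacon\version"},
    # Hypothetical inventory agent: one BIOS read, which must not be flagged.
    {"pid": 2222, "image": r"C:\Program Files\InvAgent\inv.exe", "op": "RegQueryValue",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
]

if __name__ == "__main__":
    for pid, rec in analyse(SAMPLE_TRACE).items():
        print(f"PID {pid} {rec['image']}: score {rec['score']} -> {', '.join(rec['indicators'])}")
```

Run against the constructed trace, only PID 1052 is reported, with all six indicators; the Edge utility process and the inventory agent fall below the threshold. Lower `min_indicators` to 1 to see how noisy a single BIOS-read rule would be on a real host.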

                                                                              Network

                                                                              MITRE ATT&CK Enterprise v15

                                                                              Downloads

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
  Filesize: 280B
  MD5: fd378e12828a601468e10e0e8717ba9f
  SHA1: 77719bef6afe2751bc310f0e44885105cfebf334
  SHA256: cc5feaf6335281788dbf6704a488f142a511838eb92fc75da2b55a35a9f97067
  SHA512: fe6d4816de386f388a2415ba59078b93c7f2e7b6119c3005a7b5b3e31087df3cb040730bfc16f0237c60d67a884d306ef9d6e77c1312a5aec7f5bf293408c413

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
  Filesize: 280B
  MD5: b3609d3ffb4f086643a750f55455572e
  SHA1: e6d24c9e310d3e4158c8a9f1354bb41354e9f7d6
  SHA256: 2e286f0dad1cabebb97d0263a63bac374f2b00737e7766eb9fb916826ad5b751
  SHA512: 57856dda527458c2bbaa480436f0b09213bb4e5d31f47e31f813764172c5627f9c766dfd9d31707c8c68e49b30c2abca80648496d4a907c9dc35ef563dffc2e2

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat
  Filesize: 20B
  MD5: 9e4e94633b73f4a7680240a0ffd6cd2c
  SHA1: e68e02453ce22736169a56fdb59043d33668368f
  SHA256: 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
  SHA512: 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\0dbbbc12-fd6f-4601-81ea-ea1d917cb71c.tmp
  Filesize: 23KB
  MD5: de341bdf00e66d51459180e23645b5f5
  SHA1: 58bf7e75921972703616d5cad5bed8029ef32412
  SHA256: 950989df71d3e66b15f206154cdd33c2b6acf9c93f65db10128b8c0c177c247c
  SHA512: 158b1f87a91a9dcf487952f440ac15de6b04d6576d4b6c2904a7e88f018890b074ca9a13de58c337f9741508f5fa6039a16cff3d35a9305d1644b2fef3f773c5

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 408B
  MD5: 784fe5c23f9e86683e2d498aaefa8598
  SHA1: 37602903e8a5ef506c2dba253abbd5dab051abdd
  SHA256: cb47062998a6e9cb61434c02db4c9cc59897b08d6ee0a8b45f96a6484d6d64d3
  SHA512: 61b3d5e9a9f4f3557f4c2ce4be29c66510501e1ab7b24ffc44670d9d63b2ceaebdfcbb8e6c48d0eadde153f0b50099d0788d7cfa7637758b30cf1d6bfca3da2e

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index~RFe596e02.TMP
  Filesize: 48B
  MD5: 6a4e4a238dce439cf8178e7d30ae5661
  SHA1: 8c10166805ce530f987a7b582a81bd2f15e226ad
  SHA256: 6f1158652683e2e89e541923600ee522c4ceefe03facd8ddac433b6d303ec5d6
  SHA512: d762c978ff123c719498b4131a14c4916f509206e52f3c203d3b8aea7f5afd77eac6790ed9189dcd5ce767b9862f12f1929708ef8e2e341eb8e9eceffd54d5a0

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\MANIFEST-000001
  Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State
  Filesize: 59B
  MD5: 2800881c775077e1c4b6e06bf4676de4
  SHA1: 2873631068c8b3b9495638c865915be822442c8b
  SHA256: 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
  SHA512: e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State
  Filesize: 627B
  MD5: 0474af744c5b19175399e919e6528252
  SHA1: b0716c65a9ee3512d1a056be1090f331bfb62674
  SHA256: 1f36c2844d4af2b4bd76c4aea1db365fc2433657b937efcf8de99c670cdb6564
  SHA512: c94a043684093601847b20b30dae59e12d3cc9e14f9d703ec928872adc890de2b7a741e988bd18dcb90703d4ff8032f9418b6da5d5d0fa6cb98d85247052236e

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Shared Dictionary\cache\index
  Filesize: 24B
  MD5: 54cb446f628b2ea4a5bce5769910512e
  SHA1: c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
  SHA256: fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
  SHA512: 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index
  Filesize: 48B
  MD5: 286246b987d65087b18fa8779f909592
  SHA1: d9a8be8b722913fa20e9f0768ed222102aee43f3
  SHA256: 4c037e012a2a585b7087d2af86f44d5565c9f4b3fb5ab921ef5a2c284c090a8b
  SHA512: 2be2e9dd31048528312781525d6e51db06637d9e36d6155c3fe7573d1805a417b9e96711c80edd3e6c1b3d6f133c24a428c379f19390f177ba7583aebbbd23a0

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index
  Filesize: 72B
  MD5: 1ad050e836ed26c2d03545467873823d
  SHA1: 2a078ca68939662266e73b72c84723774189aa9f
  SHA256: b5171722557a16570e21f4b0aa6e5f8e4573e1ff00479283047ed4ad2e6c244a
  SHA512: 6f4205889521a467da91278fdaf061110f637d3881e2fd730bb7179dab02351428eb834c704aa20703ed622ebb2dc9c7d81d18553e4a1ef756a4ae0b3eebf0a8

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports
  Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\c9e40296-92d9-4d58-8d26-0d9d7e5592d9.tmp
  Filesize: 6KB
  MD5: a2f17808a0267739aa027a46e8111199
  SHA1: 82fba0c3fb602d835de0f227fee48e921aa2e51c
  SHA256: bb9c0cc9038a3702d0e08b0e71782abfb69ae955d32589c24a5256aca307a1a4
  SHA512: d1545225195434f5fa900b58c712581738e2450b36a30c690b5aef166d9f41b1900625dbe536518dba5748c2b4910eb6499b1350ed2976ce2f5a6b456a646718

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_0
  Filesize: 8KB
  MD5: cf89d16bb9107c631daabf0c0ee58efb
  SHA1: 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
  SHA256: d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
  SHA512: 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_1
  Filesize: 264KB
  MD5: d0d388f3865d0523e451d6ba0be34cc4
  SHA1: 8571c6a52aacc2747c048e3419e5657b74612995
  SHA256: 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
  SHA512: 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_2
  Filesize: 8KB
  MD5: 0962291d6d367570bee5454721c17e11
  SHA1: 59d10a893ef321a706a9255176761366115bedcb
  SHA256: ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
  SHA512: f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_3
  Filesize: 8KB
  MD5: 41876349cb12d6db992f1309f22df3f0
  SHA1: 5cf26b3420fc0302cd0a71e8d029739b8765be27
  SHA256: e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
  SHA512: e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State
  Filesize: 27KB
  MD5: 48b562cf57f8e3b33d9ad9a9b32b4b4c
  SHA1: d3421c28d88986dba1301e291b920dd23f73b689
  SHA256: 31b565854b971c9a0df9c9a70ea0dfa367359608594764f13f4f431920d5b1b9
  SHA512: c8bda1c7a04d409f478a4b7d16d7e5cc8ad33f00d8b19c913ef74504d6bd764a5b037d748bbe6b9c24a19e8284a5527cea4ee70662869ad975005e2e3908f173

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State
  Filesize: 1KB
  MD5: cc41fc2c569e63fb8d2d42a328e28969
  SHA1: 3db1da9e726441c6f0aed985836a860faf30ef08

                                                                                SHA256

                                                                                9fed9c6be63a14685b18d455ee1d445bc4326d579f55cfdef0b10a5e486cddb9

                                                                                SHA512

                                                                                f6f2bce81c5ea8ce6847362280e8f50d65432dac9308369aded23ea9637271974487c0dd98bd78a1e501fc4003444242dc4f8bc9a9b4fabbad68607c3976bb95

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

                                                                                Filesize

                                                                                3KB

                                                                                MD5

                                                                                858325d6470b8335cb125062d33c55ff

                                                                                SHA1

                                                                                7ade8fc4e9fd43c7f9bd471b9c7efbf720d2c535

                                                                                SHA256

                                                                                1b7b4815288544379a048b3b898afc64d325006f74dc545c6d0d8731a2868704

                                                                                SHA512

                                                                                befe30ef288321b6b11e5f8dcc8eb6b382dc7f486295792c0ed3e57eac65e52edc41a65297408ec1561fa97a9901433415e98e24331a8fae859e08a865d6ebbb

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

                                                                                Filesize

                                                                                23KB

                                                                                MD5

                                                                                7f982d4b1d804321890ce8de8b2cc58d

                                                                                SHA1

                                                                                339fb2efee4ae180e1c8d9990e617ea704f8c493

                                                                                SHA256

                                                                                73f083e4a5181de1c331ebecbd1ad50d2b78e135c780658001c35606425824a6

                                                                                SHA512

                                                                                e36a4fbebef9d759296411b21e2d7da3599e0ead72787d8ab6e648e26e4f80c1559e1726770f3151393d96c3bdcc2079d3385fda0b0c414abae7b794bca713ac

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

                                                                                Filesize

                                                                                4KB

                                                                                MD5

                                                                                e074eb617a04296d6501535edf7f5e61

                                                                                SHA1

                                                                                86d271383a1e044ca3658630006785e00276bf80

                                                                                SHA256

                                                                                a4b26671a8eb5dd7819841d5877aa7735b4a747cc2b6bcca151f7bd263b26e7d

                                                                                SHA512

                                                                                8fe8c941f892800038aa0f3c2dce0589bce167fb1393d66a9eb3e032a7a2c12431e5f28108112ea0e635180b92651fad2b074579c8d270265512af30ba49d9d3

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RFe591a35.TMP

                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                945b5984f32ac21f06c72f43ed2e466f

                                                                                SHA1

                                                                                f305b46170b976556c4afba9801409c56fb3aa47

                                                                                SHA256

                                                                                bde6e97aeba349fa546b682672dbf40bb052fc3203caf5979ef154a7fb233543

                                                                                SHA512

                                                                                f628baa7cbbdba3f8dc990cda44e1add7dcb4078ae96e39e9358f8569c3e8b762987a486326b4c6134bee47775e119a8e3977360bd139ee440a600e4d54fdfa0

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

                                                                                Filesize

                                                                                2KB

                                                                                MD5

                                                                                26611dbf21d501cda706e9e66f502401

                                                                                SHA1

                                                                                2b5beedfe55e59a50f3bc28b4346736f7a41b96e

                                                                                SHA256

                                                                                c43d77ece6dd64c9a3f4bd83d550839e56f790117c72c9ab36a0bc596ef94982

                                                                                SHA512

                                                                                8c50fb98615c1776e8796f84914264a5517a1fd9890098e8b2aa4b55cd41a30f834cdb304d5ec151286942171038fc41f797c8a61737a123916e6478bfa2bbf5

                                                                              • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

                                                                                Filesize

                                                                                1.8MB

                                                                                MD5

                                                                                34c7ab92d1a35ce4ba88bc394e2a25f2

                                                                                SHA1

                                                                                72cec5d2f3bcd4c72a8bac0824655446220d0cf7

                                                                                SHA256

                                                                                2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476

                                                                                SHA512

                                                                                e77e2efa1db8152eb8fdbd5247e6e399930ef77d3dc6fba0cf6098308415292949884f59fc895e3882baa2e333ecd0c55f9d55c043cfa846e3edddfab77076c0

                                                                              • C:\Users\Admin\AppData\Local\Temp\1000033001\5486b08c45.exe

                                                                                Filesize

                                                                                896KB

                                                                                MD5

                                                                                0df4978ab22502c7ae122ab13a255448

                                                                                SHA1

                                                                                845169633a45d0bc64c4799c0b5118ce6148131f

                                                                                SHA256

                                                                                e2a03fd46d56cb79ec4c0cbef9e6fe2bd3067418f81f77355c908cfeae03ee76

                                                                                SHA512

                                                                                d1b2a6ac51348f698f4d06ba62be48150fc7e1c0fdb1a99853caf555c3afcf76eea26a5862768c54a113bef2d5ee84d8c5f49c1903fecc7e15ee0282b903a69a

                                                                              • C:\Users\Admin\AppData\Roaming\1000026000\df41356fb1.exe

                                                                                Filesize

                                                                                1.7MB

                                                                                MD5

                                                                                c06c4e6ed6f4c67541e9cdacb508f653

                                                                                SHA1

                                                                                0a587b8151e8634a48dd686157b45a2e0477093c

                                                                                SHA256

                                                                                75406b44f46f30aed814150ed323b10f34d6e68b585a75b6e9796f556f1cd691

                                                                                SHA512

                                                                                93f7d6ee59b28bf72d1bfe16c5482d9fa0e1eb0f8ce9b901dc31a66b07e2e65cf21972723c90d5f86826d2cad53d126f18f1ae085416cc203059fa3c13d71440

                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

                                                                                Filesize

                                                                                3KB

                                                                                MD5

                                                                                abda5d4cde3d102eaa488a24002ad6c8

                                                                                SHA1

                                                                                71b3d712ce43bf0807602e15ad3e5193da7ffec1

                                                                                SHA256

                                                                                1b591792d844af3b39c58b4d040d5152f1ddbc5e9d5bdf0ef37ee0e69ce01713

                                                                                SHA512

                                                                                446dd9ff61886672ea0a207fe23a15b02bb96f8eb9ec4570c66e5fa66c4ad552faee22be066a6c16cc6b3ad87d010efb5c48d9471fbac18b20a91f03d71b522e

                                                                              • \??\pipe\crashpad_1796_KWHZCFOJBVLQYFGH

                                                                                MD5

                                                                                d41d8cd98f00b204e9800998ecf8427e

                                                                                SHA1

                                                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                SHA256

                                                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                SHA512

                                                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                              • memory/728-29-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-550-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-597-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-595-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-34-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-33-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-32-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-31-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-30-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-581-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-28-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-562-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-275-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-551-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-525-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-16-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-18-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-19-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-378-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-495-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/728-20-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/1052-25-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/1052-23-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/1052-22-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/1052-27-0x0000000000A11000-0x0000000000A3F000-memory.dmp

                                                                                Filesize

                                                                                184KB

                                                                              • memory/1052-26-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/3580-585-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/3580-583-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/4416-389-0x0000000000A10000-0x0000000000ECA000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/4832-5-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/4832-15-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/4832-0-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/4832-3-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                                                                                Filesize

                                                                                4.7MB

                                                                              • memory/4832-2-0x0000000000A91000-0x0000000000ABF000-memory.dmp

                                                                                Filesize

                                                                                184KB

                                                                              • memory/4832-1-0x0000000076F94000-0x0000000076F96000-memory.dmp

                                                                                Filesize

                                                                                8KB

                                                                              • memory/4844-325-0x0000000000610000-0x0000000000C98000-memory.dmp

                                                                                Filesize

                                                                                6.5MB

                                                                              • memory/4844-66-0x0000000000610000-0x0000000000C98000-memory.dmp

                                                                                Filesize

                                                                                6.5MB

                                                                              • memory/5084-67-0x0000000000C40000-0x00000000012C8000-memory.dmp

                                                                                Filesize

                                                                                6.5MB

                                                                              • memory/5084-50-0x0000000000C40000-0x00000000012C8000-memory.dmp

                                                                                Filesize

                                                                                6.5MB
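The dropped-file and memory-region entries above, as an added triage helper that is not part of the sandbox report: it parses the bullet layout (a path, then label/value pairs for Filesize, MD5, SHA1, SHA256, SHA512) and the `memory/<pid>-<dump>-<start>-<end>-memory.dmp` names, keeps only executables as hunt-worthy hashes, flags entries whose digests are those of zero-length input (the crashpad pipe above hashes to exactly those values), collapses the many repeated dumps of one region into a single span, computes the span sizes the report rounds to 4.7MB / 184KB, and lists spans that appear under more than one PID. The `LISTING` excerpt copies paths and digests from the report, but the selection is constructed for this example; the noise patterns and the classification labels are this example's own assumptions, not the sandbox's.

```python
"""Triage a sandbox dropped-file / memory-region listing (added example)."""
import re
from collections import defaultdict

# Excerpt of the report's own entries above (paths and digests copied verbatim;
# the selection and the trimmed hash set are constructed for this example).
LISTING = r"""
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State
  Filesize
  27KB
  MD5
  48b562cf57f8e3b33d9ad9a9b32b4b4c
  SHA256
  31b565854b971c9a0df9c9a70ea0dfa367359608594764f13f4f431920d5b1b9
• C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Filesize
  1.8MB
  MD5
  34c7ab92d1a35ce4ba88bc394e2a25f2
  SHA256
  2202197b7208d7fc9a9984699081c74721cebd620a6672868ac7948ec2e05476
• \??\pipe\crashpad_1796_KWHZCFOJBVLQYFGH
  MD5
  d41d8cd98f00b204e9800998ecf8427e
  SHA256
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
• memory/728-29-0x0000000000A10000-0x0000000000ECA000-memory.dmp
• memory/1052-27-0x0000000000A11000-0x0000000000A3F000-memory.dmp
• memory/4416-389-0x0000000000A10000-0x0000000000ECA000-memory.dmp
• memory/4832-0-0x0000000000A90000-0x0000000000F4A000-memory.dmp
"""

EMPTY = {  # digests of zero-length input: such an entry has no content to hunt for
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
# Assumed noise: locations Edge/Windows write to on their own, not payload drops.
NOISE = (r"\\Edge\\User Data", r"\\TokenBroker\\Cache\\", r"\\Recent\\CustomDestinations\\")
MEM_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

def human_size(n):
    """Round the way the report does: whole KB below 1 MiB, else MB to one decimal."""
    return f"{n // 1024}KB" if n < 1 << 20 else f"{n / (1 << 20):.1f}MB"

def parse_listing(text):
    """Split the bullet layout into file entries (dicts) and memory regions (tuples)."""
    files, regions = [], []
    for chunk in text.split("•")[1:]:
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        m = MEM_RE.fullmatch(lines[0])
        if m:  # memory/<pid>-<dump#>-<start>-<end>-memory.dmp
            regions.append((int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            continue
        entry = {"path": lines[0], "hashes": {}}
        for label, value in zip(lines[1::2], lines[2::2]):  # label line, value line
            if label == "Filesize":
                entry["size"] = value
            else:
                entry["hashes"][label] = value.lower()  # MD5/SHA1/SHA256/SHA512
        files.append(entry)
    return files, regions

def is_empty(entry):
    """True when every digest the entry carries is the digest of empty input."""
    h = entry["hashes"]
    known = [k for k in EMPTY if k in h]
    return bool(known) and all(h[k] == EMPTY[k] for k in known)

def classify(entry):
    path = entry["path"]
    if path.startswith("\\??\\pipe\\"):
        return "named_pipe"  # kernel object the sandbox hashed, not a file on disk
    if path.lower().endswith((".exe", ".dll")):
        return "dropped_pe"
    if any(re.search(p, path) for p in NOISE):
        return "browser_os_artifact"
    return "other"

def triage(text):
    """Hunt-worthy SHA256s (deduplicated across paths), counts per label, empty
    entries, per-PID memory spans with sizes, and spans dumped under several PIDs."""
    files, regions = parse_listing(text)
    hunt, counts = defaultdict(set), defaultdict(int)
    for e in files:
        kind = classify(e)
        counts[kind] += 1
        if kind == "dropped_pe" and "SHA256" in e["hashes"]:
            hunt[e["hashes"]["SHA256"]].add(e["path"])
    by_pid = defaultdict(dict)  # repeated dumps of one region collapse to one span
    for pid, _n, start, end in regions:
        by_pid[pid][(start, end)] = end - start
    owners = defaultdict(set)
    for pid, spans in by_pid.items():
        for span in spans:
            owners[span].add(pid)
    return {
        "hunt": {k: sorted(v) for k, v in hunt.items()},
        "counts": dict(counts),
        "empty": [e["path"] for e in files if is_empty(e)],
        "memory": {pid: {f"0x{s:X}-0x{e:X}": human_size(sz) for (s, e), sz in spans.items()}
                   for pid, spans in by_pid.items()},
        "shared_regions": {f"0x{s:X}-0x{e:X}": sorted(p) for (s, e), p in owners.items()
                           if len(p) > 1},
    }
```

Feed it the full listing (`triage(open("report.txt").read())`) and `json.dumps` the result. On the complete report the `0xA10000-0xECA000` span shows up under PIDs 728, 3580 and 4416, while the submitted process 4832 maps its equally sized region at `0xA90000`; when a span is dumped under several PIDs one carve covers them all, so the shared-region list is the place to start. The empty-digest check matters because the crashpad pipe entry would otherwise land in a hash blocklist as a "file" that matches every zero-byte file on every host.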