Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-09-2024 15:37

General

  • Target

    c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe

  • Size

    1.8MB

  • MD5

    d5fcf8cf3ca99a694ee9b8a97776e64a

  • SHA1

    07542ce45f902bdc773702e17621cc600d3df50b

  • SHA256

    c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d

  • SHA512

    90da999cc41cef8a44a3b0186b2de606567414024a60e1467f970e39d64f67af254067e11ac19c7f8f7e1e270c3a71cd9214de4773044e68616dfb053c058e2e

  • SSDEEP

    49152:Bjnly4R2PVRilKbs9cRs+Ams7U9N2hk1:BjljR2dol0sMfzKhk1

Malware Config

Extracted

  • Family

    amadey

  • Version

    4.41

  • Botnet

    c7817d

  • C2

    http://31.41.244.10

  • Attributes
    • install_dir

      0e8d0864aa

    • install_file

      svoutse.exe

    • strings_key

      5481b88a6ef75bcf21333988a4e47048

    • url_paths

      /Dem7kTu/index.php

  • rc4.plain

Extracted

  • Family

    stealc

  • Botnet

    rave

  • C2

    http://185.215.113.103

  • Attributes
    • url_path

      /e2b1563c6670f193.php

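The C2 hosts and URL paths extracted above are the most directly actionable indicators in this report. The following is an added example, not part of the sandbox output, that matches them against proxy logs; the indicator values are copied from the Malware Config section, while the Squid-format log lines are constructed for the demonstration and the client and third-party addresses in them are placeholders.

```python
# Added example, not part of the sandbox report: match the two C2 indicators
# extracted above against constructed proxy log lines. Only the host/path pairs
# come from the report; the log lines are made up for the demonstration.
from urllib.parse import urlsplit

# Indicators copied from the "Malware Config" section of the report.
C2_INDICATORS = {
    "amadey": {"host": "31.41.244.10", "paths": {"/Dem7kTu/index.php"}},
    "stealc": {"host": "185.215.113.103", "paths": {"/e2b1563c6670f193.php"}},
}


def classify_url(url):
    """Return (family, match_kind) for a URL that touches a known C2 host.

    match_kind is "host+path" when the request path is one of the extracted
    url_paths, "host" when only the C2 address matches (still worth an alert,
    since the operator may rotate paths). Returns None for unrelated URLs.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for family, ind in C2_INDICATORS.items():
        if host == ind["host"]:
            kind = "host+path" if parts.path in ind["paths"] else "host"
            return family, kind
    return None


# Constructed Squid access.log lines (native format):
# time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
SAMPLE_LOG = """\
1725892620.123 45 10.0.0.21 TCP_MISS/200 512 POST http://31.41.244.10/Dem7kTu/index.php - HIER_DIRECT/31.41.244.10 text/html
1725892621.456 30 10.0.0.21 TCP_MISS/200 1024 POST http://185.215.113.103/e2b1563c6670f193.php - HIER_DIRECT/185.215.113.103 text/html
1725892622.789 20 10.0.0.33 TCP_MISS/200 204 GET http://example.com/index.php - HIER_DIRECT/203.0.113.10 text/html
1725892623.000 18 10.0.0.21 TCP_MISS/404 300 GET http://31.41.244.10/other.php - HIER_DIRECT/31.41.244.10 text/html
"""


def scan_log(text):
    """Return one hit per log line whose URL classify_url() attributes to a family."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than crash
        client, method, url = fields[2], fields[5], fields[6]
        verdict = classify_url(url)
        if verdict is not None:
            family, kind = verdict
            hits.append({"client": client, "method": method, "url": url,
                         "family": family, "match": kind})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["client"]} {hit["method"]} {hit["url"]} -> {hit["family"]} ({hit["match"]})')
```

The host-only match is deliberate: the fourth sample line hits the Amadey address with an unknown path, and a hunt that keyed on the exact `/Dem7kTu/index.php` string alone would miss a campaign that changed the panel path but kept the server.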
Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
  • Downloads MZ/PE file
  • Checks BIOS information in registry (2 TTPs, 12 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (6 IoCs)
  • Identifies Wine through registry keys (2 TTPs, 6 IoCs)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • AutoIT Executable (1 IoC)

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies data under HKEY_USERS (2 IoCs)
  • Modifies registry class (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (23 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
    "C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Users\Admin\AppData\Roaming\1000026000\958f8cd0b1.exe
        "C:\Users\Admin\AppData\Roaming\1000026000\958f8cd0b1.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1652
      • C:\Users\Admin\AppData\Local\Temp\1000030001\4aebe172fd.exe
        "C:\Users\Admin\AppData\Local\Temp\1000030001\4aebe172fd.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1544
      • C:\Users\Admin\AppData\Local\Temp\1000033001\452e882781.exe
        "C:\Users\Admin\AppData\Local\Temp\1000033001\452e882781.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3776
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          4⤵
          • Enumerates system info in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1688
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffe9823d198,0x7ffe9823d1a4,0x7ffe9823d1b0
            5⤵
            PID:2268
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2512,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2504 /prefetch:2
            5⤵
            PID:840
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1888,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:3
            5⤵
            PID:4600
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2320,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2668 /prefetch:8
            5⤵
            PID:1888
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3400,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3404 /prefetch:1
            5⤵
            PID:1740
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3412,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3436 /prefetch:1
            5⤵
            PID:4200
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4560,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:1
            5⤵
            PID:1516
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4672 /prefetch:2
            5⤵
            PID:1808
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4604,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4804 /prefetch:1
            5⤵
            PID:5128
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4628,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4904 /prefetch:2
            5⤵
            PID:5136
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4656,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:2
            5⤵
            PID:5144
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4920,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:1
            5⤵
            PID:5156
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5312,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:2
            5⤵
            PID:5164
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4880,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:1
            5⤵
            PID:5192
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5604,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4616 /prefetch:1
            5⤵
            PID:5204
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5584,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5728 /prefetch:2
            5⤵
            PID:5212
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5888,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5976 /prefetch:1
            5⤵
            PID:5224
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=6156,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6168 /prefetch:2
            5⤵
            PID:5252
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4188,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:1
            5⤵
            PID:5264
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=6332,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6336 /prefetch:2
            5⤵
            PID:5272
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6596,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6628 /prefetch:1
            5⤵
            PID:5288
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=6680,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6764 /prefetch:2
            5⤵
            PID:5296
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6884,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6916 /prefetch:1
            5⤵
            PID:5312
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6352,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6972 /prefetch:2
            5⤵
            PID:5320
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=7188,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7200 /prefetch:1
            5⤵
            PID:5328
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=7336,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7348 /prefetch:1
            5⤵
            PID:5336
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7340,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4752 /prefetch:1
            5⤵
            PID:5132
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --field-trial-handle=3460,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7420 /prefetch:8
            5⤵
            PID:1068
          • C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7848,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7996 /prefetch:8
            5⤵
            PID:5464
          • C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7848,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7996 /prefetch:8
            5⤵
            PID:5332
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=560,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6632 /prefetch:8
            5⤵
            PID:1860
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=6676,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6920 /prefetch:8
            5⤵
            PID:1980
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6276,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6180 /prefetch:8
            5⤵
            PID:5360
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4104,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
    1⤵
    PID:5028
  • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:5352
  • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
                                                                        PID:6096
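Both svoutse.exe instances above (PIDs 5352 and 6096) are flagged for three registry-based environment checks: VirtualBox ACPI values, BIOS strings, and Wine keys. The probe below is an added example, not code from the report or from the sample; it reproduces those three checks so an analyst can see which artifacts a given analysis VM exposes. The registry paths, the `VBOX__` ACPI identifier and the hypervisor marker strings are assumptions taken from common sandbox-signature definitions, not values the report lists, and the `NtSetInformationThreadHideFromDebugger` call is out of scope here. The registry is accessed through a reader callable, so the same probe runs against a constructed fake registry on any OS and against `winreg` on a Windows host.

```python
"""Probe for the analysis-environment artifacts the svoutse.exe signatures
above refer to: VirtualBox ACPI tables, hypervisor BIOS strings, Wine keys.
Added example; the registry locations are assumptions, not taken from the report."""
import sys
from typing import Callable, Dict, List, Optional

# reader(hive, subkey, value_name) -> value as str, "" for a bare key probe
# (value_name None), or None when the key/value does not exist.
RegReader = Callable[[str, str, Optional[str]], Optional[str]]

# Assumed artifact locations (well known, but not listed on this page).
ACPI_TABLES = ("DSDT", "FADT", "RSDT")          # VirtualBox tags them VBOX__
ACPI_OEM_ID = "VBOX__"
BIOS_VALUES = (
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"),
)
BIOS_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "PARALLELS")
WINE_KEYS = (("HKCU", r"Software\Wine"), ("HKLM", r"Software\Wine"))


def probe(read: RegReader) -> Dict[str, List[str]]:
    """Return {signature: [evidence, ...]} for every check that fires."""
    hits: Dict[str, List[str]] = {}
    # "Identifies VirtualBox via ACPI registry values": ACPI table keys named VBOX__
    for table in ACPI_TABLES:
        subkey = r"HARDWARE\ACPI" + "\\" + table + "\\" + ACPI_OEM_ID
        if read("HKLM", subkey, None) is not None:
            hits.setdefault("virtualbox_acpi", []).append("HKLM\\" + subkey)
    # "Checks BIOS information in registry": hypervisor names in BIOS strings
    for subkey, name in BIOS_VALUES:
        value = read("HKLM", subkey, name)
        if value and any(marker in value.upper() for marker in BIOS_MARKERS):
            hits.setdefault("bios_strings", []).append(f"{name}={value}")
    # "Identifies Wine through registry keys": mere existence of Software\Wine
    for hive, subkey in WINE_KEYS:
        if read(hive, subkey, None) is not None:
            hits.setdefault("wine_registry", []).append(hive + "\\" + subkey)
    return hits


def dict_reader(fake: Dict[tuple, Dict[str, str]]) -> RegReader:
    """Reader over a constructed {(hive, subkey_lowercase): {value: data}} map."""
    def read(hive: str, subkey: str, value_name: Optional[str]) -> Optional[str]:
        values = fake.get((hive, subkey.lower()))
        if values is None:
            return None
        return "" if value_name is None else values.get(value_name)
    return read


def winreg_reader() -> RegReader:
    """Live reader; import deferred so the module loads on non-Windows hosts."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def read(hive: str, subkey: str, value_name: Optional[str]) -> Optional[str]:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                if value_name is None:
                    return ""
                data, _ = winreg.QueryValueEx(key, value_name)  # REG_MULTI_SZ -> list
                return " ".join(data) if isinstance(data, list) else str(data)
        except OSError:
            return None
    return read


# Constructed sample of a stock VirtualBox guest (not data from the report).
SAMPLE_VBOX_GUEST = {
    ("HKLM", r"hardware\acpi\dsdt\vbox__"): {},
    ("HKLM", r"hardware\description\system"): {
        "SystemBiosVersion": "VBOX - 1",
        "VideoBiosVersion": "Oracle VM VirtualBox VBE Adapter",
    },
}

if __name__ == "__main__":
    reader = winreg_reader() if sys.platform == "win32" else dict_reader(SAMPLE_VBOX_GUEST)
    for signature, evidence in probe(reader).items():
        print(f"{signature}: " + "; ".join(evidence))
```

On a Windows analysis VM run it directly; an empty result means none of these three checks would trip there. Each fired signature names the exact key or value that gave the environment away, which is the thing to change or remove before re-detonating a sample that refuses to run.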

                                                                      Network

                                                                      MITRE ATT&CK Enterprise v15

                                                                      Downloads
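The list that follows is usable as an IOC set only after it is parsed, and it carries two things worth noticing in a sandbox report: the same path listed several times with different hashes (the file was rewritten during the run), and a final entry cut off with no hashes. The script below is an added example, not the sandbox vendor's tooling. It accepts entries both in the page's one-field-per-line form and in a compact `Field: value` form, tolerates the truncated tail, separates Edge profile and token-cache churn from files under user-writable drop directories, and reports rewritten paths. The noise/drop directory lists are the example's own heuristic, and the sample input is an excerpt of the entries below (SHA512 lines omitted).

```python
"""Turn the sandbox 'Downloads' list on this page into an IOC table.

Added example, not the sandbox vendor's tooling. An entry is a '•' path line
followed by field/value pairs; the noise-vs-dropped split is a heuristic."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FIELDS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
# Assumed directory heuristics (this example's own, not from the report).
NOISE_DIRS = ("\\appdata\\local\\microsoft\\edge\\", "\\appdata\\local\\microsoft\\tokenbroker\\")
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\", "\\public\\")

# Excerpt of the list below (SHA512 lines omitted). The third entry keeps the
# page's one-field-per-line layout; the last is the truncated final entry.
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
  Filesize: 280B
  MD5: 5dd8527aec4a059d7dfc4b146cce00a0
  SHA1: 17f6affdd5f872e921d2cfa3097ff85be1fc237f
  SHA256: e002a6e7b20fccbe67412c86ea9dc4b232b84176aa9e672ec79798beebaba8ef
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat
  Filesize: 280B
  MD5: 01cb0c876b799d0d442b261322a89cfd
  SHA1: ff1bfae90bc51dcac4bda22e97ae40936e68e4a6
  SHA256: 3902e752657e7df72ad464c70dae78810004dd0852f8040428a0d1208d8d8167
• C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

  Filesize

  2KB

  MD5

  3f50cac80e4520468b1fdff7a9ad429e

  SHA256

  a70049a25425f370253302bef36d7c8f3ca314f088fc87f1f90fac0c10522c8e

• C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
"""


@dataclass
class Dropped:
    path: str
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def category(self) -> str:
        p = self.path.lower()
        if any(d in p for d in DROP_DIRS):
            return "dropped"        # user-writable staging / persistence dirs
        if any(d in p for d in NOISE_DIRS):
            return "browser-noise"  # Edge profile and token-cache churn
        return "review"


def parse(text: str) -> List[Dropped]:
    """Parse '•' path lines plus field/value pairs; tolerate a truncated tail."""
    records: List[Dropped] = []
    pending = None                   # field name waiting for its value line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            records.append(Dropped(line[1:].strip()))
            pending = None
        elif line in FIELDS:                      # one-field-per-line form
            pending = line
        elif pending is not None and records:
            records[-1].attrs[pending] = line
            pending = None
        elif ":" in line and records:             # compact "Field: value" form
            name, value = line.split(":", 1)
            if name.strip() in FIELDS:
                records[-1].attrs[name.strip()] = value.strip()
    return records


def triage(records: List[Dropped]) -> Tuple[List[str], Dict[str, int]]:
    """IOC lines (one per unique SHA256, or per path when the hash is missing)
    plus the paths the run rewrote more than once."""
    seen, lines = set(), []
    for r in records:
        if r.category == "browser-noise":
            continue
        key = r.attrs.get("SHA256") or r.path
        if key in seen:
            continue
        seen.add(key)
        sha = r.attrs.get("SHA256", "<no hash: entry truncated>")
        lines.append(f"{r.category}\t{r.path}\t{sha}")
    rewrites = {p: n for p, n in Counter(r.path for r in records).items() if n > 1}
    return lines, rewrites


if __name__ == "__main__":
    iocs, rewrites = triage(parse(SAMPLE))
    print("\n".join(iocs))
    for path, n in rewrites.items():
        print(f"rewritten {n}x: {path}")
```

Paste the whole list into `parse` and only the entries outside browser profile directories survive; on this page that leaves the Temp drop path, which is the one worth pushing to a blocklist once the full entry with its hashes is available.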

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

                                                                        Filesize

                                                                        280B

                                                                        MD5

                                                                        5dd8527aec4a059d7dfc4b146cce00a0

                                                                        SHA1

                                                                        17f6affdd5f872e921d2cfa3097ff85be1fc237f

                                                                        SHA256

                                                                        e002a6e7b20fccbe67412c86ea9dc4b232b84176aa9e672ec79798beebaba8ef

                                                                        SHA512

                                                                        61a3c52bc44f6dbb869ff3dfa06320ecccf811c0e330f4da507966bed3a3cfb5901cf47dfea0a61a970159b077ccbd81601cb2aa0c6adddc87ec056654b38cdb

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

                                                                        Filesize

                                                                        280B

                                                                        MD5

                                                                        01cb0c876b799d0d442b261322a89cfd

                                                                        SHA1

                                                                        ff1bfae90bc51dcac4bda22e97ae40936e68e4a6

                                                                        SHA256

                                                                        3902e752657e7df72ad464c70dae78810004dd0852f8040428a0d1208d8d8167

                                                                        SHA512

                                                                        29a6b1a149f68dca9500cdfcd7136aeba4bfb5eaa35ab5b73852a12230e2318f4012d284d59fb64798adb26ba3cdedefa57f1b93f1cd7465396d8911f6034c4e

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

                                                                        Filesize

                                                                        20B

                                                                        MD5

                                                                        9e4e94633b73f4a7680240a0ffd6cd2c

                                                                        SHA1

                                                                        e68e02453ce22736169a56fdb59043d33668368f

                                                                        SHA256

                                                                        41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

                                                                        SHA512

                                                                        193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\0abd75d3-395b-49e5-946b-f568701f0b3f.tmp

                                                                        Filesize

                                                                        6KB

                                                                        MD5

                                                                        dee1fb94371e6f469e932fdc3ea1e23d

                                                                        SHA1

                                                                        2aae4188331ee3dc8e2841f9dcf5493af54e7baa

                                                                        SHA256

                                                                        6a2e35595eb49982bbfce5cd971085e6eee7447490847fd59e5bee98122a7a67

                                                                        SHA512

                                                                        0cf8fc8a8076c7c1626da36b280d144de4f1207be294fe4794ced6d9353f08bbd2abaf684e4af5db248b98b7b6a0bac8298d39b2f909b78335d2a9060ff635cb

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index

                                                                        Filesize

                                                                        408B

                                                                        MD5

                                                                        cf276f66a5c8e8a29891973bab267180

                                                                        SHA1

                                                                        1a4067f051509d26992de4652bde723bde8a0bed

                                                                        SHA256

                                                                        456e86ec2ff795f08bea526938fbe3e17f93922fe2bc0991d5154ff5abf49d21

                                                                        SHA512

                                                                        c8c76bcece2c6f224fd494c33e3c80d54629062c0642de3fd106cca4fbeaa0459885ea11fcbf975e438cf7c5d44515a1b76902ed965ae7de41adda61f76dc195

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index~RFe5962d7.TMP

                                                                        Filesize

                                                                        48B

                                                                        MD5

                                                                        225476a5d9bb214defb54fe671389f39

                                                                        SHA1

                                                                        1a3c378524e1c508748c9b236afdcec584b2d5ce

                                                                        SHA256

                                                                        94aae9ae09c7c4e85dc63bf13d5baa561841e920a8250eca0ddfd60cb2191819

                                                                        SHA512

                                                                        5fbffecc3216dda120cf5764cc631d81eb9ec2412c083c6ee9aa6808edec6d3f6cdd5149ae21a2be1b47131779aab286cd20baf5c03d44a14663a045cf217583

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnWebGPUCache\data_0

                                                                        Filesize

                                                                        8KB

                                                                        MD5

                                                                        cf89d16bb9107c631daabf0c0ee58efb

                                                                        SHA1

                                                                        3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

                                                                        SHA256

                                                                        d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

                                                                        SHA512

                                                                        8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnWebGPUCache\data_1

                                                                        Filesize

                                                                        264KB

                                                                        MD5

                                                                        d0d388f3865d0523e451d6ba0be34cc4

                                                                        SHA1

                                                                        8571c6a52aacc2747c048e3419e5657b74612995

                                                                        SHA256

                                                                        902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

                                                                        SHA512

                                                                        376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnWebGPUCache\data_2

                                                                        Filesize

                                                                        8KB

                                                                        MD5

                                                                        0962291d6d367570bee5454721c17e11

                                                                        SHA1

                                                                        59d10a893ef321a706a9255176761366115bedcb

                                                                        SHA256

                                                                        ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

                                                                        SHA512

                                                                        f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnWebGPUCache\data_3

                                                                        Filesize

                                                                        8KB

                                                                        MD5

                                                                        41876349cb12d6db992f1309f22df3f0

                                                                        SHA1

                                                                        5cf26b3420fc0302cd0a71e8d029739b8765be27

                                                                        SHA256

                                                                        e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

                                                                        SHA512

                                                                        e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State

                                                                        Filesize

                                                                        627B

                                                                        MD5

                                                                        d28670e68197f7b0908b404f03c1658f

                                                                        SHA1

                                                                        e475dd8b459692fba04dd527d6495822a78be23a

                                                                        SHA256

                                                                        99dcf1251432342fce75e8d07839f74fc0911f8e8606edcb6dcfbc51b9d52b5b

                                                                        SHA512

                                                                        997428d0c0411e02ba0af1e015f350abe07d7081bd065a53b60cffa3896a97d6ad48b5bf84efdd8ba6f54d204352f8b1f140234bbf5b4029ac04f222c03dbe97

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State

                                                                        Filesize

                                                                        59B

                                                                        MD5

                                                                        2800881c775077e1c4b6e06bf4676de4

                                                                        SHA1

                                                                        2873631068c8b3b9495638c865915be822442c8b

                                                                        SHA256

                                                                        226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

                                                                        SHA512

                                                                        e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences

                                                                        Filesize

                                                                        23KB

                                                                        MD5

                                                                        1895e99abf6219b646bbda6dce383e2a

                                                                        SHA1

                                                                        af9ece3c4c90ce996eb6024878e250f443f9b0a7

                                                                        SHA256

                                                                        131742ccd960d04be1de4f33955969126b7c7c2895cd8125e7fc67d86ded028d

                                                                        SHA512

                                                                        3528d8158a1cb5b91d8619042ff94625f6fe3a106fd246b4c550b824a47e705658ce5f0919ecbc3ea271248c573fdca81969347dd26fb8c6a70bdff817de188f

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT

                                                                        Filesize

                                                                        16B

                                                                        MD5

                                                                        46295cac801e5d4857d09837238a6394

                                                                        SHA1

                                                                        44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                        SHA256

                                                                        0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                        SHA512

                                                                        8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001

                                                                        Filesize

                                                                        41B

                                                                        MD5

                                                                        5af87dfd673ba2115e2fcf5cfdb727ab

                                                                        SHA1

                                                                        d5b5bbf396dc291274584ef71f444f420b6056f1

                                                                        SHA256

                                                                        f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                                                        SHA512

                                                                        de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index

                                                                        Filesize

                                                                        48B

                                                                        MD5

                                                                        9f14b87a962a84966268000c2ec651cd

                                                                        SHA1

                                                                        a84e75818773af7e9b401fe4d71c18e2b9bf322e

                                                                        SHA256

                                                                        6cd2f3faf3c6d7f0b9e863b27f4fc74031911391b62a4bc999a7a2f270579ca5

                                                                        SHA512

                                                                        e154c7c3021069bc16be18391eee600b31e8fbeb5cd9a4aaac743afe70b74fbc6a7e420f983e82484b019bee4c3b230a635ea01b1af69de9563c5f0988595549

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index

                                                                        Filesize

                                                                        72B

                                                                        MD5

                                                                        72745bf16df7b9549f5c4d1724b6ce66

                                                                        SHA1

                                                                        e9bcafdd0a53c5d08ac589a99f14c534541fe4b2

                                                                        SHA256

                                                                        dcfd25da7154832ec4facc14572974a835de454634cf380a3dc5f467a296297e

                                                                        SHA512

                                                                        17d157cd8f1fdba2405432fb2cd0cd1f582b1f854e9488e1c00c1ad8142c1df79136c26d327db762f549c82ff3fab949e558ee66d3740d3f2694952cf93b0b6e

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index

                                                                        Filesize

                                                                        24B

                                                                        MD5

                                                                        54cb446f628b2ea4a5bce5769910512e

                                                                        SHA1

                                                                        c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

                                                                        SHA256

                                                                        fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

                                                                        SHA512

                                                                        8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports

                                                                        Filesize

                                                                        2B

                                                                        MD5

                                                                        d751713988987e9331980363e24189ce

                                                                        SHA1

                                                                        97d170e1550eee4afc0af065b78cda302a97674c

                                                                        SHA256

                                                                        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                        SHA512

                                                                        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

                                                                        Filesize

                                                                        27KB

                                                                        MD5

                                                                        a9d7ff006938e617d72b5237c5e3cf18

                                                                        SHA1

                                                                        9de14a2b19341070aef255838ebefdd4fa2318ac

                                                                        SHA256

                                                                        f2bd9c1e9ceade2821e7a5fbfdccf910967be2ad67c8d90c91b50df824a1475d

                                                                        SHA512

                                                                        7aacbd0e92fe8c0e82010de6616b0102734785a7dae1c99fde34ea777dfcc11d3cefa591dde23e590fb3e81574258e6a03bbc0706d501a0ed82d9f0f2d7e2f66

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        003383bbb292e45ebe053556c82f5494

                                                                        SHA1

                                                                        7026ea4b8930478a22ab1bf1010ead36a169b147

                                                                        SHA256

                                                                        903382e0bee01cc56dc72a6b3195f10b91efc97d39077c22d9bccbcf3c292de3

                                                                        SHA512

                                                                        b290f146caefbde2fa56a8a745797fd64b04cdaef8e05e3844bdf028b4a4f995b15d69306f04e78b9932b4d5807940e95da299749184eb1f50c05a8466289f75

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

                                                                        Filesize

                                                                        23KB

                                                                        MD5

                                                                        3f93c986c7c68f0cd9f25f7044e5d4dc

                                                                        SHA1

                                                                        2493789a149af1d1676d68fadb02d1e7c4ae06c3

                                                                        SHA256

                                                                        b93b93cc27d85c9bdfa2d9310007e6328b733fa5b3d92c913f88fdb7622d3804

                                                                        SHA512

                                                                        0d78305dfa0a7cec53ae698db75a9e95f51b0030cdfc0c29b31179b5d01ac8a4de876e57bc1316f7704635d2eff891c3b1fc69bf154e8ca7fcd31d0d5cb8c8e9

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

                                                                        Filesize

                                                                        4KB

                                                                        MD5

                                                                        f324ab4d9aa2a32894f9a847675d1e47

                                                                        SHA1

                                                                        2518b8edaf4d2521f67848d192dd825cb86155c9

                                                                        SHA256

                                                                        87bcc060444e12e9cef438d4a0bff195f343a0540587ce134dedd943174b62ce

                                                                        SHA512

                                                                        ae3664d7449be260fce1f4fc2e1e7b9c6c2d0477a136ec1924e5094234c74df314d89139b534c50304cbfc4a0cdede8415dac726d8d9eea5e14c9100fd8a4f33

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State (Filesize 3KB)
  MD5 48b35502d9f78a13bce43629813ae436
  SHA1 fd3f0a5ec0cfd9d4957fa73a7aae0481d009d039
  SHA256 774c5ebcaa05315cc1988c6afd5ea47cf817186b0d132628be9f9ac6192f34cd
  SHA512 9afdf00e645deacbb18fc3f61d63d16ac5cfa911657968384f512dc19db1f6525c0c176e7cbc7985080f79efebd0cbb3da6d27d7ca1dcc7cc16b4f5951d11204

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RFe591023.TMP (Filesize 1KB)
  MD5 66815f2805690e819beeda8886227173
  SHA1 1ca70ff7a5929aaf4dd5f06df67202236e63d053
  SHA256 f130c376abbc0ed139497170c95eff210efd7346377d46370d08dd8a906f7a7d
  SHA512 e4698b9cc8b34c43df492b78dae9effc3d31f18f585b9dff8e81ad17eedfa0c83be58df5f981477823049f6bfd36eb815a46c73bfd672b5035d4cefe97c8e9ad

• C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres (Filesize 2KB)
  MD5 3f50cac80e4520468b1fdff7a9ad429e
  SHA1 bcfee981be0c4e13b2e7e56df49864ffdd5c1315
  SHA256 a70049a25425f370253302bef36d7c8f3ca314f088fc87f1f90fac0c10522c8e
  SHA512 c3fcee52ab1ee039a8a7507dd91dd425c9e7d9ac28c76bf622c47e74e33865f0b8d1edcf60ea5f565205213fa4fee086e47aba515d74fd4c88aa14f62c041896

• C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (Filesize 1.8MB)
  MD5 d5fcf8cf3ca99a694ee9b8a97776e64a
  SHA1 07542ce45f902bdc773702e17621cc600d3df50b
  SHA256 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d
  SHA512 90da999cc41cef8a44a3b0186b2de606567414024a60e1467f970e39d64f67af254067e11ac19c7f8f7e1e270c3a71cd9214de4773044e68616dfb053c058e2e

• C:\Users\Admin\AppData\Local\Temp\1000033001\452e882781.exe (Filesize 896KB)
  MD5 2801358ac519754c48b748365a57fdc0
  SHA1 c8e7b39b9172409eabcabe54b2a224d1a24e328a
  SHA256 563f6936421d587af73cab59d466deb7bfe961fd7bb119b3366f20bb5be45915
  SHA512 2b21599bd4d9035e3b2c367342c824c52133c28e0b4103ce1bd5933bc15b6380d56a694fa97fad973fe2b8a37115b3cbb9ab4a5c13fabd76a6c750e97d04c2db

• C:\Users\Admin\AppData\Roaming\1000026000\958f8cd0b1.exe (Filesize 1.7MB)
  MD5 110750350e3f833d4de59ed0c7dd1b08
  SHA1 ff21c68dad2c4733ced39aabd130e0406a56ed58
  SHA256 d89f747d96c84dcd1a704731dd4261f6eb69f1498a05cae00a4635169ce5ec20
  SHA512 df963df25b627e0aa446c0170acbfd3589d0b243eae8c34d84cd77940ee1d58b90f4a4739c10053eedd3dc1036a20aaf8cf202c8ed991b487712137ec0d52493

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZAZZUMHXATXQCGY8PZXK.temp (Filesize 3KB)
  MD5 779378d949c99129e03e0e2c8b80219e
  SHA1 f294b68114af0d06c3d24ba818dcb0e45cd162b6
  SHA256 d219daa587df578ac20cbb7ed76e7f0a9674f42dd027fbdf384a30a53d11d6eb
  SHA512 fc2b27b496e5aadb441f3235412901e7121bf8d950d218eb4172f5ac89e00cd80a5a6889a934902e095e3449ba9be60a2ef7556071744fcdd87041f971f85fa6

• \??\pipe\crashpad_1688_EEYGPGDNXMFZJREO (no Filesize recorded; the four digests below are the hashes of zero-length input, so the pipe yielded no capturable content)
  MD5 d41d8cd98f00b204e9800998ecf8427e
  SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/1544-62-0x0000000000910000-0x0000000000F79000-memory.dmp (Filesize 6.4MB)
• memory/1544-323-0x0000000000910000-0x0000000000F79000-memory.dmp (Filesize 6.4MB)
• memory/1652-44-0x0000000000610000-0x0000000000C79000-memory.dmp (Filesize 6.4MB)
• memory/1652-57-0x0000000000611000-0x0000000000625000-memory.dmp (Filesize 80KB)
• memory/1652-60-0x0000000000610000-0x0000000000C79000-memory.dmp (Filesize 6.4MB)
• memory/1652-63-0x0000000000610000-0x0000000000C79000-memory.dmp (Filesize 6.4MB)
• memory/2420-21-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-385-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-23-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-543-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-24-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-25-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-26-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-596-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-585-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-356-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-584-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-22-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-20-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-19-0x0000000000301000-0x000000000032F000-memory.dmp (Filesize 184KB)
• memory/2420-18-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-556-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-27-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-505-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-28-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-523-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2420-542-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/2792-5-0x00000000002F0000-0x0000000000799000-memory.dmp (Filesize 4.7MB)
• memory/2792-3-0x00000000002F0000-0x0000000000799000-memory.dmp (Filesize 4.7MB)
• memory/2792-17-0x00000000002F0000-0x0000000000799000-memory.dmp (Filesize 4.7MB)
• memory/2792-2-0x00000000002F1000-0x000000000031F000-memory.dmp (Filesize 184KB)
• memory/2792-1-0x0000000077504000-0x0000000077506000-memory.dmp (Filesize 8KB)
• memory/2792-0-0x00000000002F0000-0x0000000000799000-memory.dmp (Filesize 4.7MB)
• memory/5352-355-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/5352-346-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)
• memory/6096-555-0x0000000000300000-0x00000000007A9000-memory.dmp (Filesize 4.7MB)