Malware Analysis Report

2024-10-23 21:51

Sample ID 240909-s2ggsawapr
Target c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe
SHA256 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d
Tags
amadey stealc c7817d rave discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d

Threat Level: Known bad

The file c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe was found to be: Known bad.

Malicious Activity Summary

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-09 15:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-09 15:37

Reported

2024-09-09 15:39

Platform

win7-20240729-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\03ba3e42c0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\578cfbf4fd.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\03ba3e42c0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\03ba3e42c0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\578cfbf4fd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\578cfbf4fd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\03ba3e42c0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\578cfbf4fd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\578cfbf4fd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\578cfbf4fd.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\03ba3e42c0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\578cfbf4fd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000033001\055c74b852.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000033001\055c74b852.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000033001\055c74b852.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2788 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\03ba3e42c0.exe
PID 2788 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\578cfbf4fd.exe
PID 2788 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000033001\055c74b852.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe

"C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\03ba3e42c0.exe

"C:\Users\Admin\AppData\Roaming\1000026000\03ba3e42c0.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\578cfbf4fd.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\578cfbf4fd.exe"

C:\Users\Admin\AppData\Local\Temp\1000033001\055c74b852.exe

"C:\Users\Admin\AppData\Local\Temp\1000033001\055c74b852.exe"

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 185.215.113.103:80 185.215.113.103 tcp

Files

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 d5fcf8cf3ca99a694ee9b8a97776e64a
SHA1 07542ce45f902bdc773702e17621cc600d3df50b
SHA256 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d
SHA512 90da999cc41cef8a44a3b0186b2de606567414024a60e1467f970e39d64f67af254067e11ac19c7f8f7e1e270c3a71cd9214de4773044e68616dfb053c058e2e

C:\Users\Admin\AppData\Roaming\1000026000\03ba3e42c0.exe

MD5 110750350e3f833d4de59ed0c7dd1b08
SHA1 ff21c68dad2c4733ced39aabd130e0406a56ed58
SHA256 d89f747d96c84dcd1a704731dd4261f6eb69f1498a05cae00a4635169ce5ec20
SHA512 df963df25b627e0aa446c0170acbfd3589d0b243eae8c34d84cd77940ee1d58b90f4a4739c10053eedd3dc1036a20aaf8cf202c8ed991b487712137ec0d52493

C:\Users\Admin\AppData\Local\Temp\1000033001\055c74b852.exe

MD5 2801358ac519754c48b748365a57fdc0
SHA1 c8e7b39b9172409eabcabe54b2a224d1a24e328a
SHA256 563f6936421d587af73cab59d466deb7bfe961fd7bb119b3366f20bb5be45915
SHA512 2b21599bd4d9035e3b2c367342c824c52133c28e0b4103ce1bd5933bc15b6380d56a694fa97fad973fe2b8a37115b3cbb9ab4a5c13fabd76a6c750e97d04c2db

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-09 15:37

Reported

2024-09-09 15:39

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\958f8cd0b1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\4aebe172fd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\4aebe172fd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\4aebe172fd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\958f8cd0b1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\958f8cd0b1.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\958f8cd0b1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\4aebe172fd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4aebe172fd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\4aebe172fd.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\4aebe172fd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000033001\452e882781.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\958f8cd0b1.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133703698801757041" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{90AE31A6-29EC-42AE-9FDB-CDFD4FDADF24} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000033001\452e882781.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000033001\452e882781.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000033001\452e882781.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2420 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\958f8cd0b1.exe
PID 2420 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\4aebe172fd.exe
PID 2420 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000033001\452e882781.exe
PID 3776 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\1000033001\452e882781.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 2268 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe

"C:\Users\Admin\AppData\Local\Temp\c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4104,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8

C:\Users\Admin\AppData\Roaming\1000026000\958f8cd0b1.exe

"C:\Users\Admin\AppData\Roaming\1000026000\958f8cd0b1.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\4aebe172fd.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\4aebe172fd.exe"

C:\Users\Admin\AppData\Local\Temp\1000033001\452e882781.exe

"C:\Users\Admin\AppData\Local\Temp\1000033001\452e882781.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffe9823d198,0x7ffe9823d1a4,0x7ffe9823d1b0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2512,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2504 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1888,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2320,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2668 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3400,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3412,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4560,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4672 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4604,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4628,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4904 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4656,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4920,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5312,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4880,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5604,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5584,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5728 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5888,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=6156,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6168 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4188,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=6332,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6336 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6596,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=6680,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6764 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6884,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6352,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6972 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=7188,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=7336,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7340,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4752 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --field-trial-handle=3460,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7420 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7848,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7996 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7848,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7996 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=560,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6632 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=6676,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6920 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6276,i,17665459785577292627,10161221895429433915,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6180 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 13.107.6.158:443 business.bing.com tcp
US 13.107.246.64:443 edge-mobile-static.azureedge.net tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
GB 88.221.135.81:443 bzib.nelreports.net tcp
US 8.8.8.8:53 81.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.212.206:443 play.google.com udp
GB 92.123.142.41:443 www.bing.com tcp
GB 92.123.143.113:443 www.bing.com tcp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 41.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 113.143.123.92.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.253.64:443 edge-consumer-static.azureedge.net tcp
US 8.8.8.8:53 64.253.107.13.in-addr.arpa udp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp

Files

memory/2792-0-0x00000000002F0000-0x0000000000799000-memory.dmp

memory/2792-1-0x0000000077504000-0x0000000077506000-memory.dmp

memory/2792-2-0x00000000002F1000-0x000000000031F000-memory.dmp

memory/2792-3-0x00000000002F0000-0x0000000000799000-memory.dmp

memory/2792-5-0x00000000002F0000-0x0000000000799000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 d5fcf8cf3ca99a694ee9b8a97776e64a
SHA1 07542ce45f902bdc773702e17621cc600d3df50b
SHA256 c583d2baee3ad40a8ce2f25b2427f20e9a6a95d811ca1deef408d6a238278b8d
SHA512 90da999cc41cef8a44a3b0186b2de606567414024a60e1467f970e39d64f67af254067e11ac19c7f8f7e1e270c3a71cd9214de4773044e68616dfb053c058e2e

memory/2792-17-0x00000000002F0000-0x0000000000799000-memory.dmp

memory/2420-18-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-19-0x0000000000301000-0x000000000032F000-memory.dmp

memory/2420-20-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-21-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-22-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-23-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-24-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-25-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-26-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-27-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-28-0x0000000000300000-0x00000000007A9000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\958f8cd0b1.exe

MD5 110750350e3f833d4de59ed0c7dd1b08
SHA1 ff21c68dad2c4733ced39aabd130e0406a56ed58
SHA256 d89f747d96c84dcd1a704731dd4261f6eb69f1498a05cae00a4635169ce5ec20
SHA512 df963df25b627e0aa446c0170acbfd3589d0b243eae8c34d84cd77940ee1d58b90f4a4739c10053eedd3dc1036a20aaf8cf202c8ed991b487712137ec0d52493

memory/1652-44-0x0000000000610000-0x0000000000C79000-memory.dmp

memory/1652-60-0x0000000000610000-0x0000000000C79000-memory.dmp

memory/1544-62-0x0000000000910000-0x0000000000F79000-memory.dmp

memory/1652-57-0x0000000000611000-0x0000000000625000-memory.dmp

memory/1652-63-0x0000000000610000-0x0000000000C79000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000033001\452e882781.exe

MD5 2801358ac519754c48b748365a57fdc0
SHA1 c8e7b39b9172409eabcabe54b2a224d1a24e328a
SHA256 563f6936421d587af73cab59d466deb7bfe961fd7bb119b3366f20bb5be45915
SHA512 2b21599bd4d9035e3b2c367342c824c52133c28e0b4103ce1bd5933bc15b6380d56a694fa97fad973fe2b8a37115b3cbb9ab4a5c13fabd76a6c750e97d04c2db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 01cb0c876b799d0d442b261322a89cfd
SHA1 ff1bfae90bc51dcac4bda22e97ae40936e68e4a6
SHA256 3902e752657e7df72ad464c70dae78810004dd0852f8040428a0d1208d8d8167
SHA512 29a6b1a149f68dca9500cdfcd7136aeba4bfb5eaa35ab5b73852a12230e2318f4012d284d59fb64798adb26ba3cdedefa57f1b93f1cd7465396d8911f6034c4e

\??\pipe\crashpad_1688_EEYGPGDNXMFZJREO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 5dd8527aec4a059d7dfc4b146cce00a0
SHA1 17f6affdd5f872e921d2cfa3097ff85be1fc237f
SHA256 e002a6e7b20fccbe67412c86ea9dc4b232b84176aa9e672ec79798beebaba8ef
SHA512 61a3c52bc44f6dbb869ff3dfa06320ecccf811c0e330f4da507966bed3a3cfb5901cf47dfea0a61a970159b077ccbd81601cb2aa0c6adddc87ec056654b38cdb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

MD5 003383bbb292e45ebe053556c82f5494
SHA1 7026ea4b8930478a22ab1bf1010ead36a169b147
SHA256 903382e0bee01cc56dc72a6b3195f10b91efc97d39077c22d9bccbcf3c292de3
SHA512 b290f146caefbde2fa56a8a745797fd64b04cdaef8e05e3844bdf028b4a4f995b15d69306f04e78b9932b4d5807940e95da299749184eb1f50c05a8466289f75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RFe591023.TMP

MD5 66815f2805690e819beeda8886227173
SHA1 1ca70ff7a5929aaf4dd5f06df67202236e63d053
SHA256 f130c376abbc0ed139497170c95eff210efd7346377d46370d08dd8a906f7a7d
SHA512 e4698b9cc8b34c43df492b78dae9effc3d31f18f585b9dff8e81ad17eedfa0c83be58df5f981477823049f6bfd36eb815a46c73bfd672b5035d4cefe97c8e9ad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnWebGPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnWebGPUCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnWebGPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

MD5 f324ab4d9aa2a32894f9a847675d1e47
SHA1 2518b8edaf4d2521f67848d192dd825cb86155c9
SHA256 87bcc060444e12e9cef438d4a0bff195f343a0540587ce134dedd943174b62ce
SHA512 ae3664d7449be260fce1f4fc2e1e7b9c6c2d0477a136ec1924e5094234c74df314d89139b534c50304cbfc4a0cdede8415dac726d8d9eea5e14c9100fd8a4f33

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnWebGPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

MD5 48b35502d9f78a13bce43629813ae436
SHA1 fd3f0a5ec0cfd9d4957fa73a7aae0481d009d039
SHA256 774c5ebcaa05315cc1988c6afd5ea47cf817186b0d132628be9f9ac6192f34cd
SHA512 9afdf00e645deacbb18fc3f61d63d16ac5cfa911657968384f512dc19db1f6525c0c176e7cbc7985080f79efebd0cbb3da6d27d7ca1dcc7cc16b4f5951d11204

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

MD5 3f50cac80e4520468b1fdff7a9ad429e
SHA1 bcfee981be0c4e13b2e7e56df49864ffdd5c1315
SHA256 a70049a25425f370253302bef36d7c8f3ca314f088fc87f1f90fac0c10522c8e
SHA512 c3fcee52ab1ee039a8a7507dd91dd425c9e7d9ac28c76bf622c47e74e33865f0b8d1edcf60ea5f565205213fa4fee086e47aba515d74fd4c88aa14f62c041896

memory/1544-323-0x0000000000910000-0x0000000000F79000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZAZZUMHXATXQCGY8PZXK.temp

MD5 779378d949c99129e03e0e2c8b80219e
SHA1 f294b68114af0d06c3d24ba818dcb0e45cd162b6
SHA256 d219daa587df578ac20cbb7ed76e7f0a9674f42dd027fbdf384a30a53d11d6eb
SHA512 fc2b27b496e5aadb441f3235412901e7121bf8d950d218eb4172f5ac89e00cd80a5a6889a934902e095e3449ba9be60a2ef7556071744fcdd87041f971f85fa6

memory/5352-346-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/5352-355-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-356-0x0000000000300000-0x00000000007A9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

MD5 3f93c986c7c68f0cd9f25f7044e5d4dc
SHA1 2493789a149af1d1676d68fadb02d1e7c4ae06c3
SHA256 b93b93cc27d85c9bdfa2d9310007e6328b733fa5b3d92c913f88fdb7622d3804
SHA512 0d78305dfa0a7cec53ae698db75a9e95f51b0030cdfc0c29b31179b5d01ac8a4de876e57bc1316f7704635d2eff891c3b1fc69bf154e8ca7fcd31d0d5cb8c8e9

memory/2420-385-0x0000000000300000-0x00000000007A9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\0abd75d3-395b-49e5-946b-f568701f0b3f.tmp

MD5 dee1fb94371e6f469e932fdc3ea1e23d
SHA1 2aae4188331ee3dc8e2841f9dcf5493af54e7baa
SHA256 6a2e35595eb49982bbfce5cd971085e6eee7447490847fd59e5bee98122a7a67
SHA512 0cf8fc8a8076c7c1626da36b280d144de4f1207be294fe4794ced6d9353f08bbd2abaf684e4af5db248b98b7b6a0bac8298d39b2f909b78335d2a9060ff635cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index

MD5 9f14b87a962a84966268000c2ec651cd
SHA1 a84e75818773af7e9b401fe4d71c18e2b9bf322e
SHA256 6cd2f3faf3c6d7f0b9e863b27f4fc74031911391b62a4bc999a7a2f270579ca5
SHA512 e154c7c3021069bc16be18391eee600b31e8fbeb5cd9a4aaac743afe70b74fbc6a7e420f983e82484b019bee4c3b230a635ea01b1af69de9563c5f0988595549

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index

MD5 72745bf16df7b9549f5c4d1724b6ce66
SHA1 e9bcafdd0a53c5d08ac589a99f14c534541fe4b2
SHA256 dcfd25da7154832ec4facc14572974a835de454634cf380a3dc5f467a296297e
SHA512 17d157cd8f1fdba2405432fb2cd0cd1f582b1f854e9488e1c00c1ad8142c1df79136c26d327db762f549c82ff3fab949e558ee66d3740d3f2694952cf93b0b6e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index

MD5 cf276f66a5c8e8a29891973bab267180
SHA1 1a4067f051509d26992de4652bde723bde8a0bed
SHA256 456e86ec2ff795f08bea526938fbe3e17f93922fe2bc0991d5154ff5abf49d21
SHA512 c8c76bcece2c6f224fd494c33e3c80d54629062c0642de3fd106cca4fbeaa0459885ea11fcbf975e438cf7c5d44515a1b76902ed965ae7de41adda61f76dc195

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index~RFe5962d7.TMP

MD5 225476a5d9bb214defb54fe671389f39
SHA1 1a3c378524e1c508748c9b236afdcec584b2d5ce
SHA256 94aae9ae09c7c4e85dc63bf13d5baa561841e920a8250eca0ddfd60cb2191819
SHA512 5fbffecc3216dda120cf5764cc631d81eb9ec2412c083c6ee9aa6808edec6d3f6cdd5149ae21a2be1b47131779aab286cd20baf5c03d44a14663a045cf217583

memory/2420-505-0x0000000000300000-0x00000000007A9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences

MD5 1895e99abf6219b646bbda6dce383e2a
SHA1 af9ece3c4c90ce996eb6024878e250f443f9b0a7
SHA256 131742ccd960d04be1de4f33955969126b7c7c2895cd8125e7fc67d86ded028d
SHA512 3528d8158a1cb5b91d8619042ff94625f6fe3a106fd246b4c550b824a47e705658ce5f0919ecbc3ea271248c573fdca81969347dd26fb8c6a70bdff817de188f

memory/2420-523-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-542-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-543-0x0000000000300000-0x00000000007A9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

MD5 a9d7ff006938e617d72b5237c5e3cf18
SHA1 9de14a2b19341070aef255838ebefdd4fa2318ac
SHA256 f2bd9c1e9ceade2821e7a5fbfdccf910967be2ad67c8d90c91b50df824a1475d
SHA512 7aacbd0e92fe8c0e82010de6616b0102734785a7dae1c99fde34ea777dfcc11d3cefa591dde23e590fb3e81574258e6a03bbc0706d501a0ed82d9f0f2d7e2f66

memory/6096-555-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-556-0x0000000000300000-0x00000000007A9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State

MD5 d28670e68197f7b0908b404f03c1658f
SHA1 e475dd8b459692fba04dd527d6495822a78be23a
SHA256 99dcf1251432342fce75e8d07839f74fc0911f8e8606edcb6dcfbc51b9d52b5b
SHA512 997428d0c0411e02ba0af1e015f350abe07d7081bd065a53b60cffa3896a97d6ad48b5bf84efdd8ba6f54d204352f8b1f140234bbf5b4029ac04f222c03dbe97

memory/2420-584-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-585-0x0000000000300000-0x00000000007A9000-memory.dmp

memory/2420-596-0x0000000000300000-0x00000000007A9000-memory.dmp