Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system -
submitted
09/09/2024, 15:37
Static task
static1
Behavioral task
behavioral1
Sample
07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
Resource
win10v2004-20240802-en
General
-
Target
07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
-
Size
1.8MB
-
MD5
30ac84841a731fa47a3ce25033db8449
-
SHA1
7c2c107362576bd653e0dc6f96be4d7295d70889
-
SHA256
07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4
-
SHA512
d56c10c8af777e516ed343544c7b17eb5b1a9553c283da53728013adf1e5d572cf290be6502d25b42f8b617b36a754c39a320dfa4eb545e382de3689a3547e9f
-
SSDEEP
49152:g5kAmXhdOEgEjSVfpIfEA9fXK92mGWuYn7KU5:gW/sVsdWLnGU
Malware Config
Extracted
amadey
4.41
c7817d
http://31.41.244.10
-
install_dir
0e8d0864aa
-
install_file
svoutse.exe
-
strings_key
5481b88a6ef75bcf21333988a4e47048
-
url_paths
/Dem7kTu/index.php
Extracted
stealc
rave
http://185.215.113.103
-
url_path
/e2b1563c6670f193.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 65192f416f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | df653ec2bd.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | df653ec2bd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 65192f416f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 65192f416f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | df653ec2bd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
-
Executes dropped EXE 6 IoCs
pid | Process
1976 | svoutse.exe
2308 | 65192f416f.exe
3944 | df653ec2bd.exe
4720 | 1b138a876d.exe
3132 | svoutse.exe
4900 | svoutse.exe
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine | 65192f416f.exe
Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine | df653ec2bd.exe
Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine | svoutse.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\df653ec2bd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\df653ec2bd.exe" | svoutse.exe
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x0006000000025bc5-64.dat | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid | Process
1824 | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
1976 | svoutse.exe
2308 | 65192f416f.exe
3944 | df653ec2bd.exe
3132 | svoutse.exe
4900 | svoutse.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\svoutse.job | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 65192f416f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | df653ec2bd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1b138a876d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
1824 | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
1824 | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
1976 | svoutse.exe
1976 | svoutse.exe
2308 | 65192f416f.exe
2308 | 65192f416f.exe
3944 | df653ec2bd.exe
3944 | df653ec2bd.exe
1948 | msedge.exe
1948 | msedge.exe
4232 | msedge.exe
4232 | msedge.exe
2380 | msedge.exe
2380 | msedge.exe
3856 | identity_helper.exe
3856 | identity_helper.exe
3132 | svoutse.exe
3132 | svoutse.exe
4900 | svoutse.exe
4900 | svoutse.exe
3484 | msedge.exe
3484 | msedge.exe
3484 | msedge.exe
3484 | msedge.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4720 | 1b138a876d.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4720 1b138a876d.exe 4720 1b138a876d.exe 4232 msedge.exe 4232 msedge.exe 4720 1b138a876d.exe 4232 msedge.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe 4720 1b138a876d.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1824 wrote to memory of 1976 | 1824 | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe | 81
PID 1824 wrote to memory of 1976 | 1824 | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe | 81
PID 1824 wrote to memory of 1976 | 1824 | 07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe | 81
PID 1976 wrote to memory of 2308 | 1976 | svoutse.exe | 82
PID 1976 wrote to memory of 2308 | 1976 | svoutse.exe | 82
PID 1976 wrote to memory of 2308 | 1976 | svoutse.exe | 82
PID 1976 wrote to memory of 3944 | 1976 | svoutse.exe | 83
PID 1976 wrote to memory of 3944 | 1976 | svoutse.exe | 83
PID 1976 wrote to memory of 3944 | 1976 | svoutse.exe | 83
PID 1976 wrote to memory of 4720 | 1976 | svoutse.exe | 84
PID 1976 wrote to memory of 4720 | 1976 | svoutse.exe | 84
PID 1976 wrote to memory of 4720 | 1976 | svoutse.exe | 84
PID 4720 wrote to memory of 4232 | 4720 | 1b138a876d.exe | 85
PID 4720 wrote to memory of 4232 | 4720 | 1b138a876d.exe | 85
PID 4232 wrote to memory of 2760 | 4232 | msedge.exe | 86
PID 4232 wrote to memory of 2760 | 4232 | msedge.exe | 86
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 4952 | 4232 | msedge.exe | 87
PID 4232 wrote to memory of 1948 | 4232 | msedge.exe | 88
PID 4232 wrote to memory of 1948 | 4232 | msedge.exe | 88
PID 4232 wrote to memory of 2104 | 4232 | msedge.exe | 89
PID 4232 wrote to memory of 2104 | 4232 | msedge.exe | 89
PID 4232 wrote to memory of 2104 | 4232 | msedge.exe | 89
PID 4232 wrote to memory of 2104 | 4232 | msedge.exe | 89
PID 4232 wrote to memory of 2104 | 4232 | msedge.exe | 89
PID 4232 wrote to memory of 2104 | 4232 | msedge.exe | 89
Processes
-
(level 1) C:\Users\Admin\AppData\Local\Temp\07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1824 -
(level 2) C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976 -
(level 3) C:\Users\Admin\AppData\Roaming\1000026000\65192f416f.exe
  Command line: "C:\Users\Admin\AppData\Roaming\1000026000\65192f416f.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2308
-
-
(level 3) C:\Users\Admin\AppData\Local\Temp\1000030001\df653ec2bd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\df653ec2bd.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3944
-
-
(level 3) C:\Users\Admin\AppData\Local\Temp\1000033001\1b138a876d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000033001\1b138a876d.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4720 -
(level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4232 -
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe178c3cb8,0x7ffe178c3cc8,0x7ffe178c3cd8
PID:2760
-
-
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,9690956006253067385,15657046595924859457,131072 --disable-features=TranslateUI --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1784 /prefetch:2
PID:4952
-
-
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,9690956006253067385,15657046595924859457,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID:1948
-
-
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,9690956006253067385,15657046595924859457,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
PID:2104
-
-
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9690956006253067385,15657046595924859457,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
PID:3564
-
-
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9690956006253067385,15657046595924859457,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
PID:3608
-
-
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9690956006253067385,15657046595924859457,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
PID:872
-
-
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9690956006253067385,15657046595924859457,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
PID:2500
-
-
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9690956006253067385,15657046595924859457,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
PID:4108
-
-
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9690956006253067385,15657046595924859457,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
PID:3376
-
-
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9690956006253067385,15657046595924859457,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
PID:1084
-
-
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9690956006253067385,15657046595924859457,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
PID:4208
-
-
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,9690956006253067385,15657046595924859457,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:2380
-
-
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1720,9690956006253067385,15657046595924859457,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7540 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:3856
-
-
(level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,9690956006253067385,15657046595924859457,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4896 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID:3484
-
-
-
-
-
(level 1) C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:1508
-
(level 1) C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:1296
-
(level 1) C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3132
-
(level 1) C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4900
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
152B
MD5 e8b8372959ee1f46be404badbdd0b21c
SHA1 830c17fdc7782a5dd6b5982dbbadf153b58147b8
SHA256 043798539667c427ad9eaa9420c299cecb3549cf8316d8bc9b9bd68f24c425c9
SHA512 0d270585f309d26c5f8570af60558e002e58794ee48c01228b370714f49e5073525c8edf42c05e52213cb889801916b13f61843e63c059a2cfad81c74d1ac394
-
Filesize
152B
MD5 f44ef8a0a14e479c483151a02fbf4305
SHA1 6901158841c8ede3f0be616470c42a120418ad6d
SHA256 ce80f4d9b834b8e4275229a6d22485552921c933d810e8350f5796d5886c17d5
SHA512 1da387a1f4ae8205d92c03771fe97010ff7dedca1751758c201480eacd1e883f126758a9eaa780ac045310664ef16092c363283d3b7bf3a51df0ed4738502f87
-
Filesize
152B
MD5 ac43ce448c62affea5b48fefba4b6b76
SHA1 27684d10c56036269073228edd0057284ea0273e
SHA256 dd482010f2a2a842cd6712baa54217d328cf7244a4ba76b8690e78c06f836096
SHA512 89932e2e5e347922044d7efedfa59fe392f290d8957e982bc3d13881c199db8ba4f77d270f1909ebf6643914a0e1993039a106e4e3b1c5914f6fbf4e8b3a8c5b
-
Filesize
20B
MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index
Filesize 48B
MD5 5f12e0fc50e25a9aa4b4eecc870ee589
SHA1 9f3a973493a7d06796df336758e3888c48d662b3
SHA256 ecb13a0da044bde01cdf6a8a4b226b3454fb006f04d3d3a9c7b07d76da082714
SHA512 868c946ab6d8ced866f8634758c998f392f9b0230e32eb4608adc7403b8eeddec982454906366d078628f501e5b18fde7e7618deb308b498fedbe14d06985deb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index
Filesize 336B
MD5 6df0add7d189a15c2bed935b3574d897
SHA1 c5f740105ecf031241a14de89dfa8b409d9dc34c
SHA256 4bd1c2e8f0967a7199232f6a425104c0e1716434beb292bcfbd0da7b7d9ee6be
SHA512 5afdde9f827a2785fdd76aed737f246a483fa8020a4eddf5994d90f55dac722ab73025569b3004afcc898e155354eb6a8271be063b3e79bc86c32743c700a88d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
1KB
MD5 018a798e7329abc4e3fb437f3fe70012
SHA1 5c9d248a42155bd034636e2d1e7080e41b6a82a1
SHA256 da3e4d2985ee53ee6594c7e2d51ea07ff475bc1970efc13918e2eb54815de18e
SHA512 73d252212a716c17537ff011efa7d3b28b123e9b3bff486322422a2c0d615bf0b9d64c14245501e75fce16c1a85047763ffb7d22521bc48ee8a44b08f404296e
-
Filesize
1KB
MD5 70688a06dfea99b74d708111529f19e5
SHA1 5f9b229bbaf235c899119af736d896828fe4c723
SHA256 b7ceb0b80d071714f47e4185f5e117da50c0bef4747e9072ccd3b0ec4149cfae
SHA512 3b5bcf1a6f3bad4fb1ffcd834c47df70305a3f9d62cc7fe36260d6907adb765bc683e6d85f80749b91149b3f814da9d222c6dd5b084a266db74c7cc3480ae9bc
-
Filesize
59B
MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
1KB
MD5 17670e0f0edc686a8e12b532293a283c
SHA1 8ebbb3934bec4f8df1df9cd30bee855cf3578596
SHA256 97af10bd68fa6c4daa31e329ba1f9d96af2ef7a77adc5d89d26aab95e802d069
SHA512 ee91f1544f09b5f7735945a3d4e90765caa5e626366befa092ca4578284e066ecd8f04f4921403e5dfa9143f736830254b590ae6b8b56b1168009e52cdb4320d
-
Filesize
3KB
MD5 0d4eed8ff522313bba84bacb40543ef3
SHA1 ba7ab1cde0696211f40e3dd5423f5cee82858523
SHA256 95305c39f875e21b91262a0f5d82d87ac4cf1ee24621b3887fff655b33dea22c
SHA512 779ffeb005dbc00cf2010f16935d71b2c1d9de741f0c0505c37f8a955ad07d4d676307d227d47ba7cffcc55260b3359d241d078e0f9f30a93d3e0387b6c90b31
-
Filesize
4KB
MD5 03290140c1566b27fb5f747872f37a9e
SHA1 be9aba6943d119850f0c7742037cee8dd2be3fc0
SHA256 117429d927c2988291d01ee30c1315671b35025617b93889613931a28cc765b1
SHA512 45e4a16a2b2566d7e423e485fb087fc371d879d34a4df7061178a8bf8664fcc1bd8ee591001269a00bd3d2d93c854da32889ca6ed7069537389e5383a59517c2
-
Filesize
4KB
MD5 c48e18d0a7f7757a65b1cd0a498a4db6
SHA1 37972600b1b675831ac899fbb44c39b19e729446
SHA256 961190b4e2f87fab699a524d3fee5aafebbfd6b61861714f0fcb55484d5a4626
SHA512 5e44dd44d2faea70e8c038522b54e962a68ded2e8f07ba9925317f1905ef22d2a5df8613e6a3dc47b14eb61bc04fe4006e0f3c55d92949ddfb973790354d9aa4
-
Filesize
3KB
MD5 c3c67486273cc86ff3e61c30cda52e08
SHA1 47aa15d741371465b73f34b7ae4c9c2dc9abc484
SHA256 71ce95fbe36bd1eff7613a89218b80c1990ef672e3819e914bd3d7a754a05665
SHA512 152c2ffd46a3c31a2b17dcff02e2879ffea670da8c9ec5aa714312b4a3451fee389a96dfc250658901f6c0f04230cdba6c12c2d2c9e81f6f22cedff5b7a45416
-
Filesize
26KB
MD5 b4d2a7099eb0fd172c0389b541a2304f
SHA1 b9289f63196716ea01836cb1cafc779fd1f21129
SHA256 c13d9bdad4fa26e13624c48580df2d0c5e98c08557bdaea8884c2637cd425b5f
SHA512 e5b967faa5cd2eefba2fcc4d240301e31df0bddcbde8b6f21111f277c69ca18ae09d06093ee0c9a4b8411d0460743fd45060e1b79dc661adc9568a63f19c1b91
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe57d61c.TMP
Filesize 25KB
MD5 0ca4c1959da7dcce92254406bace6a9e
SHA1 2049693596073ea7396f92f47c1df26cfd9475a4
SHA256 e71a4a511d6c332603402d5b0b2a2a24742bdc0ce6d8e5cb5d2fcf67999cac05
SHA512 81ccdd44636d467d38cebb0ac0bb5a22f1d5dec0939d9e378bd5aa2af79e9b1ffe27aa59e0172f2f81857cff5a3d0d832422fb9d9ace8ae09ddc9a65b73c829c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
Filesize 8KB
MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
Filesize264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
203B
MD5d06dcce8f8eda337f0b220866552e9b8
SHA122b2e5e5ec97542584135e90dc9a1d4017ca702b
SHA2566a64efa63b2d8257238c03ef14aa89d1f8416cfaeeb95d41b8fd3b8423d29d43
SHA512629cf77e31df9dc47971288d176a8aff5a34ab3b900db03b34c33b4ec00288c3b35f05b243483256914117408d3ef70fed8ab4b150393b3015549daae9b5a9bf
-
Filesize
203B
MD5bc6b4013d28765b3c335098fef6c2d54
SHA1142d744d4863a716b9ab9691d4d797c6262cc43a
SHA25663499112407c9dfe4942911ae3832b7b6750fc8bd9fc779378808d85c68816b6
SHA5122cb105c801613699b58e3c7d339c18aa65e8f31567696eaae75fb11c117efb798a3341f1d6a9f89531287255bcbe64e93a48f652aa1dbc43783e8fc94b1af7bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
Filesize16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
4.0MB
MD5a2314684f81e4f9e40c3889289c0689b
SHA17e2557b6a514170bb5f390b8224a45b8cd2d6104
SHA2565c790b8978f28f055e0cef032354ee6742c745d132737217fb2f110648393ee3
SHA5121962f0815fcfe751b7abb1012ae9c04ab03b0800e7b21cdabb935fe2f7d9d4e06071a2ed9195b12d21ca8c528019ea989b501aa881ee9c795e032069d6236c64
-
Filesize
9KB
MD555ac5dde42dd6502f830e15772de1dca
SHA150a7a8a0f1d7673b38242e373f105d6d6c009a06
SHA2563ada0f3a7704f195bc691bb342dd8ec8271ea68ad306f84d20d3806da53d3395
SHA512eb2b618dffba1c7009c27dd18a4ebb52bb314d74afd4cf69b632292cd08ff2236b020ba205d1fee4a617876162b362ab4a84c3b919f6778d71d07f8d30c35bb5
-
Filesize
9KB
MD5d27541f0cc872d5c41eecc0af8f59bfa
SHA171ff9806bf32faba2805d39ed3f2b2f711c0167b
SHA25647b7f7f79016e154681562ae5bc2f01f31b135fcb2abd43d179caeaf66bc3b32
SHA5128484c6570e1964aa7a65aa52c6914429f9772199efcceb9f82dfe02fa314d94b72d11d0be3e90d22f6b3bdbb4047f982addacac69054b55baf26bb0c72194e3d
-
Filesize
1.8MB
MD530ac84841a731fa47a3ce25033db8449
SHA17c2c107362576bd653e0dc6f96be4d7295d70889
SHA25607669de4a752e210ee8066a04305d250ba526ff3581b5e3361f30821548dacb4
SHA512d56c10c8af777e516ed343544c7b17eb5b1a9553c283da53728013adf1e5d572cf290be6502d25b42f8b617b36a754c39a320dfa4eb545e382de3689a3547e9f
-
Filesize
896KB
MD52801358ac519754c48b748365a57fdc0
SHA1c8e7b39b9172409eabcabe54b2a224d1a24e328a
SHA256563f6936421d587af73cab59d466deb7bfe961fd7bb119b3366f20bb5be45915
SHA5122b21599bd4d9035e3b2c367342c824c52133c28e0b4103ce1bd5933bc15b6380d56a694fa97fad973fe2b8a37115b3cbb9ab4a5c13fabd76a6c750e97d04c2db
-
Filesize
1.7MB
MD5110750350e3f833d4de59ed0c7dd1b08
SHA1ff21c68dad2c4733ced39aabd130e0406a56ed58
SHA256d89f747d96c84dcd1a704731dd4261f6eb69f1498a05cae00a4635169ce5ec20
SHA512df963df25b627e0aa446c0170acbfd3589d0b243eae8c34d84cd77940ee1d58b90f4a4739c10053eedd3dc1036a20aaf8cf202c8ed991b487712137ec0d52493
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge (2).lnk
Filesize1KB
MD5b0478dba1f18578e00c963d0a9479ff1
SHA1aa6e7e2f9921467dafe5b1f916bb8e403b6f9adf
SHA25686446373d6ed0833990c272e5114a82cfc4426064e49865d7add36481b276fc1
SHA5127765aac630eb0196b7cf7c1c21a10449e30cd22578e9970c831af96470435e7aa2ffa5a78bccf0d585a7d566de4ffb1f561f724e71efedeb69db50f8a504d1e6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD542ad838c24e0869dfe0c26a57895abcd
SHA16f4ce4f799184bf663bfdde35355eb118d831a84
SHA256342e01575f14c8bef3b15c36eddc69a19715e1cae3e1d9c88cb65c739e4630b5
SHA512e4ee9cadc950db7c150dc76d0720377dfa3f0fa1e17764355c9de749803d1c492c565fa84bc4e8973dea6aa909ac492c12a269695b3103f907ff18f259f49301