Malware Analysis Report

2024-10-23 21:50

Sample ID 240909-xphljawfpg
Target aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44
SHA256 aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44
Tags
amadey c7817d discovery evasion trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44

Threat Level: Known bad

The file aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44 was found to be: Known bad.

Malicious Activity Summary

amadey c7817d discovery evasion trojan persistence

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Adds Run key to start application

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies registry class

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-09 19:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-09 19:01

Reported

2024-09-09 19:04

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000033001\4e1a1b0c94.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 212 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 212 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 212 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3204 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000033001\4e1a1b0c94.exe
PID 3204 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000033001\4e1a1b0c94.exe
PID 3204 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000033001\4e1a1b0c94.exe
PID 4864 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\1000033001\4e1a1b0c94.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4864 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\1000033001\4e1a1b0c94.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 2784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 2784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 3712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 2920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 2920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 5100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 5100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 5100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 5100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 5100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 5100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 5100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 5100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 5100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 5100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 5100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3248 wrote to memory of 5100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe

"C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\1000033001\4e1a1b0c94.exe

"C:\Users\Admin\AppData\Local\Temp\1000033001\4e1a1b0c94.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe15646f8,0x7ffbe1564708,0x7ffbe1564718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2692007951905879230,5693407346330874088,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp

Files

memory/212-0-0x00000000009B0000-0x0000000000E76000-memory.dmp

memory/212-1-0x0000000077BC4000-0x0000000077BC6000-memory.dmp

memory/212-2-0x00000000009B1000-0x00000000009DF000-memory.dmp

memory/212-3-0x00000000009B0000-0x0000000000E76000-memory.dmp

memory/212-4-0x00000000009B0000-0x0000000000E76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 667ebda9be3da6ee8b9f1cc419d336ba
SHA1 fb42333e24aac8e4d2989950cae402d7960f69b1
SHA256 aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44
SHA512 aa83123064683405ba88663dc56ca3011961fff14acb9de47130099ceb98a060f74ce5e3fb8e73425bc6755e51c8cb488381640f4aeed13aaff7fb117921753c

memory/212-16-0x00000000009B0000-0x0000000000E76000-memory.dmp

memory/3204-17-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-20-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-19-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-21-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-22-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-23-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/4460-25-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/4460-26-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/4460-27-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/4460-29-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-30-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-31-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-32-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-33-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-34-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-35-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3480-37-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-38-0x00000000005E0000-0x0000000000AA6000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\daee0f5a75.exe

MD5 05896b9173ba7d70b5c76e9b32eff7ed
SHA1 8db04d03ca6fe3f374e4d03dc5ae5ec4fc7cec06
SHA256 b1dd9111721686ce097b06601dd5d07de00ec3327d67bb84f735fc065349442a
SHA512 7216dcd7b9f29249e98a98613901434f6f9d41620a1ddee9bc1b17f0e96c739c800a9e8782eeb884ff4842300e1b8e7a3548609359c165c43a893f46670ede25

memory/3204-53-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-54-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-55-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-56-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-57-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/1436-59-0x00000000005E0000-0x0000000000AA6000-memory.dmp

memory/3204-60-0x00000000005E0000-0x0000000000AA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000033001\4e1a1b0c94.exe

MD5 ea94163d40e5cb504778dc729ef519f1
SHA1 febde4e5f6373200e5daae74277adf576c76158a
SHA256 0c19bad7c0ab86a954f8d5cb8b0fc410bb8a792fa0a63140197db4f65e6af6c5
SHA512 46f2cdff5a9c72f18b268ed32f75e05d0262d1f12fcd155fef0e98ab9875dca752da4b1a58d66177c0daa8ed3b987da4c26be443391ac89b0e2f96d990891159

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 b5724059afdf989311e66c7d73cfcf03
SHA1 1b4f14863d585436d77cc6cc57d1aee6334d7e57
SHA256 5b8dd679f1fc08b2d25db0afc7745eed4e75bfb00156746369d69227e05535b2
SHA512 87db7ee3cb6789cb419fde65998a293059d656fbd0207db23dbd5ecc42a20f70d810e82d104b294071e246715b53159f8d971004db5a0fe621630a2783a5a848

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 20e073a3d4663b708ef62631b043010f
SHA1 d5585f23a1c1327728535ef3b072c600665b51bc
SHA256 6c1319d0f7edfeb2ba2f9a9dc60c0b9061524d811927161dfb96350ffae67318
SHA512 23373a01d5c5c3c9384bdad18f07fc1ab25ed07f3551668e2956ced3e20f444679cf0d2ba968a2627b42d542b8afe34cc6db24b4a6818d50fbbf1a146c5cf664

\??\pipe\LOCAL\crashpad_3248_FNRKZHNLXILZZDWR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 008d38c2eacc9b4f0e8d35f482581b56
SHA1 63feffc34d5e4b9959b6193ca8a6ab5e9c76cb70
SHA256 a073f441a11c2611a2931957bff925751f800eb357ed1fdf46e905594fa5a75d
SHA512 e1b6f0a2285eb95a4b9ac9034db66b75312b65b0be7850a6ffc8c01b3a6605f29a349d1a93379f228048b2e3d6a89d21cf36e44c40373a1f02a16df7d4f83a68

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\5d50c520-fc69-4329-917e-43d80ddb0c3b.tmp

MD5 6f80ec29edf127ff37ee7f78a1bb6b09
SHA1 5f6acbcaec76a861977a86cebcdaa61ddcaff368
SHA256 8ca2e43412f67c32f4d462df1ea0cf79d0f2af0c2eda19af1acf92b88ef202b3
SHA512 1b3abeb1442bfe448704e041c38449eb853ddb836702132734ef256550f14162fdff3f9497c8c4095aeb18d9f8ae5fc7072edd3c2d167506856ff27f38f54cf5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Microsoft Edge.lnk

MD5 ae5869682bbd3617f32931ef2035119d
SHA1 907b81e89600dc24bb8b73700a335883f7ebb17e
SHA256 f49e40c66869ad6c870a35016f1fde4e7ca55f3b583342a7d30f88c8a66464c9
SHA512 c9d9cb7dc126e365c5fd91f0c104ca3f07345d3548162f0748b9ab3bd8a7c8d723359217d82d04286ad2a1af5dc2a3bb771e40806ba532a99ed3d66848ac292a

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-09 19:01

Reported

2024-09-09 19:04

Platform

win11-20240802-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\295a9e1075.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\295a9e1075.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\295a9e1075.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\295a9e1075.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\295a9e1075.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\295a9e1075.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\295a9e1075.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000030001\295a9e1075.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000030001\295a9e1075.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe

"C:\Users\Admin\AppData\Local\Temp\aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\1000030001\295a9e1075.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\295a9e1075.exe"

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 185.215.113.103:80 185.215.113.103 tcp

Files

memory/3452-0-0x0000000000ED0000-0x0000000001396000-memory.dmp

memory/3452-1-0x0000000077156000-0x0000000077158000-memory.dmp

memory/3452-2-0x0000000000ED1000-0x0000000000EFF000-memory.dmp

memory/3452-3-0x0000000000ED0000-0x0000000001396000-memory.dmp

memory/3452-5-0x0000000000ED0000-0x0000000001396000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 667ebda9be3da6ee8b9f1cc419d336ba
SHA1 fb42333e24aac8e4d2989950cae402d7960f69b1
SHA256 aacd6fe72021f84220f48b9ea92cc41b6e7219e5edffe0e7329d7244c8d65f44
SHA512 aa83123064683405ba88663dc56ca3011961fff14acb9de47130099ceb98a060f74ce5e3fb8e73425bc6755e51c8cb488381640f4aeed13aaff7fb117921753c

memory/3528-17-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3452-16-0x0000000000ED0000-0x0000000001396000-memory.dmp

memory/3528-19-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-20-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-21-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-22-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-23-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-24-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/432-26-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/432-27-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/432-29-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-30-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-31-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-32-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-33-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-34-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-35-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3128-37-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-38-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-39-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-40-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-41-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/3528-42-0x0000000000B70000-0x0000000001036000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\c360b1a414.exe

MD5 989f3827314b02ff50fb99669751e3f3
SHA1 cbacdc6706b4e2bd385d656414f54f9c63324e02
SHA256 be4ed50898d50f6624be400235c8ce49c2d7024d605bea8022a6d8f8b01a5681
SHA512 7e158a0a839252b9d16519bc2c4ac49fb91ba188d01fc783e9db327fcde2155d9ac35777766d64733aa7767dee86f79edbb85915dd6a97224852f3248e6d1740

memory/3528-57-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/2912-59-0x0000000000B70000-0x0000000001036000-memory.dmp

memory/2912-74-0x0000000000B70000-0x0000000001036000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000030001\295a9e1075.exe

MD5 149b45108edafd5aeb601284e95bd25a
SHA1 5931cbd8c8c54eb6b37ce65a883197484bb3c7bd
SHA256 ba2e11ad994e6e1eacc5c1f73c069d76cd37e4e70edfa0335a40f203f0aa9aa4
SHA512 e54dde5ed774c40c8af8ead30225110b78c0e069e4f57a2ee81db53fa54ed124ab107047ce9e5851511e6a8a9e551fe698e575f335e1f7d60f1d7c49e4dabcd8

memory/3984-78-0x0000000000AB0000-0x0000000001143000-memory.dmp

memory/3528-79-0x0000000000B70000-0x0000000001036000-memory.dmp