Analysis
max time kernel: 149s
max time network: 145s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted: 10-09-2024 04:28
Static task: static1
Behavioral task: behavioral1
Sample: d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
Resource: win10v2004-20240802-en
General
Target: d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
Size: 1.8MB
MD5: 1f168ecf05a514a49417ac8cf81523f1
SHA1: 4675d4458cdd7b48bdeaaedb954e17b28afc5503
SHA256: d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469
SHA512: cec0800341c266fe8edfbae52b8f098f3e474ee4c2912f23abb08bf3184e5f70dc191cd0257e6356b5bf193b8da9140c9dc5286a6da32abb7b403f1e8cd59722
SSDEEP: 49152:HMUbhF5mBfInDR9Iz/ULx/NP3Thua3P9HtWksuQ:nhF5Kwn84LXP3FuaPHsu
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php
Extracted
Family: stealc
Botnet: rave
C2: http://185.215.113.103
url_path: /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious Access or copy of Web Browser Credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
Processes:
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  svoutse.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  HCFIIIJJKJ.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  svoutse.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  svoutse.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description  ioc  process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  svoutse.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  svoutse.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  svoutse.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  svoutse.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  HCFIIIJJKJ.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  svoutse.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  svoutse.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  HCFIIIJJKJ.exe
Executes dropped EXE (7 IoCs)
Processes:
  pid  process
  5072  svoutse.exe
  3184  1c2c86253d.exe
  6020  799de67533.exe
  2640  799de67533.exe
  3104  HCFIIIJJKJ.exe
  3668  svoutse.exe
  4548  svoutse.exe
Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine  svoutse.exe
  Key opened  \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine  svoutse.exe
  Key opened  \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine  d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
  Key opened  \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine  svoutse.exe
  Key opened  \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine  HCFIIIJJKJ.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid  process
  3184  1c2c86253d.exe
  3184  1c2c86253d.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description  ioc  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\799de67533.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\799de67533.exe"  svoutse.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\799de67533.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\799de67533.exe"  svoutse.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource  yara_rule
  C:\Users\Admin\AppData\Local\Temp\1000036001\799de67533.exe  autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes:
  pid  process
  5316  d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
  5072  svoutse.exe
  3104  HCFIIIJJKJ.exe
  3668  svoutse.exe
  4548  svoutse.exe
Drops file in Windows directory (1 IoCs)
Processes:
  description  ioc  process
  File created  C:\Windows\Tasks\svoutse.job  d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
Processes:
  pid  pid_target  process  target process
  908  3184  WerFault.exe  1c2c86253d.exe
  2412  6020  WerFault.exe  799de67533.exe
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  HCFIIIJJKJ.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svoutse.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1c2c86253d.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  799de67533.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  799de67533.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  1c2c86253d.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  1c2c86253d.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Modifies registry class (1 IoCs)
Processes:
  description  ioc  process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes:
  pid  process  (count)
  5316  d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe  (x2)
  5072  svoutse.exe  (x2)
  3184  1c2c86253d.exe  (x2)
  236  msedge.exe  (x2)
  840  msedge.exe  (x2)
  5796  msedge.exe  (x2)
  3184  1c2c86253d.exe  (x2)
  3104  HCFIIIJJKJ.exe  (x2)
  5564  identity_helper.exe  (x2)
  3668  svoutse.exe  (x2)
  4548  svoutse.exe  (x2)
  2744  msedge.exe  (x4)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid  process
  2640  799de67533.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
Processes:
  pid  process  (count)
  840  msedge.exe  (x8)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (in the order listed, with repeated rows collapsed into counts):
  pid  process  (count)
  5316  d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe  (x1)
  2640  799de67533.exe  (x2)
  840  msedge.exe  (x2)
  2640  799de67533.exe  (x1)
  840  msedge.exe  (x1)
  2640  799de67533.exe  (x57)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
  pid  process  (count)
  2640  799de67533.exe  (x64)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (in the order listed, with repeated rows collapsed into counts):
  description  pid  process  target process  (count)
  PID 5316 wrote to memory of 5072  5316  d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe  svoutse.exe  (x3)
  PID 5072 wrote to memory of 3184  5072  svoutse.exe  1c2c86253d.exe  (x3)
  PID 5072 wrote to memory of 6020  5072  svoutse.exe  799de67533.exe  (x3)
  PID 5072 wrote to memory of 2640  5072  svoutse.exe  799de67533.exe  (x3)
  PID 2640 wrote to memory of 840  2640  799de67533.exe  msedge.exe  (x2)
  PID 840 wrote to memory of 3512  840  msedge.exe  msedge.exe  (x2)
  PID 840 wrote to memory of 344  840  msedge.exe  msedge.exe  (x40)
  PID 840 wrote to memory of 236  840  msedge.exe  msedge.exe  (x2)
  PID 840 wrote to memory of 1392  840  msedge.exe  msedge.exe  (x6)
Processes (indented by depth in the process tree)
[depth 1] C:\Users\Admin\AppData\Local\Temp\d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 5316
  [depth 2] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 5072
    [depth 3] C:\Users\Admin\AppData\Roaming\1000026000\1c2c86253d.exe
      command line: "C:\Users\Admin\AppData\Roaming\1000026000\1c2c86253d.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      PID: 3184
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\HCFIIIJJKJ.exe"
        - System Location Discovery: System Language Discovery
        PID: 904
        [depth 5] C:\ProgramData\HCFIIIJJKJ.exe
          command line: "C:\ProgramData\HCFIIIJJKJ.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 3104
      [depth 4] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 2476
        - Program crash
        PID: 908
    [depth 3] C:\Users\Admin\AppData\Local\Temp\1000030001\799de67533.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\799de67533.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 6020
      [depth 4] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 1372
        - Program crash
        PID: 2412
    [depth 3] C:\Users\Admin\AppData\Local\Temp\1000036001\799de67533.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\799de67533.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 2640
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 840
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffacdde3cb8,0x7ffacdde3cc8,0x7ffacdde3cd8
          PID: 3512
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,18084521751948045021,17432991423383107856,131072 --disable-features=TranslateUI --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2072 /prefetch:2
          PID: 344
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,18084521751948045021,17432991423383107856,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
          PID: 236
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,18084521751948045021,17432991423383107856,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
          PID: 1392
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,18084521751948045021,17432991423383107856,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
          PID: 5488
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,18084521751948045021,17432991423383107856,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
          PID: 5220
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,18084521751948045021,17432991423383107856,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
          PID: 5284
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,18084521751948045021,17432991423383107856,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
          PID: 4788
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,18084521751948045021,17432991423383107856,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
          PID: 4840
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,18084521751948045021,17432991423383107856,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
          PID: 2340
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,18084521751948045021,17432991423383107856,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
          PID: 4836
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,18084521751948045021,17432991423383107856,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
          PID: 5516
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2052,18084521751948045021,17432991423383107856,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
          PID: 5796
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,18084521751948045021,17432991423383107856,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7516 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
          PID: 5564
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,18084521751948045021,17432991423383107856,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5792 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
          PID: 2744
[depth 1] C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5380
[depth 1] C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2376
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3184 -ip 3184
  PID: 2724
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6020 -ip 6020
  PID: 4924
[depth 1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 3668
[depth 1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 4548
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (4)
Downloads
Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\37c27ce7-6c9d-4e7a-a9d3-af7021913ff3.tmp
Filesize: 9KB
MD5: ccfbf2871f5a3334b7b8d4a366cb99ad
SHA1: cf72c1e6ba2038b48d0123f128dd935705944c45
SHA256: 366ebd29daa2bc43f76b624eba5796f9e45e67b5c1782983867380c4b1a37ac8
SHA512: 5d9d8274418a7beed23a60362efefc7f210f495cbc74412376e0102cf8c734a391e62bc8bb091bc02d7bfb25142eb1172e0e30d5f3561fc23a570d13c8ada97f

Filesize: 152B
MD5: a705a1b92501ecedd82f0c49df113cf7
SHA1: 396c951ef7df053970280a445521dafb81fbd4b4
SHA256: 6c4e071a48ef3601c7061de696799fc9c80a94f84fd141a6eaa72aba268543e9
SHA512: 8789a76679e56e35508b82936297172ac4245bd99afe0d1f81c5893061792b763ac8118ff045eb9ffd864d9c1455e095e41aad60e69cfb1b0850785350137dc9

Filesize: 152B
MD5: 4439872c001ba115c89adfae103bad2f
SHA1: 720a14a6a337b6a593e0496903dfdf3c8dc9453d
SHA256: 5f4e2568a19c4507d658414d2e54a0437d87bdfeee773666ad764f9b70c3c0d9
SHA512: 5bbe17484e6c0319075b00af9dcb45729ed51d9185de233150e05deebbd5b35073afbeb3c7577a84b80ea91b16a764e36f4951236aa7dc15b1c2e6fef3aabf49

Filesize: 152B
MD5: cbf4ec444abb49d24a2b52b6f2de52b1
SHA1: 8c619b12827b2219f6334da27c704201fb8ed402
SHA256: 05b94b01baa75828e05a714e53f4552f56a522026f4216f6fbd59497ea15baa9
SHA512: 8951d21c284113e92340508be2090d6f6d17d34886776167996c56abeb19f8cf911876c6f2aa42480314a25a14d0779f7b4a42efa8f1ec068537fae5f751500d

Filesize: 20B
MD5: 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1: e68e02453ce22736169a56fdb59043d33668368f
SHA256: 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512: 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index
Filesize: 48B
MD5: 4cf675c3567a619ee46d4bd4cfcc3913
SHA1: eb84ec9329d36f16a3c56d0067ca26d815a0a545
SHA256: f41d61c9e4b9e203bd4755e6e125056ad2ef0246381a6cf617183ced1dc5e2a4
SHA512: da4988a862b6a27a444dad79ef702ecc2a14905e031b6384a20ef95cc874bfd8bc5a23a397fbe07fd48ede58d4a5ed06aae63866a63764fa4b1aef47e01aad52

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index
Filesize: 336B
MD5: 807bbc6c543c31f1dd95f59c2dbaff0f
SHA1: 5832014d9db24f0e8d75985162337d682bd5a6dc
SHA256: 9eecd2aca86e1f4982caafc8cbdd73f7406d413c293e2be9cc7c7702f009ecd2
SHA512: 4d331088601f4eb6d1baab68b774dad4b656e80984d4756b466da5c91c14da3feb0716074441df332d02e54c1ded45e0161c84bca860dfe21f3d0e609888946f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Filesize: 1KB
MD5: 06c4765655ecf816e061f9e8816cabcc
SHA1: bfcdcafc1b01448a54c7e30d048c10aa3b28fd5e
SHA256: cc406674269d0c68ccd488f8110631caff8697bb86299004e0cf513b0e64e4ab
SHA512: e78b7dfc8b99eb1668558f045457ac0200e6c667601b8d5e60d59680106268dfa5a02998694669e14cc7d34781fefc8be57cf054bc1435febd7581736af2c5ce

Filesize: 1KB
MD5: c07747111e56e1b0d9764a0f0c6ac7c8
SHA1: 19114163be0d40f9e05b15e6a2b613ab0e79ea95
SHA256: dacd724d37a14658f3c350c873b9ac756023bd525d0c268a1d4c2c9b287a56c6
SHA512: d2774abb05c30e831822bc8334ca1ecb5cb6c52960e5df8c61bed88bc0c3a943722ddb77998af83a1d1bbf89873f312a5900c39d275bf48dbb5ca314b3d55b6c

Filesize: 1KB
MD5: da18c76cc7012f5b9376a73e46a48055
SHA1: 5d45a3caf12b0d2fe09bd4549ed86ffc32f1fd8c
SHA256: 8831f3aa506bbf24da1180b236c4466d8630808d07882feb123ed508eb278f22
SHA512: fde8adf30881eb65dc8b7fa7a0c6f69d322d2c1d5e6744c75d4fa8bde1ac6c8cc0c895745ad49fc6f4dad651ed481f203fbc0583e64c1c84bf4fa7b45b1c7a80
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
3KB
MD521ffdf330b78a757c572383271368c83
SHA103415cce1c1e71e63dbac98f15edbb1f9a55b94c
SHA25654e734d9aa08766452875c5ab5b145af5822042a1158f387feecf2b9aa5bfb58
SHA512d2901ad51c39409fadd52d3eb73d01503c79435e0829bafa982f2cbaf189115fff2403130022e5ca035a848d612bb1b1a5098ca5d04a4f277edea522df0bb8f0
-
Filesize
4KB
MD552dfc636163744e29639edb856a781cf
SHA17772955b5a6d5c417cee3da3037c7479086490dc
SHA256ac0ae93a3257ec9411b21ed1a94ed4f291a4ebb4df78e359be896d9328319037
SHA51208a0089ccbd18c7ad9c25c7b1c339474174365d22e154b83e9794650e19981e25002d48e512a200a18a4053237069fb9090c9395d47e640d8fd74824616cca27
-
Filesize
4KB
MD568633cebd56bdfbe15643988681a61cb
SHA1bfe204b93140aa8f2b51420184f3c888cb0130eb
SHA256e4ff2d010693398368ff9b866f9b7f8644f249d6332c819263f1ac30bfc1748c
SHA51290958ee462aede2975ae81e482fe246b74bd5a8b809871b8675fe2e665efef0503dcdaf86e997953088409936595623dac0e9bc6e737a34d70d4d2cd6fa5e402
-
Filesize
3KB
MD5ff30bd8de738947fe0c2d56d289394d2
SHA1f0675005e16d86f90f577ae8f6f87492b1318b10
SHA25670b8d231c4f6fd04ea95789664953e2fcc99f4e0be2d419002a952ad2db36e6a
SHA51280b60694e78fed420554ab2999177c54dc6594ac0d7c0db21d9400e83af1ce4316cea5e2d5017ee8a4196af355d4eec1a83372d5576a0da302d76b535135e68f
-
Filesize
26KB
MD51e225598c4523c41fec68c0dab8dda7d
SHA13aa0d6514592289cd27de52fc1a8f8ae12d141c6
SHA256ceb72eb509a2b4c76e964fef86de7dd693297092a4a57547c82ee8beafaff02b
SHA5125b0389b7ab65de3e024b03d4baf1a64f631a13af387b9beae1c551a4cca732a25f4953e3050491c8a4348d36702a6998c9df16050c87c1a944284d0236c715de
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe57e7fe.TMP
Filesize25KB
MD581d79714246643910418dfb00707ca1d
SHA1c2b8deb139b5a6cf5c45e17717c5fdb28f3cec00
SHA256a42e3b9dbda7f3f8efa2974489c59913aab3f039791568451b47367b9c344eef
SHA51278d08134a48a540cdfd2c8bf8eaacf4baee9a7143fa032da5551de46c7b9ed087056186c5192286cccc3af8b9be4f08555186e909032a5989cd5d1dfa467b29d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
Filesize8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
Filesize264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3
Filesize8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
203B
MD53f29779dcf9ebf4f62133a1016faf8cd
SHA1b0a7e23a18d4d281990bdce13a6b15f20276a84c
SHA256b5143db943ae71897957887d0617664f031041a5ed716ad4b1f5c81444e5f2c7
SHA512a143adfe8f9b894a4655ce4a422bc4cde8798bbebf7a6751705a4f1079f82872f7b7b71060208f39e531e2c8a638585536287638ef092cb5b9a28e65812f6aac
-
Filesize
203B
MD580799434d74754406e5bcd62f990cd9c
SHA142835cb46719e5c7e7dc8610302e3121a447e9d2
SHA2560b2c3048ed31bbe987b938832e7722c6e5b1830e7411555de1599adb4dac2b3d
SHA51273ec0b4d0c0f92710a7d95571b82c8625162593e711f2ef4e47538009ff2ddc566a13eb14d352f079f4250990f99b57b677bcd19fe2fec89168d43683b33a2f3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
Filesize16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
1.8MB
MD51f168ecf05a514a49417ac8cf81523f1
SHA14675d4458cdd7b48bdeaaedb954e17b28afc5503
SHA256d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469
SHA512cec0800341c266fe8edfbae52b8f098f3e474ee4c2912f23abb08bf3184e5f70dc191cd0257e6356b5bf193b8da9140c9dc5286a6da32abb7b403f1e8cd59722
-
Filesize
896KB
MD538f98be80e6670f46efc8544d762cfd4
SHA1fcad2e65d0977f0ab297049d5c9c32450b230d2a
SHA256fb5cdb8d0f5558d5544c7722e616fbb498b501484f6ad0d1e2a2fe8118574996
SHA51260a0c8f5516b41faa57ec4010eaed39a255ad2c96e58d7ae1273d3ef44196ea50b4f64c52e8301a95e45139ccd52bd9b52d177121ad1c77289bed89ac49c04cf
-
Filesize
389KB
MD5f47cc7dc355ae01926f6065316c3bd68
SHA16b575930185f216e4fa5116fdcc8906eb9f53af9
SHA25625741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794
SHA512cf076a077130b8dd48f3e27a6aaba411a6c8833ab8b926c99fc3fb66130694db1ce668103c44aba6196705a9722b68da16287ea8a63ffed250bcf92bba68154e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge (2).lnk
Filesize1KB
MD5df20964b2d9e0702d869cb832b658c53
SHA18bdf5ae70a48de095445b49072d2187865246c04
SHA256f7ae6042f558f05091c3e13e6d2c5c1a95deb4499994b6687968ae3f1b5f496a
SHA51201288dc917a8fe593c83fc656fc8ebf615e98afb7d275d834549f67c37d6ef1915571073124f0c9bb3a1e3c0de2e94b34f07efc6b4d4cb895c9eadb0e08a4d38
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L6XD8SGRMV6G7HGHA7RA.temp
Filesize3KB
MD5ece291a1faa584872fd7aeedc2ea7b69
SHA1c501f79cc15f6cd08f4c786270a14698b3c6d675
SHA25645cc7b06231a48d979788863153da0873774be2f593700c74a04ac9286b3d8a7
SHA51281c719c4c90e085a9ba446a8b15427f9ccbf0947c28d7ee49d214fbd08802a43dd85e903c3eb89089323e882171bc662f17b8984ce09cddcc2d91d3fa128e9a3
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e