Malware Analysis Report

2024-10-23 21:51

Sample ID 240910-g1pwzs1fkh
Target 13a7ce03877b76aeae5920065b34a7ec.bin
SHA256 ae2f93fb4ce90502ca8be0d3433d7df5cf2430f78ff214661a35a09f6ae818de
Tags
stealc rave discovery evasion stealer amadey c7817d credential_access persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ae2f93fb4ce90502ca8be0d3433d7df5cf2430f78ff214661a35a09f6ae818de

Threat Level: Known bad

The file 13a7ce03877b76aeae5920065b34a7ec.bin was found to be: Known bad.

Malicious Activity Summary

stealc rave discovery evasion stealer amadey c7817d credential_access persistence spyware trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Reads data files stored by FTP clients

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Identifies Wine through registry keys

Unsecured Credentials: Credentials In Files

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Enumerates physical storage devices

Enumerates system info in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-10 06:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-10 06:16

Reported

2024-09-10 06:19

Platform

win7-20240903-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe"

Signatures

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A

Identifies Wine through registry keys

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe

"C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe"

Network

Country | Destination | Domain | Proto
RU | 185.215.113.103:80 | 185.215.113.103 | tcp

Files

memory/1620-0-0x0000000000F50000-0x00000000015DA000-memory.dmp

memory/1620-1-0x0000000077A90000-0x0000000077A92000-memory.dmp

memory/1620-2-0x0000000000F51000-0x0000000000F65000-memory.dmp

memory/1620-3-0x0000000000F50000-0x00000000015DA000-memory.dmp

memory/1620-4-0x0000000000F50000-0x00000000015DA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-10 06:16

Reported

2024-09-10 06:19

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\HIDHDAAEHI.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\HIDHDAAEHI.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\HIDHDAAEHI.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\ProgramData\HIDHDAAEHI.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Identifies Wine through registry keys

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | C:\ProgramData\HIDHDAAEHI.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\264c3cc630.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\264c3cc630.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4464686541.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\4464686541.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Checks installed software on the system

discovery

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\svoutse.job | C:\ProgramData\HIDHDAAEHI.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000030001\264c3cc630.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\HIDHDAAEHI.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\1000026000\cb360b9376.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A
N/A | N/A | C:\ProgramData\HIDHDAAEHI.exe | N/A
N/A | N/A | C:\ProgramData\HIDHDAAEHI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1072 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\HIDHDAAEHI.exe
PID 1868 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\HIDHDAAEHI.exe
PID 1868 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\HIDHDAAEHI.exe
PID 4176 wrote to memory of 4944 N/A C:\ProgramData\HIDHDAAEHI.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4176 wrote to memory of 4944 N/A C:\ProgramData\HIDHDAAEHI.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4176 wrote to memory of 4944 N/A C:\ProgramData\HIDHDAAEHI.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4944 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\cb360b9376.exe
PID 4944 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\cb360b9376.exe
PID 4944 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\cb360b9376.exe
PID 4944 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\264c3cc630.exe
PID 4944 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\264c3cc630.exe
PID 4944 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\264c3cc630.exe
PID 4944 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe
PID 4944 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe
PID 4944 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe
PID 5072 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5072 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1672 wrote to memory of 4696 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1672 wrote to memory of 4696 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1672 wrote to memory of 3632 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1672 wrote to memory of 4432 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe

"C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\HIDHDAAEHI.exe"

C:\ProgramData\HIDHDAAEHI.exe

"C:\ProgramData\HIDHDAAEHI.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\cb360b9376.exe

"C:\Users\Admin\AppData\Roaming\1000026000\cb360b9376.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\264c3cc630.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\264c3cc630.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1356 -ip 1356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1304

C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa499546f8,0x7ffa49954708,0x7ffa49954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8164 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,9002361230200373499,1283283609248343930,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7556 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/1072-0-0x00000000009D0000-0x000000000105A000-memory.dmp

memory/1072-1-0x0000000077014000-0x0000000077016000-memory.dmp

memory/1072-2-0x00000000009D1000-0x00000000009E5000-memory.dmp

memory/1072-3-0x00000000009D0000-0x000000000105A000-memory.dmp

memory/1072-5-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1072-55-0x00000000009D0000-0x000000000105A000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1072-77-0x00000000009D0000-0x000000000105A000-memory.dmp

memory/1072-78-0x00000000009D0000-0x000000000105A000-memory.dmp

C:\ProgramData\HIDHDAAEHI.exe

MD5 1f168ecf05a514a49417ac8cf81523f1
SHA1 4675d4458cdd7b48bdeaaedb954e17b28afc5503
SHA256 d9f19676c6839d369a7f3c5650df9f7555c81cde3a594e64f991fdfb11597469
SHA512 cec0800341c266fe8edfbae52b8f098f3e474ee4c2912f23abb08bf3184e5f70dc191cd0257e6356b5bf193b8da9140c9dc5286a6da32abb7b403f1e8cd59722

memory/4176-84-0x0000000000BD0000-0x0000000001060000-memory.dmp

memory/1072-88-0x00000000009D0000-0x000000000105A000-memory.dmp

memory/4176-89-0x0000000000BD0000-0x0000000001060000-memory.dmp

memory/4176-87-0x0000000000BD1000-0x0000000000BFF000-memory.dmp

memory/4176-91-0x0000000000BD0000-0x0000000001060000-memory.dmp

memory/4176-103-0x0000000000BD0000-0x0000000001060000-memory.dmp

memory/4944-104-0x0000000000090000-0x0000000000520000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\cb360b9376.exe

MD5 f47cc7dc355ae01926f6065316c3bd68
SHA1 6b575930185f216e4fa5116fdcc8906eb9f53af9
SHA256 25741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794
SHA512 cf076a077130b8dd48f3e27a6aaba411a6c8833ab8b926c99fc3fb66130694db1ce668103c44aba6196705a9722b68da16287ea8a63ffed250bcf92bba68154e

memory/4628-137-0x0000000000400000-0x000000000247A000-memory.dmp

memory/4944-138-0x0000000000090000-0x0000000000520000-memory.dmp

memory/1356-139-0x0000000000400000-0x000000000247A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\4464686541.exe

MD5 38f98be80e6670f46efc8544d762cfd4
SHA1 fcad2e65d0977f0ab297049d5c9c32450b230d2a
SHA256 fb5cdb8d0f5558d5544c7722e616fbb498b501484f6ad0d1e2a2fe8118574996
SHA512 60a0c8f5516b41faa57ec4010eaed39a255ad2c96e58d7ae1273d3ef44196ea50b4f64c52e8301a95e45139ccd52bd9b52d177121ad1c77289bed89ac49c04cf

memory/4032-159-0x0000000000090000-0x0000000000520000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 55667d9b15a3dc87c3b4128c4063ffda
SHA1 acde26fe63a3e6284a8b683acbdece0c6d1d8458
SHA256 980c9b7edbb313c75a7c6283644262fbc0d9288f2e508e3e502270e7b65a2bed
SHA512 2a6cd78410c994471b0a98b2bad95e385f2f3c6d9cc54122426c13c05ed903bb05a7b63da308f96fdd22f667c86b60c268ce04baa7aa2de4f3d672007f17d73e

memory/4032-173-0x0000000000090000-0x0000000000520000-memory.dmp

\??\pipe\LOCAL\crashpad_1672_UVNCRRNEGHIYTEKZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 f38bf577ebbf03540e1665564ec217ee
SHA1 914f3dbb336dfdd62f7508ebc78c4fea591e081d
SHA256 d79a22b8f5ca4a35159f281eb031d23774d80ba71e7dae5bdc76e5476b5d8820
SHA512 4585f8a4b2174087469fa1595d3111ff7ee49459bb7ca76008281da605576e6992bea280e80e8e7d19d8c2b10b5f4698c32dc013cb3ae98022978f2f1344f447

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\temp-index

MD5 bcbd53cb82f7b17357bc5a71b167d17e
SHA1 a7ad2fbb25c6a2be9fbef18abeb676669d59796e
SHA256 8c4b32c2386fb130ae125e40cea6de0f287b211a98d781584d0caf85f6ca4f2c
SHA512 a1b2a85a4de4a0b6277dc4aa27a36b7d58883ed352630592ffa20d443a068968b9c2bc0238514a9de1bf05c94987262274b6802aef770fc57aaec58065247ee3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

MD5 8cc6840cfa12b6b760f440aa28975b3c
SHA1 69450aec21fcdda7c29dd3a458ca657e145adf77
SHA256 8204c0780ebf3986fd327a2c49584812ed2d430e9950dc4e621a7be9571241a5
SHA512 0a60a356056767f97821c82d828a815292a894662e64a28647aa9880ded796f7770480709afd9dd67e4530b14cae1b6ef4d4c98bcf98b70bee6ba65fced28f10

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RFe57f491.TMP

MD5 540805d13e116ffcded0ee0c2f0d396b
SHA1 b10f839bda807e82ddee565dc8a1d01dc35f08ac
SHA256 f8cb9e2d4157e817dc6761a81a0d79df18ac24c90caba4173c28fc81cbc654bb
SHA512 9922e381146eb00bab564e0f510986fa1324ae64e74b2e5daa4601579f6464cdb50b4c75d069ea541dddca485eb0bfeaa38ceb0ac19e4cc5b6c3a32c82f314ba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Microsoft Edge.lnk

MD5 6262f60b222e12efba697da5e081aefe
SHA1 2dde5f0d11cdd739e3a0daef9807ee6001751e08
SHA256 e47f33b686ccb326b4f04a73e51e1e25755fafea48a27610fca59bdde78ac645
SHA512 aa24420c6dc6aaeb9a50b1d0b4c112894b128dff3c6337f27c16a58e8b3d9733164961c35c731e4d1465c467673acea91a04d4e417f156c819cc5c496fde3562

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XS0XG1C1AD3MZSP288GS.temp

MD5 3ca00a115ba973004ed6fe586127a9a3
SHA1 dbcc7a43fb0a6910f97cff1181717f2b648539ac
SHA256 c49f1056283bcee031b72e9ccf6ff9c9f70eabd7a9398447d62ac2b0491ecf31
SHA512 9041276b596200ec068b735aed51f0b39c9ad40dabaaeaeab2544999ba36c151c688fc036ec5bb17e48251b2de2d0628702f2524a61d6985e977e3fcc0fe1c6a

memory/4944-348-0x0000000000090000-0x0000000000520000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

MD5 7ab4d1f2f43e280ea5ec3d797aa684ca
SHA1 aa8d1b9c5a2c8468ba041af73c7e55df8ca98b20
SHA256 9d8f81eeb66a33e68d76b3293283b8dcf3ef16376eea73db9eb1a76e8717073a
SHA512 6732d990b2dcfb957a7990b6fb078b9ea746729a5ed3e225a63b6732a182cfbf3510112ba34c5aa59f450265679bedae9debb445f11a1867f1c7174df24b7b21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences

MD5 e45cbc63bd6a8212b4f0044dd6b0f10b
SHA1 35c6c97af7d46f30fbf55feaa297507f537696da
SHA256 103487b36f6f1267405ed7bf38b3854da939c932a17938394c4b77320086c064
SHA512 e14536c0b81a953ea8c090a3628be020d7738ebda24b49ee6966361c160bf5cea7286325ad40a9831913dfd4fe79354efc4a76fdab4cecb4c68efcbd7c720af1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe581e03.TMP

MD5 7ca0ff70821e564c2ed47e13146f451b
SHA1 824fc115137e953cc6b2192e141c78549a5d68fe
SHA256 cf09279c2497b64ec3987e9f7c0c2e8017dd8e73a4963449b0964316ed0f18a6
SHA512 4ad53895f8e1d4b778d17dd94e266a6ac95a000d24f92508a5cab3a3a0d91ae5cb3806cf65bf9cd356029191ddc03d5ea16a72d9fafc9a730ef4e23c4ea99c93

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

memory/4944-425-0x0000000000090000-0x0000000000520000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\c115530c-0441-4edf-82ee-03f66d1f2f0e.tmp

MD5 b45e584d0cf0deddb8c78045043cc9da
SHA1 604a4bfa76ec2105a2dd40720112f0a2a314765d
SHA256 25d853ad131d29d1b14b3eac0a7e0948c1d3f47616a8578dd5a09c0ce2cd56f6
SHA512 4ae42b05dc6555441dc06d72274050b976746aedabe12903286d8c11d1ea3389aa6e3d35438b2df564511032166a10edc11fa8405b063a7b06266467308a606f

memory/4944-444-0x0000000000090000-0x0000000000520000-memory.dmp

memory/4944-445-0x0000000000090000-0x0000000000520000-memory.dmp

memory/4944-446-0x0000000000090000-0x0000000000520000-memory.dmp

memory/4944-456-0x0000000000090000-0x0000000000520000-memory.dmp

memory/4032-458-0x0000000000090000-0x0000000000520000-memory.dmp

memory/4032-461-0x0000000000090000-0x0000000000520000-memory.dmp

memory/4944-469-0x0000000000090000-0x0000000000520000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

MD5 167afc3f406ccb8e4669ea84dc72a59f
SHA1 032999e0af63a9ef5bbc12579d4465ea54b229af
SHA256 b7e8dc888832b5ea28e579dce72b5c0d9d724de916264dbfc1fc500dcc8995d1
SHA512 cdb524e4f91797e868d96d23c367b063367238df81fdcc4e381abb0644a03eba00c5d44770031f0da59374f5415ea403ad2990aa3d71291c41d3ae318ecc2435

memory/4944-488-0x0000000000090000-0x0000000000520000-memory.dmp

memory/4944-489-0x0000000000090000-0x0000000000520000-memory.dmp

memory/4944-490-0x0000000000090000-0x0000000000520000-memory.dmp

memory/4944-491-0x0000000000090000-0x0000000000520000-memory.dmp

memory/4944-492-0x0000000000090000-0x0000000000520000-memory.dmp

memory/3540-494-0x0000000000090000-0x0000000000520000-memory.dmp