Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-09-2024 07:00

General

  • Target

    454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe

  • Size

    1.8MB

  • MD5

    82ddd34be23d13d4fe950d51df9f1a9a

  • SHA1

    5518b021fa41c05fd6031ff377331c718c458ae3

  • SHA256

    454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b

  • SHA512

    29d277a18ce99b8a80a1cfb9ea880c7d3c30a399fdd0c9af6249435231c26d85f5b7160154d2033539b68a601bc302463a9ce659504eda76c6371f97710608a1

  • SSDEEP

    49152:WX+klqZySQ0gltPWH21lgbBteJWvd/zDcl2d+jE6d:ClqYkgltg21l4OJWl/zDq2dbE

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

c7817d

C2

http://31.41.244.10

Attributes
  • install_dir

    0e8d0864aa

  • install_file

    svoutse.exe

  • strings_key

    5481b88a6ef75bcf21333988a4e47048

  • url_paths

    /Dem7kTu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

rave

C2

http://185.215.113.103

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe
    "C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Users\Admin\AppData\Roaming\1000026000\377a4a0525.exe
        "C:\Users\Admin\AppData\Roaming\1000026000\377a4a0525.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4400
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1304
          4⤵
          • Program crash
          PID:5396
      • C:\Users\Admin\AppData\Local\Temp\1000030001\4f843eb5fb.exe
        "C:\Users\Admin\AppData\Local\Temp\1000030001\4f843eb5fb.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1420
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1012
          4⤵
          • Program crash
          PID:6296
      • C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe
        "C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4568
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          4⤵
          • Enumerates system info in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffa1f0bd198,0x7ffa1f0bd1a4,0x7ffa1f0bd1b0
            5⤵
            PID:3268
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2336,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:2
            5⤵
            PID:1636
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1784,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2356 /prefetch:3
            5⤵
            PID:5108
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2212,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2468 /prefetch:8
            5⤵
            PID:828
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3424,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:1
            5⤵
            PID:4536
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3432,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:1
            5⤵
            PID:1048
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4540,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4564 /prefetch:1
            5⤵
            PID:5436
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4632 /prefetch:2
            5⤵
            PID:5444
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4980,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:1
            5⤵
            PID:5492
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4984,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5012 /prefetch:2
            5⤵
            PID:5540
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5416,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:2
            5⤵
            PID:5592
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4528,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5564 /prefetch:1
            5⤵
            PID:5604
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5580,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5592 /prefetch:2
            5⤵
            PID:5636
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5832,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:1
            5⤵
            PID:5652
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5756,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:1
            5⤵
            PID:5660
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5896,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6000 /prefetch:2
            5⤵
            PID:5668
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5556,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:1
            5⤵
            PID:5684
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4192,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:2
            5⤵
            PID:5700
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6412,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5900 /prefetch:1
            5⤵
            PID:5724
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=6664,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6764 /prefetch:2
            5⤵
            PID:5740
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5836,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6948 /prefetch:1
            5⤵
            PID:5768
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6940,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5404 /prefetch:1
            5⤵
            PID:5776
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6992,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:1
            5⤵
            PID:5784
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=7120,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7244 /prefetch:2
            5⤵
            PID:5792
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=7136,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6960 /prefetch:1
            5⤵
            PID:5800
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4156,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7524 /prefetch:2
            5⤵
            PID:5808
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7736,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6648 /prefetch:1
            5⤵
            PID:5816
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7840,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7848 /prefetch:1
            5⤵
            PID:5824
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=4552,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7788 /prefetch:1
            5⤵
            PID:5832
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --field-trial-handle=5020,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5076 /prefetch:8
            5⤵
            PID:5624
          • C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7264,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7344 /prefetch:8
            5⤵
            PID:5568
          • C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7264,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7344 /prefetch:8
            5⤵
            PID:5996
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=5044,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:8
            5⤵
            PID:6288
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=5048,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:8
            5⤵
            PID:6276
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5244,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:8
            5⤵
            PID:3992
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6964,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6996 /prefetch:8
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:6792
                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4400 -ip 4400
                                                                          1⤵
                                                                            PID:5720
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
                                                                            1⤵
                                                                              PID:5612
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1420 -ip 1420
                                                                              1⤵
                                                                                PID:6272
                                                                              • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                                                                                1⤵
                                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                • Checks BIOS information in registry
                                                                                • Executes dropped EXE
                                                                                • Identifies Wine through registry keys
                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                PID:7160
                                                                              • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                                                                                1⤵
                                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                • Checks BIOS information in registry
                                                                                • Executes dropped EXE
                                                                                • Identifies Wine through registry keys
                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                PID:5548

Network

MITRE ATT&CK Enterprise v15

Downloads

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

                                                                                Filesize

                                                                                280B

                                                                                MD5

                                                                                139819725ce469afe3e83cbc3b47dfa7

                                                                                SHA1

                                                                                17b43c9717be9ec49c78bd029b34f841b99ae4f3

                                                                                SHA256

                                                                                deb59c40cbbbe8c86f0d81a259ad3876ea61cd4634aa65f8fb09af2110abe015

                                                                                SHA512

                                                                                cb5edde7d378997b6f248363743c027e9d08726a14a717a3fa23d7ace7b14e2b386e9ef221fbd3939d4c1f4b8d1294eef4b04c755700fb8f0080b58a0890176f

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

                                                                                Filesize

                                                                                280B

                                                                                MD5

                                                                                c3b9bc8aa208260a01ec20c23baaff6d

                                                                                SHA1

                                                                                9c3c2c01f758bd63f27b0474716f9b3343ac9a21

                                                                                SHA256

                                                                                7e06ca53f4654b5f862d0da54035b540119e330a0d9a80bc7e591b1f96eb086e

                                                                                SHA512

                                                                                1460c6a8c810178e75a39b76f7a5f8e992bbb43c3fe047b598651ae9d2edf74bc9dbeecf884f357cccebb7ab3032c010af3129366b8081a799bf0630d7008fba

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

                                                                                Filesize

                                                                                20B

                                                                                MD5

                                                                                9e4e94633b73f4a7680240a0ffd6cd2c

                                                                                SHA1

                                                                                e68e02453ce22736169a56fdb59043d33668368f

                                                                                SHA256

                                                                                41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

                                                                                SHA512

                                                                                193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\42b74d03-bf70-41d9-b43d-8e2e6cddf2ea.tmp

                                                                                Filesize

                                                                                6KB

                                                                                MD5

                                                                                4babe1c084fe4977f98ca322fb9bc0b9

                                                                                SHA1

                                                                                ca0a06c63302ecc21ce9c2a7159dd437c1833eb3

                                                                                SHA256

                                                                                84d47426c101e717dc8f2c794654da61f5185cc9b44d412a50cc8d146e3d27f1

                                                                                SHA512

                                                                                b6ac063d79d56fd6891a58b5d550047d898f2ca0e414dff5c47cd2eea4696feb02a6d20894598fc0b207ef4763b1a4f690bb5e0cf1d397333f13403baef2b8ee

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index

                                                                                Filesize

                                                                                408B

                                                                                MD5

                                                                                f0ace2f9c70cd5ab9a9478ba98535474

                                                                                SHA1

                                                                                a21993fa0cafa6aedb79b74d33f3700aef7cc745

                                                                                SHA256

                                                                                e8d1863e17b073f523aee22748717058c8055217132f55d8fd36858dd36d5d24

                                                                                SHA512

                                                                                fa561809772d6501458a775d74fbc164e335acd2efc8c1ff478b0b52eb97a05c77611e7ce6ca5a3e490fe8a277b90fc50481b596abf8e61b2d56124188593a25

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index~RFe58cafc.TMP

                                                                                Filesize

                                                                                48B

                                                                                MD5

                                                                                49498679d3c577908b943e6c7b63c467

                                                                                SHA1

                                                                                d823bb2047ea75c4ed186bc9ce75a019a898314b

                                                                                SHA256

                                                                                91039832cc0c4997c3f50ed1c886876c4f7c8983c19889181ef0ca39a749d39c

                                                                                SHA512

                                                                                a0b1cee30bc0815319b1bf4ba4c158f03cab0ac626a442a8a7cbb7178a00d98712b90afaffc821f1893b409ed44cf240554cc8a315b450bc8b1a1559d3091071

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnWebGPUCache\data_0

                                                                                Filesize

                                                                                8KB

                                                                                MD5

                                                                                cf89d16bb9107c631daabf0c0ee58efb

                                                                                SHA1

                                                                                3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

                                                                                SHA256

                                                                                d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

                                                                                SHA512

                                                                                8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnWebGPUCache\data_1

                                                                                Filesize

                                                                                264KB

                                                                                MD5

                                                                                d0d388f3865d0523e451d6ba0be34cc4

                                                                                SHA1

                                                                                8571c6a52aacc2747c048e3419e5657b74612995

                                                                                SHA256

                                                                                902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

                                                                                SHA512

                                                                                376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnWebGPUCache\data_2

                                                                                Filesize

                                                                                8KB

                                                                                MD5

                                                                                0962291d6d367570bee5454721c17e11

                                                                                SHA1

                                                                                59d10a893ef321a706a9255176761366115bedcb

                                                                                SHA256

                                                                                ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

                                                                                SHA512

                                                                                f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnWebGPUCache\data_3

                                                                                Filesize

                                                                                8KB

                                                                                MD5

                                                                                41876349cb12d6db992f1309f22df3f0

                                                                                SHA1

                                                                                5cf26b3420fc0302cd0a71e8d029739b8765be27

                                                                                SHA256

                                                                                e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

                                                                                SHA512

                                                                                e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\MANIFEST-000001

                                                                                Filesize

                                                                                41B

                                                                                MD5

                                                                                5af87dfd673ba2115e2fcf5cfdb727ab

                                                                                SHA1

                                                                                d5b5bbf396dc291274584ef71f444f420b6056f1

                                                                                SHA256

                                                                                f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                                                                SHA512

                                                                                de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State

                                                                                Filesize

                                                                                627B

                                                                                MD5

                                                                                d980ec948de88e3f920acd801d9c6b92

                                                                                SHA1

                                                                                b6faf07e5a47714eb66a134ab649300818258e3c

                                                                                SHA256

                                                                                71b94d6420ffea71b01255dcce1672cdb01eb63ed2695dbcd880076a03fc37e7

                                                                                SHA512

                                                                                b6d7683d90a14dff280a7789681c486dbfba9a0313aadd8ec6b965e062af2ef7a0470fb8732e8014ef821e69953adfe69ca6dd2940f0b294492d39b12e7c8338

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State

                                                                                Filesize

                                                                                59B

                                                                                MD5

                                                                                2800881c775077e1c4b6e06bf4676de4

                                                                                SHA1

                                                                                2873631068c8b3b9495638c865915be822442c8b

                                                                                SHA256

                                                                                226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

                                                                                SHA512

                                                                                e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports

                                                                                Filesize

                                                                                2B

                                                                                MD5

                                                                                d751713988987e9331980363e24189ce

                                                                                SHA1

                                                                                97d170e1550eee4afc0af065b78cda302a97674c

                                                                                SHA256

                                                                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                                SHA512

                                                                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

                                                                                Filesize

                                                                                7KB

                                                                                MD5

                                                                                a79b0e2e6eedbe7c4c4a3a85d34d02dc

                                                                                SHA1

                                                                                fe937e15a2b20ec706d81e3a9691c0ebd445bc25

                                                                                SHA256

                                                                                d50eeecc88b1bc8e67714b83207728e3542b71003f62de3adc70dd2d1acd498b

                                                                                SHA512

                                                                                b3ddc9a4f38715ed47a697801e47623d3c0620ffbf31cf6ade42acf1ac8e676a1feb1e7a2d27460f8238eff2921b1e4a469d556a829979569eed5ca4ac3f6ae3

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT

                                                                                Filesize

                                                                                16B

                                                                                MD5

                                                                                46295cac801e5d4857d09837238a6394

                                                                                SHA1

                                                                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                                SHA256

                                                                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                                SHA512

                                                                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index

                                                                                Filesize

                                                                                24B

                                                                                MD5

                                                                                54cb446f628b2ea4a5bce5769910512e

                                                                                SHA1

                                                                                c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

                                                                                SHA256

                                                                                fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

                                                                                SHA512

                                                                                8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index

                                                                                Filesize

                                                                                48B

                                                                                MD5

                                                                                8a4d0d26ee4fdaa347fa72bc766b72dc

                                                                                SHA1

                                                                                e4a586e3f909c79da6b9b24e162e29ba7db50f98

                                                                                SHA256

                                                                                5a25e96f6d278c672ac5c52736cdb92fb9bf3fdc00e13cf120043ea5f502e303

                                                                                SHA512

                                                                                d32f24b71d0ff5c01eec3aa1cff0b8db1a4d8058c6b447572743fd599ca8bc37b7b5b429abda2bb212179a4359168cf3e54d78b16b63d7b83bd1cfdd68bbdd34

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index

                                                                                Filesize

                                                                                72B

                                                                                MD5

                                                                                4896bed5a4c678225139f734f1aa4412

                                                                                SHA1

                                                                                df166e1874e91b6c79921ee63be8de73b64277d8

                                                                                SHA256

                                                                                ea489c9b0fb81133541e82130f8ed1e1d1833f5e5a9063512c392102815afcbe

                                                                                SHA512

                                                                                2efe167e8fd432a615ba6f0f2d715c79e5b61da90c7ee8e6242d6a40c89d193496abbf5db8f7b839d37982dd7c359c949896ea18b88df5850895e36ad10bca8b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\a9d85a6f-22c4-4c3c-be48-2df282854858.tmp
  Filesize  23KB
  MD5       1a5e0af4b0a05afbe05b62015ef6d8a7
  SHA1      658b3a9a6f9bc367a852d648c5cc2c76a898e893
  SHA256    fd0b3588bac327069bc9a58b30b146cd8f372ae69cd92f715ca74edd2a7486fd
  SHA512    7700cc9bfdeb200b8ec6e65b73528db8c955b12ccd9218f56226c02678dd9acc85406e5730782e96db8e2ec055d2f7ac8ff431c82283039f9e08dbf933806889

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State
  Filesize  1KB
  MD5       cb396f33a772cc93aed8b9bf680c5295
  SHA1      c75f698064647e6ab566d1da4f1e766ee022bd39
  SHA256    2a1d4d7222c08e757f09d03edad647e0ee4936c11e977b4447cec7870c0ed6d1
  SHA512    0a6d8e55feb2e44963446ce7bd34915b11f7fd2263e9975d01836aed75cb5e5ea9e63a13a60e260ee0dc561a261de90a8d769da6a2bb5ef288adabb848a69cac

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State
  Filesize  3KB
  MD5       ff564cc6f27f65afa4066544430cc7e1
  SHA1      aa4a2f889d669c38b7a5a614411d1c0f324a9ca9
  SHA256    ccb7011aecfbbfcf26fe228426a504b7efaae9422fe92ee03fc57b5354253f81
  SHA512    2ac205a1df6421c1dc1081c3513e5e126291ed42a031b39008d9f2a8d535cd345d4a1e996687a1cdfd41397b13c81f41f7b83e4c8410aff2e18d08a9b2eabb8f

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State
  Filesize  4KB
  MD5       e5e5204ed08fdc172bda33b98d548272
  SHA1      bf126e3321cd3eb490a4485eb7f462a833f29637
  SHA256    861f1b57a8b74451dbcc7d6cbf95bccc2a0f476b6a7ace5b1d5a4cb4883d51d8
  SHA512    9fae3f9c9a44bc0d091ce7ea304fb64c392bc968981fbb5afeea4166774f1dbd0a3e0cad23cab7a8195adef697b7ca686eb4102e778894a7efc0da2d934a844b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State
  Filesize  23KB
  MD5       1ec6ab731c09be09ca7aec3f5d6dfe72
  SHA1      9913bacb265af3a5fd6d38e8b05d2ff5127ee750
  SHA256    1db9b9b728e41d5dd384c5c1956cf4c3ae5e3891f5a7b27cbb9443e72f1fea0d
  SHA512    61444d3a9bbbb88bdcf4d464b62b93e3a181d38c2847c505f37b83041bcf1c73045cbc88d8b53a1f20356526877d4bff09e113d7c7be96463d317b576740296e

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State
  Filesize  27KB
  MD5       792e70385bbfd78b8050bfe4b4b2a99f
  SHA1      ccde2eeea4e7f22d785196f4f42d20c3c3c04376
  SHA256    33550373a56be0ee0d3a1cc20a1f61b211d69ddfd5dff017616878b509f774a2
  SHA512    11bd4c558e337c75ca0a9c98e8b76fc1357e923ec46f044da0b856f3555b7bb92e2aff568b02bcd9286755eef4a18db61bc55a903bc047c85a96384efa3ead5d

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RFe587886.TMP
  Filesize  1KB
  MD5       62ef1daa264b69b41dd7bf17deeeae3b
  SHA1      5fdba40fda661723ffca72b0ef6384814fb75182
  SHA256    18acef6ffac71883800641213515e31ad9527be0fc9f44852b2f1863f554c43e
  SHA512    ed9ca4ae9e3f3e30d69963b2d2e27eb20aa0b32aca1524f4cad40ee9d3bdbb8d25edd42aa30c82e6a6e76a0b9cf75cfd3559180cc1aa692ecfb6f2161c7beea0

• C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Filesize  1.8MB
  MD5       82ddd34be23d13d4fe950d51df9f1a9a
  SHA1      5518b021fa41c05fd6031ff377331c718c458ae3
  SHA256    454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b
  SHA512    29d277a18ce99b8a80a1cfb9ea880c7d3c30a399fdd0c9af6249435231c26d85f5b7160154d2033539b68a601bc302463a9ce659504eda76c6371f97710608a1

• C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe
  Filesize  896KB
  MD5       38f98be80e6670f46efc8544d762cfd4
  SHA1      fcad2e65d0977f0ab297049d5c9c32450b230d2a
  SHA256    fb5cdb8d0f5558d5544c7722e616fbb498b501484f6ad0d1e2a2fe8118574996
  SHA512    60a0c8f5516b41faa57ec4010eaed39a255ad2c96e58d7ae1273d3ef44196ea50b4f64c52e8301a95e45139ccd52bd9b52d177121ad1c77289bed89ac49c04cf

• C:\Users\Admin\AppData\Roaming\1000026000\377a4a0525.exe
  Filesize  389KB
  MD5       f47cc7dc355ae01926f6065316c3bd68
  SHA1      6b575930185f216e4fa5116fdcc8906eb9f53af9
  SHA256    25741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794
  SHA512    cf076a077130b8dd48f3e27a6aaba411a6c8833ab8b926c99fc3fb66130694db1ce668103c44aba6196705a9722b68da16287ea8a63ffed250bcf92bba68154e

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
  Filesize  3KB
  MD5       0ce629508117d3448c3eea10b1fda819
  SHA1      a703d6766e9b79c24d301c589de3a9e54af18bd3
  SHA256    8cac2042947a06a2f348f31db79817e811f175f184a93777e09e1ad11f1ea8ab
  SHA512    f51b39720c672601ec39caf5c4e79aee152104cc58b7673ddfeea006bd6bb55b9f4e895e81eebddfe2dc213715fa3c2039668ab04f2147c651c898316f4a4d82

• \??\pipe\crashpad_2780_WAVHWDASNZJRUCPQ
  MD5       d41d8cd98f00b204e9800998ecf8427e
  SHA1      da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/1168-319-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-536-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-617-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-347-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-598-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-279-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-377-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-22-0x0000000000BD0000-0x000000000108F000-memory.dmp     Filesize  4.7MB
• memory/1168-21-0x0000000000BD0000-0x000000000108F000-memory.dmp     Filesize  4.7MB
• memory/1168-20-0x0000000000BD0000-0x000000000108F000-memory.dmp     Filesize  4.7MB
• memory/1168-19-0x0000000000BD1000-0x0000000000BFF000-memory.dmp     Filesize  184KB
• memory/1168-593-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-497-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-16-0x0000000000BD0000-0x000000000108F000-memory.dmp     Filesize  4.7MB
• memory/1168-592-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-591-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-517-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-577-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-537-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-576-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1168-548-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/1420-349-0x0000000000400000-0x000000000247A000-memory.dmp    Filesize  32.5MB
• memory/4400-314-0x0000000000400000-0x000000000247A000-memory.dmp    Filesize  32.5MB
• memory/4664-3-0x00000000002C0000-0x000000000077F000-memory.dmp      Filesize  4.7MB
• memory/4664-2-0x00000000002C1000-0x00000000002EF000-memory.dmp      Filesize  184KB
• memory/4664-4-0x00000000002C0000-0x000000000077F000-memory.dmp      Filesize  4.7MB
• memory/4664-0-0x00000000002C0000-0x000000000077F000-memory.dmp      Filesize  4.7MB
• memory/4664-18-0x00000000002C0000-0x000000000077F000-memory.dmp     Filesize  4.7MB
• memory/4664-1-0x0000000076FC4000-0x0000000076FC6000-memory.dmp      Filesize  8KB
• memory/5548-579-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/5548-580-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/7160-509-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
• memory/7160-508-0x0000000000BD0000-0x000000000108F000-memory.dmp    Filesize  4.7MB
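The listing above is the raw material for a hash sweep, but it needs two kinds of filtering before the digests become indicators. The crashpad pipe entry (`\??\pipe\crashpad_2780_...`) carries the MD5/SHA1/SHA256/SHA512 of zero-length input, so it would match every empty file on a host; and the `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries are process memory regions, not dropped files, so their useful content is the address range rather than a hash. The following is an added example, not part of the sandbox report or of any vendor tooling: it parses the report's flattened path / label / value layout into records, builds an IOC hash set from the on-disk dropped files only (the `svoutse.exe`, `6d2c111a89.exe` and `377a4a0525.exe` payloads and the browser profile files), decodes the memory-dump names, and sweeps a directory for hash matches. The report excerpt embedded in the block is constructed from the entries above, and the file written by `demo()` is a constructed stand-in whose own digest is registered, since the real binaries are not available.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Digests of zero-length input. The report's crashpad pipe entry carries exactly
# these; they identify no content and must never be used as indicators.
EMPTY_DIGESTS = {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")  # memory/<pid>-<seq>-<start>-<end>
# Constructed excerpt of the report, in its flattened path / label / value layout.
SAMPLE_REPORT = r"""
• C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Filesize
  1.8MB
  SHA256
  454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b
• \??\pipe\crashpad_2780_WAVHWDASNZJRUCPQ
  MD5
  d41d8cd98f00b204e9800998ecf8427e
• memory/1168-319-0x0000000000BD0000-0x000000000108F000-memory.dmp
  Filesize
  4.7MB
"""


@dataclass
class Artifact:
    path: str
    filesize: str = ""
    hashes: dict = field(default_factory=dict)

    def is_file(self):  # named pipes and memory regions are not on-disk files to hunt by hash
        return not (self.path.startswith("\\??\\pipe\\") or self.path.startswith("memory/"))


def parse_report(text):
    """A bullet opens a record; the non-blank lines after it alternate label, value."""
    records, label = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("•"):
            records.append(Artifact(path=line[1:].strip()))
            label = None
        elif label is None:
            label = line.lower()
        else:
            if records and label == "filesize":
                records[-1].filesize = line
            elif records and label in HASH_LEN and len(line) == HASH_LEN[label]:
                records[-1].hashes[label] = line.lower()  # malformed digests are dropped
            label = None
    return records


def ioc_hashes(records):
    iocs = {algo: set() for algo in HASH_LEN}
    for rec in records:
        if rec.is_file():
            for algo, digest in rec.hashes.items():
                if digest != EMPTY_DIGESTS[algo]:  # an empty-input digest matches every 0-byte file
                    iocs[algo].add(digest)
    return iocs


def memory_region(name):
    m = MEM_RE.match(name)
    if not m:
        return None
    return {"pid": int(m[1]), "seq": int(m[2]), "size": int(m[4], 16) - int(m[3], 16)}


def hash_file(path):
    with open(path, "rb") as fh:
        data = fh.read()
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_LEN}


def sweep(root, iocs):
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digests = hash_file(full)
            except OSError:
                continue  # unreadable, or gone between listing and hashing
            hits.extend((full, algo, d) for algo, d in digests.items() if d in iocs[algo])
    return hits


def demo():
    iocs = ioc_hashes(parse_report(SAMPLE_REPORT))
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "svoutse.exe")
        with open(planted, "wb") as fh:  # constructed stand-in; the real payload is not available
            fh.write(b"MZ constructed stand-in for the dropped payload\n")
        iocs["sha256"].add(hash_file(planted)["sha256"])  # so register the stand-in's own digest
        hits = sweep(tmp, iocs)
    return [(os.path.basename(p), algo) for p, algo, _ in hits]
```

Feeding the full listing to `parse_report` instead of the excerpt yields every dropped-file digest as a hunting set, while `memory_region` recovers that the `1168` dumps cover a 0x4BF000-byte region (the report's 4.7MB), which is the size to carve when pulling the unpacked payload from a live process rather than from disk.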