Malware Analysis Report

2024-10-23 21:50

Sample ID: 240910-hss44s1ejk
Target: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b
SHA256: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b
Tags: amadey stealc c7817d rave discovery evasion persistence stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b

Threat Level: Known bad

The file 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave discovery evasion persistence stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Identifies Wine through registry keys

Loads dropped DLL

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-10 07:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-10 07:00

Reported

2024-09-10 07:02

Platform

win7-20240903-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\6ce1ebb464.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\6ce1ebb464.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\b6125cf398.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\b6125cf398.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\b6125cf398.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\1375b4cd3f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\6ce1ebb464.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\6ce1ebb464.exe N/A 63
(identical event rows collapsed; Count is the number of times the row appeared)

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\6ce1ebb464.exe N/A 64
(identical event rows collapsed; Count is the number of times the row appeared)

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1848 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe 4
PID 2924 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\1375b4cd3f.exe 4
PID 2924 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\b6125cf398.exe 4
PID 2924 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000036001\6ce1ebb464.exe 4
(identical event rows collapsed; Count is the number of times the row appeared)

Processes

C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe

"C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\1375b4cd3f.exe

"C:\Users\Admin\AppData\Roaming\1000026000\1375b4cd3f.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\b6125cf398.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\b6125cf398.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\6ce1ebb464.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\6ce1ebb464.exe"

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.103:80 185.215.113.103 tcp

Files

memory/1848-0-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/1848-1-0x00000000779D0000-0x00000000779D2000-memory.dmp

memory/1848-2-0x0000000000A11000-0x0000000000A3F000-memory.dmp

memory/1848-3-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/1848-4-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/1848-6-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/1848-5-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/1848-8-0x0000000000A10000-0x0000000000ECF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 82ddd34be23d13d4fe950d51df9f1a9a
SHA1 5518b021fa41c05fd6031ff377331c718c458ae3
SHA256 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b
SHA512 29d277a18ce99b8a80a1cfb9ea880c7d3c30a399fdd0c9af6249435231c26d85f5b7160154d2033539b68a601bc302463a9ce659504eda76c6371f97710608a1

memory/2924-20-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/1848-19-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/1848-18-0x00000000063E0000-0x000000000689F000-memory.dmp

memory/2924-21-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-22-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-25-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-24-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-26-0x0000000000A10000-0x0000000000ECF000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\1375b4cd3f.exe

MD5 f47cc7dc355ae01926f6065316c3bd68
SHA1 6b575930185f216e4fa5116fdcc8906eb9f53af9
SHA256 25741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794
SHA512 cf076a077130b8dd48f3e27a6aaba411a6c8833ab8b926c99fc3fb66130694db1ce668103c44aba6196705a9722b68da16287ea8a63ffed250bcf92bba68154e

memory/2288-61-0x0000000000400000-0x000000000247A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\6ce1ebb464.exe

MD5 38f98be80e6670f46efc8544d762cfd4
SHA1 fcad2e65d0977f0ab297049d5c9c32450b230d2a
SHA256 fb5cdb8d0f5558d5544c7722e616fbb498b501484f6ad0d1e2a2fe8118574996
SHA512 60a0c8f5516b41faa57ec4010eaed39a255ad2c96e58d7ae1273d3ef44196ea50b4f64c52e8301a95e45139ccd52bd9b52d177121ad1c77289bed89ac49c04cf

memory/2924-76-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-77-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/652-78-0x0000000000400000-0x000000000247A000-memory.dmp

memory/2924-79-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-80-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-81-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-82-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-83-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-84-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-85-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-86-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-87-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-88-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-89-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-90-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-91-0x0000000000A10000-0x0000000000ECF000-memory.dmp

memory/2924-92-0x0000000000A10000-0x0000000000ECF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-10 07:00

Reported

2024-09-10 07:02

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A 1
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A 3
(identical event rows collapsed; Count is the number of times the row appeared)

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target Count
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A 3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A 3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A 1
(identical event rows collapsed; Count is the number of times the row appeared)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target Count
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A 1
Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A 3
(identical event rows collapsed; Count is the number of times the row appeared)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6d2c111a89.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\6d2c111a89.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4f843eb5fb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\4f843eb5fb.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\377a4a0525.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\4f843eb5fb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133704252363135253" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{9ABC1BBF-C464-4A86-8C60-8D098D60F01D} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target Count
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 25
(identical event rows collapsed; Count is the number of times the row appeared)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4664 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1168 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\377a4a0525.exe
PID 1168 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\4f843eb5fb.exe
PID 1168 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe
PID 4568 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2780 wrote to memory of 3268 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2780 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe

"C:\Users\Admin\AppData\Local\Temp\454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\377a4a0525.exe

"C:\Users\Admin\AppData\Roaming\1000026000\377a4a0525.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\4f843eb5fb.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\4f843eb5fb.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffa1f0bd198,0x7ffa1f0bd1a4,0x7ffa1f0bd1b0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2336,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1784,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2356 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2212,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=2468 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3424,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3432,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4540,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4632 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4980,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4984,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5012 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5416,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4528,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5580,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5592 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5832,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5756,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5896,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6000 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5556,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4192,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6412,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=6664,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6764 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5836,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6940,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6992,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=7120,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7244 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=7136,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4156,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7524 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7736,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6648 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7840,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7848 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4400 -ip 4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=4552,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7788 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --field-trial-handle=5020,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5076 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7264,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7344 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7264,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=7344 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1420 -ip 1420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1012

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=5044,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=5048,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5244,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6964,i,4192024272246844945,638819890624638415,262144 --disable-features=TranslateUI --variations-seed-version --mojo-platform-channel-handle=6996 /prefetch:8

Network


Files

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 82ddd34be23d13d4fe950d51df9f1a9a
SHA1 5518b021fa41c05fd6031ff377331c718c458ae3
SHA256 454d2b2bfbe877dc3aa9f026b81a46cf9c4a9166ce8c1ecf562e93b765faf74b
SHA512 29d277a18ce99b8a80a1cfb9ea880c7d3c30a399fdd0c9af6249435231c26d85f5b7160154d2033539b68a601bc302463a9ce659504eda76c6371f97710608a1

C:\Users\Admin\AppData\Roaming\1000026000\377a4a0525.exe

MD5 f47cc7dc355ae01926f6065316c3bd68
SHA1 6b575930185f216e4fa5116fdcc8906eb9f53af9
SHA256 25741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794
SHA512 cf076a077130b8dd48f3e27a6aaba411a6c8833ab8b926c99fc3fb66130694db1ce668103c44aba6196705a9722b68da16287ea8a63ffed250bcf92bba68154e

C:\Users\Admin\AppData\Local\Temp\1000036001\6d2c111a89.exe

MD5 38f98be80e6670f46efc8544d762cfd4
SHA1 fcad2e65d0977f0ab297049d5c9c32450b230d2a
SHA256 fb5cdb8d0f5558d5544c7722e616fbb498b501484f6ad0d1e2a2fe8118574996
SHA512 60a0c8f5516b41faa57ec4010eaed39a255ad2c96e58d7ae1273d3ef44196ea50b4f64c52e8301a95e45139ccd52bd9b52d177121ad1c77289bed89ac49c04cf
