Malware Analysis Report

2024-10-19 09:07

Sample ID 240912-b3wjnavbmr
Target 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
SHA256 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
Tags
amadey stealc c7817d rave discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a

Threat Level: Known bad

The file 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave discovery evasion persistence stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Identifies Wine through registry keys

Executes dropped EXE

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-12 01:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-12 01:40

Reported

2024-09-12 01:43

Platform

win7-20240903-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\8cb3f97d28.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\075a7c4892.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\8cb3f97d28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\8cb3f97d28.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\075a7c4892.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\075a7c4892.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\8cb3f97d28.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\075a7c4892.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\075a7c4892.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\075a7c4892.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\d725f2ec79.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000040001\\d725f2ec79.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
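The two persistence mechanisms in the tables above (Run values written by svoutse.exe, and the legacy Task Scheduler .job file written by the original sample) are what an analyst would score first when deciding whether this host needs containment. The following Python is an added example, not code from the sandbox or from this report: it parses indicator rows in the report's own row format and scores them with heuristics chosen for this page (user-writable target directory, ten-hex-character file name, numeric task directory, .job file created from a Temp binary). The input rows are constructed from the behavioral1 tables, plus one benign OneDrive control row invented here to show what does not fire; the severity thresholds are an assumption.

```python
"""Persistence triage for the Run-key and Tasks-folder rows above.

Added example, not part of the sandbox report: it scores "Set value" and
"File created" indicator rows the way an analyst would when deciding whether
an autorun entry deserves an alert. The input rows are constructed from the
behavioral1 tables, plus one benign control row written for this example.
"""
import re
from dataclasses import dataclass, field

# Locations an unprivileged user can write to. An autorun entry pointing here
# is a weak signal alone and a strong one combined with the other checks.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
TASKS_DIR = "c:\\windows\\tasks\\"

RUN_ROW = re.compile(r'^Set value \(str\) (?P<key>\S+) = "(?P<target>[^"]*)" (?P<process>\S+) \S+$')
FILE_ROW = re.compile(r"^File created (?P<path>\S+) (?P<process>\S+) \S+$")


@dataclass
class Finding:
    process: str
    artifact: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Three independent signals is our (assumed) threshold for "high".
        return "high" if len(self.reasons) >= 3 else ("medium" if self.reasons else "low")


def _norm(p: str) -> str:
    """Lower-case and collapse the doubled backslashes the sandbox prints inside values."""
    return p.replace("\\\\", "\\").lower()


def _leaf(p: str) -> str:
    return p.rsplit("\\", 1)[-1]


def assess_run_value(key: str, target: str, process: str) -> Finding:
    k, t, proc = _norm(key), _norm(target), _norm(process)
    f = Finding(process, key)
    if RUN_KEY not in k:
        return f
    if any(d in t for d in USER_WRITABLE):
        f.reasons.append("autorun target lives in a user-writable directory")
    if any(d in proc for d in USER_WRITABLE):
        f.reasons.append("written by a process that itself runs from a user-writable directory")
    name = _leaf(t)
    if re.fullmatch(r"[0-9a-f]{10}\.exe", name):
        f.reasons.append("target filename is ten hex characters, i.e. generated")
    if _leaf(k) == name:
        f.reasons.append("value name equals the target filename")
    if re.search(r"\\1\d{9}\\", t):
        f.reasons.append("target sits in a numeric task directory such as 1000030001")
    return f


def assess_file_created(path: str, process: str, dropped: set) -> Finding:
    """Flag legacy Task Scheduler .job files; modern tasks are XML under System32\\Tasks."""
    p, proc = _norm(path), _norm(process)
    f = Finding(process, path)
    if p.startswith(TASKS_DIR) and p.endswith(".job"):
        f.reasons.append("legacy .job task file created in C:\\Windows\\Tasks")
        if any(d in proc for d in USER_WRITABLE):
            f.reasons.append("created by a process running from a user-writable directory")
        if _leaf(p)[:-4] in {n[:-4] for n in dropped if n.endswith(".exe")}:
            f.reasons.append("task name matches a dropped executable")
    return f


DROPPED = {"svoutse.exe", "8cb3f97d28.exe", "075a7c4892.exe", "d725f2ec79.exe"}  # from the Processes list

SID = "S-1-5-21-1488793075-819845221-1497111674-1000"
ROWS = [  # constructed from the report's tables; the last row is a benign control row
    rf'Set value (str) \REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\075a7c4892.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\075a7c4892.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A',
    rf'Set value (str) \REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\d725f2ec79.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000040001\\d725f2ec79.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A',
    r"File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A",
    rf'Set value (str) \REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background" C:\Windows\explorer.exe N/A',
]


def triage(rows):
    """Score every recognised row; unrecognised rows are skipped."""
    findings = []
    for row in rows:
        if m := RUN_ROW.match(row):
            findings.append(assess_run_value(m["key"], m["target"], m["process"]))
        elif m := FILE_ROW.match(row):
            findings.append(assess_file_created(m["path"], m["process"], DROPPED))
    return findings


if __name__ == "__main__":
    for f in triage(ROWS):
        print(f"[{f.severity:6}] {f.artifact}")
        for r in f.reasons:
            print(f"         - {r}")
```

Both Run values score high on all five heuristics, the .job file on three, and the control row on none. The .job check matters on Windows 7 and 10 alike: a file appearing directly in C:\Windows\Tasks means the task was registered through the legacy Task Scheduler 1.0 interface rather than the XML-based one, which legitimate installers rarely use today.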

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\8cb3f97d28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000040001\d725f2ec79.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\075a7c4892.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000040001\d725f2ec79.exe N/A (63 identical rows collapsed)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000040001\d725f2ec79.exe N/A (64 identical rows collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (4 identical rows)
PID 2732 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\8cb3f97d28.exe (4 identical rows)
PID 2732 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\075a7c4892.exe (4 identical rows)
PID 2732 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000040001\d725f2ec79.exe (4 identical rows)
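The WriteProcessMemory rows are the only place this report records parent/child relationships, and the evasion and discovery tables above record which process performed which check. The Python below is an added example, not code from the sandbox or from this report: it rebuilds the process tree from rows in the report's own format (counting the repeated rows per pair instead of listing them) and attaches to each process the categories of registry check it ran. The rows are constructed from the behavioral1 tables; the category names (anti-vm, anti-emulation, discovery) and the suffix-matching of registry paths are assumptions made for this example.

```python
"""Process lineage and anti-analysis profile from the indicator rows above.

Added example, not part of the sandbox report: it rebuilds the parent/child
chain from the "PID X wrote to memory of Y" rows (the sandbox logs one row
per WriteProcessMemory call, so repeated rows for the same pair are counted
rather than listed) and tags each process with the evasion and discovery
checks it performed. Rows are constructed from the behavioral1 tables; the
category labels are ours, not the sandbox's.
"""
import re
from collections import defaultdict

# Registry locations the report's signatures key on, matched as key suffixes.
KEY_CHECKS = {
    r"\hardware\acpi\dsdt\vbox__": "anti-vm",      # VirtualBox ACPI table name
    r"\system\systembiosversion": "anti-vm",       # BIOS strings reveal the hypervisor
    r"\system\videobiosversion": "anti-vm",
    r"\software\wine": "anti-emulation",           # Wine registry hive
    r"\control\nls\language": "discovery",         # system language
}

WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
KEY_ROW = re.compile(r"^Key (?:opened|value queried) (\S+) (\S+) \S+$")

T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = T + r"\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"
SVOUTSE = T + r"\0e8d0864aa\svoutse.exe"
P1 = r"C:\Users\Admin\AppData\Roaming\1000026000\8cb3f97d28.exe"
P2 = T + r"\1000030001\075a7c4892.exe"
P3 = T + r"\1000040001\d725f2ec79.exe"

ROWS = (  # constructed from the report; "* 4" mirrors the four identical rows per pair
    [f"PID 1708 wrote to memory of 2732 N/A {SAMPLE} {SVOUTSE}"] * 4
    + [f"PID 2732 wrote to memory of 1548 N/A {SVOUTSE} {P1}"] * 4
    + [f"PID 2732 wrote to memory of 316 N/A {SVOUTSE} {P2}"] * 4
    + [f"PID 2732 wrote to memory of 652 N/A {SVOUTSE} {P3}"] * 4
    + [rf"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ {p} N/A" for p in (SAMPLE, SVOUTSE, P1, P2)]
    + [rf"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion {p} N/A" for p in (SVOUTSE, P2)]
    + [rf"Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine {p} N/A" for p in (SAMPLE, SVOUTSE)]
    + [rf"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {p} N/A" for p in (SAMPLE, SVOUTSE, P2, P3)]
)


def build_tree(rows):
    """Return (child->parent pid map, pid->image map, (parent, child)->write count)."""
    parent, image, writes = {}, {}, defaultdict(int)
    for row in rows:
        m = WPM_ROW.match(row)
        if not m:
            continue
        ppid, cpid = int(m[1]), int(m[2])
        parent[cpid] = ppid
        image.setdefault(ppid, m[3])
        image.setdefault(cpid, m[4])
        writes[(ppid, cpid)] += 1
    return parent, image, dict(writes)


def profile_checks(rows):
    """Map each process image to the set of check categories it performed."""
    prof = defaultdict(set)
    for row in rows:
        m = KEY_ROW.match(row)
        if not m:
            continue
        key, proc = m[1].lower(), m[2]
        for suffix, category in KEY_CHECKS.items():
            if key.endswith(suffix):
                prof[proc].add(category)
    return dict(prof)


def lineage(parent, image, pid):
    """Images from the root process down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [image[p] for p in reversed(chain)]


def render_tree(rows):
    """One indented line per process: image, pid, check categories, WPM call count."""
    parent, image, writes = build_tree(rows)
    prof = profile_checks(rows)
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    lines = []

    def walk(pid, depth):
        img = image[pid]
        name = img.rsplit("\\", 1)[-1]
        tags = ",".join(sorted(prof.get(img, ()))) or "-"
        calls = writes.get((parent.get(pid), pid), 0)
        lines.append(f"{'  ' * depth}{name} pid={pid} checks={tags} wpm_calls={calls}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for root in [p for p in image if p not in parent]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(ROWS)))
```

The rendered tree shows the shape an Amadey run typically has here: the submitted sample spawns its own copy (svoutse.exe), and that copy is the single parent of every later payload. Four WriteProcessMemory calls per child with no injection signature is consistent with ordinary CreateProcess setup rather than hollowing, but the report alone cannot confirm that; a memory dump of each child would.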

Processes

C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\8cb3f97d28.exe

"C:\Users\Admin\AppData\Roaming\1000026000\8cb3f97d28.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\075a7c4892.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\075a7c4892.exe"

C:\Users\Admin\AppData\Local\Temp\1000040001\d725f2ec79.exe

"C:\Users\Admin\AppData\Local\Temp\1000040001\d725f2ec79.exe"

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 185.215.113.103:80 185.215.113.103 tcp (2 identical rows)

All connections are plain HTTP (tcp/80) to bare IP addresses; the Domain column carries no hostname, so no DNS lookup was involved and DNS-based blocking would not have caught this traffic.

Files

memory/1708-0-0x0000000000BB0000-0x0000000001062000-memory.dmp

memory/1708-1-0x00000000770E0000-0x00000000770E2000-memory.dmp

memory/1708-2-0x0000000000BB1000-0x0000000000BDF000-memory.dmp

memory/1708-3-0x0000000000BB0000-0x0000000001062000-memory.dmp

memory/1708-4-0x0000000000BB0000-0x0000000001062000-memory.dmp

\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 3bcdaf8aa8a6f0ca2f613c8c14bc5a6e
SHA1 14e7cff2628e339009821bdb95673a40299149d0
SHA256 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
SHA512 d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579

All four hashes equal those of the submitted sample: svoutse.exe is a byte-for-byte copy placed in a randomly named Temp subdirectory and then launched from there (see Processes and the WriteProcessMemory rows). The later payloads 8cb3f97d28.exe and d725f2ec79.exe have distinct hashes and are separate files, consistent with the "Downloads MZ/PE file" signature.

memory/1708-14-0x0000000007130000-0x00000000075E2000-memory.dmp

memory/1708-16-0x0000000000BB0000-0x0000000001062000-memory.dmp

memory/2732-17-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-18-0x0000000000DC1000-0x0000000000DEF000-memory.dmp

memory/2732-19-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-21-0x0000000000DC0000-0x0000000001272000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\8cb3f97d28.exe

MD5 582c09e30698672fd833e6e6c0dc506e
SHA1 37dafeb7ea62e155ff3f2d47f84011b24ef8ba2b
SHA256 99e3eaac03d77c6b24ebd5a17326ba051788d58f1f1d4aa6871310419a85d8af
SHA512 495525e62560e397c0bef9c7f17358c08547c34930e772c8e59476ec50b7196eac28a0cbba83d0d90ebcc4282e210e0d140292cf4bfd52262cba45e2a9d6a1c9

memory/2732-39-0x00000000068C0000-0x0000000006F26000-memory.dmp

memory/2732-38-0x00000000068C0000-0x0000000006F26000-memory.dmp

memory/2732-41-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/1548-40-0x00000000009A0000-0x0000000001006000-memory.dmp

memory/2732-58-0x00000000068C0000-0x0000000006F26000-memory.dmp

memory/2732-60-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/316-62-0x0000000001350000-0x00000000019B6000-memory.dmp

memory/2732-61-0x00000000068C0000-0x0000000006F26000-memory.dmp

memory/2732-59-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/1548-64-0x00000000009A0000-0x0000000001006000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000040001\d725f2ec79.exe

MD5 6ca9ba147fcf085d7f828da983fd946f
SHA1 e7fedc40f0cbbe1ba28d52b4c25d2840a0004002
SHA256 df465e0e7a01e93a8ed0f4a96fcba84506e0789f329fac2419d17f65bd1749c8
SHA512 626c5f47f2da8bfcd805d0fb510beb1800359596b304a90afdbc2f7d381c2df42751f3659b12c30d4e430c6e46ee1ef9be2c2d1a6779dac13399d7511b2121f0

memory/2732-79-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-80-0x00000000068C0000-0x0000000006F26000-memory.dmp

memory/2732-81-0x00000000068C0000-0x0000000006F26000-memory.dmp

memory/316-82-0x0000000001350000-0x00000000019B6000-memory.dmp

memory/2732-83-0x00000000068C0000-0x0000000006F26000-memory.dmp

memory/2732-84-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-85-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-86-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-87-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-88-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-89-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-90-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-91-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-92-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-93-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-94-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-95-0x0000000000DC0000-0x0000000001272000-memory.dmp

memory/2732-96-0x0000000000DC0000-0x0000000001272000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-12 01:40

Reported

2024-09-12 01:43

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A (4 identical rows)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\ae8933b5da.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\8f8646f857.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A (4 identical rows)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A (4 identical rows)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\ae8933b5da.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\ae8933b5da.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\8f8646f857.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\8f8646f857.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A (4 identical rows)
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\ae8933b5da.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\8f8646f857.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8f8646f857.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\8f8646f857.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1aff3cdbe7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000040001\\1aff3cdbe7.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000040001\1aff3cdbe7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\ae8933b5da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\8f8646f857.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Note: the msedge.exe and identity_helper.exe rows in this and the following tables are Microsoft Edge's own startup behaviour (hardware identification, COM class registration and its process-creation mitigation policy), not actions of the malware. This excerpt does not show which process launched the browser, so treat these rows as context for the stealer run rather than as indicators.

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A (8 identical rows)
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\ae8933b5da.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\8f8646f857.exe N/A (2 identical rows)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (8 identical rows)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A (2 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000040001\1aff3cdbe7.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
29 identical rows collapsed N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
60 identical rows collapsed N/A C:\Users\Admin\AppData\Local\Temp\1000040001\1aff3cdbe7.exe N/A
3 identical rows collapsed N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
64 identical rows collapsed N/A C:\Users\Admin\AppData\Local\Temp\1000040001\1aff3cdbe7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4488 wrote to memory of 2816 (3 identical rows collapsed) N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2816 wrote to memory of 2732 (3 identical rows collapsed) N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\ae8933b5da.exe
PID 2816 wrote to memory of 4372 (3 identical rows collapsed) N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\8f8646f857.exe
PID 2816 wrote to memory of 4288 (3 identical rows collapsed) N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000040001\1aff3cdbe7.exe
PID 4288 wrote to memory of 2620 (2 identical rows collapsed) N/A C:\Users\Admin\AppData\Local\Temp\1000040001\1aff3cdbe7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4420 (2 identical rows collapsed) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4452 (40 identical rows collapsed) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 3600 (2 identical rows collapsed) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4800 (6 identical rows collapsed) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\ae8933b5da.exe

"C:\Users\Admin\AppData\Roaming\1000026000\ae8933b5da.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\8f8646f857.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\8f8646f857.exe"

C:\Users\Admin\AppData\Local\Temp\1000040001\1aff3cdbe7.exe

"C:\Users\Admin\AppData\Local\Temp\1000040001\1aff3cdbe7.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffe7f6346f8,0x7ffe7f634708,0x7ffe7f634718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6680 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15151115331381073588,5701536899311598164,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4488-0-0x0000000000050000-0x0000000000502000-memory.dmp

memory/4488-1-0x0000000077954000-0x0000000077956000-memory.dmp

memory/4488-2-0x0000000000051000-0x000000000007F000-memory.dmp

memory/4488-3-0x0000000000050000-0x0000000000502000-memory.dmp

memory/4488-4-0x0000000000050000-0x0000000000502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 3bcdaf8aa8a6f0ca2f613c8c14bc5a6e
SHA1 14e7cff2628e339009821bdb95673a40299149d0
SHA256 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
SHA512 d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579

memory/2816-16-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/4488-18-0x0000000000050000-0x0000000000502000-memory.dmp

memory/2816-19-0x0000000000891000-0x00000000008BF000-memory.dmp

memory/2816-20-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/2816-21-0x0000000000890000-0x0000000000D42000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\ae8933b5da.exe

MD5 582c09e30698672fd833e6e6c0dc506e
SHA1 37dafeb7ea62e155ff3f2d47f84011b24ef8ba2b
SHA256 99e3eaac03d77c6b24ebd5a17326ba051788d58f1f1d4aa6871310419a85d8af
SHA512 495525e62560e397c0bef9c7f17358c08547c34930e772c8e59476ec50b7196eac28a0cbba83d0d90ebcc4282e210e0d140292cf4bfd52262cba45e2a9d6a1c9

memory/2732-37-0x0000000000AB0000-0x0000000001116000-memory.dmp

memory/2732-38-0x0000000000AB1000-0x0000000000AC5000-memory.dmp

memory/2732-39-0x0000000000AB0000-0x0000000001116000-memory.dmp

memory/2816-48-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/4372-56-0x0000000000CC0000-0x0000000001326000-memory.dmp

memory/2732-57-0x0000000000AB0000-0x0000000001116000-memory.dmp

memory/2816-58-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/2816-59-0x0000000000890000-0x0000000000D42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000040001\1aff3cdbe7.exe

MD5 6ca9ba147fcf085d7f828da983fd946f
SHA1 e7fedc40f0cbbe1ba28d52b4c25d2840a0004002
SHA256 df465e0e7a01e93a8ed0f4a96fcba84506e0789f329fac2419d17f65bd1749c8
SHA512 626c5f47f2da8bfcd805d0fb510beb1800359596b304a90afdbc2f7d381c2df42751f3659b12c30d4e430c6e46ee1ef9be2c2d1a6779dac13399d7511b2121f0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 7b2ba78f9155ea1530003864e0a971f3
SHA1 c8e2f7f89cb153d8f21052ff596d4b829fbe710a
SHA256 ac31c861e2a9b1e17b23ce923bb06406a35c9e0c55c0caa296006f0621556364
SHA512 afd9e5cbdc7b9ab87479b289775d735f34ea3ae40ab809bbf5811ad8d43d64a80f308e0bd90f823278b2b8274cb99dad1c7020d52d6f6da72a70487e5fdd987a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 da96f71e7b224b657a0b7265eedfa7ae
SHA1 a603875299869669a5db9b68977f748e7c953f0f
SHA256 5e40d0e010480ed1717c928dd4953c094d86e345249b67389a313ed6631a092f
SHA512 2158a23b3dd1b8ffd057da3cd63a39c59fab1e59cf066c6689d343b021a9a28f0a7642e7f8bb58d344eaa4f0dc9d19e730b44a679d44cc7e538e483e1c0cbedc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

\??\pipe\LOCAL\crashpad_2620_MKBHMXEKXQZKCYZF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

MD5 929cafc7bcc7aa22b673c8eede3c614d
SHA1 0e18c8f428f607658b211f6f3760b1b5d37566c8
SHA256 4ca2056962155d90c2cf64de3500fc2fa29581c9fa3c5b4597cbcc8898c0a683
SHA512 b4550985e0e89b2e28b815a51c32f501c9408dfeffcc799192be10aeb674f4af6906229973a3b87c7fb8b9a20c384e147cce4fa0da540fb864a219b1c82ab01f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

memory/1312-151-0x0000000000890000-0x0000000000D42000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\25629871-5927-4fdb-8359-72713c2a93be.tmp

MD5 685a71ff06d0c50252ad091430c8f07a
SHA1 ca1bb22d7e7a6acf7675ccd8cfeaaf22cc8c7334
SHA256 35dd438692da90b01bbd96ad3bbe62f703fe3749541752fd7b4634b1acac6e7a
SHA512 3d2c4638c0632e4dd597276da869adfeee38201ac06c1b10476561fdb869720ac30a54cecfe67955a002bafa88a10677c3e5f708ebe58e43e624adbbe329bc02

memory/2816-144-0x0000000000890000-0x0000000000D42000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Microsoft Edge.lnk

MD5 77de1060779e32400a88a4ef66f58bc4
SHA1 746ce834aee48782ce9ab64b74444b3f66d8421f
SHA256 f59047ffe9c2843434804e61fe0a5f0bb342b046ca4ef3976f3a187da61f35e8
SHA512 e1a0337524569eac1168d108ee871bf90857d28d289a15a809a41f161826a9809da2c2f71557731efd2f40c592645067d6158b96c03aa28d3bc3338405703377

memory/1312-188-0x0000000000890000-0x0000000000D42000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0T2DY6U7ZQMHE3RYODND.temp

MD5 feb560d8c8a30a798fe6592c38b00e4d
SHA1 b468331dd526731ed37de049b6d9bc31697386b4
SHA256 17bb86bfdac01da8fb00a6ef6836a2287c6bde90dd77c22682f9e6da8715fe66
SHA512 549b010e5db0f378b9382887ebed3cdbf306bc547057251039cccf2651faf1bdf396c37e1fa17e75f5a6d434c62d499ce37a9761769d3d084a43d2d74916e6cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

memory/2816-269-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/4372-271-0x0000000000CC0000-0x0000000001326000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

MD5 3a599c52972feb3746d14cbb981f3bb9
SHA1 6d849e5bcb1e4f23ad9488bd885c0cf7f9f7f452
SHA256 893ac734142590842d32b3d801c7c17de3e65c5886c0d166ae05b6db72d6a7b2
SHA512 57b59b9bf1ddb7d8d32b5c543e11502f7ad2c23eca318d22908029bb4863dba2dbabfbbe49bfd5fdfbca9d1b3a59d8797916461c130d70d4ba34489ce701271f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences

MD5 336a5b542f8a2c96cddcbb777e8731e8
SHA1 e18f6f7c2e24059757f445619d1c3363292eb24a
SHA256 caa4fa995ccac3609710d0cd6bb539613f8ab7005bd7f5eaa5878c5c3500bf4d
SHA512 a6cb8e91170470610bde0e3d47745f4501e128908974f997ca2247db8ed1142db0056e82974341c69ebd55dba40e9e0aafbe5fa068cc7696c6ed3b421df8300d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe57b47b.TMP

MD5 fffb23126ebfedbb092f159bfda2eea7
SHA1 72851ad83d39a93af40f2fc2e0f59c377a940e28
SHA256 f6b9132931b63e17c1e9007764fb1a13ce0811470dc6c3704af1cfd0bfd02be7
SHA512 0b8f08c71ed3253b6875ade9f237c2c6faf7a49ec097f4c0bef251bb892ea312ec9518262fca851168a5933e72e65d5b4f9e1b877528bdde04040b6555b1502b

memory/2816-296-0x0000000000890000-0x0000000000D42000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

memory/2816-349-0x0000000000890000-0x0000000000D42000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\c4282fa5-c8d1-405a-a4f0-3ef0da262010.tmp

MD5 15c522b2d6ffe0e03ddad1332c27d6ed
SHA1 5be47452fdf1133efed4321559541de5d7d265ab
SHA256 396512499154fb1e6a41a651e2530945e464deab6fb7b70e3ffaa92d6e05f91e
SHA512 b4e4d1160ed7122b367f5b43340ce00e1bfdb9e1d2928b6734d89a0adf29b43f50a312de72854a23273d06d56f179495e7e7127e218e17131d55ae68bb23a5d9

memory/2816-368-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/2816-369-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/2816-379-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/5976-390-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/5976-391-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/2816-392-0x0000000000890000-0x0000000000D42000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences

MD5 82ba9883fc81611cd0e0e2cb32da9cab
SHA1 5d72fa19c790ce7c4d074ca4406277ebc526ed6a
SHA256 45673db640b03e347474569e253b25766418203d206901a5fb1ba5a1bd161dc9
SHA512 77e7d3beb49b38e608b654bf29648791a6dbf380451fecc835226ba2009fd9e0decfc79115f957aea00c64779c7e85080981341ad9f5132a272ab0868c72bc18

memory/2816-411-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/2816-412-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/2816-413-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/2816-414-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/2816-415-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/5852-419-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/5852-420-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/2816-421-0x0000000000890000-0x0000000000D42000-memory.dmp

memory/2816-424-0x0000000000890000-0x0000000000D42000-memory.dmp