Analysis

max time kernel: 148s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 28-03-2024 22:01

Static task: static1
Behavioral task: behavioral1
Sample: 3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe
Resource: win10v2004-20240226-en
General

Target: 3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe
Size: 1.8MB
MD5: e3f2565e66bef7c990748a5f99b706c4
SHA1: 52808d09a2b8c7b4fe54e3f0634ad74663003a37
SHA256: 3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e
SHA512: c03ba03ffaf5d8ade527be7a9a8efec7e28d702cf6d2cefefb0be396e867033efa80501b69975405df9980cc1e2ca6612bd1ae28ee017c80b5a74f9d8e931979
SSDEEP: 49152:69FWlJTG9dU9I6XyhhBnr1a+mu+1ENJ8+OcWsMo7r:Bl6diI6Xwxrzv+16++Z1/
Malware Config

Extracted
Family: amadey
Version: 4.18
C2: http://193.233.132.56
install_dir: 09fd851a4f
install_file: explorha.exe
strings_key: 443351145ece4966ded809641c77cfa8
url_paths: /Pneh2sXQk0/index.php

Extracted
Family: amadey
Version: 4.17
C2: http://185.215.113.32
install_dir: 00c07260dc
install_file: explorgu.exe
strings_key: 461809bd97c251ba0c0c8450c7055f1d
url_paths: /yandex/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 7 IoCs]
  Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    by explorha.exe (x3), 3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe, 8ce42d6d1d.exe, amert.exe, explorgu.exe

Blocklisted process makes network request [4 IoCs]
  flow 41  pid 5992  rundll32.exe
  flow 49  pid 3328  rundll32.exe
  flow 52  pid 5836  rundll32.exe
  flow 54  pid 2448  rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry [2 TTPs, 14 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    by 3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe, explorgu.exe, explorha.exe (x3), amert.exe, 8ce42d6d1d.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
    by explorha.exe (x3), 8ce42d6d1d.exe, amert.exe, explorgu.exe, 3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe

Executes dropped EXE [7 IoCs]
  pid 2972  explorha.exe
  pid 4236  8ce42d6d1d.exe
  pid 2808  go.exe
  pid 5616  amert.exe
  pid 5280  explorgu.exe
  pid 5620  explorha.exe
  pid 5244  explorha.exe

Identifies Wine through registry keys [2 TTPs, 7 IoCs]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine
    by amert.exe, explorgu.exe, explorha.exe (x3), 3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe, 8ce42d6d1d.exe
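The three registry probes above (the VBOX__ ACPI table key, the SystemBiosVersion/VideoBiosVersion values and the per-user Software\Wine key) are made by every Amadey component in this run, and the same three turn up together. The following is an added example, not part of the report and not code from any sandbox or vendor: a Python script that parses event lines in exactly the shape the report prints them, tags each process with the anti-analysis family it touched, and only rates a process high-confidence when it hits two independent families, so that the msedge.exe lookup of BIOS\SystemProductName listed later under "Enumerates system info in registry" does not fire. The process names and the four matching lines are taken from the report; the two benign lines, the FADT/RSDT extension of the ACPI pattern and the two-family threshold are assumptions made for the example.

```python
"""Flag registry-based sandbox/VM detection from sandbox registry events.

Added example, not from the report: the event line format is the one the
report prints ("Key opened <path> <process>" / "Key value queried <path>
<process>"); the families, the scoring threshold and the benign sample
lines are assumptions made for the example.
"""
import re
from collections import defaultdict

# One pattern per anti-analysis family. DSDT is the table the report shows;
# FADT and RSDT are the sibling ACPI tables VirtualBox also tags VBOX__ and
# are included as a generalisation (assumption).
ANTI_ANALYSIS_PATTERNS = {
    "vbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__$", re.I),
    "bios_version": re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.I),
    "wine": re.compile(r"\\Software\\Wine$", re.I),
}

# "Key opened <key> <process>" or "Key value queried <key> <process>"
EVENT_RE = re.compile(
    r"^Key (?P<op>opened|value queried) (?P<key>\\REGISTRY\\\S+) (?P<proc>\S+)$"
)


def parse_event(line):
    """Return (op, key, process) for one report-style event line, else None."""
    m = EVENT_RE.match(line.strip())
    return (m["op"], m["key"], m["proc"]) if m else None


def classify_events(lines):
    """Map process name -> set of anti-analysis families it touched."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        _, key, proc = parsed
        for family, pattern in ANTI_ANALYSIS_PATTERNS.items():
            if pattern.search(key):
                hits[proc].add(family)
    return dict(hits)


def verdict(families):
    """Two or more independent families in one process is the fingerprint the
    report shows for every Amadey component; a single family on its own is
    also seen in legitimate software, so it only rates low (assumed threshold)."""
    if len(families) >= 2:
        return "anti-analysis (high)"
    if len(families) == 1:
        return "anti-analysis (low)"
    return "none"


# Constructed sample in the report's line format: the first four lines are
# copied from the report, the last two are invented benign-looking events.
SAMPLE_EVENTS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine explorha.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amert.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion notepad.exe",
]

if __name__ == "__main__":
    for proc, fams in sorted(classify_events(SAMPLE_EVENTS).items()):
        print(f"{proc:16} {sorted(fams)} -> {verdict(fams)}")
```

The patterns anchor on the tail of the key so that the HKLM hive prefix and the per-user SID (which changes from machine to machine) do not need to appear in the rule; the same anchoring is what lets the Software\Wine check work regardless of which user profile is loaded.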
Loads dropped DLL [6 IoCs]
  pid 5964  rundll32.exe
  pid 5992  rundll32.exe
  pid 3328  rundll32.exe
  pid 5964  rundll32.exe
  pid 5836  rundll32.exe
  pid 2448  rundll32.exe

Reads local data of messenger clients [2 TTPs]
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application [2 TTPs, 2 IoCs]
  Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\8ce42d6d1d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\8ce42d6d1d.exe"  by explorha.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"  by explorha.exe

AutoIT Executable [1 IoCs]
  AutoIT scripts compiled to PE executables.
  yara rule autoit_exe matched C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe

Suspicious use of NtSetInformationThreadHideFromDebugger [6 IoCs]
  pid 5044  3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe
  pid 2972  explorha.exe
  pid 5616  amert.exe
  pid 5280  explorgu.exe
  pid 5620  explorha.exe
  pid 5244  explorha.exe

Drops file in Windows directory [2 IoCs]
  File created C:\Windows\Tasks\explorgu.job  by amert.exe
  File created C:\Windows\Tasks\explorha.job  by 3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe

Enumerates physical storage devices [1 TTPs]
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry [2 TTPs, 3 IoCs]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  by msedge.exe
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  by msedge.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  by msedge.exe

Suspicious behavior: EnumeratesProcesses [54 IoCs]
  events per pid: 5044 3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe x2; 2972 explorha.exe x2; 4776 msedge.exe x2; 3172 msedge.exe x2; 2944 msedge.exe x2; 232 msedge.exe x2; 5616 amert.exe x2; 5992 rundll32.exe x10; 5356 powershell.exe x3; 3884 msedge.exe x2; 4640 identity_helper.exe x2; 5280 explorgu.exe x2; 5620 explorha.exe x2; 5836 rundll32.exe x10; 5812 powershell.exe x3; 5244 explorha.exe x2; 4988 msedge.exe x4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [10 IoCs]
  pid 2944  msedge.exe (x10)

Suspicious use of AdjustPrivilegeToken [2 IoCs]
  Token: SeDebugPrivilege  pid 5356  powershell.exe
  Token: SeDebugPrivilege  pid 5812  powershell.exe

Suspicious use of FindShellTrayWindow [29 IoCs]
  pid 5044  3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe (x1); pid 2808  go.exe (x3); pid 2944  msedge.exe (x25)

Suspicious use of SendNotifyMessage [15 IoCs]
  pid 2808  go.exe (x3); pid 2944  msedge.exe (x12)

Suspicious use of WriteProcessMemory [64 IoCs]
  source pid/process -> target pid/process ("wrote to memory of"), with event counts
  5044 3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe -> 2972 explorha.exe (x3)
  2972 explorha.exe -> 4236 8ce42d6d1d.exe (x3)
  2972 explorha.exe -> 4708 explorha.exe (x3)
  2972 explorha.exe -> 2808 go.exe (x3)
  2808 go.exe -> 2944 msedge.exe (x2)
  2944 msedge.exe -> 4696 msedge.exe (x2)
  2808 go.exe -> 2120 msedge.exe (x2)
  2120 msedge.exe -> 920 msedge.exe (x2)
  2808 go.exe -> 4492 msedge.exe (x2)
  4492 msedge.exe -> 1820 msedge.exe (x2)
  2944 msedge.exe -> 4472 msedge.exe (x40)
Processes
-
C:\Users\Admin\AppData\Local\Temp\3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe"C:\Users\Admin\AppData\Local\Temp\3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000042001\8ce42d6d1d.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\8ce42d6d1d.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d5cc3cb8,0x7ff9d5cc3cc8,0x7ff9d5cc3cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,10216545100164289502,2722062880607159056,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2596 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d5cc3cb8,0x7ff9d5cc3cc8,0x7ff9d5cc3cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1780,13188893340279081275,1336940715022056991,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2016 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1780,13188893340279081275,1336940715022056991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d5cc3cb8,0x7ff9d5cc3cc8,0x7ff9d5cc3cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,8146423560888786520,14916923651305002106,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,8146423560888786520,14916923651305002106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
[depth 5] C:\Windows\system32\netsh.exe
Command line: netsh wlan show profiles
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
- Blocklisted process makes network request
- Loads dropped DLL
-
[depth 1] C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[depth 1] C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[depth 1] C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[depth 1] C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
Command line: C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[depth 2] C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
- Loads dropped DLL
-
[depth 3] C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
[depth 4] C:\Windows\system32\netsh.exe
Command line: netsh wlan show profiles
-
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 2] C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
- Blocklisted process makes network request
- Loads dropped DLL
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
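The credential-harvesting chain in the tree above (rundll32 loading cred64.dll from an AppData\Roaming\<hex> directory with the Main export, which then runs netsh wlan show profiles and a PowerShell Compress-Archive into %Temp%) is a detection opportunity. The following is an added example, not part of the report or of any sandbox's own code: it runs a parent-chain check over constructed process-creation events modelled on the tree. PIDs, the benign console session used as a negative case, and the regex thresholds are assumptions.

```python
"""Added example: flag netsh/PowerShell children whose ancestry includes a
rundll32 that loaded a DLL from %AppData%\Roaming\<hex dir>\ with export 'Main'.
Events are constructed from the process tree in the report; PIDs are assumed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events (PIDs and the cmd.exe session 700/800 are assumptions).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe",
              r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"),
    ProcEvent(200, 100, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main'),
    ProcEvent(300, 200, r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main'),
    ProcEvent(400, 300, r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
    ProcEvent(500, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' "
              r"-DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal"),
    ProcEvent(600, 100, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'),
    # Negative case: an interactive console running the same netsh command.
    ProcEvent(700, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(800, 700, r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
]

# rundll32 handed a DLL under AppData\Roaming\<12-16 hex chars>\ plus the 'Main' export.
RUNDLL_APPDATA = re.compile(
    r'rundll32\.exe"?\s+(?P<dll>[^\s,]*\\AppData\\Roaming\\[0-9a-f]{12,16}\\[^\s,]+\.dll)\s*,\s*Main\b',
    re.IGNORECASE)
# Wi-Fi profile enumeration (stored WLAN credentials).
WLAN_PROFILES = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b", re.IGNORECASE)
# Staging archive written into %Temp% via Compress-Archive.
ZIP_TO_TEMP = re.compile(
    r"Compress-Archive\b.*-DestinationPath\s+'[^']*\\AppData\\Local\\Temp\\[^']*\.zip'", re.IGNORECASE)


def find_cred_harvest_chains(events):
    """Return one finding per netsh/Compress-Archive process that descends from a
    rundll32 loading an AppData\\Roaming DLL; processes with no such ancestor are ignored."""
    by_pid = {e.pid: e for e in events}

    def rundll_ancestor(e):
        cur = by_pid.get(e.ppid)
        while cur is not None:          # walk up until the tree root or a matching loader
            m = RUNDLL_APPDATA.search(cur.cmdline)
            if m:
                return cur, m.group("dll")
            cur = by_pid.get(cur.ppid)
        return None

    hits = []
    for e in events:
        if WLAN_PROFILES.search(e.cmdline):
            kind = "wifi_profile_enum"
        elif ZIP_TO_TEMP.search(e.cmdline):
            kind = "staging_archive"
        else:
            continue
        anc = rundll_ancestor(e)
        if anc is None:
            continue
        loader, dll = anc
        hits.append({"pid": e.pid, "kind": kind, "loader_pid": loader.pid, "dll": dll})
    return hits


if __name__ == "__main__":
    for hit in find_cred_harvest_chains(SAMPLE_EVENTS):
        print(hit)
```

Anchoring on the loader's ancestry rather than on netsh alone is what keeps the interactive `netsh wlan show profiles` (PID 800) out of the results; the clip64.dll rundll32 (PID 600) produces nothing because it spawns no children in the tree.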
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Unsecured Credentials (3)
  - Credentials In Files (2)
  - Credentials in Registry (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: ae626d9a72417b14570daa8fcd5d34a4
  SHA1: c103ebaf4d760df722d620df87e6f07c0486439f
  SHA256: 52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a
  SHA512: a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 19a8bcb40a17253313345edd2a0da1e7
  SHA1: 86fac74b5bbc59e910248caebd1176a48a46d72e
  SHA256: b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e
  SHA512: 9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 96899614360333c9904499393c6e3d75
  SHA1: bbfa17cf8df01c266323965735f00f0e9e04cd34
  SHA256: 486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c
  SHA512: 974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 936B
  MD5: 4370d14710a36a56e32aeadf31288610
  SHA1: 0f832620c831d80422daa2d5028421548218551b
  SHA256: 55ea9098e289fa6a827f852dc1e90546e4d51f84cb13389037c1fb4bf42dac77
  SHA512: f191ab086f9ddca9b78b303bdd699b15dd46e6f76f8c0789c0dd90216041192a9c4a945cd4b5a6281c92f5a479d0c22ae03fe027d043898249d787b82b882710
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 2KB
  MD5: f626ace70d9ab9ddaa746294b5bb3971
  SHA1: aa1719baf5dc0050b5fa403361f347a46a2016e1
  SHA256: 312a59f280386b4732b1ba02d90f4f06146896e45905a3376e7b65b4f4cee5f6
  SHA512: 99af3be3bb33cc824982c113bbb6ecb2bc7e52ec0e59a726815876a622d0d464e25f897ecb92907aa288457674402f5a67c513049bd72cab6cbedf4f4596a11d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 2KB
  MD5: a10d8965733e51239735363b7c1021fa
  SHA1: bc4d2d29d3682728ddcf34981fc35542ed012b07
  SHA256: 5ad72a55056c770b1750191549db7588a30efef8a5f7081405e3d0a9320aa100
  SHA512: 0dd14955e697be180b1c28b7a5212a2fda32086ee81015ef0dbaa89301f9366fb0421601284200480ab3545449795ae967196885fd9ababd67e7cc0605d96991
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 4dc8088c17bd042eb71a4d8112a591fd
  SHA1: c36bef64ca2cd0267e91406309785224ed2ec448
  SHA256: 91c12fd4289564e94111ab825d15aabe3e75f6730fc85840b6cffd3dbb311920
  SHA512: 65f1c50347129b53ca1abcf807b9d8e7bb503dffdef54bdf06d97c76608a37f10cf9cefbf1e8d1e15253cccac5a4b7811a97d9d6da6caf7098085b7d502db0a3
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: da63419caa80ed3879c95bdc936f61e9
  SHA1: 633a6dd907c871d63d8680a0acd516738de09103
  SHA256: b28d4d1ae3532595b423ca01e0aeec0bc1e4e74077a1a99f8c8fe10b4a0fb3f0
  SHA512: fd5a0377841e0bfe351dcbc8217470a121e0c5b937ca43cf08b15250a82a9f99de5fcbefe28950f1ce1ebf822d43a454a80b048b555069ab781789d2c5c09c78
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 707B
  MD5: 914b31cfcc36052c4dacaa75bae3c859
  SHA1: 6aa50c1fb13502c390772f16e44954aff335b278
  SHA256: 34de782178394e8c6446c8a41c804926dd4c0dfb10fc749ce54fb4004d196600
  SHA512: 0b83588736b142b4a72ba76be273d517a1509e02d466ab50b3e1dcbd19a98b6680c7a97da4fbf5d773f551c35d78755c0a5a0519a5052e2d2972007d438b5bf3
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 707B
  MD5: 34f9286fcf11a36c9af30052173cb59b
  SHA1: 4a2e6548657d2760b13021f5d81fe00fdbba9343
  SHA256: aca2971175c829432aed592862e16a5f5d51aa50151449250d6fc7b49d6c6f10
  SHA512: c591b014f0e656f7f77212717453a44117a89b956df0d26f4b8299b254aebaaa4dee056a33aa567a1f33e0e1bf118d401aa7c11e67a35886ef8eebed727617f5
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 707B
  MD5: 016670b1b37982b57977913286cee284
  SHA1: 521dd62bd56180d881d1de7e60fbb29f5845180c
  SHA256: fa3658c84f8d3e41241e125b45331ef12477ff0dbf0c39835bd34b36f3d2fa6e
  SHA512: fbcc0ee79100eeb4f10068675f6c694bd827c57a0af804c8d3a6120852371583496b38ea6149f70201ccc920dfd4575a4f1a499659225420a67f8eeff7d8a610
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 707B
  MD5: 17afb7822a06ce6a4bc5841159244d7e
  SHA1: 82447a1d328b4974c7e12bf32fcfd81cd2790674
  SHA256: 97a8e022744a9a99c8330a6d31acc9f200e72145574ae1fe638d012ac77e5dc7
  SHA512: 4ffd633c557e227f8c33b5e7fd7fde470ae36ee8f21ba259db5bc2bb47852b7e4d48d6b6f747f54145bb13dd5c03aac421fadb931cc00c0364e1f390689d85eb
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ec44.TMP
  Filesize: 707B
  MD5: a2610346152b54ce689e33e2b5970415
  SHA1: 4e0f0730af8f935297127653c59810779f3202e5
  SHA256: 4cab63dbb18142cb2022ae59bb21eefebbebd44bb202712db2896883dfd79a68
  SHA512: f9902ad8484e825a1d9d90b9fe7b02faaf517fa91157c4e44673c82c0191b48e7e1af0048741289cefd93a0c09668efa1e3577b42b5bfdfb61dff8bbf0472e97
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: eb6c9a42c10b1c06c36e26c20e32a193
  SHA1: 847fa26613088539b791fdf96d541cd09f69f4a7
  SHA256: 24f1ab60823fcf26a31db2dff117ebd71c486372c9bc1caf8fad69f9d85d1844
  SHA512: 506c0a9d57d0157dc752a37bd7c643ce350a68a832a8bd3070981d63578d56e7b2583f364ebea0408aa481f32209e44577a6843535c6783474bd5909cc6197e0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 8KB
  MD5: 1991d531a1ac12c935d39d1fe5b90be8
  SHA1: eb3f959dba5f3c2f566828239830f631b0c56f29
  SHA256: 324a1673d0a3666c4a78a036ea0b33b827208f8b731ae9d9fcb745b06f5e1478
  SHA512: f8489ba41275d1aa4552868f713a0588828937be6e8fe6e33faf64d8a84bcfff50f5713318f8df3e2368772c291f0ee36aa3193c4fefc86544236a1c93c98d62
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 8KB
  MD5: 79b7f2195004e3432caed6f40ed58908
  SHA1: 94f325ba1b578c4f1ec268b3e895b7ffa7a6195d
  SHA256: 61534a27423c30b67a14d227a39c74a2ed89352c55f2d59d36589bd083d39f1f
  SHA512: bcb9646edb86b4593a855b292f4bf709d56c1b819cf9dd6ca9bb97f4c6245bd4f06ed112e3273952fb22b4b4cf19a22028ae120166ca8f49686718372a708fd4
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 632c87ef107ab7b49fb9a44a393b9c82
  SHA1: fe7035d40d08ab65b460058c5a458d628e6b8b58
  SHA256: b17dd2b6c26b9544cb72f91e3084945df5a5c08407a0939ef2397bb3c6ee1dfe
  SHA512: 58e0371748ed013a13afd013da63c3c757e7b22be95fe1624784768b2493e5c1b9c352925f3559c3887a28c48b2e72336cb7acb9d385982324a1d62056987d6c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: dc1581e35979397950e6872b3a3b1298
  SHA1: 4f1a7a8f2cff4603f4fc4b7370494c61cbcb3c7f
  SHA256: 40767ed690a6468aa11b9bce89cb43dca925e5027934ead29e5b708d2fafa9e7
  SHA512: e8d5fcc9be11d5ca64475d35bc662b19c994c0e4deec79d86c9bbe7dff4ac06fe831ffe0bef93efa46c0078ce535693dafc8372e652c282d8b43e6c6ec16eeba
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  Filesize: 1.8MB
  MD5: e3f2565e66bef7c990748a5f99b706c4
  SHA1: 52808d09a2b8c7b4fe54e3f0634ad74663003a37
  SHA256: 3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e
  SHA512: c03ba03ffaf5d8ade527be7a9a8efec7e28d702cf6d2cefefb0be396e867033efa80501b69975405df9980cc1e2ca6612bd1ae28ee017c80b5a74f9d8e931979
- C:\Users\Admin\AppData\Local\Temp\1000042001\8ce42d6d1d.exe
  Filesize: 3.1MB
  MD5: 339f3f4f39d82660a784f3fb070220f1
  SHA1: a03957dadfbc4d434510278b58f4d7e655effce5
  SHA256: 93b6b07774d558791bc34c872f8d67123b26fb070f7612278e37e934c71c9abe
  SHA512: 06b181700ff678ab659cbab3486b9c28f30e3c333274541549b11e08e45d1a9a8389efb247a9dd52ffd327a7d7d08380f1730e0df5bfc9750f44d4674cb3f165
- C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
  Filesize: 894KB
  MD5: 2f8912af892c160c1c24c9f38a60c1ab
  SHA1: d2deae508e262444a8f15c29ebcc7ebbe08a3fdb
  SHA256: 59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308
  SHA512: 0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb
- C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
  Filesize: 1.8MB
  MD5: 4ffe02ab61d06ce1dec85cfef4122de3
  SHA1: e92368cd89deb3ccb81ea21a4e6c6a1ab3a0fba7
  SHA256: 8f1dc6a85630b9a36d235e7f4912309ac8afdfa136125d574b27376cfbb6d059
  SHA512: 9a01c2baaad83cfe4188b530235cc01dca5bdaeab8c50e881ec36a3ca623afb32915cb9d1d007fd22b8e4d90ad9da4020443d384744127132d846e40935ca8cf
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oq3ugpie.wm1.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
  Filesize: 109KB
  MD5: 2afdbe3b99a4736083066a13e4b5d11a
  SHA1: 4d4856cf02b3123ac16e63d4a448cdbcb1633546
  SHA256: 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
  SHA512: d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
- C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
  Filesize: 1.2MB
  MD5: 92fbdfccf6a63acef2743631d16652a7
  SHA1: 971968b1378dd89d59d7f84bf92f16fc68664506
  SHA256: b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
  SHA512: b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
  Filesize: 109KB
  MD5: 726cd06231883a159ec1ce28dd538699
  SHA1: 404897e6a133d255ad5a9c26ac6414d7134285a2
  SHA256: 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
  SHA512: 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
  Filesize: 1.2MB
  MD5: 15a42d3e4579da615a384c717ab2109b
  SHA1: 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
  SHA256: 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
  SHA512: 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
- \??\pipe\LOCAL\crashpad_2944_SDUEVFKVAOUCTCAV
  Filesize: not reported (the four digests below are those of zero-length content, so this is an empty named-pipe artifact, not a dropped file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/2972-584-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-477-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-578-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-25-0x0000000005010000-0x0000000005011000-memory.dmp (Filesize: 4KB)
- memory/2972-401-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-243-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-596-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-313-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-31-0x0000000005060000-0x0000000005061000-memory.dmp (Filesize: 4KB)
- memory/2972-516-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-30-0x0000000005020000-0x0000000005021000-memory.dmp (Filesize: 4KB)
- memory/2972-417-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-27-0x0000000005040000-0x0000000005041000-memory.dmp (Filesize: 4KB)
- memory/2972-29-0x0000000004FF0000-0x0000000004FF1000-memory.dmp (Filesize: 4KB)
- memory/2972-28-0x0000000004FE0000-0x0000000004FE1000-memory.dmp (Filesize: 4KB)
- memory/2972-538-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-370-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-558-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-23-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-553-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-24-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-550-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-32-0x0000000005050000-0x0000000005051000-memory.dmp (Filesize: 4KB)
- memory/2972-441-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/2972-26-0x0000000005000000-0x0000000005001000-memory.dmp (Filesize: 4KB)
- memory/4236-548-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-579-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-345-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-451-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-551-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-554-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-51-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-371-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-567-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-382-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-52-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-497-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-585-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-517-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-416-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/4236-419-0x0000000000B50000-0x0000000000F06000-memory.dmp (Filesize: 3.7MB)
- memory/5044-0-0x0000000000400000-0x00000000008BE000-memory.dmp (Filesize: 4.7MB)
- memory/5044-9-0x0000000005260000-0x0000000005261000-memory.dmp (Filesize: 4KB)
- memory/5044-10-0x0000000005250000-0x0000000005251000-memory.dmp (Filesize: 4KB)
- memory/5044-1-0x0000000077206000-0x0000000077208000-memory.dmp (Filesize: 8KB)
- memory/5044-21-0x0000000000400000-0x00000000008BE000-memory.dmp (Filesize: 4.7MB)
- memory/5044-8-0x00000000051E0000-0x00000000051E1000-memory.dmp (Filesize: 4KB)
- memory/5044-7-0x00000000051D0000-0x00000000051D1000-memory.dmp (Filesize: 4KB)
- memory/5044-2-0x0000000000400000-0x00000000008BE000-memory.dmp (Filesize: 4.7MB)
- memory/5044-6-0x0000000005230000-0x0000000005231000-memory.dmp (Filesize: 4KB)
- memory/5044-5-0x00000000051F0000-0x00000000051F1000-memory.dmp (Filesize: 4KB)
- memory/5044-4-0x0000000005210000-0x0000000005211000-memory.dmp (Filesize: 4KB)
- memory/5044-3-0x0000000005200000-0x0000000005201000-memory.dmp (Filesize: 4KB)
- memory/5244-566-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/5280-426-0x0000000004B70000-0x0000000004B71000-memory.dmp (Filesize: 4KB)
- memory/5280-424-0x0000000004B50000-0x0000000004B51000-memory.dmp (Filesize: 4KB)
- memory/5280-586-0x0000000000E80000-0x0000000001332000-memory.dmp (Filesize: 4.7MB)
- memory/5280-580-0x0000000000E80000-0x0000000001332000-memory.dmp (Filesize: 4.7MB)
- memory/5280-438-0x0000000004BA0000-0x0000000004BA1000-memory.dmp (Filesize: 4KB)
- memory/5280-439-0x0000000004B90000-0x0000000004B91000-memory.dmp (Filesize: 4KB)
- memory/5280-568-0x0000000000E80000-0x0000000001332000-memory.dmp (Filesize: 4.7MB)
- memory/5280-556-0x0000000000E80000-0x0000000001332000-memory.dmp (Filesize: 4.7MB)
- memory/5280-518-0x0000000000E80000-0x0000000001332000-memory.dmp (Filesize: 4.7MB)
- memory/5280-421-0x0000000000E80000-0x0000000001332000-memory.dmp (Filesize: 4.7MB)
- memory/5280-452-0x0000000000E80000-0x0000000001332000-memory.dmp (Filesize: 4.7MB)
- memory/5280-453-0x0000000000E80000-0x0000000001332000-memory.dmp (Filesize: 4.7MB)
- memory/5280-552-0x0000000000E80000-0x0000000001332000-memory.dmp (Filesize: 4.7MB)
- memory/5280-422-0x0000000000E80000-0x0000000001332000-memory.dmp (Filesize: 4.7MB)
- memory/5280-428-0x0000000004B20000-0x0000000004B21000-memory.dmp (Filesize: 4KB)
- memory/5280-427-0x0000000004B10000-0x0000000004B11000-memory.dmp (Filesize: 4KB)
- memory/5280-498-0x0000000000E80000-0x0000000001332000-memory.dmp (Filesize: 4.7MB)
- memory/5280-549-0x0000000000E80000-0x0000000001332000-memory.dmp (Filesize: 4.7MB)
- memory/5280-480-0x0000000000E80000-0x0000000001332000-memory.dmp (Filesize: 4.7MB)
- memory/5280-423-0x0000000004B40000-0x0000000004B41000-memory.dmp (Filesize: 4KB)
- memory/5280-425-0x0000000004B30000-0x0000000004B31000-memory.dmp (Filesize: 4KB)
- memory/5356-331-0x00000178EC9E0000-0x00000178EC9F0000-memory.dmp (Filesize: 64KB)
- memory/5356-332-0x00000178EC9E0000-0x00000178EC9F0000-memory.dmp (Filesize: 64KB)
- memory/5356-330-0x00000178EC9E0000-0x00000178EC9F0000-memory.dmp (Filesize: 64KB)
- memory/5356-326-0x00000178D4880000-0x00000178D48A2000-memory.dmp (Filesize: 136KB)
- memory/5356-320-0x00007FF9C4F00000-0x00007FF9C59C2000-memory.dmp (Filesize: 10.8MB)
- memory/5356-340-0x00007FF9C4F00000-0x00007FF9C59C2000-memory.dmp (Filesize: 10.8MB)
- memory/5356-334-0x00000178D48B0000-0x00000178D48BA000-memory.dmp (Filesize: 40KB)
- memory/5356-333-0x00000178ECA70000-0x00000178ECA82000-memory.dmp (Filesize: 72KB)
- memory/5616-319-0x0000000000F20000-0x00000000013D2000-memory.dmp (Filesize: 4.7MB)
- memory/5616-314-0x0000000005970000-0x0000000005971000-memory.dmp (Filesize: 4KB)
- memory/5616-245-0x0000000000F20000-0x00000000013D2000-memory.dmp (Filesize: 4.7MB)
- memory/5616-276-0x0000000005900000-0x0000000005901000-memory.dmp (Filesize: 4KB)
- memory/5616-277-0x0000000005940000-0x0000000005941000-memory.dmp (Filesize: 4KB)
- memory/5616-280-0x00000000058E0000-0x00000000058E1000-memory.dmp (Filesize: 4KB)
- memory/5616-281-0x00000000058F0000-0x00000000058F1000-memory.dmp (Filesize: 4KB)
- memory/5616-268-0x0000000005910000-0x0000000005911000-memory.dmp (Filesize: 4KB)
- memory/5616-264-0x0000000000F20000-0x00000000013D2000-memory.dmp (Filesize: 4.7MB)
- memory/5616-315-0x0000000005960000-0x0000000005961000-memory.dmp (Filesize: 4KB)
- memory/5620-434-0x0000000004FB0000-0x0000000004FB1000-memory.dmp (Filesize: 4KB)
- memory/5620-440-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/5620-435-0x0000000004FF0000-0x0000000004FF1000-memory.dmp (Filesize: 4KB)
- memory/5620-433-0x0000000004FD0000-0x0000000004FD1000-memory.dmp (Filesize: 4KB)
- memory/5620-437-0x0000000004FA0000-0x0000000004FA1000-memory.dmp (Filesize: 4KB)
- memory/5620-432-0x0000000004FC0000-0x0000000004FC1000-memory.dmp (Filesize: 4KB)
- memory/5620-431-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/5620-436-0x0000000004F90000-0x0000000004F91000-memory.dmp (Filesize: 4KB)
- memory/5620-430-0x0000000000580000-0x0000000000A3E000-memory.dmp (Filesize: 4.7MB)
- memory/5812-479-0x0000025D82210000-0x0000025D82220000-memory.dmp (Filesize: 64KB)
- memory/5812-478-0x00007FF9C4AB0000-0x00007FF9C5572000-memory.dmp (Filesize: 10.8MB)
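Triaging a Downloads list like the one above means separating real drops from noise: the crashpad pipe entry carries the digests of zero-length content, the explorha.exe copied into 09fd851a4f has the same SHA256 as the submitted sample, and the executables under numbered %Temp% folders are the fetched payloads. The following is an added example, not code from the report or from any sandbox: it parses a constructed excerpt of the list (four entries copied from above, one rewritten in a Label: value layout) and tags each entry. The label-stripping rule for fused path lines and the six-digit folder threshold are assumptions.

```python
"""Added example: parse a sandbox 'Downloads' list and triage its entries.
Accepts the fused extraction form ('...exeFilesize', 'MD5<hex>') as well as
'Label: value' lines. Sample text is a constructed excerpt of the report."""
import hashlib
import re

# Digests of zero-length content: an entry carrying them has nothing to analyse.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HASH_LINE = re.compile(r"^(?:(?:MD5|SHA1|SHA256|SHA512):?\s*)?([0-9a-fA-F]{32,128})$")
SIZE_LINE = re.compile(r"^(?:Filesize:?\s*)?(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.IGNORECASE)
# Extraction fuses the next field's label onto the path line (assumed to be the only suffixes).
LABEL_TAIL = re.compile(r"(?:Filesize|MD5|SHA1|SHA256|SHA512)$")
# Numbered download folders under %Temp% (six or more digits is an assumed threshold).
TEMP_DOWNLOAD = re.compile(r"\\AppData\\Local\\Temp\\\d{6,}\\[^\\]+\.exe$", re.IGNORECASE)

SAMPLE_REPORT = r"""
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ae626d9a72417b14570daa8fcd5d34a4
SHA1c103ebaf4d760df722d620df87e6f07c0486439f
SHA25652cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeFilesize
1.8MB
MD5e3f2565e66bef7c990748a5f99b706c4
SHA152808d09a2b8c7b4fe54e3f0634ad74663003a37
SHA2563bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e
-
C:\Users\Admin\AppData\Local\Temp\1000042001\8ce42d6d1d.exe
Filesize: 3.1MB
MD5: 339f3f4f39d82660a784f3fb070220f1
SHA1: a03957dadfbc4d434510278b58f4d7e655effce5
SHA256: 93b6b07774d558791bc34c872f8d67123b26fb070f7612278e37e934c71c9abe
-
\??\pipe\LOCAL\crashpad_2944_SDUEVFKVAOUCTCAVMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""
# SHA256 of the submitted sample, as reported on this page.
SAMPLE_SHA256 = "3bce752207b2f203bf9d90528279efdde5cf758d4c0ff3c28f446c758b98981e"


def parse_downloads(text):
    """Return [{'path', 'size', 'hashes': {algo: hex}}] in list order."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = HASH_LINE.match(line)
        if m and cur is not None:
            digest = m.group(1).lower()
            cur["hashes"][ALGO_BY_LEN.get(len(digest), "unknown")] = digest
            continue
        m = SIZE_LINE.match(line)
        if m and cur is not None:
            cur["size"] = m.group(1) + m.group(2).upper()
            continue
        if "\\" not in line and "/" not in line:
            continue  # a heading such as 'Downloads', not a path
        cur = {"path": LABEL_TAIL.sub("", line), "size": None, "hashes": {}}
        entries.append(cur)
    return entries


def triage(entries, sample_sha256):
    """Return [(path, [tags])] for entries worth a second look."""
    findings = []
    for e in entries:
        h, tags = e["hashes"], []
        if h.get("md5") == EMPTY_MD5 or h.get("sha256") == EMPTY_SHA256:
            tags.append("empty-content")
        if h.get("sha256") == sample_sha256.lower():
            tags.append("copy-of-sample")
        if TEMP_DOWNLOAD.search(e["path"]):
            tags.append("temp-download-exe")
        if tags:
            findings.append((e["path"], tags))
    return findings


if __name__ == "__main__":
    for path, tags in triage(parse_downloads(SAMPLE_REPORT), SAMPLE_SHA256):
        print(", ".join(tags), path)
```

Hash algorithms are identified by digest length rather than by the label, so a bare hash line (as after the fused pipe path) is still attributed correctly; the PowerShell usage log is parsed but produces no finding, which is the intended negative case.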