Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-03-2024 12:59
General
-
Target
01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
-
Size
1.9MB
-
MD5
bf765192fb7e18bf2c9025248d43906b
-
SHA1
1083b78af5811beedf7d4e0f8c7dcb742c531b83
-
SHA256
01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20
-
SHA512
85bb10c7045a4b28a07eb1aa9d576910a8849433d29a9c0079e173a3d5eba33b6b4755ef4527b94e83f9229546b638e3871ae2758d08b879959c8998a3e52a39
-
SSDEEP
49152:jIS2DUkA/ZCcWeLrfU671Jc4BvvXoCR3BbAbmlM5:PkaZdWeLLj7jcsJAbF
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 29 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe"C:\Users\Admin\AppData\Local\Temp\01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000042001\93247754b3.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\93247754b3.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff984246f8,0x7fff98424708,0x7fff984247185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3240003867950130398,7313724525615654278,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,3240003867950130398,7313724525615654278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff984246f8,0x7fff98424708,0x7fff984247185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff984246f8,0x7fff98424708,0x7fff984247185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,8016956068585645088,11415155317589426507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:35⤵
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\757987694264_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5f35bb0615bb9816f562b83304e456294
SHA11049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA25605e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51eb86108cb8f5a956fdf48efbd5d06fe
SHA17b2b299f753798e4891df2d9cbf30f94b39ef924
SHA2561b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
960B
MD578e91fd9bd1f268bae09bfbed203d7bc
SHA13c3cc2c7a8c73c6e093e00d5cad76d94a960697d
SHA256ca002324bb36da406e74be7379c50fe9179a1ba811b453092e463d8714b98869
SHA5127f5b594c66d1388675481d13af9562315677ac9550a012794e4ba67638bad3d212b5ab2e9991861d2caccc7c32aa16b41c3a873ce965c503cbe4b67bc94d674f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD54f8ebf544945c1087ee77b6a137564df
SHA12d24eab2cd186e609e112d3f99221d49cbc97032
SHA25692249916b51736dabab1956b74c29f3f103e0d725fea8c0cb327e72b5fe823f8
SHA51205213ad2859819437e5efeb0c04ea2210bc16029c6e58b6919280f6127a1f9eb26bcda3d8c7716d43bbf3b44d71440ac42abe656859f0ba1414c55878b28187e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5eab989edf143203ee38dad3e3d11d34c
SHA175416bc0b2f37f8d49b62943cdf142b1a5f28bb4
SHA25687f93d34fc4d9e23e01073fbdc0d30913a8d92d0b59a50f6a8ce6c6e5666f124
SHA51202df827fabfec0241bbe3827a008c9fa8af43e4bddeace5511e96f77ab1cdf7112f6d071ea206ee515be6c6052344531f3c7bc1521920ed2f7f307a6e7faec0f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD50bfbba2977516805f5ba1f631cee1ce6
SHA1a714dc6ca80a6c371144ccd1c58e653be56a8d52
SHA2569b9f829d3bd765c5cca0d34f8fa869d4c81cbe13a7b5d036e4a2b04c7c3bf94b
SHA512b99e5d127533cc65c17378650015df9ddc28dcf50f67b4bf405bb2b3cbed0250d100ebedca94889f447f5c090f3a2d82adf391688b9e3e1cfd2515f6a18d62ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD515a1377044c6829cb4a801cd9a4c556a
SHA1882e7568498de7201202d3ec7b716632602cb7e6
SHA256993e1a40234937519026760131ce6c06253618c043c9b536e3dc60198af8d100
SHA512752f88e2b688e581f0fed540d19f62d3efbca32dd9b140fca92e4a4cb5c052f9dc698e5131dd27e34f6d5bee3938c8cf20023412c1490603a3d6d203ab6eed66
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
707B
MD5e6cde973163a2596e0ef23a812d3c812
SHA1e5fffb672a5815c70bbaf8c80ca1d165bb8144ea
SHA256e0f36ebd2e5c252a1804695a5bfbb39ffd57cadddd0d32e67c4ab1b1a575a4e9
SHA512cd3ff299de383e2ab72b4529a36cf42e9840f58b44809216a9a7c51e9a47ebd873390e6013f72e3297a861c106d79db0388db5487674bb4fade68170ee0b5147
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
707B
MD5c22e123ad1c10691f9ae6e20ccb6642f
SHA1d6f37869919ec9c3b3a46b86444541c6425e1113
SHA2564b725384e024235e4b819dfb967507384aa5e93bf42922151dd0be021b053017
SHA5128ac845f1821ba8e8a8491c431fee93720c8a0ba2889b78fbc8d09652c696a3bab8fd8b786016663c6c463e0b29011c827e2ad5c9c5b94355890a27e37dececfb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
707B
MD50b4d27b2d3d53c5f6d40686365bc4df9
SHA17b77b41b94a1214a0a43a37c713db603b92160cb
SHA256034c3c2b9a1950d681a87306e3453b552625f85e712c022b3518833f680a3c56
SHA512826fb8077740553c50cb6425f30234a7a32e10461df927dc948839686247e4fcd920b63909e89bb465b156cca3ea992ee7a1409d3f99b26b6acb39a3fafcebe3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
707B
MD5c82557f86c4f7a476e397c1ee774b717
SHA1b63289a1ad563cf00e863e18edcbc43e8e3b3e7f
SHA256e0e1f4fab8379b5cabb3211169e7deb8e9cf6a1209034be2d1965a48319748de
SHA51201c1f71333d84b723cfe3a6a8bd3e6f16d2c2dc49448e59d9ef44839a5b2d3387126ac0a2e64765bea5514f2aa30a8643367925fd09821bbe5f5203dd2797437
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c8fd.TMPFilesize
707B
MD59b1a59277ddb4b1cd5e4c4e600793761
SHA100b87b31a392ed9fc3e23497fcc13bc776980c43
SHA256af914283de4e2b9171e70e43cdfb2170a3825068b4fb5ad8de555193b70a35ca
SHA512d37a58bbfdcc2d82c9822f411a17db6cbc3dc1d232b9f9d7015aedbe8bab210a859d3a73061ecc060cee7999e1e618cfdd09a675465539db9cb9e07dcbf59cad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD53fa52dda248f43635cc171be99708bc5
SHA19b3df19a64a4fd4388b28266ba1d8c1032f3664e
SHA2560091ec2c3d900dc9ba533db5a3318929d0ac3ffbcb7b5440d3b3c143fd198a49
SHA51226307badfa01d4322e5a91dc94ce8c69d8fe25f274eb8442f8e198c86b33270db96d2a4751075f7f0a380c33873e7c719d5c4e59ea4445e2ee2719d1cd06f467
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD560407fd70783590fc0f4aa4f76e95846
SHA1ccf3292bcf89550307559a9996b486098063075e
SHA2569da536e13e4b376159ee69a20e396e6ae83ee95290c8fbaa22326b7be4795197
SHA51249ba70c324143a09d70c4b1538ff44000cd922269bb05862b33c38ab9e2d8b6284f2d42c844fe79ff2d1f74e588e0bcf3dfc25eded42f74c90e54841bd097573
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5a9b5cea8926aab8c60fb6fa70c2b3abf
SHA1fc4135fc30e2a6dd5f7a0ef06e9bc792288dbeb1
SHA256526fe9f9d011f92e274069efccf562250e6fc2d238f69780a29ec58d0b2293a7
SHA51296d386c2536cfee9986c0d4b2c7d91d365a2216649694010f4f6ca6a5a1fa4219733a64fc471f10d2f7a64b018e517ba87d987b3575bbe789d1ce147f1a0f6fa
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeFilesize
1.9MB
MD5bf765192fb7e18bf2c9025248d43906b
SHA11083b78af5811beedf7d4e0f8c7dcb742c531b83
SHA25601283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20
SHA51285bb10c7045a4b28a07eb1aa9d576910a8849433d29a9c0079e173a3d5eba33b6b4755ef4527b94e83f9229546b638e3871ae2758d08b879959c8998a3e52a39
-
C:\Users\Admin\AppData\Local\Temp\1000042001\93247754b3.exeFilesize
3.1MB
MD503560350b623d3325d16a46f69be90fc
SHA163d3d99dade999f15cfbad22ff040dacd13a8e1b
SHA256fd6a73027fb19ad5b50bbdd8d6b8dd3a144d1bfd5fe14a1b61d8b95207ea6c0e
SHA512d102273cff603acc6ce9e865b0d92fb6c2dd33eb7186cece8363eca6244279c1e201466211bb21c46115fb490c126d70b4c56e2fe2ee2d8922c5365606526dff
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exeFilesize
894KB
MD52f8912af892c160c1c24c9f38a60c1ab
SHA1d2deae508e262444a8f15c29ebcc7ebbe08a3fdb
SHA25659ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308
SHA5120395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exeFilesize
1.8MB
MD5727c54fa3a9c67f729c897be63eb2ee0
SHA1c94e05a7dd1573c0df9d2f8e9a2f1e10d0174c23
SHA256cd91b436df70efb3b0d4cf141d257282ace5d9daa990161b85d46d266514e886
SHA512ebf23a591fc7a602e9b1983ea54b724bdc455a4ef2e1ab40117f44fae66c5c249d34ec8809798129bdacf1a6c03f8aefde4c1bd8a4b4cea753b1dd267bee196c
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ykq1lmim.yr4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
\??\pipe\LOCAL\crashpad_3772_GMRGDXDXPSSSRTZOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2036-53-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-417-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-350-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-55-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-468-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-470-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-472-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-474-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-485-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-489-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-351-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-502-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-379-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-434-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-428-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-404-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2036-406-0x0000000000DB0000-0x0000000001174000-memory.dmpFilesize
3.8MB
-
memory/2548-7-0x0000000004BD0000-0x0000000004BD1000-memory.dmpFilesize
4KB
-
memory/2548-0-0x00000000002F0000-0x00000000007CF000-memory.dmpFilesize
4.9MB
-
memory/2548-2-0x00000000002F0000-0x00000000007CF000-memory.dmpFilesize
4.9MB
-
memory/2548-3-0x0000000004C00000-0x0000000004C01000-memory.dmpFilesize
4KB
-
memory/2548-6-0x0000000004C40000-0x0000000004C41000-memory.dmpFilesize
4KB
-
memory/2548-11-0x0000000004C50000-0x0000000004C51000-memory.dmpFilesize
4KB
-
memory/2548-10-0x0000000004C60000-0x0000000004C61000-memory.dmpFilesize
4KB
-
memory/2548-8-0x0000000004BE0000-0x0000000004BE1000-memory.dmpFilesize
4KB
-
memory/2548-9-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/2548-5-0x0000000004BF0000-0x0000000004BF1000-memory.dmpFilesize
4KB
-
memory/2548-4-0x0000000004C10000-0x0000000004C11000-memory.dmpFilesize
4KB
-
memory/2548-24-0x00000000002F0000-0x00000000007CF000-memory.dmpFilesize
4.9MB
-
memory/2548-1-0x0000000076F44000-0x0000000076F46000-memory.dmpFilesize
8KB
-
memory/2872-33-0x0000000004F60000-0x0000000004F61000-memory.dmpFilesize
4KB
-
memory/2872-27-0x0000000004F10000-0x0000000004F11000-memory.dmpFilesize
4KB
-
memory/2872-23-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-501-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-32-0x0000000004F30000-0x0000000004F31000-memory.dmpFilesize
4KB
-
memory/2872-31-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/2872-488-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-30-0x0000000004ED0000-0x0000000004ED1000-memory.dmpFilesize
4KB
-
memory/2872-324-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-484-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-368-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-29-0x0000000004F40000-0x0000000004F41000-memory.dmpFilesize
4KB
-
memory/2872-28-0x0000000004EF0000-0x0000000004EF1000-memory.dmpFilesize
4KB
-
memory/2872-380-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-473-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-471-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-26-0x0000000004F00000-0x0000000004F01000-memory.dmpFilesize
4KB
-
memory/2872-469-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-405-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-25-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-407-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-34-0x0000000004F50000-0x0000000004F51000-memory.dmpFilesize
4KB
-
memory/2872-458-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-427-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-215-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/2872-433-0x0000000000420000-0x00000000008FF000-memory.dmpFilesize
4.9MB
-
memory/4536-337-0x000001B5130A0000-0x000001B5130B0000-memory.dmpFilesize
64KB
-
memory/4536-336-0x000001B5130A0000-0x000001B5130B0000-memory.dmpFilesize
64KB
-
memory/4536-338-0x000001B52B770000-0x000001B52B782000-memory.dmpFilesize
72KB
-
memory/4536-339-0x000001B52B750000-0x000001B52B75A000-memory.dmpFilesize
40KB
-
memory/4536-345-0x00007FFF94870000-0x00007FFF95331000-memory.dmpFilesize
10.8MB
-
memory/4536-335-0x00007FFF94870000-0x00007FFF95331000-memory.dmpFilesize
10.8MB
-
memory/4536-325-0x000001B52B290000-0x000001B52B2B2000-memory.dmpFilesize
136KB
-
memory/5660-220-0x0000000004BC0000-0x0000000004BC1000-memory.dmpFilesize
4KB
-
memory/5660-225-0x0000000004B90000-0x0000000004B91000-memory.dmpFilesize
4KB
-
memory/5660-226-0x0000000004BE0000-0x0000000004BE1000-memory.dmpFilesize
4KB
-
memory/5660-275-0x0000000004C00000-0x0000000004C01000-memory.dmpFilesize
4KB
-
memory/5660-274-0x0000000004C10000-0x0000000004C11000-memory.dmpFilesize
4KB
-
memory/5660-282-0x0000000000EB0000-0x0000000001370000-memory.dmpFilesize
4.8MB
-
memory/5660-224-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/5660-223-0x0000000004B80000-0x0000000004B81000-memory.dmpFilesize
4KB
-
memory/5660-217-0x0000000000EB0000-0x0000000001370000-memory.dmpFilesize
4.8MB
-
memory/5660-222-0x0000000004BF0000-0x0000000004BF1000-memory.dmpFilesize
4KB
-
memory/5660-218-0x0000000000EB0000-0x0000000001370000-memory.dmpFilesize
4.8MB
-
memory/5660-219-0x0000000004BB0000-0x0000000004BB1000-memory.dmpFilesize
4KB