amadey | 7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a

Analysis

max time kernel
150s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
31-03-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe
Size

1.8MB
MD5

6eaa9c6417b48514603ff6dce5552fb0
SHA1

aea8136d796429b198e3e9280d5eee3d1962243e
SHA256

7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a
SHA512

fa2c1edd8c2c0f0af2d3c1e3224fecfecbf7cc43645969e618205de20fcd87842e2b3a6aa995eb51bfc6c018e6b74773f8b714c374faab0dd3b31e001a5171fb
SSDEEP

49152:1/JtLHZklXNKCtzmeZdg4iZ/lA6b8/AhJzzVLDa:ftLH2l9rX5iZtA6bWwR

Score

10^/10

amadey evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a1618ff01b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
40	5036	rundll32.exe
43	4776	rundll32.exe
46	5436	rundll32.exe
47	3508	rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a1618ff01b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a1618ff01b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe

Executes dropped EXE 7 IoCs

pid	Process
1088	explorha.exe
3216	a1618ff01b.exe
2844	go.exe
1756	amert.exe
6084	explorha.exe
5948	explorgu.exe
5052	explorha.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	a1618ff01b.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	explorgu.exe

Loads dropped DLL 6 IoCs

pid	Process
5156	rundll32.exe
5036	rundll32.exe
4776	rundll32.exe
3108	rundll32.exe
5436	rundll32.exe
3508	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0002000000025c7e-58.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2684	7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe
1088	explorha.exe
1756	amert.exe
5948	explorgu.exe
6084	explorha.exe
5052	explorha.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorha.job	7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe
File created	C:\Windows\Tasks\explorgu.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2684	7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe
2684	7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe
1088	explorha.exe
1088	explorha.exe
4764	msedge.exe
4764	msedge.exe
4848	msedge.exe
4848	msedge.exe
4820	msedge.exe
4820	msedge.exe
4896	msedge.exe
4896	msedge.exe
1756	amert.exe
1756	amert.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5868	powershell.exe
5868	powershell.exe
5868	powershell.exe
5956	msedge.exe
5956	msedge.exe
3520	identity_helper.exe
3520	identity_helper.exe
5948	explorgu.exe
5948	explorgu.exe
6084	explorha.exe
6084	explorha.exe
5436	rundll32.exe
5436	rundll32.exe
5436	rundll32.exe
5436	rundll32.exe
5436	rundll32.exe
5436	rundll32.exe
5436	rundll32.exe
5436	rundll32.exe
5436	rundll32.exe
5436	rundll32.exe
2572	powershell.exe
2572	powershell.exe
2572	powershell.exe
5052	explorha.exe
5052	explorha.exe
5712	msedge.exe
5712	msedge.exe
5712	msedge.exe
5712	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5868	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2684	7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe
2844	go.exe
2844	go.exe
2844	go.exe
2844	go.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2844	go.exe
2844	go.exe
2844	go.exe
2844	go.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 1088	2684	7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe	81
PID 2684 wrote to memory of 1088	2684	7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe	81
PID 2684 wrote to memory of 1088	2684	7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe	81
PID 1088 wrote to memory of 3216	1088	explorha.exe	82
PID 1088 wrote to memory of 3216	1088	explorha.exe	82
PID 1088 wrote to memory of 3216	1088	explorha.exe	82
PID 1088 wrote to memory of 2300	1088	explorha.exe	83
PID 1088 wrote to memory of 2300	1088	explorha.exe	83
PID 1088 wrote to memory of 2300	1088	explorha.exe	83
PID 1088 wrote to memory of 2844	1088	explorha.exe	84
PID 1088 wrote to memory of 2844	1088	explorha.exe	84
PID 1088 wrote to memory of 2844	1088	explorha.exe	84
PID 2844 wrote to memory of 4848	2844	go.exe	85
PID 2844 wrote to memory of 4848	2844	go.exe	85
PID 4848 wrote to memory of 4956	4848	msedge.exe	88
PID 4848 wrote to memory of 4956	4848	msedge.exe	88
PID 2844 wrote to memory of 4900	2844	go.exe	89
PID 2844 wrote to memory of 4900	2844	go.exe	89
PID 4900 wrote to memory of 3848	4900	msedge.exe	90
PID 4900 wrote to memory of 3848	4900	msedge.exe	90
PID 2844 wrote to memory of 2196	2844	go.exe	91
PID 2844 wrote to memory of 2196	2844	go.exe	91
PID 2196 wrote to memory of 668	2196	msedge.exe	92
PID 2196 wrote to memory of 668	2196	msedge.exe	92
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93
PID 4848 wrote to memory of 4580	4848	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe
"C:\Users\Admin\AppData\Local\Temp\7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\1000042001\a1618ff01b.exe
    "C:\Users\Admin\AppData\Local\Temp\1000042001\a1618ff01b.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:3216
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:2300
- - C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
    "C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b8253cb8,0x7ff9b8253cc8,0x7ff9b8253cd8
        5⤵
        
        PID:4956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1984 /prefetch:2
        5⤵
        
        PID:4580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
        5⤵
        
        PID:4040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        5⤵
        
        PID:2408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        5⤵
        
        PID:3208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
        5⤵
        
        PID:3560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
        5⤵
        
        PID:3184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
        5⤵
        
        PID:5188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
        5⤵
        
        PID:5400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
        5⤵
        
        PID:4704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
        5⤵
        
        PID:5612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        5⤵
        
        PID:3604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
        5⤵
        
        PID:2016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,6759081676286576019,2344057798695035241,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4872 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ff9b8253cb8,0x7ff9b8253cc8,0x7ff9b8253cd8
        5⤵
        
        PID:3848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,11358875149117632115,10087964383033524286,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
        5⤵
        
        PID:4776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,11358875149117632115,10087964383033524286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b8253cb8,0x7ff9b8253cc8,0x7ff9b8253cd8
        5⤵
        
        PID:668
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,12506103104575106117,3593511134898340226,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2
        5⤵
        
        PID:3520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,12506103104575106117,3593511134898340226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4896
- - C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1756
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:5156
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:5036
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:5600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\472529282816_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5868
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6084

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5948
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:3108
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5436
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:1720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\472529282816_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2572
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3508

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce319bd3ed3c89069337a6292042bbe0

SHA1
7e058bce90e1940293044abffe993adf67d8d888

SHA256
34070e3eea41c0e180cb5541de76cea15ef6f9e5c641e922d82a2d97bdce3aa3

SHA512
d42f7fc32a337ecd3a24bcbf6cd6155852646cae5fb499003356f713b791881fc2e46825c4ff61d09db2289f25c0992c10d6fadb560a9bea33284bd5acc449f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
12b71c4e45a845b5f29a54abb695e302

SHA1
8699ca2c717839c385f13fb26d111e57a9e61d6f

SHA256
c353020621fa6cea80eaa45215934d5f44f181ffa1a673cdb7880f20a4e898e0

SHA512
09f0d1a739102816c5a29106343d3b5bb54a31d67ddbfcfa21306b1a6d87eaa35a9a2f0358e56cc0f78be15eeb481a7cc2038ce54d552b9b791e7bee78145241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
3ff416cc3d6f54e4566f0acd3957b12c

SHA1
5ce6d43fd2c53561e1329af76c5222dc01765adb

SHA256
67eb2a1ab35397e0a311e20c9fcfef73e8de728df47d06ddcfb48ad54516684f

SHA512
aa97648b6c33ebda41768362255659767554f5f8188e1ebe1ff88db8dc39e3fbd5f10840e82cf079ea899c82ab2bfd0169edaa223aa080638f148553008c49e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d142d415dba5c70a43b599ff879c9d74

SHA1
7c57ffc40cae950c8ef3951acc086c71a8ff9f74

SHA256
380a7cf3727613a692406edc7935b7e2024e14648c326c986b4f86d526df9276

SHA512
0d36083844ad587e60da27232b8fecf7a90e27b784c9b5527b7082bea130dcd3a5b6a3e4c821caf8e12bd433703fcf3327a2bf579fa894a5c2592beaeb3dab67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
31e1199c8a7ac43e428db795e91f0fdb

SHA1
924357fe3d000525f1f67856dd9c6fb84addaba5

SHA256
fb05311a8fc7a0c1174b657ec41b6d196adb870a58a1a42ff625bd5a7a29032b

SHA512
72d66b61f430079dc07acece09d8e0fab50d3e8744a9d9bd5149d3a1465fe7f028e9bbe5f5e016b34b91eb0dd7f6930a399ac58bb82cbbe591a268f9cd8c532d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
60773069c5702aafe4a9fb4207dcf065

SHA1
a633fd3ade38d9c493ddeef5d895dbbe58664769

SHA256
e5ad5b8f86c772a609ba78f8053aa79e281029335fa44956d72a88d435c008b7

SHA512
cc944b9e6c91a91196dcf73ad50539b63a86ecb3c0422f8c3690770aae5fd0cf1328bbdfccfb7c51c0a1cfeb3995ee283124fb5fe176e57d166ab6e9f9b61e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
699B

MD5
2643431bca6c81c527378ea788ca3ba8

SHA1
27e2af5bab3c52cb75762028c0f6509b1bceb189

SHA256
bc9ecea4f549e9eb1a5a27c2a0e856a1b9028ec35ce754904e6a91b51c620e88

SHA512
3901fc1e7b74a7692b9095da12489458e23e79a5b6d3b2f36a16e284d3b96396427aae072473c32f0a15cf9bfacd6db0196dfa912b21e99b0d07737650e66ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
699B

MD5
ec7e263c0d88389a731bb473da4f5ef5

SHA1
75fed0a72e6748afa9258c2e17a99376c1f4431d

SHA256
09aa4f4877e0ed672a9426b8d9d98842aad8825eab346a0976d45d6de7402ed7

SHA512
13636af98b8c0d220341207346f1f9f9f88cf924fdd787fa7c9b145e4ad5e286944815d935cb132968b07352a9712ad994714527465d9a71383830e9ddccd4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
699B

MD5
ff7f708e2ef15a790601cd7926edd1cf

SHA1
d783c5d9d8179f0c189b7a50eaba140ca9831e14

SHA256
9694ae874b2e84829da03aa045b49893db7d3a15e64cb420afe0377a3925a491

SHA512
fad0636adf4152e36a53fc52ea2060b19d6792a872c6966f680039b374c17209874f323c6294e1faa172578ea32699f0a9e369aee1e0c49f7ca52e929ad00698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
699B

MD5
8f87bd35228be836fbfd93d9308cc66c

SHA1
664e2822b7bf5e2a26049f5637feb366f597a6b0

SHA256
e9a3554bf78bcc23cf873ae85e9ad131f96e6025453d58fe5515c372727b268b

SHA512
8c4e01267a1d8af9d35a3683af81541f442aac96e76713ad790e88ffa7e23f1751777cf9a5d1d09288aff18439568e030aeae255d36c2b2b907e2063c3eaa8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5807ac.TMP

Filesize
699B

MD5
324596a95d7e877389a14d006438020e

SHA1
af3ace8aa6be6b81e70a03a817d1d894f054a1f1

SHA256
4306d6a2e19fb47ebf6c63e6f2ee46c00b15d568a8bccc130e48d85e405c5daa

SHA512
0184924decac93e89def1fee6c559a137628bff5fe1cac7d26db6d44cf21253c94f909be1aa3e3c4a8b9c670f977ffe71b20e212fd6a9ea0e62e11a658ecafbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fb32ac3f18720386a6eba2dc83cb228f

SHA1
eee44f9b8b8ad9254d2d81b7dd2d1d9f4f4bf1cc

SHA256
a608da3230de2624725127ca4ef9de56cce8314029820d321a42ec5e6e113397

SHA512
0c2d6d1416bbba96c3198626c594b2efa7291dbff3c5cbb2cf3131edfa62fc3d1b5a293574131aa3857dbbbee9bc8a5e0fb3f81ab1d430db4c73ce48aa3f597c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
28c8e84a6ae2f725fa3546fd21ceed48

SHA1
477b1c6b581ffcc9e68d843bd86fbc8b9b23178e

SHA256
72be569398a44ca1ddfbd1368146a9810ab9eeac09d7da9d0e90d7842846acd5

SHA512
6f7af27e5aff03eebe3322040597bee6389b9ac748a08ae9bb3238d6af0d65d4bc15b82a28e160924859bb89de9117986b3d0eabdbd7f207de4d88080a568250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
fc900be6cbb6665e51d68d8ba4a8d827

SHA1
fdb8d7463579498aae73add3204c9fd22e79c434

SHA256
3727194ddb197c40392668df9a477516b2a82bcfc6e4675d91273b8ca965b755

SHA512
5f09154270ab7478f5ede3c04175330d9208edc44ba910b60c41813d34494d8c07fc693f68a6aea76047983e08bf526236baa345b0dba7037685cdc406639087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ba73cffb844afdc52e9ba1f9d94d89b7

SHA1
0403c284807d1e62a5900db1c6ac9baa2e7186a6

SHA256
54bf08bb68531bf821a7242ec7ef1bb57395245e0ff39db8fb95695c56ea55eb

SHA512
047aca8de4ac236d5771ee68406995d92861fdaf8f38e0a0e48282e1cab4cd5a81b9cadddece2ea141abb758741a3d209daae7498119a9829a2d8d630d935257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a3d2d8ec742f283d8aa08d1382996e6

SHA1
122eabf3e0b279fea6e837d55cd642b16e352ea3

SHA256
02b28ebbce54c6722b45cc497a275c60698c1be6085cd2bd8bfd5a4c8a7b053f

SHA512
fc7ac5f6c369ec6e2bd5aca829d2f75eaadf03623e1d2ba4b563a86a62eb6c9ec953b641c3e38ce6ac7e6d6cde281f59c26d992d3f510880b3fe1919ea412dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.8MB

MD5
6eaa9c6417b48514603ff6dce5552fb0

SHA1
aea8136d796429b198e3e9280d5eee3d1962243e

SHA256
7939481ace0868e47c53d885de56aa47e629bb7d53d3da2d7dcf47aa0fa33b1a

SHA512
fa2c1edd8c2c0f0af2d3c1e3224fecfecbf7cc43645969e618205de20fcd87842e2b3a6aa995eb51bfc6c018e6b74773f8b714c374faab0dd3b31e001a5171fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\a1618ff01b.exe

Filesize
3.1MB

MD5
8ae8bb956d560cb0b4d59a248b4b45b6

SHA1
af72db693ce41594e3e9228dc6a58d2fb716aa24

SHA256
7762e275244c704bb1fddf43ce848aad716be6ec1893b8d11c539bf39038001e

SHA512
db8f39e8d77a207bc17f3e222a1bb8a0eeec8a188cef08bbaa37d09bb8dc24e4b78cc18e708ef67feaa70634499073e9ccea5e5e1b4e208dadda3132aa4caec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe

Filesize
894KB

MD5
2f8912af892c160c1c24c9f38a60c1ab

SHA1
d2deae508e262444a8f15c29ebcc7ebbe08a3fdb

SHA256
59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308

SHA512
0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe

Filesize
1.8MB

MD5
5d6ff253ae0ac0541592fdb4a185062c

SHA1
189fdafc73c0cd2ebd59977d325aeb2d9a9fc1c1

SHA256
3ae0e846d5116a716420f71ff16b2489ab889ef6ab3d1e7dfb4b1447680bcdee

SHA512
d66296124beee389226666ca8bd449971d952c15a9bc98a6f3ef59bab5e07558259e68d43fed36df2c4f4040cd002cda77a03d9319ee94a9da1405b012cc1c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c2u35sks.dso.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
memory/1088-29-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1088-440-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-24-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-23-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-139-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-597-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-401-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-28-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/1088-27-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/1088-580-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-577-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-366-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-567-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-562-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-545-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-25-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/1088-207-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-26-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/1088-337-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-594-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-455-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-504-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1088-32-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/1088-31-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/1088-30-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/1088-524-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1756-171-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/1756-232-0x0000000000190000-0x0000000000650000-memory.dmp

Filesize
4.8MB

Download
memory/1756-211-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/1756-203-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/1756-196-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/1756-192-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/1756-187-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/1756-178-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/1756-164-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/1756-163-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/1756-162-0x0000000000190000-0x0000000000650000-memory.dmp

Filesize
4.8MB

Download
memory/1756-161-0x0000000000190000-0x0000000000650000-memory.dmp

Filesize
4.8MB

Download
memory/2572-488-0x00007FF9B4EC0000-0x00007FF9B5982000-memory.dmp

Filesize
10.8MB

Download
memory/2572-479-0x00007FF9B4EC0000-0x00007FF9B5982000-memory.dmp

Filesize
10.8MB

Download
memory/2572-481-0x0000027877430000-0x0000027877440000-memory.dmp

Filesize
64KB

Download
memory/2572-480-0x0000027877430000-0x0000027877440000-memory.dmp

Filesize
64KB

Download
memory/2684-7-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/2684-22-0x0000000000E70000-0x0000000001317000-memory.dmp

Filesize
4.7MB

Download
memory/2684-1-0x0000000077996000-0x0000000077998000-memory.dmp

Filesize
8KB

Download
memory/2684-10-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/2684-0-0x0000000000E70000-0x0000000001317000-memory.dmp

Filesize
4.7MB

Download
memory/2684-2-0x0000000000E70000-0x0000000001317000-memory.dmp

Filesize
4.7MB

Download
memory/2684-9-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/2684-3-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/2684-4-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/2684-8-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/2684-5-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/2684-6-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/3216-498-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-53-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-518-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-564-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-576-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-526-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-596-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-51-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-547-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-579-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-318-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-454-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-399-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-400-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-434-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/3216-591-0x0000000000FB0000-0x0000000001378000-memory.dmp

Filesize
3.8MB

Download
memory/5052-575-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/5052-568-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/5868-345-0x0000024E6B690000-0x0000024E6B6A2000-memory.dmp

Filesize
72KB

Download
memory/5868-334-0x00007FF9B4FF0000-0x00007FF9B5AB2000-memory.dmp

Filesize
10.8MB

Download
memory/5868-352-0x00007FF9B4FF0000-0x00007FF9B5AB2000-memory.dmp

Filesize
10.8MB

Download
memory/5868-335-0x0000024E6B530000-0x0000024E6B540000-memory.dmp

Filesize
64KB

Download
memory/5868-333-0x0000024E6B600000-0x0000024E6B622000-memory.dmp

Filesize
136KB

Download
memory/5868-336-0x0000024E6B530000-0x0000024E6B540000-memory.dmp

Filesize
64KB

Download
memory/5868-346-0x0000024E6B5F0000-0x0000024E6B5FA000-memory.dmp

Filesize
40KB

Download
memory/5948-563-0x0000000000FD0000-0x0000000001490000-memory.dmp

Filesize
4.8MB

Download
memory/5948-443-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/5948-546-0x0000000000FD0000-0x0000000001490000-memory.dmp

Filesize
4.8MB

Download
memory/5948-505-0x0000000000FD0000-0x0000000001490000-memory.dmp

Filesize
4.8MB

Download
memory/5948-483-0x0000000000FD0000-0x0000000001490000-memory.dmp

Filesize
4.8MB

Download
memory/5948-456-0x0000000000FD0000-0x0000000001490000-memory.dmp

Filesize
4.8MB

Download
memory/5948-453-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/5948-598-0x0000000000FD0000-0x0000000001490000-memory.dmp

Filesize
4.8MB

Download
memory/5948-439-0x0000000000FD0000-0x0000000001490000-memory.dmp

Filesize
4.8MB

Download
memory/5948-565-0x0000000000FD0000-0x0000000001490000-memory.dmp

Filesize
4.8MB

Download
memory/5948-595-0x0000000000FD0000-0x0000000001490000-memory.dmp

Filesize
4.8MB

Download
memory/5948-441-0x0000000000FD0000-0x0000000001490000-memory.dmp

Filesize
4.8MB

Download
memory/5948-442-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/5948-447-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/5948-446-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/5948-578-0x0000000000FD0000-0x0000000001490000-memory.dmp

Filesize
4.8MB

Download
memory/5948-444-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/5948-445-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/5948-581-0x0000000000FD0000-0x0000000001490000-memory.dmp

Filesize
4.8MB

Download
memory/5948-525-0x0000000000FD0000-0x0000000001490000-memory.dmp

Filesize
4.8MB

Download
memory/6084-448-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/6084-449-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/6084-450-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/6084-451-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/6084-436-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/6084-452-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download