Malware Analysis Report

2024-11-30 21:58

Sample ID 240705-y5966axdqc
Target 7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80
SHA256 7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80

Threat Level: Known bad

The file 7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Checks BIOS information in registry

Checks computer location settings

Reads data files stored by FTP clients

Identifies Wine through registry keys

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-05 20:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 20:23

Reported

2024-07-05 20:25

Platform

win10v2004-20240704-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\AKKEGHJDHD.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\AKKEGHJDHD.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\AKKEGHJDHD.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\AKKEGHJDHD.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AKKEGHJDHD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AKKEGHJDHD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3876 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3876 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 3876 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 388 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe
PID 388 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe
PID 388 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe
PID 388 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 388 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 388 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2528 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe

"C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\167ebb5265.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff917cc46f8,0x7ff917cc4708,0x7ff917cc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,12549214396714825458,5126649595291059434,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,12549214396714825458,5126649595291059434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,12549214396714825458,5126649595291059434,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12549214396714825458,5126649595291059434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12549214396714825458,5126649595291059434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12549214396714825458,5126649595291059434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,12549214396714825458,5126649595291059434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,12549214396714825458,5126649595291059434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12549214396714825458,5126649595291059434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12549214396714825458,5126649595291059434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12549214396714825458,5126649595291059434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12549214396714825458,5126649595291059434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKKEGHJDHD.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCFCFHJDBK.exe"

C:\Users\Admin\AppData\Local\Temp\AKKEGHJDHD.exe

"C:\Users\Admin\AppData\Local\Temp\AKKEGHJDHD.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,12549214396714825458,5126649595291059434,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1916 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.16.238:443 www.youtube.com tcp
GB 172.217.16.238:443 www.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
GB 216.58.201.110:443 consent.youtube.com udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp

Files

memory/3876-0-0x0000000000A80000-0x0000000000F31000-memory.dmp

memory/3876-1-0x0000000077E14000-0x0000000077E16000-memory.dmp

memory/3876-2-0x0000000000A81000-0x0000000000AAF000-memory.dmp

memory/3876-3-0x0000000000A80000-0x0000000000F31000-memory.dmp

memory/3876-4-0x0000000000A80000-0x0000000000F31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 cc3efa3f90e26642363415a00aed47f7
SHA1 d01b54ce8f110ef6b1ce195378769e64e1366edc
SHA256 7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80
SHA512 6e3dabb1e5bd78a9309507eb84f9034273e36424f22d3158b0951b30dc3f855392e8f56fc48884cfe9692ffff7fb91a2213e4f46630e7a1c8bcbc2b2234e1c50

memory/388-18-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/3876-17-0x0000000000A80000-0x0000000000F31000-memory.dmp

memory/388-19-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/388-20-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/388-21-0x0000000000700000-0x0000000000BB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe

MD5 96abb53059a3d749188008a41e4cf448
SHA1 47d0209bd0e28f90c62b63ac2c03bfe41683cb67
SHA256 60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c
SHA512 dc4c739a401032cb802a68b65754763f2edfec791f07b1cb23a89f43f35daf4445fa2399570c169a66d34d6d731c65d84e5bc07773e045c7bbf86d073aacbb2d

memory/2976-37-0x00000000006F0000-0x00000000012DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\167ebb5265.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5b6ff6669a863812dff3a9e76cb311e4
SHA1 355f7587ad1759634a95ae191b48b8dbaa2f1631
SHA256 c7fb7eea8bea4488bd4605df51aa560c0e1b11660e9228863eb4ad1be0a07906
SHA512 d153b1412fadda28c0582984e135b819ba330e01d3299bb4887062ffd6d3303da4f2c4b64a3de277773f4756da361e7bc5885c226ae2a5cfdd16ee60512e2e5e

\??\pipe\LOCAL\crashpad_1508_DHPHAPBRSVBCQWFB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2976-64-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fbc957a83b42f65c351e04ce810c1c11
SHA1 78dcdf88beec5a9c112c145f239aefb1203d55ad
SHA256 7bb59b74f42792a15762a77ca69f52bf5cc4506261a67f78cd673a2d398e6128
SHA512 efad54eb0bd521c30bc4a96b9d4cb474c4ca42b4c108e08983a60c880817f61bc19d97538cc09a54b2db95ab9c8996f790672e19fb3851a5d93f174acdfac0ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 feb07e2ec103a44485e9db93cd073ecd
SHA1 4480b7b7ac955b4940a6de6d75934117999df01c
SHA256 439d0db73d6cec80688e720ef9e7b2ff6cec979c7905995203a23dfc814e9694
SHA512 4b69a3831deed916839d314b0fe093b1cb3066ef460e522412295827ab40485b1a39f504f13ca6c0984015c340eba72cc376ad5ebd094dbc50a996f851500e6c

memory/388-125-0x0000000000700000-0x0000000000BB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/388-171-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/2976-178-0x00000000006F0000-0x00000000012DE000-memory.dmp

memory/388-182-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/1496-183-0x0000000000BE0000-0x0000000001091000-memory.dmp

memory/1496-184-0x0000000000BE0000-0x0000000001091000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8c40871b3cf04efd944d44ffa687043b
SHA1 ba46e54154887ccd99240b279ca11f84b08bd0da
SHA256 15a20e944ca23304a42d1c991b5a9a6121be1491e304893a416c14a01c9d14e7
SHA512 1e9276d81e40b26a4d412f5b5dcfe32100d9eb4cdf6516fa2e0f6972b65403fa0cb2fea5540e9af35bd7d94cf72fbeeae3b36267b426a3daa39b5dfd8a6df082

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f865964fd1aeb0b9293df682306b6e93
SHA1 9ad4512426704546aab5dd854900ccf1cf97257a
SHA256 fd60fb5947a9c8f5768176c0ae2999488cfa6457ac82b997ccfce679de597e4a
SHA512 6f2aec4bb29de791ded502859d80674e5652c4612a2a641a62bc330e788ded3c27926ae704580a85f4d742220662b510fa97015983a89c3f06667fc1956e7440

memory/388-201-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/388-202-0x0000000000700000-0x0000000000BB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f0539df8-0ac7-41ee-aba1-dff738294959.tmp

MD5 aaf6b3702466ff198f5570bfc5ef22f6
SHA1 120003ab845050f49d63eccd9d47242fdc6f0fa7
SHA256 065e7b68ec238731974058b23f138d9437bd5d98a5900992c7ce35c192ebad7b
SHA512 89e6ca750caf13f9c1b52190d707aaa005bff85e4fac676c6c4a6ab4783377af15b49c497d7e9eda124d92f6ac225b40d3603a88766324ff3e9cdff93357c021

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 28f9ba3ef6f1f573956397190425fbd2
SHA1 a2b20c15ba65863f05c98ea6298ead0a138fadcf
SHA256 69c6bfd54fce6e542a772d69ec0640c999208e170092c2fa3474e762949c5e4c
SHA512 fc1a96a2b4770323120c220f513c83da72bac6b06a77ca414b2ee46d3566a79b3d0dff2b46935068829f890dbd1e5a620809c527fbd0da5d7326d08d989416e4

memory/388-226-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/4360-228-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/4360-229-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/388-230-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/388-231-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/388-241-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/388-250-0x0000000000700000-0x0000000000BB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 6152fdb968e7fa53b084a108b3f207cc
SHA1 7c0b972963ef0b5ab0d6d78088e46355f789dbb1
SHA256 e45a29647ac4ef90df47362930f4efc69f3330cdea7143ee57463e2ebd549444
SHA512 e5ecf2157f8f4581ac7f05bfee645a0fff95508ec63a86dea9bb699438bc3ed153164bcc7e67368b22afece62a656d61074a9a47ca7ca3bc9787365fffa7f590

memory/388-274-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/388-275-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/1352-277-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/388-278-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/388-279-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/388-280-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/388-284-0x0000000000700000-0x0000000000BB1000-memory.dmp

memory/388-287-0x0000000000700000-0x0000000000BB1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-05 20:23

Reported

2024-07-05 20:25

Platform

win11-20240704-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2133704870-72480668-1360283475-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2133704870-72480668-1360283475-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2133704870-72480668-1360283475-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2133704870-72480668-1360283475-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2133704870-72480668-1360283475-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1192 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1192 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2360 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe
PID 2360 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe
PID 2360 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe
PID 2360 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 3244 wrote to memory of 3308 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3244 wrote to memory of 3308 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 4636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 4636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3308 wrote to memory of 1752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe

"C:\Users\Admin\AppData\Local\Temp\7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\4a22595fd0.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb1cf73cb8,0x7ffb1cf73cc8,0x7ffb1cf73cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1772,10766960202731266956,16039010800886468250,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1772,10766960202731266956,16039010800886468250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1772,10766960202731266956,16039010800886468250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,10766960202731266956,16039010800886468250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,10766960202731266956,16039010800886468250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,10766960202731266956,16039010800886468250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1772,10766960202731266956,16039010800886468250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1772,10766960202731266956,16039010800886468250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BFHJECAAAF.exe"

C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe

"C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,10766960202731266956,16039010800886468250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,10766960202731266956,16039010800886468250,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,10766960202731266956,16039010800886468250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,10766960202731266956,16039010800886468250,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1772,10766960202731266956,16039010800886468250,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2

Network

Country Destination Domain Proto
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.201.110:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
GB 216.58.201.110:443 www.youtube.com udp
RU 77.91.77.81:80 77.91.77.81 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 play.google.com tcp
GB 216.58.201.110:443 www.youtube.com udp
NL 52.111.243.30:443 tcp
GB 216.58.201.110:443 www.youtube.com udp

Files

memory/1192-0-0x0000000000E20000-0x00000000012D1000-memory.dmp

memory/1192-1-0x0000000077896000-0x0000000077898000-memory.dmp

memory/1192-2-0x0000000000E21000-0x0000000000E4F000-memory.dmp

memory/1192-3-0x0000000000E20000-0x00000000012D1000-memory.dmp

memory/1192-5-0x0000000000E20000-0x00000000012D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 cc3efa3f90e26642363415a00aed47f7
SHA1 d01b54ce8f110ef6b1ce195378769e64e1366edc
SHA256 7cd55af8ca34ebf1a4ce65ec3538c274007b05018e2d2db00f148a3555414a80
SHA512 6e3dabb1e5bd78a9309507eb84f9034273e36424f22d3158b0951b30dc3f855392e8f56fc48884cfe9692ffff7fb91a2213e4f46630e7a1c8bcbc2b2234e1c50

memory/2360-16-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/1192-18-0x0000000000E20000-0x00000000012D1000-memory.dmp

memory/2360-20-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/2360-19-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/2360-21-0x0000000000BF0000-0x00000000010A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\684679ea11.exe

MD5 96abb53059a3d749188008a41e4cf448
SHA1 47d0209bd0e28f90c62b63ac2c03bfe41683cb67
SHA256 60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c
SHA512 dc4c739a401032cb802a68b65754763f2edfec791f07b1cb23a89f43f35daf4445fa2399570c169a66d34d6d731c65d84e5bc07773e045c7bbf86d073aacbb2d

memory/1828-37-0x0000000000550000-0x000000000113E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\4a22595fd0.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b8739e9507ed3529c450eb5b6ac83e21
SHA1 0f933f32c39a0af112fbe0a58e5d7a9edc617965
SHA256 2b35918fecd0a80628088d9069436558b2dde8eb14de4162abf9c2e4538eaa13
SHA512 e852a75b3505554fc690faa3720b2889c884602b724210533c608649e1a1a58ebb33975ee0acfe9767ab09ddac120e934bc9662a9949750665a3a350ba9acb67

memory/1828-61-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\??\pipe\LOCAL\crashpad_3308_OKGCXLZGAKJXKXAS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c00182578404b4b6fcfde21669962dd4
SHA1 25e096b73941797b77cfb40dfc84e5d38102b1ee
SHA256 6b4b411180d903dcee076619b1b6af71d0e35569e68f0d330f8050a94e5c521e
SHA512 06a13324b95603357abbc051ec4fd083148bb28da731f8b83d4066bd47d73a7383a58d4dba52ecd63f28ff46070669dee07ce8e8f87fa07207af122264e95e9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 eab34ec626c28b6d397f0ffdae0a92f6
SHA1 261bab16aec9739c49a08f0e1b828e914041b665
SHA256 2b70445641afa6a94b38ad0310d78ca20e07b7658139ba23ec27a08e64b3cf4e
SHA512 e751e0bfec8c0fccaacccb8be6cd63e13d55a4b5e470c1c76dd3ce83ac8dc658c565e86f176170c6331c097d4e88b10e06f7df9abf50a11ef53789829062459a

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

memory/2360-177-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/1828-180-0x0000000000550000-0x000000000113E000-memory.dmp

memory/760-184-0x0000000000D00000-0x00000000011B1000-memory.dmp

memory/760-187-0x0000000000D00000-0x00000000011B1000-memory.dmp

memory/2360-188-0x0000000000BF0000-0x00000000010A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1862d8a5f954789acf53b2cf9d0098a2
SHA1 8fdade8266f524d937359dfb9e6f6209dcef21e2
SHA256 a4efdbc6666afa387e669dff47a3c8079d1fc2de03694580f489fb58b31d1b2e
SHA512 5be261b5e37fe6972285f7c9d83688c415dbcee095cdffc9c84db8898b3f00a7c2ff728203f1b812488e1df923dd2cd05848dafb42db70b08936159673dfe824

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 04cbf99ae868cd2e0c82f2cd831f2dc1
SHA1 496e201925d6bf151723368353b73460fb95b635
SHA256 c5150810be3226d39df221c427055e5be761f94b9f2ce6bc691b153d4c5b5a00
SHA512 b4213b122262d6dbd0f584ef0db0a2c2458c621fbcba8e2cbdd2126fd9b044329979fff377b539b4f6988604ab5daff423673e69f02989d21e73435b1c90f0db

memory/2360-209-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/2360-210-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/2360-211-0x0000000000BF0000-0x00000000010A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0182d4aadf0df91ceb5e59b2d8e39d7d
SHA1 6ab2fea6ba55fab60ebad0e0d74319c4a91092c6
SHA256 f1d8820f7ede5262f479e0cba076044f17e8676e2e3eaf2c944c299c44147bd7
SHA512 33d26649cacadb4c4722365745462694924e96d08227ae8623968ab5e8a81159a76dad3103211b44c320aee00f657a3b2447517dda2f3020b3cf50449aceadfc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9f8c5702ca080a7d049740be10f9cd5c
SHA1 8d77ac2af0ff70abd400b52512f7118204ae1ebc
SHA256 ef76bd003a00c91fd97e33ad8a7c1a4b54d05b4826e5bff73b208fd96e6c349b
SHA512 ba2878e95b8c1fc9a3c6c7091b6adc6dead6266cde9e589361546a3ebb15fbb7577abb67de8d286582aa0f96c51333168603897d273e8464f9cd94b3f072497a

memory/2360-226-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/1320-228-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/1320-229-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/2360-230-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/2360-231-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/2360-241-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/2360-248-0x0000000000BF0000-0x00000000010A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4f8f0989e35c17830c4c0f2341fc6edb
SHA1 ca9b508e23a563bc20a04c978bd0b9a6c2954baa
SHA256 a2c4dcdc8587ae5585863105ef615189204c4d5fa0dbe3b5134b81c17197a2f2
SHA512 1402c55a9d62cceb756b38f84f78b9686f34edfa770a3ba6947081cbc532103d46cee57bd1815206421f0f1b38df157c944e76fb301c157207eba3e2d3346a01

memory/2360-272-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/2360-273-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/1728-275-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/1728-276-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/2360-277-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/2360-278-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/2360-279-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/2360-282-0x0000000000BF0000-0x00000000010A1000-memory.dmp

memory/2360-285-0x0000000000BF0000-0x00000000010A1000-memory.dmp