Analysis Overview
SHA256: 179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Stealc
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
Identifies Wine through registry keys
Reads data files stored by FTP clients
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Checks BIOS information in registry
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-07-06 02:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-07-06 02:57
Reported: 2024-07-06 03:18
Platform: win7-20240705-en
Max time kernel: 148s
Max time network: 155s
Command Line
Signatures
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\e05e56667b.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\e05e56667b.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1824B0F1-3B46-11EF-AB23-E297BF49BD91} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426397640" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0324df052cfda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf710000000002000000000010660000000100002000000082628fe453287b2053ec7390635791d8decaef74970ef54e11242089a9d47e23000000000e8000000002000020000000b7d7fdf4331034c888e71771d66f54e8ba53032249cc60e121bc4a6c396c0c9d20000000a7b34b723b960e802b4555da7ff29221105dbf9574faec0ffcc463f02759df1f400000006a4286a99092979465ad7e5424b48c0f661c5acd3f115bffd29e19223e121d3e8decc57d4ddf8021dc6782a15f09b31220d3956df0b5101f3c6c31df65d62169 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\e05e56667b.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\file.exe | "C:\Users\Admin\AppData\Local\Temp\file.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHCGDAFCFH.exe" |
| C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe | "C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe" |
| C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000006001\e05e56667b.exe | "C:\Users\Admin\AppData\Local\Temp\1000006001\e05e56667b.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\756fd33691.cmd" " |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2 |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-07-06 02:57
Reported: 2024-07-06 03:19
Platform: win10v2004-20240704-en
Max time kernel: 150s
Max time network: 156s
Command Line
Signatures
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\BAAEHDBFID.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\BAAEHDBFID.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\BAAEHDBFID.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BAAEHDBFID.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BAAEHDBFID.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\e04c439569.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\BAAEHDBFID.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BAAEHDBFID.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\e04c439569.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\BAAEHDBFID.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\e04c439569.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BAAEHDBFID.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AFHIEBKKFH.exe"
C:\Users\Admin\AppData\Local\Temp\BAAEHDBFID.exe
"C:\Users\Admin\AppData\Local\Temp\BAAEHDBFID.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\e04c439569.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\e04c439569.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\cf186c6e2b.cmd" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd476746f8,0x7ffd47674708,0x7ffd47674718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15052158482801124437,8722282650066259895,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,15052158482801124437,8722282650066259895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,15052158482801124437,8722282650066259895,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15052158482801124437,8722282650066259895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15052158482801124437,8722282650066259895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15052158482801124437,8722282650066259895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15052158482801124437,8722282650066259895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15052158482801124437,8722282650066259895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15052158482801124437,8722282650066259895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15052158482801124437,8722282650066259895,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15052158482801124437,8722282650066259895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15052158482801124437,8722282650066259895,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| RU | 85.28.47.30:80 | 85.28.47.30 | tcp |
| US | 8.8.8.8:53 | 30.47.28.85.in-addr.arpa | udp |
| RU | 77.91.77.81:80 | 77.91.77.81 | tcp |
| US | 8.8.8.8:53 | 81.77.91.77.in-addr.arpa | udp |
| RU | 77.91.77.82:80 | 77.91.77.82 | tcp |
| RU | 77.91.77.81:80 | 77.91.77.81 | tcp |
| US | 8.8.8.8:53 | 82.77.91.77.in-addr.arpa | udp |
| RU | 85.28.47.30:80 | 85.28.47.30 | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 216.58.201.110:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | 110.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 216.58.201.110:443 | consent.youtube.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.46:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 46.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| GB | 216.58.201.110:443 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\BAAEHDBFID.exe
| MD5 | 6b40c1ad4eb4763067fb1cfa75f8ce61 |
| SHA1 | 297b3ab03063c43f5e4e752efbba3986e2245e22 |
| SHA256 | 8ecd9ef4ed16ada01ebf877fd6911837d50003e004b0f18d48e07f347c710230 |
| SHA512 | b639cfdca983bfad19bfd54b95197e2b8c8868e7c786cec6520a61864f6571473873939b35fe5aea847d7073135df94901b1b929fbab6c8c5177626cfa65dc1f |
C:\Users\Admin\AppData\Local\Temp\1000006001\e04c439569.exe
| MD5 | 05be2cbe945ebb1f4db5c1fa09a75079 |
| SHA1 | bda32f10b41780e494da9733b74aaff5ddca342d |
| SHA256 | 179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac |
| SHA512 | 20447216767e2010afc5d54ba6218c48f8aa6594de53e97ff0a9da180f2021c9916c1dddb059aabe2470454f945eedd1520b6c3f5ba5099b6d48fad9f400cacb |
C:\Users\Admin\AppData\Local\Temp\1000008021\cf186c6e2b.cmd
| MD5 | ee00aba3bdbf694bb1588c965a077e3a |
| SHA1 | 00491ccb092d576b62d54172bdc09877d0f74c19 |
| SHA256 | 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750 |
| SHA512 | 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0331fa75ac7846bafcf885ea76d47447 |
| SHA1 | 5a141ffda430e091153fefc4aa36317422ba28ae |
| SHA256 | 64b4b2e791644fc04f164ecd13b8b9a3e62669896fb7907bf0a072bbeebaf74a |
| SHA512 | f8b960d38d73cf29ce17ea409ef6830cae99d7deafaf2ff59f8347120d81925ff16e38faaa0f7f4c39936472d05d1d131df2a8a383351f138c38afb21c1a60e2 |
\??\pipe\LOCAL\crashpad_4240_MZMCRIPZCZREPZVS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f0f818d52a59eb6cf9c4dd2a1c844df9 |
| SHA1 | 26afc4b28c0287274624690bd5bd4786cfe11d16 |
| SHA256 | 58c0beea55fecbeded2d2c593473149214df818be1e4e4a28c97171dc8179d61 |
| SHA512 | 7e8a1d3a6c8c9b0f1ac497e509e9edbe9e121df1df0147ce4421b8cf526ad238bd146868e177f9ce02e2d8f99cf7bb9ce7db4a582d487bbc921945211a977509 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 717e20357dcbd9e0b2d8aca28d5a2499 |
| SHA1 | 9554967b178f8434eabe55f0f67de70a06a5ecaf |
| SHA256 | 81450cd73f9ed3cd3d2027ef33adf58db53529c6632f24c2a8277a7742cd54c3 |
| SHA512 | 1d36636d417a11bae5e464d4ec1e3457a83d68a184ee796cbd10b0ab61d3f0be2a1c5983798ddd573f7e94a28399dd1dbe8beaadcc8dab97a81e2fc6052be312 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 13392b98a71511c927480886382a3198 |
| SHA1 | 1c533a097f9e0088824babaac6d02a37a15096e5 |
| SHA256 | db5fd8d4e80bb6c54ded175ac2122e731e4e50376457bedf9042dca24db2ba19 |
| SHA512 | 8370b4b49043afeefbdf5c5f6a80a952aaaee52fd513caf3ff8f3a70301b5f4d4eb06f818024d1af68d0b230db26b7827e90caacb277f4d0b3db7ae623ae99ce |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b3df5f1b33b39563e2e44f6cf00e1bde |
| SHA1 | 10cf6d0db56f8322d68b153d7e9dd27a3485a636 |
| SHA256 | 0202e3bce8811d3b0fa2d81ea504f4ecfbeb247c596014c954cafa0e385914b5 |
| SHA512 | 03f4ee96b99dfe62de5c2aa9d12352721d9121ba690e3fcd4c6b913562b4400aea976584ea3bf2a75a4938229a035ec19359dec913f3e746f8eef740cd701d74 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | ba8c5dca1b1861700103928278a92f21 |
| SHA1 | ea23cba56b7d9c3a1e50b24ec5c6d6c8ec16bc32 |
| SHA256 | ec180402d07b29bf4c6d51af655e8200ed3afc547bd8e0117b140c0d8ea4704f |
| SHA512 | 410eb1a3dd204e095f6418fcaacd9afb72329586af111cbd78efd6d882c4d5fb91e39de6b0986f888391962e90523aa92ffd942ca491969ed8e34b36b42fee60 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\851c4323-aab8-4d22-ba62-be7596eebc5b.tmp
| MD5 | c1c138170292b251f44a3a5e893c9287 |
| SHA1 | 4afec712444a4029b3ed1947548e7c6064600937 |
| SHA256 | c49b1dcb47ca4e6ba51b0cd2f5725fd8af71eda6704714ec01306d49ad18c5e8 |
| SHA512 | 18df7fff9c06469929e994f677f611f138cf50324487b37b8a8f859abf19acec50b26f9b595a2592be3d897de999eb92a34ff08696c8b98417fd3994547e52a2 |