Analysis Overview
SHA256
60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c
Threat Level: Known bad
The file 60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe was found to be: Known bad.
Malicious Activity Summary
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Checks BIOS information in registry
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Identifies Wine through registry keys
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-06 08:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-06 08:00
Reported
2024-07-06 08:02
Platform
win7-20240705-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\FIJJKECFCF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\FIJJKECFCF.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\FIJJKECFCF.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FIJJKECFCF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\289fcc9148.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\FIJJKECFCF.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FIJJKECFCF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\FIJJKECFCF.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 109087a77acfda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not present in report] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f0000000002000000000010660000000100002000000054a69d72a89e01a1c4129ab86404707e12401de9efb098e96aa34b8531460038000000000e8000000002000020000000eb375fd06cadff3255eb862fcbecf7dac84e57d5ecc8f11c68fb2f900308f54b200000007eb58dd6834ac265853dd91fac5c94a50d07179532c9724641bcc8111bdd780c400000009e96c4626a1f4bba7e8ccbe561feebdf827c1ce61d47cfefd54e925a87ebf6f5976fa721f611f85ac6fd229fdb74ba89fa0eccc8d2ca6c374f842514607ce738 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426414701" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D23772D1-3B6D-11EF-9A68-F6314D1D8E10} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FIJJKECFCF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FIJJKECFCF.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\289fcc9148.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe
"C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIJJKECFCF.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKKJEHCGCG.exe"
C:\Users\Admin\AppData\Local\Temp\FIJJKECFCF.exe
"C:\Users\Admin\AppData\Local\Temp\FIJJKECFCF.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\289fcc9148.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\289fcc9148.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\475249a024.cmd" "
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2124 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| RU | 85.28.47.30:80 | 85.28.47.30 | tcp |
| RU | 77.91.77.81:80 | 77.91.77.81 | tcp |
| RU | 77.91.77.82:80 | 77.91.77.82 | tcp |
| RU | 77.91.77.81:80 | 77.91.77.81 | tcp |
| RU | 85.28.47.30:80 | 85.28.47.30 | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 216.58.204.78:443 | www.youtube.com | tcp |
| GB | 216.58.204.78:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| GB | 216.58.201.110:443 | consent.youtube.com | tcp |
| GB | 216.58.201.110:443 | consent.youtube.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/760-0-0x0000000000870000-0x000000000145E000-memory.dmp
memory/760-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp
memory/760-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/760-62-0x0000000000870000-0x000000000145E000-memory.dmp
memory/760-67-0x0000000000870000-0x000000000145E000-memory.dmp
memory/2496-97-0x0000000000AE0000-0x0000000000F8E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FIJJKECFCF.exe
| MD5 | 7a7d0951bdab4de768832ef651e78c6c |
| SHA1 | 42adc0c0197ccdb7c5e444f27b9c4f79f848ec5b |
| SHA256 | 686f915f8c4cdfbd0ab8d4d4b3215b14aba3a5bd11c4ab2c5e62ad2e94cac555 |
| SHA512 | a8261a96e752e61771ad7af0b845baf35c8ae0a69e6cd82560b2bdbd2db519f20604c58f8d791c7a1513cc7e672418ed33d1852eaf2b934ff88ed9167249f737 |
memory/2496-115-0x0000000007570000-0x0000000007A1E000-memory.dmp
memory/2496-118-0x0000000000AE0000-0x0000000000F8E000-memory.dmp
memory/2932-119-0x0000000000A80000-0x0000000000F2E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000006001\289fcc9148.exe
| MD5 | de1f91ae5c55b1cbbc6d6561464d7d99 |
| SHA1 | 1d0d10896ee940549c1b70ac512935e1179932d2 |
| SHA256 | 6bf4612c1b4d71558e998e0761e3e4b4481c89ae3827622e86a81f46c08d7332 |
| SHA512 | cea1d5db20760dfca9a9b9e11358c19b53fe7c24e52aa41ce4981a6b0f76337420091d7aa0bbee250a7fd987c123d6fdb5147777ca1b56691bb2d7b83c979faa |
memory/2932-140-0x0000000006A70000-0x000000000765D000-memory.dmp
memory/1520-142-0x0000000000E90000-0x0000000001A7D000-memory.dmp
memory/2932-141-0x0000000006A70000-0x000000000765D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000008021\475249a024.cmd
| MD5 | ee00aba3bdbf694bb1588c965a077e3a |
| SHA1 | 00491ccb092d576b62d54172bdc09877d0f74c19 |
| SHA256 | 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750 |
| SHA512 | 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49 |
memory/1520-160-0x0000000000E90000-0x0000000001A7D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNGGU6NJ\favicon[2].ico
| MD5 | f3418a443e7d841097c714d69ec4bcb8 |
| SHA1 | 49263695f6b0cdd72f45cf1b775e660fdc36c606 |
| SHA256 | 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770 |
| SHA512 | 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\hqw8ypt\imagestore.dat
| MD5 | 0be6f340adc48184038105970ac27691 |
| SHA1 | b620f467580f4d527d8a30bfab14240762defa9d |
| SHA256 | c614486ae04ea2a89fa5a089b03b373d2ea5566f5548ea59ebb2658f2321a08b |
| SHA512 | 8f43eb16af66e7e4603c72669301cd92b264ab557228b736a0f978b8def04c52d31743979de547807b26dcca9dca8a583d2c8b64d0b01f11d6bde5d1b4a2c8fc |
memory/2932-236-0x0000000000A80000-0x0000000000F2E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarFFC.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\CabFF9.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e531521c9e1add70e7ac540524dc5ec |
| SHA1 | b4a582d6a02aff37fc0a70445a7aecdcaa2b279b |
| SHA256 | 249557dacfa8ea6de1b1138729540ddc21d39573ba987997ac9dc63d7ede1b31 |
| SHA512 | 738ab4f7223f406797a27ad4534d724c9f96f811b711174deb93967a0408e1ac2dd0fcf549c5c4a40da7250806e5f96d2053e88ffd03941ac0692a1ac254216f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d564fd7a65add7b79d3003e883309e35 |
| SHA1 | 01d86ee30b1bdf55055b1fc888c5addeb1079a3b |
| SHA256 | b849898f86e86693772c6933ef48e548cbbdfa9bf0b76aaccec5863c6c1777cf |
| SHA512 | 1f44c63109140060c56301a9ed794d6cc61ed66f3a2786f4fee71fbc764a323056844663da0223bf582dfe142e4dbe23504441a7bcf71f3406fa3b8dccf7253a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c5464b9aa5119535e97f5ec2cebc5d41 |
| SHA1 | 2ee73cc38d81fc3336587e086a259e59900e3fd6 |
| SHA256 | 6622420a68698837dcc5cddf2a1a36225b7c5465aa5f5f22c907231facdb69e5 |
| SHA512 | 49a251f731b59b352601259eb22ac5826da65dd2842bee0b250de47b73bf72e722e628656833299bb74cff1e90a27606248588be468f560d24c728c1a0feecde |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6759521976a141fd45e4deec968828c4 |
| SHA1 | 7e51bc9c71079303286c4f2f39f943c53e5a7fe0 |
| SHA256 | 157c77c62f39b78ec286af02a1e84836f73104d955db752c15f33d7463b9f0b9 |
| SHA512 | 3453abd2b7c3f01c42cc935f358e76303cec0dd9d3d8aafce442e955db0c1230e4d9c9a4b2624262b24e424a8e2dba1d877ef7b1045b92dcb449d06246f6bf9f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fbf21c584d09de782e2200e3a77676b5 |
| SHA1 | b9e88985d5b2a555f3637b5c96fab4fd3307eb57 |
| SHA256 | ac6670396fed99091fd3d301f9ade0c31fe1d7386651ebe4812d6a4cfbc7b533 |
| SHA512 | f678b374b784f18789576a0aae4e4ee1b4131377e5759adeb1bd0cf80d332a7b209fbcc1b672c5a37789171616f5e5eca06bf42336f400a7c663bef5a2ef71a4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d47e03b198d47a618777c14d856d27f |
| SHA1 | 1c0a2dd4932fe2cbbc8331573b4f10b1251427f2 |
| SHA256 | 9139a92a700b55d49a986599a7759610972d0b97322f6fa9fd6c2671164e0c2d |
| SHA512 | c723437a4fa880dbc0ce9747dd6c9aa6c02a3a114af64341bc5f4cc42a6a7ae54b81bb121a5d1c8686351cdd7c99687c49a09db1bab51393a5b4f85afab4bd74 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8f3f75eed7d8d116ab795b4c022e4ba2 |
| SHA1 | 5a403edf7bdc9807b38926a676ff2159ae7f2cb7 |
| SHA256 | 6d15eac1c69dd38562e05a7228776ec139053dfa6da37c2f5d207b6ec632ad4a |
| SHA512 | a7664d490b139faa04f2a9b607c40046c8f45950649e0b4be716b1f8c8f2bfbce7f599ae3e49d7f62ad8364bf6d6a230c6a93d39d3d9b33cb6780be003ff3820 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 01e651c1a5245d11df7868b977d8d9f4 |
| SHA1 | b8b1fa5f9f780e0caeb281d4322a6e0a6b70bd75 |
| SHA256 | f537b97d24a8c3a5cc2840e11f8c64f71d6df7f02c01877f81e0da4c7871f536 |
| SHA512 | b97e06ff98be95a8b5e08947d5627ad31806ebe1b9a94f77badb38578a76a008da71f2115a03b30d496e4d74fcb2c982a2056041b9a0f266114bedcf33236db1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 503e8d8b1a45216b1b88cc15516885b6 |
| SHA1 | 2e9854dcbe989881cd80dd8af606ca36763252b3 |
| SHA256 | f893aee9f0b09af59e430c0637692ed04199c4d4e49ee774125f556314ba959a |
| SHA512 | 18d02960810565d8d63d907181fc42353bf169c14e1387ff35ad28478d8d93c57f605de1a167e1946f0b23e3594bc266b72b7737292d54408178108e76cde3a9 |
memory/2932-666-0x0000000000A80000-0x0000000000F2E000-memory.dmp
memory/2932-665-0x0000000000A80000-0x0000000000F2E000-memory.dmp
memory/2932-667-0x0000000006A70000-0x000000000765D000-memory.dmp
memory/2932-668-0x0000000000A80000-0x0000000000F2E000-memory.dmp
memory/2932-669-0x0000000000A80000-0x0000000000F2E000-memory.dmp
memory/2932-670-0x0000000000A80000-0x0000000000F2E000-memory.dmp
memory/2932-671-0x0000000000A80000-0x0000000000F2E000-memory.dmp
memory/2932-672-0x0000000000A80000-0x0000000000F2E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1102939733fd634b6d8a9f487c805d1f |
| SHA1 | 6a748f83fc6c31047f403ad111cf1910d6cd046b |
| SHA256 | dc1c041945d0a2686d422df481a2f911643aa38201a10847442e77f2fa1631fb |
| SHA512 | e3adfb65841181c1823bc3c4f926f909f23988694bf5752b53f6d95ec2c88e1c2857b22645c817db43032eb2342d9575f309c730f9aef9b36b0b58f00077a67c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7f16036bb6c357a7ac3f5296b283529a |
| SHA1 | e71b690df306c1773d367eba00981cae908b405f |
| SHA256 | b95defd38ee10e7164cccfe5706f2ad9df0a80bd36cd1df1c319842a8df1f075 |
| SHA512 | d8db46c09de5e0a6413d4c9e538ed160cd077acc5b137fe98a8da3c219066c72ed127dc03f1c1c0f022e96d1f7cc7957ef8591d8957e718eb0376935a255b2a0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4f26efc3e074541a7f79b5bd48ec65ce |
| SHA1 | 85f759c44f857a585d375cc0105e356e567d7d41 |
| SHA256 | 7cb18750fbaab5b861cae2d509db50fe13ff833a6f3452207fc9d3bfab916805 |
| SHA512 | 33735aee73c31cf4261a5b4ad01b70afee7fb9ea4bbb58afcd9d74b6e42af75baaf4c457ccc2d88276321396ae4364d981b1e083a56f604e92d12be1544ed5e9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2ca557e4d423d8ef48fd8d357cf47244 |
| SHA1 | 8ad97c29f506775c9011a4b3167d82ae84cb8d7f |
| SHA256 | 3f3fe4e9f2e132d125fb895856dc907ec18ef7eac28a425efbd9f275acf971f8 |
| SHA512 | 3f5b292d90873e8df8dc7ac7933e3bdab349fe44f4ebda841f4680ed25de1d1b4ece484a18aaabe7289456b9a8d0460525c288c93722e4928a7503b9b2af8370 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | edfc4c1e7a79194a815dec65c985dbad |
| SHA1 | 1ee3d2128eb70be0ad0c08e93807b034b37e1b77 |
| SHA256 | 81fffeba89dc99cba2477695cf4654a7356f36dc8d6d9f6c8f565a483ddd2a83 |
| SHA512 | 7f0582db4555639bb8008d23a3ac4ea97d8cf3a9535b6279ca5837d5fbbeb84914bceb06ebc3cb6ab3961663a1e5ece3812187fdb4cfb258f49715277ca2986f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 73a581116b36ca6aa68a2bd765bd1be6 |
| SHA1 | 0b4a7025abc19749ac5bc4ad32d2dfec71e760d4 |
| SHA256 | 16160d7f0d4096da2d38fc1764213a41252c84ab2d4747f53e0e4dc1f4c726e0 |
| SHA512 | fc592c7bd4a5678d8818a41156099c39914f5d6b2b1ca096e294d2a7c9444214ccfde188fc8882a022b1c35c0cebc14fd0052fd5fa6ad7e78ec34b4b5443a33b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d938df3a4236482c14bcfcd52feda142 |
| SHA1 | 429a41fa4d89089d28dc15f92b6077fc7b20935c |
| SHA256 | efbb0285fa74871974be28f585344935d2fceff629f789f5ef797f10ffcced18 |
| SHA512 | 4abbedd6f896464af442c46d3b3c2f86334b069e6b2e0ad7fec4a3933dc58a6a44b0c7559deb1d655c92d993e95578cd6a8f682e3f8e2933ab0fbae7ebdb7ad8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f969ffed7e2e310a326f64dafb0bebc4 |
| SHA1 | 86f4bfbf848d023063d9b8bd689986174ccb0c5a |
| SHA256 | 7833f91f8f91d9419618f9827fd2ef179b2927c0a184951581594c5ab34902fa |
| SHA512 | dbe28609a72aaaeea5550c41d51c83b1360b4e72c31653553edacf3e804342eaad8aa74689a4fe958c5e87e3b5485d32786bb104014e7220e2b607415f4aa2d6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4959f0038e4e89659561f0b5d425dcd4 |
| SHA1 | 0dace889556f17ff260049a3d295e898907fb449 |
| SHA256 | 40cb5110a538fb5724b4bd876d2091c1d49254b3cb087399769cb081d055a4c0 |
| SHA512 | 7b13eb1960f3fca99647490840bb631eeeefe6bdef5204557d84b74b8bfc900ded45d46d711d853dd67e8a880ca7956f571c7414ab3d1b1539a6e34a4937e7f6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6641d00b61fb6dc8649e375bc5fdc492 |
| SHA1 | 57969bcdd1fa2b1e5b6f11a9a65ae3494da0fcaf |
| SHA256 | aa30ecac3f945e1096a95b1f3203787ec7ae8ad949d0ae3ef2c9fc7685b46654 |
| SHA512 | 236db23119743b8b282ddc36828f69a156bd2c30680dc8e5fde070b8f80ee647c0eaa9373cc78ab7e4681e1bc7792b975903f35c013217a27d9c45afea894901 |
memory/2932-1105-0x0000000000A80000-0x0000000000F2E000-memory.dmp
memory/2932-1106-0x0000000000A80000-0x0000000000F2E000-memory.dmp
memory/2932-1107-0x0000000000A80000-0x0000000000F2E000-memory.dmp
memory/2932-1108-0x0000000000A80000-0x0000000000F2E000-memory.dmp
memory/2932-1109-0x0000000000A80000-0x0000000000F2E000-memory.dmp
memory/2932-1110-0x0000000000A80000-0x0000000000F2E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-06 08:00
Reported
2024-07-06 08:02
Platform
win10v2004-20240704-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\KJJJKFIIIJ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\KJJJKFIIIJ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\KJJJKFIIIJ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KJJJKFIIIJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KJJJKFIIIJ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\0b8892f785.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\KJJJKFIIIJ.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\KJJJKFIIIJ.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\0b8892f785.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe
"C:\Users\Admin\AppData\Local\Temp\60d7123cafb385bba287360f90d6f682c6397f8feb030ac0d36f4473b779ab3c.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJJJKFIIIJ.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IEBFHCAKFB.exe"
C:\Users\Admin\AppData\Local\Temp\KJJJKFIIIJ.exe
"C:\Users\Admin\AppData\Local\Temp\KJJJKFIIIJ.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\0b8892f785.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\0b8892f785.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\289fcc9148.cmd" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff399f46f8,0x7fff399f4708,0x7fff399f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,525641422652481789,12457807209297510108,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,525641422652481789,12457807209297510108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,525641422652481789,12457807209297510108,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,525641422652481789,12457807209297510108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,525641422652481789,12457807209297510108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,525641422652481789,12457807209297510108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,525641422652481789,12457807209297510108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,525641422652481789,12457807209297510108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,525641422652481789,12457807209297510108,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,525641422652481789,12457807209297510108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,525641422652481789,12457807209297510108,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,525641422652481789,12457807209297510108,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5324 /prefetch:2
Network
Files