Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01-09-2024 13:40
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240708-en
General
-
Target
file.exe
-
Size
1.8MB
-
MD5
87c548fab3b4bf1b9fdaa21e4cc18f27
-
SHA1
cfa7c8c564668ef2827efd4d890f1ff19a8f0c78
-
SHA256
d7e8125c7026f1a9e05ecd076203aef923870b2a222945cdf13b9a9165928748
-
SHA512
764b3e7db14e07bcdad352e0d141f315f9370828475a5809f8e1df8e887c5168c2bdfea7988a50fcdab1916f8fb11814f65f8088f68c721d14589f6d0afde8a9
-
SSDEEP
49152:MFLjIClgvypImQ2hJaSsS/zL6MBgZgNFgB:MFLac4QVs6bBgGFg
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
leva
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes:
explorti.exefile.exeexplorti.exef6f86602ba.exe7a40f37c60.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f6f86602ba.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7a40f37c60.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
file.exeexplorti.exe7a40f37c60.exeexplorti.exef6f86602ba.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7a40f37c60.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f6f86602ba.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f6f86602ba.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7a40f37c60.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
file.exeexplorti.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation explorti.exe -
Executes dropped EXE 6 IoCs
Processes:
explorti.exef6f86602ba.exe7a40f37c60.exea0df713e0d.exeexplorti.exeexplorti.exepid process 3220 explorti.exe 4436 f6f86602ba.exe 3984 7a40f37c60.exe 2036 a0df713e0d.exe 1416 explorti.exe 5492 explorti.exe -
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
file.exeexplorti.exef6f86602ba.exe7a40f37c60.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine f6f86602ba.exe Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine 7a40f37c60.exe Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine explorti.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000053001\a0df713e0d.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
file.exeexplorti.exef6f86602ba.exe7a40f37c60.exeexplorti.exeexplorti.exepid process 4072 file.exe 3220 explorti.exe 4436 f6f86602ba.exe 3984 7a40f37c60.exe 1416 explorti.exe 5492 explorti.exe -
Drops file in Windows directory 1 IoCs
Processes:
file.exedescription ioc process File created C:\Windows\Tasks\explorti.job file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
7a40f37c60.exea0df713e0d.exefile.exeexplorti.exef6f86602ba.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7a40f37c60.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0df713e0d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f6f86602ba.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
file.exeexplorti.exef6f86602ba.exe7a40f37c60.exemsedge.exemsedge.exeidentity_helper.exeexplorti.exeexplorti.exemsedge.exepid process 4072 file.exe 4072 file.exe 3220 explorti.exe 3220 explorti.exe 4436 f6f86602ba.exe 4436 f6f86602ba.exe 3984 7a40f37c60.exe 3984 7a40f37c60.exe 3740 msedge.exe 3740 msedge.exe 4824 msedge.exe 4824 msedge.exe 4620 identity_helper.exe 4620 identity_helper.exe 1416 explorti.exe 1416 explorti.exe 5492 explorti.exe 5492 explorti.exe 828 msedge.exe 828 msedge.exe 828 msedge.exe 828 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
a0df713e0d.exepid process 2036 a0df713e0d.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs
Processes:
msedge.exepid process 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe 4824 msedge.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
a0df713e0d.exemsedge.exepid process 2036 a0df713e0d.exe 2036 a0df713e0d.exe 4824 msedge.exe 2036 a0df713e0d.exe 4824 msedge.exe 2036 a0df713e0d.exe 4824 msedge.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
a0df713e0d.exepid process 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe 2036 a0df713e0d.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
file.exeexplorti.exea0df713e0d.exemsedge.exedescription pid process target process PID 4072 wrote to memory of 3220 4072 file.exe explorti.exe PID 4072 wrote to memory of 3220 4072 file.exe explorti.exe PID 4072 wrote to memory of 3220 4072 file.exe explorti.exe PID 3220 wrote to memory of 4436 3220 explorti.exe f6f86602ba.exe PID 3220 wrote to memory of 4436 3220 explorti.exe f6f86602ba.exe PID 3220 wrote to memory of 4436 3220 explorti.exe f6f86602ba.exe PID 3220 wrote to memory of 3984 3220 explorti.exe 7a40f37c60.exe PID 3220 wrote to memory of 3984 3220 explorti.exe 7a40f37c60.exe PID 3220 wrote to memory of 3984 3220 explorti.exe 7a40f37c60.exe PID 3220 wrote to memory of 2036 3220 explorti.exe a0df713e0d.exe PID 3220 wrote to memory of 2036 3220 explorti.exe a0df713e0d.exe PID 3220 wrote to memory of 2036 3220 explorti.exe a0df713e0d.exe PID 2036 wrote to memory of 4824 2036 a0df713e0d.exe msedge.exe PID 2036 wrote to memory of 4824 2036 a0df713e0d.exe msedge.exe PID 4824 wrote to memory of 4832 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 4832 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1928 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 3740 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 3740 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1696 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1696 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1696 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1696 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1696 4824 msedge.exe msedge.exe PID 4824 wrote to memory of 1696 4824 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Users\Admin\AppData\Roaming\1000051000\f6f86602ba.exe"C:\Users\Admin\AppData\Roaming\1000051000\f6f86602ba.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4436 -
C:\Users\Admin\AppData\Roaming\1000052000\7a40f37c60.exe"C:\Users\Admin\AppData\Roaming\1000052000\7a40f37c60.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3984 -
C:\Users\Admin\AppData\Local\Temp\1000053001\a0df713e0d.exe"C:\Users\Admin\AppData\Local\Temp\1000053001\a0df713e0d.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cff146f8,0x7ff9cff14708,0x7ff9cff147185⤵PID:4832
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:25⤵PID:1928
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:3740 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:85⤵PID:1696
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:15⤵PID:3616
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:15⤵PID:3580
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:15⤵PID:2584
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:15⤵PID:3260
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:15⤵PID:428
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:15⤵PID:2968
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:15⤵PID:4584
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:15⤵PID:3664
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:15⤵PID:4908
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:15⤵PID:2064
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:15⤵PID:2316
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:15⤵PID:3044
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:15⤵PID:1108
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:15⤵PID:5040
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:15⤵PID:2276
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:15⤵PID:4616
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:15⤵PID:5128
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:15⤵PID:5136
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:15⤵PID:5148
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:15⤵PID:5160
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:15⤵PID:5192
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:15⤵PID:5200
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:15⤵PID:5236
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:15⤵PID:5532
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:15⤵PID:5540
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:15⤵PID:5764
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7600 /prefetch:15⤵PID:5772
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:15⤵PID:5888
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7428 /prefetch:15⤵PID:6012
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6732 /prefetch:85⤵PID:5536
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6732 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:4620 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1392,2098700358072712995,186708845583242866,131072 --disable-features=TranslateUI --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6160 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:828
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:384
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4032
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:5772
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1416
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5492
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5b0d38f3a702f0dd5bab08675bb7000f9
SHA1d6791538216b0e53b2a01f4e412aae5bf225f42c
SHA2569c1c0cbebfe12305c37c05cb953ae290c3de3a81446160c6404a0567f9fe742c
SHA512ebcbfb5ba092484cfde53d456cf2b6ab144a7b5553b271af379956f6eb7ed720e4122f3cf0b100671c2f37db4ca715109dce2918cd8c63ee160d51b96e91fe1d
-
Filesize
152B
MD5cc1206eec767267902cea5581c96ab81
SHA17dbfc29d40f6f0dcb678a80993be52e264f3c6a4
SHA25621089dfd9875ce29aa85f9af3d0b04d8de90f23b3a70dd51188ccd24b2b0f40a
SHA51274b06002c3829ff049008af6733a385e8ccab4bc30247768ed7f692228b97a4db85053965b0736eb7b59477457fd43bf2b905aa3c45186fcf9870276b1d3f383
-
Filesize
152B
MD52801a46fe50e7837c2fd4393fe563a8a
SHA13d1bb542da970206dbe2e972333ff1b76a0f7497
SHA256a9813825ac87701d9aa86507dae2bb09821d83da4011aebeabfade681efd5734
SHA51202220d91ee2ba898762a22db64980dfa4a70d326c949521e6cb73ecd51aa5757f8f4e3927b87aaf11fadd0ef6d2b9eed87587f46f6cd3b36681b8ae53ed3517f
-
Filesize
20B
MD59e4e94633b73f4a7680240a0ffd6cd2c
SHA1e68e02453ce22736169a56fdb59043d33668368f
SHA25641c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\96c26794-613f-4a33-a6da-73c95c9e5ffa.tmp
Filesize4KB
MD5120e89e3f4aa1c006c2d4f9214f6f771
SHA1af241e85b8ff5552285ae529fc76d2955e420d9c
SHA256cb05a5fd61260fd8bb7ea0535030725c1b9e305e76c645a76bee5cf276ff031a
SHA512ea3221e989751f21a9a604f7a701992ac36fa00050f8daaf181e49ad49c4ec1e02bc86bc964559a49d6dba83d3271944fcf3a6b511ef0d6af9647aaba018ec4f
-
Filesize
1KB
MD5576283d354dec55e1aa8c25e840285f6
SHA1ab60ceda37551ae14720b86dce6c1c40caa322aa
SHA2564fdfb81bdc21912527eb33e7774e2d3d002a9174164873ba77384ad5939c8266
SHA51235908331457e2d4d569d21911a100cc402371da2abfe3d66946d6b87d8d9ee49b5da888f7218b6c26b5ef6ee85b138c20037c81e74ea831e6efa820e567ff6b7
-
Filesize
4KB
MD52f1d2d101c3e9754b6e24248005f241c
SHA1d21692eee10ee62d709beb91c944e3b316103440
SHA256f75d88694719190055d1584f7977f75dac4252e337a5f361c8e2f982ba108e8d
SHA512349ab3bd5c408e8fb6cb72bbccb30f1cd935913aa8e4b0ffd3eef1c87669fccfb673dfce7c025a81ca6e6bbe66e0f41335f7a78fbe1b8e6891ffdb6d8efb74fa
-
Filesize
4KB
MD5535e771d2eab3b62df474b68143dc1e6
SHA1a8582dc3608a0534bd52cb382cfc0c994ad0e4df
SHA2565e7832e1350289c50a921ad5c3f4024b70569492bf235b416a69fb31a2fe7ecd
SHA512119aea358518ba36621453e3a92e5b1713b986378578fd943adf4f5e497929ad53b6e1cd30c8c563d1c121826abbed73c9e52eb17644e008a874d7cf1327e490
-
Filesize
24KB
MD51fbd19577537ab00a09fc359c4ec6c9f
SHA1fbe7b1fa961309af21f9822d874c629e64ed822b
SHA25607a2cab166f631f41274f0f9bdd9f2a429ed3ab864b24c54a287ebcf5b67ae6c
SHA512888480f63cc759a059228eb2f3666d899dc5b3eed614135a9226a888cf8cf7db8ace4bebe85d371d63fc1ea8ee9d28ab3c787ebcd35aa378f106e05e080fddad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe580c9d.TMP
Filesize24KB
MD543d21344a153c57ab58966deff61fb4b
SHA1852babf193cbd34b2d29c7544f2f27eecb6d9890
SHA256ad62f9c8d4db4395695c91f4b67cc8f4ae4d8f144ca94559f669a3057136a332
SHA5123bd4a1e49ca58deb8b6496921c17bc42b4da4c5d7eda3ea7f0f76f78bff7b779163bc0a6007037641e9af04a1e8cded555d84b7928e68e000695f57df7e18803
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0
Filesize8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
Filesize264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2
Filesize8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3
Filesize8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT
Filesize16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\cb00afa0-99e5-4100-9e89-df200b1dcd7e.tmp
Filesize9KB
MD5b16b3ac88ed41eaf9752219f54a16139
SHA11c12481cf677732566af013649289588563ced97
SHA256001b2f23c11356d0d74d58c575afd3d07e713d43e14b5a4ef1b5ccf5d5b91873
SHA5127443bdf544a0e0eff3f0181c62f588d0546407a1319134929f62022cdbc18da079eb582ef0b51c36f09ea1094d3982f5c89a0cdd1fef59d9840d043d2a400caa
-
Filesize
1.8MB
MD587c548fab3b4bf1b9fdaa21e4cc18f27
SHA1cfa7c8c564668ef2827efd4d890f1ff19a8f0c78
SHA256d7e8125c7026f1a9e05ecd076203aef923870b2a222945cdf13b9a9165928748
SHA512764b3e7db14e07bcdad352e0d141f315f9370828475a5809f8e1df8e887c5168c2bdfea7988a50fcdab1916f8fb11814f65f8088f68c721d14589f6d0afde8a9
-
Filesize
896KB
MD5815d0325b08029dc535dc4c7c9daeaf7
SHA15f0d5f6624954c274bbce5edd211b28696897400
SHA25680c206cdeb203530a85f6700016155be6e1380d913c589bad66ca7a7ff209b4f
SHA512cb754b8f9d907be570ed3a5d218184970872c015b88e8ba78ae5425198fcf8ea6e8d01a4ecfbd8b3dbc1ac3eccfcc692297579cb5c9b67a560059038f62c8d0f
-
Filesize
1.7MB
MD5c318d3326ce1921ff20be775cbc99782
SHA194bb85d34e0fccf26fd58cfadfabe90606ec00f4
SHA2563ab3541c8960a2f4ccc60e0e8efc339d0f99d9cb96b0ea46a5e0440b020347d9
SHA51235556fabf9cd5c229fb2975a9075dd25b1ff913d152689a5e955b6214691779b6e8f58d53750bd9abb1ffddedc5b238a6284628c1b3a2286f59ef727aade7919
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MT6ZR8BG14T4ZXS2MPVP.temp
Filesize3KB
MD58b2dcea9f9fa12a983e1551f2b6b0908
SHA195b2d810f687bd79ba5f51ec624874d2ab046360
SHA2564f28a073120a7c5b8336f433de0aabec9160b8d99bd26bf81ed00b42466c5e46
SHA51219b03dea5956b6e991bf4ab9f12c9eb1b5314dbef30ec1665e991971fb37796c67ddbe5ff4cbef134e33e9d130381b333aa243f452937bd321e55036aacaed8a
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e