Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2024 02:00
Static task: static1
Behavioral task: behavioral1
Sample: 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
Resource: win7-20240221-en
Behavioral task: behavioral2 (the run reported on this page; its memory-dump IoCs are prefixed behavioral2/)
Sample: 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
Resource: win10v2004-20240319-en
General
Target: 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
Size: 1.8MB
MD5: 75c5abaeb9f1654c1daf75aab1e032dd
SHA1: 9ccdcdc00e4108b0cf873b8948919b6015e7f118
SHA256: 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429
SHA512: f8103bea2707cabeb2207128f2782ccce77c99b73a41425760eb03c2c1bfabbee856789ec4f3e0349584b6eb07099da664f2c670814bea18298e6503e4b9bcd6
SSDEEP: 24576:aE6MsqRTgfRkmMSDyNnBVv0zO6jRjXFVPQlgKHxKPA/Otoi+4mn1q+yn1KsM:GMs0MRGSDqJYFjVV0pHQIuVmnufM
Malware Config
Extracted: amadey, version 4.17
- C2: http://185.215.113.32
- install_dir: 00c07260dc
- install_file: explorgu.exe
- strings_key: 461809bd97c251ba0c0c8450c7055f1d
- url_paths: /yandex/index.php
Extracted: redline
- Botnet: LiveTraffic
- C2: 4.185.137.132:1632
Extracted: redline
- Botnet: @OLEH_PSP
- C2: 185.172.128.33:8970
Extracted: amadey, version 4.18
- C2: http://193.233.132.56
- install_dir: 09fd851a4f
- install_file: explorha.exe
- strings_key: 443351145ece4966ded809641c77cfa8
- url_paths: /Pneh2sXQk0/index.php
Extracted: amadey, version 4.18 (second extraction of the same configuration, without the install fields)
- C2: http://193.233.132.56
- strings_key: 443351145ece4966ded809641c77cfa8
- url_paths: /Pneh2sXQk0/index.php
Extracted: amadey, version 4.12
- C2: http://185.172.128.19
- install_dir: cd1f156d67
- install_file: Utsysc.exe
- strings_key: 0dd3e5ee91b367c60c9e575983554b30
- url_paths: /ghsdh39s/index.php
Signatures
-
Detect ZGRat V1 (7 IoCs)
YARA rule family_zgrat_v1 matched:
- C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe
- behavioral2/memory/1304-55-0x00000000005E0000-0x000000000065A000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
- C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
- behavioral2/memory/3476-117-0x00000000002A0000-0x000000000045C000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\63P52RXT\alex1234[1].exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (7 IoCs)
YARA rule family_redline matched:
- behavioral2/memory/560-60-0x0000000000400000-0x0000000000450000-memory.dmp
- C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
- C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
- behavioral2/memory/388-162-0x0000000000A50000-0x0000000000AA2000-memory.dmp
- behavioral2/memory/4388-184-0x0000000000C20000-0x0000000000CAC000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
- C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 8 IoCs)
Processes: random.exe, amadka.exe, explorha.exe, 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe, explorgu.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by: random.exe, amadka.exe, explorha.exe, explorha.exe, amadka.exe, explorha.exe, 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe, explorgu.exe
-
Blocklisted process makes network request (6 IoCs)
flow / PID / process:
- flow 63, PID 4256, rundll32.exe
- flow 66, PID 5856, rundll32.exe
- flow 85, PID 5264, rundll32.exe
- flow 86, PID 5244, rundll32.exe
- flow 94, PID 6088, rundll32.exe
- flow 100, PID 1056, rundll32.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry (2 TTPs, 16 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe, random.exe, explorha.exe, amadka.exe, explorgu.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by: 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe, explorha.exe, explorgu.exe, random.exe, amadka.exe, explorha.exe, explorha.exe, amadka.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by: random.exe, explorha.exe, amadka.exe, 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe, explorgu.exe, explorha.exe, explorha.exe, amadka.exe
-
Checks computer location settings (2 TTPs, 7 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: explorha.exe, chrosha.exe, RegAsm.exe, explorgu.exe, NewB.exe, amadka.exe
- Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation by: explorha.exe, chrosha.exe, RegAsm.exe, explorgu.exe, RegAsm.exe, NewB.exe, amadka.exe
-
Executes dropped EXE (25 IoCs)
PID / process:
- 3676 explorgu.exe, 1304 goldprimeldlldf.exe, 5068 random.exe, 3476 alex1234.exe, 388 propro.exe, 4388 Traffic.exe, 5508 chckik.exe, 5540 amadka.exe, 4480 NewB.exe, 5340 explorha.exe
- 5076 redlinepanel.exe, 2200 32456.exe, 6068 explorha.exe, 6100 chrosha.exe, 4076 NewB.exe, 4652 amadka.exe, 3232 NewB.exe, 4376 redlinepanel.exe, 5532 goldprimeldlldf.exe, 3272 32456.exe
- 5584 alex1234.exe, 1312 propro.exe, 5264 Traffic.exe, 6068 explorha.exe, 5152 NewB.exe
-
Identifies Wine through registry keys (2 TTPs, 8 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: explorha.exe, 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe, explorgu.exe, random.exe, amadka.exe
- Key opened \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine by: explorha.exe, 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe, explorgu.exe, random.exe, amadka.exe, explorha.exe, explorha.exe, amadka.exe
-
Loads dropped DLL (9 IoCs)
PID / process (all rundll32.exe): 4904, 4256, 5856, 5864, 5264, 5244, 4828, 6088, 1056
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: explorgu.exe, chrosha.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe" by explorgu.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" by explorgu.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000087001\\amadka.exe" by chrosha.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
PID / process: 2076 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe, 3676 explorgu.exe, 5540 amadka.exe, 5340 explorha.exe, 6068 explorha.exe, 4652 amadka.exe, 6068 explorha.exe
-
Suspicious use of SetThreadContext (4 IoCs)
- PID 1304 goldprimeldlldf.exe set thread context of PID 560 RegAsm.exe
- PID 3476 alex1234.exe set thread context of PID 1864 RegAsm.exe
- PID 5532 goldprimeldlldf.exe set thread context of PID 5884 RegAsm.exe
- PID 5584 alex1234.exe set thread context of PID 2580 RegAsm.exe
-
Drops file in Windows directory (3 IoCs)
- File created C:\Windows\Tasks\explorgu.job by 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe
- File created C:\Windows\Tasks\chrosha.job by chckik.exe
- File created C:\Windows\Tasks\explorha.job by amadka.exe
-
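The registry and file rows in the anti-VM, BIOS, Wine, geofencing, Run-key and Tasks-folder signatures above are flattened into one line each. The following added example (not part of the sandbox report or of the malware) parses rows in that layout into structured records, rewrites the kernel object paths (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) into the HKLM/HKU form that reg.exe and Sigma rules use, and maps each row to the ATT&CK technique it evidences. The SAMPLE rows are copied from the report; the regex-to-technique table is this example's own.

```python
"""Parse flattened sandbox IoC rows ("<action> <target> <process> ...") into records.
Added example; not part of the sandbox report or the malware. SAMPLE rows are copied
from the report, the TECHNIQUES mapping is this example's own."""
import re
from collections import defaultdict

# Rows copied from the report's signature sections, joined with single spaces
# exactly as the page flattens them.
SAMPLE = " ".join([
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine explorha.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation explorha.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe" explorgu.exe',
    r"File created C:\Windows\Tasks\explorgu.job 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe",
])

ACTIONS = r"Key opened|Key value queried|Key created|Set value \((?:str|data)\)|File created"
# target is lazy and the process must be followed by the next action keyword or end of
# text, so a target that itself contains ".exe" (a Run value name) is not cut short.
ROW = re.compile(rf"(?P<action>{ACTIONS}) (?P<target>.+?) (?P<process>\S+\.exe)(?= (?:{ACTIONS})|$)")

# (regex over the normalised key/path, ATT&CK ID, what the access evidences); this example's own.
TECHNIQUES = [
    (r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", "T1497.001", "VirtualBox ACPI table lookup"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "T1497.001", "BIOS version string check"),
    (r"\\Software\\Wine$", "T1497.001", "Wine check"),
    (r"\\Control Panel\\International\\Geo\\Nation$", "T1614", "country code lookup (geofencing)"),
    (r"\\CurrentVersion\\Run\\", "T1547.001", "Run key persistence"),
    (r"^C:\\Windows\\Tasks\\[^\\]+\.job$", "T1053.005", "legacy .job scheduled task file"),
]


def normalise_key(path: str) -> str:
    """Turn the kernel object path into the HKLM/HKU form used by reg.exe and Sigma rules."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path)
    return re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", path)


def parse_rows(text: str) -> list:
    """One dict per row: action, normalised key, value (Set value rows only), process, technique."""
    records = []
    for m in ROW.finditer(text):
        target, value = m["target"], None
        if m["action"].startswith("Set value"):
            target, value = target.split(" = ", 1)
        key = normalise_key(target)
        tech = next(((tid, why) for rx, tid, why in TECHNIQUES if re.search(rx, key, re.I)), None)
        records.append({"action": m["action"], "key": key, "value": value,
                        "process": m["process"], "technique": tech})
    return records


def techniques_by_process(records: list) -> dict:
    """Which ATT&CK techniques each process evidenced; the combination is the signal."""
    out = defaultdict(set)
    for r in records:
        if r["technique"]:
            out[r["process"]].add(r["technique"][0])
    return dict(out)


if __name__ == "__main__":
    recs = parse_rows(SAMPLE)
    for r in recs:
        print(f'{r["process"]:<24} {r["action"]:<18} {r["key"]}  ->  {r["technique"]}')
    print(techniques_by_process(recs))
```

Run keys, BIOS and ACPI reads and a Geo\Nation lookup are each common in benign software; what makes them worth an alert here is the combination inside one freshly dropped executable under %TEMP%, which is what techniques_by_process exposes per process.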
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- schtasks.exe /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe" /F, spawned by NewB.exe (see the process tree)
-
Modifies system certificate store (2 IoCs)
Processes: propro.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 by propro.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob by propro.exe = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61
-
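The Blob value above is the serialised set of certificate-context properties that Windows stores for each entry under SystemCertificates, with the DER certificate embedded in it. The following is an added example, not part of the sandbox report or of the malware: it splits the property records (the IDs are the CERT_*_PROP_ID values from wincrypt.h), pulls out the certificate, and walks just enough DER to report subject, issuer, validity, basic constraints and key size with nothing beyond the Python standard library. The blob bytes are copied from the report; everything else is this example's own.

```python
"""Decode the SystemCertificates\\ROOT\\...\\Blob value written by propro.exe (report above).
Added example, not part of the sandbox report or the malware: the bytes are the report's,
property IDs are the wincrypt.h CERT_*_PROP_ID values, the DER walker is deliberately minimal."""
import hashlib
import struct
from datetime import datetime

BLOB_HEX = """
0b0000000100000048000000
54006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079000000
0200000001000000cc000000
1c0000006c0000000100000000000000000000000000000001000000
7b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d0000000000
4d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000
030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b064
20000000010000000a030000
30820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500
302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479
301e170d3233303331343130333532305a170d3236303631373130333532305a
302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479
30820122300d06092a864886f70d01010105000382010f003082010a0282010100
86e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713
bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b
94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a
311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c519
0203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff
300d06092a864886f70d01010b05000382010100
70851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c
02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8
d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13a
a8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61
"""

PROP_KEY_PROV_INFO, PROP_SHA1_HASH, PROP_FRIENDLY_NAME, PROP_CERT = 0x02, 0x03, 0x0B, 0x20
OID_CN, OID_BASIC_CONSTRAINTS = bytes.fromhex("550403"), bytes.fromhex("551d13")


def parse_blob(blob):
    """Blob = sequence of (prop_id, reserved=1, length) little-endian DWORD headers + data."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, _, length = struct.unpack_from("<III", blob, off)
        props[prop_id] = blob[off + 12:off + 12 + length]
        off += 12 + length
    return props


def der_tlv(buf, off):
    """One DER tag/length/value -> (tag, value, next_offset); handles long-form lengths."""
    tag, first = buf[off], buf[off + 1]
    if first & 0x80:
        n = first & 0x7F
        length, off = int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n
    else:
        length, off = first, off + 2
    return tag, buf[off:off + length], off + length


def der_children(value):
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out


def name_cn(name):
    """X.501 Name = SEQUENCE OF SET OF {OID, value}; return the commonName."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            oid, value = der_children(atv)
            if oid[1] == OID_CN:
                return value[1].decode()
    return ""


def utc_time(value):
    return datetime.strptime(value.decode(), "%y%m%d%H%M%SZ").strftime("%Y-%m-%dT%H:%M:%SZ")


def key_prov_info(data):
    """Serialised CRYPT_KEY_PROV_INFO: the first two DWORDs are offsets of the UTF-16 names."""
    cont_off, prov_off = struct.unpack_from("<II", data, 0)
    wstr = lambda o: data[o:].decode("utf-16-le", "ignore").split("\x00", 1)[0]
    return wstr(cont_off), wstr(prov_off)


def summarize(blob_hex=BLOB_HEX):
    props = parse_blob(bytes.fromhex("".join(blob_hex.split())))
    der = props[PROP_CERT]
    fields = der_children(der_children(der_tlv(der, 0)[1])[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                                       # explicit [0] version (v3)
        fields = fields[1:]
    serial, _alg, issuer, validity, subject, spki, *rest = fields
    not_before, not_after = (utc_time(v) for _, v in der_children(validity[1]))
    bit_string = der_children(spki[1])[1][1]                       # first byte = unused bits
    modulus = der_children(der_children(bit_string[1:])[0][1])[0][1]
    is_ca = False
    for tag, value in rest:
        if tag != 0xA3:
            continue
        for _, ext in der_children(der_children(value)[0][1]):
            parts = der_children(ext)                              # OID, [critical], OCTET STRING
            if parts[0][1] == OID_BASIC_CONSTRAINTS:
                inner = der_children(parts[-1][1])[0][1]
                is_ca = any(t == 0x01 and v == b"\xff" for t, v in der_children(inner))
    container, provider = key_prov_info(props[PROP_KEY_PROV_INFO])
    thumbprint = props[PROP_SHA1_HASH].hex()
    return {
        "friendly_name": props[PROP_FRIENDLY_NAME].decode("utf-16-le").rstrip("\x00"),
        "thumbprint": thumbprint, "thumbprint_matches_der": hashlib.sha1(der).hexdigest() == thumbprint,
        "serial": serial[1].hex(), "subject_cn": name_cn(subject[1]), "issuer_cn": name_cn(issuer[1]),
        "self_signed": issuer[1] == subject[1], "not_before": not_before, "not_after": not_after,
        "is_ca": is_ca, "key_bits": int.from_bytes(modulus, "big").bit_length(), "der_len": len(der),
        "key_container": container, "key_provider": provider,
    }
```

What it reports for this sample: a self-signed CA named "Titanium Root Certificate Authority" (serial 67f7beb96a4c2798, 2048-bit RSA, valid 2023-03-14 to 2026-06-17, basicConstraints CA:TRUE; the only EKU in the hex is id-kp-serverAuth, 1.3.6.1.5.5.7.3.1) written into the machine ROOT store, plus a CERT_KEY_PROV_INFO_PROP_ID record pointing at key container {41744BE4-11C5-494C-A213-BA0CE944938E} in the Microsoft Enhanced Cryptographic Provider, which is what you see when the key pair was generated on the host rather than a bare public certificate imported. A machine-trusted root whose private key the attacker holds makes any TLS certificate the attacker signs acceptable to Windows clients. thumbprint_matches_der recomputes SHA-1 over the extracted DER and compares it with the stored hash property and with the registry key name (F1A578C4...), a quick check that a blob was transcribed intact; to hunt for this on other hosts, query the same registry path or list the LocalMachine\Root store in PowerShell and look for that thumbprint.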
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID / process (repeated entries collapsed, count in parentheses):
- 2076 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe (2)
- 3676 explorgu.exe (2)
- 4256 rundll32.exe (10)
- 5308 powershell.exe (3)
- 560 RegAsm.exe (31)
- 4388 Traffic.exe (16)
-
Suspicious use of AdjustPrivilegeToken (35 IoCs)
PID / process: privileges enabled (repeated entries collapsed, count in parentheses):
- 4388 Traffic.exe: SeDebugPrivilege, SeBackupPrivilege, SeSecurityPrivilege (4)
- 5308 powershell.exe: SeDebugPrivilege
- 560 RegAsm.exe: SeDebugPrivilege
- 388 propro.exe: SeDebugPrivilege
- 1864 RegAsm.exe: SeDebugPrivilege
- 2200 32456.exe: SeDebugPrivilege, SeBackupPrivilege, SeSecurityPrivilege (4)
- 5076 redlinepanel.exe: SeDebugPrivilege
- 5000 powershell.exe: SeDebugPrivilege
- 3272 32456.exe: SeDebugPrivilege, SeBackupPrivilege, SeSecurityPrivilege (4)
- 5264 Traffic.exe: SeDebugPrivilege, SeBackupPrivilege, SeSecurityPrivilege (4)
- 4376 redlinepanel.exe: SeDebugPrivilege
- 4112 powershell.exe: SeDebugPrivilege
- 5884 RegAsm.exe: SeDebugPrivilege
- 1312 propro.exe: SeDebugPrivilege
- 2580 RegAsm.exe: SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow (1 IoCs)
- PID 5508 chckik.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Parent PID process -> child PID process (repeated entries collapsed, count in parentheses):
- 3676 explorgu.exe -> 1304 goldprimeldlldf.exe (3)
- 1304 goldprimeldlldf.exe -> 560 RegAsm.exe (8)
- 3676 explorgu.exe -> 5068 random.exe (3)
- 3676 explorgu.exe -> 3476 Conhost.exe (3; PID 3476 is alex1234.exe in every other signature, the child image name here is stale)
- 3476 alex1234.exe -> 1864 RegAsm.exe (8)
- 3676 explorgu.exe -> 4904 rundll32.exe (3)
- 4904 rundll32.exe -> 4256 rundll32.exe (2)
- 1864 RegAsm.exe -> 4388 Traffic.exe (2)
- 1864 RegAsm.exe -> 388 propro.exe (3)
- 4256 rundll32.exe -> 1672 netsh.exe (2)
- 4256 rundll32.exe -> 5308 powershell.exe (2)
- 3676 explorgu.exe -> 5856 rundll32.exe (3)
- 3676 explorgu.exe -> 5508 chckik.exe (3)
- 3676 explorgu.exe -> 5540 amadka.exe (3)
- 1864 RegAsm.exe -> 5836 cmd.exe (3)
- 5836 cmd.exe -> 4828 choice.exe (3)
- 3676 explorgu.exe -> 4480 NewB.exe (3)
- 4480 NewB.exe -> 2892 schtasks.exe (3)
- 5540 amadka.exe -> 5340 explorha.exe (3)
- 3676 explorgu.exe -> 5076 redlinepanel.exe (1)
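The WriteProcessMemory and SetThreadContext rows above are the raw evidence for how the RedLine payloads end up inside RegAsm.exe. The added example below (not part of the report or of the malware) rebuilds the parent/child graph from rows in that exact format and flags pairs where the same parent both wrote memory into and set the thread context of a signed Microsoft host process, the RunPE/process-hollowing pattern. The SAMPLE rows are copied from the report; the list of host binaries is an assumption of this example.

```python
"""Process graph and hollowing candidates from flattened sandbox rows of the form
"PID <parent> wrote to memory of <child> <parent> <parent.exe> <child.exe>" and
"PID <parent> set thread context of <child> ...".
Added example; not part of the sandbox report or the malware. SAMPLE rows are copied from
the report; HOLLOW_HOSTS is this example's own assumption."""
import re
from collections import defaultdict

SAMPLE = " ".join([
    "PID 3676 wrote to memory of 1304 3676 explorgu.exe goldprimeldlldf.exe",
    "PID 3676 wrote to memory of 1304 3676 explorgu.exe goldprimeldlldf.exe",
    "PID 1304 wrote to memory of 560 1304 goldprimeldlldf.exe RegAsm.exe",
    "PID 1304 wrote to memory of 560 1304 goldprimeldlldf.exe RegAsm.exe",
    "PID 1304 set thread context of 560 1304 goldprimeldlldf.exe RegAsm.exe",
    "PID 3676 wrote to memory of 3476 3676 explorgu.exe Conhost.exe",
    "PID 3476 wrote to memory of 1864 3476 alex1234.exe RegAsm.exe",
    "PID 3476 set thread context of 1864 3476 alex1234.exe RegAsm.exe",
    "PID 1864 wrote to memory of 4388 1864 RegAsm.exe Traffic.exe",
    "PID 1864 wrote to memory of 388 1864 RegAsm.exe propro.exe",
    "PID 3676 wrote to memory of 4904 3676 explorgu.exe rundll32.exe",
    "PID 4904 wrote to memory of 4256 4904 rundll32.exe rundll32.exe",
    "PID 4256 wrote to memory of 1672 4256 rundll32.exe netsh.exe",
    "PID 4256 wrote to memory of 5308 4256 rundll32.exe powershell.exe",
])

# \1 requires the parent PID to be repeated, which is how the report's rows are laid out.
ROW = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) (\S+)")

# Signed Microsoft binaries commonly started suspended and hollowed (assumption of this example).
HOLLOW_HOSTS = {"RegAsm.exe", "RegSvcs.exe", "MSBuild.exe", "InstallUtil.exe", "AppLaunch.exe", "vbc.exe"}


def parse_edges(text: str) -> list:
    """(parent_pid, op, child_pid, parent_name, child_name) per row, duplicates kept."""
    return [(int(p), op, int(c), pn, cn) for p, op, c, pn, cn in ROW.findall(text)]


def build_graph(edges: list):
    names, children, ops = {}, defaultdict(list), defaultdict(set)
    for ppid, op, cpid, pname, cname in edges:
        names.setdefault(cpid, cname)          # child-side image name can be stale (see note)
        ops[(ppid, cpid)].add(op)
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    for ppid, _, _, pname, _ in edges:
        names[ppid] = pname                     # parent-side name is the resolved image; prefer it
    return names, dict(children), dict(ops)


def hollowing_candidates(edges: list) -> list:
    """Pairs where one parent did both WriteProcessMemory and SetThreadContext on a host binary."""
    names, _, ops = build_graph(edges)
    both = {"wrote to memory of", "set thread context of"}
    return sorted((p, names[p], c, names[c]) for (p, c), seen in ops.items()
                  if seen == both and names[c] in HOLLOW_HOSTS)


def render_tree(edges: list) -> list:
    """Indented 'pid name' lines, roots first, hollowed hosts marked."""
    names, children, _ = build_graph(edges)
    hollowed = {c for _, _, c, _ in hollowing_candidates(edges)}
    all_children = {c for kids in children.values() for c in kids}
    lines = []

    def walk(pid, depth):
        mark = "  [hollowed host]" if pid in hollowed else ""
        lines.append(f"{'  ' * depth}{pid} {names[pid]}{mark}")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for root in (p for p in children if p not in all_children):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_edges(SAMPLE)
    print("\n".join(render_tree(edges)))
    print(hollowing_candidates(edges))
```

The family_redline match on behavioral2/memory/560-60-... above confirms what the graph predicts: the RegAsm.exe child of goldprimeldlldf.exe is running RedLine, not RegAsm. Two caveats when running this over real sandbox output: PIDs are reused within a run (5264 is both rundll32.exe and Traffic.exe in this report, 6068 explorha.exe appears twice), so key on (pid, first-seen name) for longer traces; and the child-side image name can lag behind the real one (PID 3476 is recorded as Conhost.exe in one row and alex1234.exe everywhere else), which is why build_graph prefers the name recorded when the process acts as a parent.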
Processes
-
C:\Users\Admin\AppData\Local\Temp\02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe"C:\Users\Admin\AppData\Local\Temp\02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\172592802658_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\system32\netsh.exenetsh wlan show profiles6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\172592802658_Desktop.zip' -CompressionLevel Optimal6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000107001\redlinepanel.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000107001\redlinepanel.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000111001\goldprimeldlldf.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000111001\goldprimeldlldf.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000113001\32456.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000113001\32456.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000118001\alex1234.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000118001\alex1234.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
-
C:\Windows\SysWOW64\choice.exe (depth 5)
Command line: choice /C Y /N /D Y /T 3
-
C:\Windows\SysWOW64\rundll32.exe (depth 2)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe (depth 3)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\system32\netsh.exe (depth 4)
Command line: netsh wlan show profiles
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\172592802658_Desktop.zip' -CompressionLevel Optimal
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe (depth 2)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe
- Executes dropped EXE
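The tree above carries the behaviours a detection engineer would key on: payloads run from ten-digit directories under %TEMP%, RegAsm.exe started by a loader in a user-writable path right after that loader's "Suspicious use of SetThreadContext" (the usual hollowing of a signed .NET utility), rundll32.exe loading cred64.dll and clip64.dll from AppData\Roaming, `netsh wlan show profiles` and a PowerShell Compress-Archive staging step spawned under the credential DLL, and the `choice /T 3 & Del` self-delete. The Python below is an added example, not part of the Triage report and not the malware's code: it encodes those patterns as rules over process-creation events and runs them over a constructed event set modelled on this tree. The PIDs, the two benign control events, and the rule names are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str          # image path as the OS reports it (SysWOW64 for 32-bit binaries)
    cmdline: str
    parent_image: str


# Constructed events modelled on the tree in this report; PIDs are made up.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\Admin\AppData\Local\Temp\1000118001\alex1234.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\1000118001\alex1234.exe"',
              r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"),
    ProcEvent(300, 200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
              r"C:\Users\Admin\AppData\Local\Temp\1000118001\alex1234.exe"),
    ProcEvent(400, 300, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"',
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ProcEvent(500, 100, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main',
              r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"),
    ProcEvent(600, 500, r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles",
              r"C:\Windows\SysWOW64\rundll32.exe"),
    ProcEvent(700, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' "
              r"-DestinationPath 'C:\Users\Admin\AppData\Local\Temp\172592802658_Desktop.zip' -CompressionLevel Optimal",
              r"C:\Windows\SysWOW64\rundll32.exe"),
    # Two benign controls (constructed) that the rules must not flag.
    ProcEvent(800, 1, r"C:\Windows\system32\netsh.exe", "netsh interface show interface",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(900, 1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase lib.dll',
              r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# In this report every dropped payload lives under %TEMP%\<ten decimal digits>\ (e.g. 1000118001).
NUMERIC_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\\d{10}\\[^\\]+\.exe$", re.IGNORECASE)
RUNDLL32_TARGET = re.compile(r"(\S+\.dll)\s*,\s*(\w+)", re.IGNORECASE)
# choice.exe as a sleep, then delete: "choice /C Y /N /D Y /T 3 & Del <file>"
SELF_DELETE = re.compile(r"\bchoice\b.*/t\s+\d+.*&.*\bdel\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(ev: ProcEvent) -> List[str]:
    """Return the names of the rules this event trips (empty list if none)."""
    hits: List[str] = []
    img, cl = basename(ev.image), ev.cmdline.lower()
    if NUMERIC_TEMP_DIR.search(ev.image):
        hits.append("exe_in_numeric_temp_dir")
    # Signed .NET utility whose parent sits in a user-writable directory: the
    # SetThreadContext-then-RegAsm.exe pairing in the tree is process hollowing.
    if img == "regasm.exe" and USER_WRITABLE.search(ev.parent_image):
        hits.append("regasm_spawned_from_user_writable_path")
    if img == "cmd.exe" and SELF_DELETE.search(ev.cmdline):
        hits.append("self_delete_via_choice_timer")
    if img == "rundll32.exe":
        m = RUNDLL32_TARGET.search(ev.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("rundll32_dll_from_appdata")
    if img == "netsh.exe" and re.search(r"\bwlan\b.*\bshow\b.*\bprofiles?\b", cl):
        hits.append("wifi_profile_enumeration")
    if img == "powershell.exe" and "compress-archive" in cl and "\\appdata\\local\\temp\\" in cl:
        hits.append("powershell_archive_staged_in_temp")
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> rule hits for every event that tripped at least one rule."""
    return {ev.pid: h for ev in events if (h := match_rules(ev))}


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from the outermost known ancestor down to `pid`."""
    by_pid = {ev.pid: ev for ev in events}
    chain: List[str] = []
    cur = by_pid.get(pid)
    while cur is not None:
        chain.append(basename(cur.image))
        parent = by_pid.get(cur.ppid)
        if parent is None:                  # fell off the recorded tree: use the logged parent image
            chain.append(basename(cur.parent_image))
        cur = parent
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, " > ".join(ancestry(SAMPLE_EVENTS, pid)), rules)
```

The rules are deliberately narrow: `netsh wlan show profiles` alone is something an administrator might type, so in practice the ancestry (rundll32.exe loading a DLL from AppData\Roaming as its parent) is what turns it into an alert, which is why `scan` and `ancestry` are separate functions that a real pipeline would join.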
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Virtualization/Sandbox Evasion (2)
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Unsecured Credentials (4)
  - Credentials In Files (3)
  - Credentials in Registry (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\32456.exe.log
Filesize: 2KB
MD5: 17b8882e9c305f6a959decfaaee9cde6
SHA1: f599dfee6a1222afadb4719d382731f9085196f0
SHA256: dd0699677a992abfb8040a2fbab8c0f5d612d20c81b769dd913bf6fb3620861d
SHA512: f3ac1932850f59a6fc1f80a88cb61bbb3df4915ec8b270fa1214088a5e61d061df60dcd11858360dd243573107fff2aacb0e175f884f4384f10a5f243066ef5e
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: fe3aab3ae544a134b68e881b82b70169
SHA1: 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256: bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA512: 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\goldprimeldlldf.exe.log
Filesize: 425B
MD5: 4eaca4566b22b01cd3bc115b9b0b2196
SHA1: e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256: 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512: bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\redlinepanel.exe.log
Filesize: 2KB
MD5: f57bf6e78035d7f9150292a466c1a82d
SHA1: 58cce014a5e6a6c6d08f77b1de4ce48e31bc4331
SHA256: 25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415
SHA512: fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\63P52RXT\alex1234[1].exe
Filesize: 1.7MB
MD5: 85a15f080b09acace350ab30460c8996
SHA1: 3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA256: 3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512: ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: b293f105d36500e347b423351d8efcb3
SHA1: b79867b94180b79f579247f03c0ed05f0941bf44
SHA256: c5f9b82ffe4548e7b2172a8253e7c73b6421d3c85c4e2f46347edf9ca39806a9
SHA512: 84c86521498aead654e9adb0ea89d9a9894251850a30c0189baaeca0fbd8bfd9aa24e3baf155ec1975e3a45f8b78d85fa7369215721da2899fab768629a38d0e
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
Filesize: 1.8MB
MD5: 75c5abaeb9f1654c1daf75aab1e032dd
SHA1: 9ccdcdc00e4108b0cf873b8948919b6015e7f118
SHA256: 02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429
SHA512: f8103bea2707cabeb2207128f2782ccce77c99b73a41425760eb03c2c1bfabbee856789ec4f3e0349584b6eb07099da664f2c670814bea18298e6503e4b9bcd6
-
C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe
Filesize: 320KB
MD5: 2d65492ea6b38bd6fc8ee8a64bef1524
SHA1: 47bd0cacd3a668f593b762d92374946e03e7829f
SHA256: 6280b0782a483d381de0bc671f603c9af4975d6e5e7d2793bc5c857c2bdfded5
SHA512: 152686ee7c268e53c371461e68475687c95bd4a0fda9c3e9d54086ab53b8cb3135a0ecbbe1febc94b0da6470fe512dc0f7d425870123df3ef72c3feb22dc66b6
-
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
Filesize: 162B
MD5: 1b7c22a214949975556626d7217e9a39
SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe
Filesize: 464KB
MD5: c084d6f6ba40534fbfc5a64b21ef99ab
SHA1: 0b4a17da83c0a8abbc8fab321931d5447b32b720
SHA256: afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624
SHA512: a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
Filesize: 2.6MB
MD5: 2ac74eb22248743e5e6a3261aebbe7f1
SHA1: 652f1439d47d3dd130b3eadec3fc6d1dd2c885cb
SHA256: 791fb972714570862c511eaa63f7d91d217bc74369bc2e5ee93c1db0a212b722
SHA512: a2cc98f72ac5b165d2370826b2ecc822ba1f47451ea72fd5e7294b5fdcdf07afab025b93faffd900f114b9b98a8ed604d78272e4214b174e8b04e4ae95c2755f
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
Filesize: 1.7MB
MD5: ed6171c14390b8a75cdffad6edd963e1
SHA1: 14adc05da9f402a1f86d32b9b4ed11ecfaed013c
SHA256: 39a7bc7c20c2a3470e2842a291390582a4d605976de90f22e2f7cc1f82a92448
SHA512: 6ad67f45024e4bfcef1744459d2dbdc3b8a9e86fb65b6ba8cb9834e55a0385f48714be1f3c00c19ccab172f228b52e9ae25c50b21336ed012aed58c303a74f94
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
Filesize: 1.6MB
MD5: b54ce85789aaa3824e677bb838ad241a
SHA1: 9e5defe07531a8d46ee5f96014e791b64a135a20
SHA256: d74628856dad03b3d5f639f0f6c9e8ec76d0bb0f7461aa5c70a5b8d29d0de50a
SHA512: 9fff86226f084d9e2eec045689863f1a53bdbd81f8cb4122f2e995ea9ac5302c781a02522cf7588d0a3c5743beac470d1d6f979732bf61ae168f2d62ea75fe0f
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
Filesize: 320KB
MD5: 864c0d13909df7fdd8b10868891f200a
SHA1: d7ed3b93d350a1b22e1c31b73fba5fb7f0a37b53
SHA256: b0f2c35e6628987f2a3c81694dfbc166963abdcd9a1ab0823e3dab10fc6e07a4
SHA512: 3ee78c33aefa0bc8b4f1c3eda56b7bc18d65560eb3116ac64a78e01e917ca8965ed06b9428788595c97806f27528dbec0d53ddd92ec44adda5ca1a43083530d4
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
Filesize: 1.6MB
MD5: a5196c290c1da5f78970ae0f3ccd62c5
SHA1: e12b5a9750a35518bc5eaf89b0f5a8eb585f2ad0
SHA256: 7560c32decb39774c027fda3ec4a97ac5015e6c2f6d262d65f3dc01a2bd4a62a
SHA512: 81cb62f8c77608ced38a6175fff1ff3419dc6895c967824fe883085c1811ed2afbbd40358a5edbc25db82cb90f4e0ef3eced1f03d8419e31db699a329e4f6617
-
C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe
Filesize: 413KB
MD5: d467222c3bd563cb72fa49302f80b079
SHA1: 9335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256: fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512: 484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
Filesize: 1.8MB
MD5: eec22ed5b2a2f269fc2b96585f09e9d3
SHA1: c8f13c0804e9e980622b7657e3cec359e87f7450
SHA256: 376ed655b53b7df00e2a4bd6898943b08c9e27031f2cfde2c028d4f012ef06a4
SHA512: fa442720b19ad3e27f10fdac8deed9bb0a26b1002981d205a50fd68389ce7bdb3504633c03517ea7cd305b062e7908a2bd8c1535d1b7b042f5705701f1303075
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
Filesize: 1.4MB
MD5: 541a8420b7ff97424be0a89b2d215e4d
SHA1: 35957319ec9311c8bbfd7a00147495abbff6a0fe
SHA256: d47ea3297294dbaff455c9d6f4af6f7eafc089b5753231ff157c7a7a9424ce98
SHA512: cce41b117acb058c81efc9761e6caa18c0a8234736c5b6678d598c9ea8a9a39a283f24dc8b0b5106c9025e3a40d19f6a98a9fbed26e313dc32d5490fbd42437a
-
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe
Filesize: 418KB
MD5: 0099a99f5ffb3c3ae78af0084136fab3
SHA1: 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256: 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512: 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
Filesize: 301KB
MD5: 832eb4dc3ed8ceb9a1735bd0c7acaf1b
SHA1: b622a406927fbb8f6cd5081bd4455fb831948fca
SHA256: 2a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7
SHA512: 3ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
Filesize: 499KB
MD5: 83d0b41c7a3a0d29a268b49a313c5de5
SHA1: 46f3251c771b67b40b1f3268caef8046174909a5
SHA256: 09cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9
SHA512: 705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5
-
C:\Users\Admin\AppData\Local\Temp\172592802658_Desktop.zip
Filesize: 22B
MD5: 76cdb2bad9582d23c1f6f4d868218d6c
SHA1: b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256: 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512: 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f
-
C:\Users\Admin\AppData\Local\Temp\TmpDD6.tmp
Filesize: 2KB
MD5: 1420d30f964eac2c85b2ccfe968eebce
SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sj1atrad.fyl.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp3FA9.tmp
Filesize: 56KB
MD5: d444c807029c83b8a892ac0c4971f955
SHA1: fa58ce7588513519dc8fed939b26b05dc25e53b5
SHA256: 8297a7698f19bb81539a18363db100c55e357fa73f773c2b883d2c4161f6a259
SHA512: b7958b843639d4223bef65cdc6c664d7d15b76ac4e0a8b1575201dd47a32899feff32389dcc047314f47944ebe7b774cd59e51d49202f49541bbd70ecbb31a2e
-
C:\Users\Admin\AppData\Local\Temp\tmp3FDB.tmp
Filesize: 220KB
MD5: e7ae222c9b212ec7392f2134571f81db
SHA1: e8873f05bf5a261832366b035b756239b81d7c03
SHA256: 87b6d0a47c6c24197e5e26883d24166383cbaf1ee0cede60911772c1608d53f6
SHA512: 5c69a9b050166f9e59c3b984c4d69dd9b1ad610eca27b38180548f81c9aec0042e135eded089e5ef7a0eb9c060744573234cb509bacb7098de3b47d46ec2dd1f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize: 109KB
MD5: 2afdbe3b99a4736083066a13e4b5d11a
SHA1: 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256: 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512: d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize: 1.2MB
MD5: 92fbdfccf6a63acef2743631d16652a7
SHA1: 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256: b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512: b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize: 109KB
MD5: 726cd06231883a159ec1ce28dd538699
SHA1: 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256: 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512: 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize: 896KB
MD5: 3ad7e3844719303906bff7ab6f20499f
SHA1: 0caea32b44e4bd6d1ed1515fcdaf6d1788707f93
SHA256: af2acad7f2c43ab7ab6dcc88975a89cee75bb96418f6d78660c5cdd976d21885
SHA512: 1063c5816da32ae5bd27b66a91b7d022a199bda75a618dd7de4e47f31d8c212c511794d231030aa78d50cedcffe6fcf6bdc0a88090307c7daef08dfca5ed622f
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize: 1.2MB
MD5: 15a42d3e4579da615a384c717ab2109b
SHA1: 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256: 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512: 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize: 109KB
MD5: 154c3f1334dd435f562672f2664fea6b
SHA1: 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256: 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512: 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize: 1.2MB
MD5: f35b671fda2603ec30ace10946f11a90
SHA1: 059ad6b06559d4db581b1879e709f32f80850872
SHA256: 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512: b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
Filesize: 541KB
MD5: 1fc4b9014855e9238a361046cfbf6d66
SHA1: c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256: f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA512: 2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
Filesize: 304KB
MD5: cc90e3326d7b20a33f8037b9aab238e4
SHA1: 236d173a6ac462d85de4e866439634db3b9eeba3
SHA256: bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512: b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize: 2KB
MD5: 892e94f45dafcb982ae378027fb937ae
SHA1: 995c66e510eeec779ff286fd570f20887cee840a
SHA256: 9e0bd75918f280a91089209ddbd4adcdab129fa7f2f6f9c62ee8b7803f751dab
SHA512: 3f78f13f6a89977599612aefb3e3ab4b65c1de21314f432dd7c542de51fd2b525972c8e43ed854e3b4cd0098e3269637168e5d212d4715f8ada00b6ffeac3319
-
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize: 2KB
MD5: e94400c90c32966765f186c5f924669f
SHA1: 899e75629f6809d1608225a4e6b1463779df30d2
SHA256: e6e2d29771f1424e6a89fe072807867fb88e5f41a85d1fb032d2ac5a0cb29d89
SHA512: ffbc04333564a2f00dd562fec2ece2173496e358da4882f3e9ca2bc51bdd820c8e3ea3b6e49f81e87f42f6ef0a45c08a8a78591d28405a2b7cea86abab15df17
-
memory/388-183-0x0000000005540000-0x0000000005550000-memory.dmp
Filesize: 64KB
-
memory/388-182-0x0000000005FF0000-0x0000000006066000-memory.dmp
Filesize: 472KB
-
memory/388-186-0x00000000067B0000-0x00000000067CE000-memory.dmp
Filesize: 120KB
-
memory/388-163-0x00000000730C0000-0x0000000073870000-memory.dmp
Filesize: 7.7MB
-
memory/388-162-0x0000000000A50000-0x0000000000AA2000-memory.dmp
Filesize: 328KB
-
memory/560-191-0x0000000005360000-0x0000000005370000-memory.dmp
Filesize: 64KB
-
memory/560-187-0x00000000730C0000-0x0000000073870000-memory.dmp
Filesize: 7.7MB
-
memory/560-109-0x00000000067F0000-0x0000000006802000-memory.dmp
Filesize: 72KB
-
memory/560-100-0x0000000006880000-0x0000000006E98000-memory.dmp
Filesize: 6.1MB
-
memory/560-112-0x0000000008100000-0x000000000813C000-memory.dmp
Filesize: 240KB
-
memory/560-103-0x0000000008210000-0x000000000831A000-memory.dmp
Filesize: 1.0MB
-
memory/560-114-0x0000000008140000-0x000000000818C000-memory.dmp
Filesize: 304KB
-
memory/560-66-0x00000000730C0000-0x0000000073870000-memory.dmp
Filesize: 7.7MB
-
memory/560-76-0x00000000053A0000-0x0000000005432000-memory.dmp
Filesize: 584KB
-
memory/560-77-0x0000000005340000-0x000000000534A000-memory.dmp
Filesize: 40KB
-
memory/560-60-0x0000000000400000-0x0000000000450000-memory.dmp
Filesize: 320KB
-
memory/560-78-0x0000000005360000-0x0000000005370000-memory.dmp
Filesize: 64KB
-
memory/560-192-0x0000000006380000-0x00000000063E6000-memory.dmp
Filesize: 408KB
-
memory/560-65-0x00000000058B0000-0x0000000005E54000-memory.dmp
Filesize: 5.6MB
-
memory/1304-63-0x00000000730C0000-0x0000000073870000-memory.dmp
Filesize: 7.7MB
-
memory/1304-64-0x0000000002AC0000-0x0000000004AC0000-memory.dmp
Filesize: 32.0MB
-
memory/1304-57-0x0000000005020000-0x0000000005030000-memory.dmp
Filesize: 64KB
-
memory/1304-55-0x00000000005E0000-0x000000000065A000-memory.dmp
Filesize: 488KB
-
memory/1304-56-0x00000000730C0000-0x0000000073870000-memory.dmp
Filesize: 7.7MB
-
memory/1304-181-0x0000000002AC0000-0x0000000004AC0000-memory.dmp
Filesize: 32.0MB
-
memory/1864-129-0x0000000005490000-0x00000000054A0000-memory.dmp
Filesize: 64KB
-
memory/1864-130-0x00000000730C0000-0x0000000073870000-memory.dmp
Filesize: 7.7MB
-
memory/1864-122-0x0000000000400000-0x0000000000592000-memory.dmp
Filesize: 1.6MB
-
memory/2076-6-0x0000000004B50000-0x0000000004B51000-memory.dmp
Filesize: 4KB
-
memory/2076-7-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
Filesize: 4KB
-
memory/2076-1-0x00000000774B4000-0x00000000774B6000-memory.dmp
Filesize: 8KB
-
memory/2076-2-0x0000000000130000-0x00000000005EA000-memory.dmp
Filesize: 4.7MB
-
memory/2076-3-0x0000000004B20000-0x0000000004B21000-memory.dmp
Filesize: 4KB
-
memory/2076-4-0x0000000004B30000-0x0000000004B31000-memory.dmp
Filesize: 4KB
-
memory/2076-0-0x0000000000130000-0x00000000005EA000-memory.dmp
Filesize: 4.7MB
-
memory/2076-14-0x0000000000130000-0x00000000005EA000-memory.dmp
Filesize: 4.7MB
-
memory/2076-9-0x0000000004B70000-0x0000000004B71000-memory.dmp
Filesize: 4KB
-
memory/2076-5-0x0000000004B10000-0x0000000004B11000-memory.dmp
Filesize: 4KB
-
memory/2076-8-0x0000000004B00000-0x0000000004B01000-memory.dmp
Filesize: 4KB
-
memory/3476-118-0x00000000730C0000-0x0000000073870000-memory.dmp
Filesize: 7.7MB
-
memory/3476-127-0x00000000730C0000-0x0000000073870000-memory.dmp
Filesize: 7.7MB
-
memory/3476-128-0x00000000026A0000-0x00000000046A0000-memory.dmp
Filesize: 32.0MB
-
memory/3476-119-0x0000000004D50000-0x0000000004D60000-memory.dmp
Filesize: 64KB
-
memory/3476-117-0x00000000002A0000-0x000000000045C000-memory.dmp
Filesize: 1.7MB
-
memory/3676-18-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/3676-23-0x0000000004E70000-0x0000000004E71000-memory.dmp
Filesize: 4KB
-
memory/3676-231-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/3676-793-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/3676-790-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/3676-27-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
Filesize: 4KB
-
memory/3676-787-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/3676-26-0x0000000004F00000-0x0000000004F01000-memory.dmp
Filesize: 4KB
-
memory/3676-25-0x0000000004ED0000-0x0000000004ED1000-memory.dmp
Filesize: 4KB
-
memory/3676-319-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/3676-24-0x0000000004E80000-0x0000000004E81000-memory.dmp
Filesize: 4KB
-
memory/3676-781-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/3676-22-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
Filesize: 4KB
-
memory/3676-501-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/3676-19-0x0000000004EA0000-0x0000000004EA1000-memory.dmp
Filesize: 4KB
-
memory/3676-89-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/3676-21-0x0000000004E90000-0x0000000004E91000-memory.dmp
Filesize: 4KB
-
memory/3676-440-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/3676-760-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/3676-20-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
Filesize: 4KB
-
memory/3676-113-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/3676-17-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/3676-485-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/3676-706-0x0000000000420000-0x00000000008DA000-memory.dmp
Filesize: 4.7MB
-
memory/4388-185-0x00007FFC430C0000-0x00007FFC43B81000-memory.dmp
Filesize: 10.8MB
-
memory/4388-190-0x0000000002C20000-0x0000000002C30000-memory.dmp
Filesize: 64KB
-
memory/4388-184-0x0000000000C20000-0x0000000000CAC000-memory.dmp
Filesize: 560KB
-
memory/4652-574-0x00000000007C0000-0x0000000000C75000-memory.dmp
Filesize: 4.7MB
-
memory/5068-761-0x0000000000410000-0x00000000007B3000-memory.dmp
Filesize: 3.6MB
-
memory/5068-436-0x0000000000410000-0x00000000007B3000-memory.dmp
Filesize: 3.6MB
-
memory/5068-792-0x0000000000410000-0x00000000007B3000-memory.dmp
Filesize: 3.6MB
-
memory/5068-115-0x0000000000410000-0x00000000007B3000-memory.dmp
Filesize: 3.6MB
-
memory/5068-194-0x0000000000410000-0x00000000007B3000-memory.dmp
Filesize: 3.6MB
-
memory/5068-497-0x0000000000410000-0x00000000007B3000-memory.dmp
Filesize: 3.6MB
-
memory/5068-193-0x0000000000410000-0x00000000007B3000-memory.dmp
Filesize: 3.6MB
-
memory/5068-789-0x0000000000410000-0x00000000007B3000-memory.dmp
Filesize: 3.6MB
-
memory/5068-294-0x0000000000410000-0x00000000007B3000-memory.dmp
Filesize: 3.6MB
-
memory/5068-700-0x0000000000410000-0x00000000007B3000-memory.dmp
Filesize: 3.6MB
-
memory/5068-484-0x0000000000410000-0x00000000007B3000-memory.dmp
Filesize: 3.6MB
-
memory/5068-786-0x0000000000410000-0x00000000007B3000-memory.dmp
Filesize: 3.6MB
-
memory/5068-90-0x0000000000410000-0x00000000007B3000-memory.dmp
Filesize: 3.6MB
-
memory/5068-782-0x0000000000410000-0x00000000007B3000-memory.dmp
Filesize: 3.6MB
-
memory/5308-208-0x00000275F11D0000-0x00000275F11E2000-memory.dmp
Filesize: 72KB
-
memory/5308-197-0x00000275F0D80000-0x00000275F0D90000-memory.dmp
Filesize: 64KB
-
memory/5308-207-0x00000275F0D00000-0x00000275F0D22000-memory.dmp
Filesize: 136KB
-
memory/5308-195-0x00007FFC430C0000-0x00007FFC43B81000-memory.dmp
Filesize: 10.8MB
-
memory/5308-196-0x00000275F0D80000-0x00000275F0D90000-memory.dmp
Filesize: 64KB
-
memory/5340-788-0x00000000003A0000-0x0000000000855000-memory.dmp
Filesize: 4.7MB
-
memory/5340-785-0x00000000003A0000-0x0000000000855000-memory.dmp
Filesize: 4.7MB
-
memory/5340-707-0x00000000003A0000-0x0000000000855000-memory.dmp
Filesize: 4.7MB
-
memory/5340-486-0x00000000003A0000-0x0000000000855000-memory.dmp
Filesize: 4.7MB
-
memory/5340-528-0x00000000003A0000-0x0000000000855000-memory.dmp
Filesize: 4.7MB
-
memory/5340-447-0x00000000003A0000-0x0000000000855000-memory.dmp
Filesize: 4.7MB
-
memory/5340-791-0x00000000003A0000-0x0000000000855000-memory.dmp
Filesize: 4.7MB
-
memory/5340-767-0x00000000003A0000-0x0000000000855000-memory.dmp
Filesize: 4.7MB
-
memory/5340-804-0x00000000003A0000-0x0000000000855000-memory.dmp
Filesize: 4.7MB
-
memory/5540-362-0x0000000000ED0000-0x0000000001385000-memory.dmp
Filesize: 4.7MB
-
memory/6068-530-0x00000000003A0000-0x0000000000855000-memory.dmp
Filesize: 4.7MB
-
memory/6068-803-0x00000000003A0000-0x0000000000855000-memory.dmp
Filesize: 4.7MB
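The Downloads list above is the report's hash and path inventory, and the paths repeat three shapes: payloads under %TEMP%\<ten decimal digits>\, the loader's own copy (explorgu.exe, explorha.exe) under %TEMP%\<ten hex characters>\, and cred64.dll/clip64.dll under AppData\Roaming\<fourteen hex characters>\. As an added example that is not part of the Triage report, the Python below turns a few of the listed SHA-256 values plus those directory shapes into a host sweep that hashes files with a streamed SHA-256 and reports exact-hash and path-shape hits. The rule names are the example's own, the path patterns are taken from this one report rather than being a general signature, and the inventory in CONSTRUCTED_HOST is made up (only the explorgu.exe digest is copied from the list; the alex1234.exe entry is hashed from dummy bytes and added to the IOC set as a test entry).

```python
import hashlib
import os
import re
from typing import Dict, List, Tuple

# SHA-256 values copied from the Downloads list above (lowercase hex).
REPORT_SHA256: Dict[str, str] = {
    "02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429": "explorgu.exe (Amadey install copy)",
    "83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7": "c1ec479e5342a2\\cred64.dll",
    "5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f": "c1ec479e5342a2\\clip64.dll",
    "b0f2c35e6628987f2a3c81694dfbc166963abdcd9a1ab0823e3dab10fc6e07a4": "1000985001\\alex1234.exe",
}

# Directory shapes seen in this report (rule names are the example's own):
#   AppData\Local\Temp\<10 decimal digits>\<payload>.exe           e.g. 1000118001\alex1234.exe
#   AppData\Local\Temp\<10 hex chars, at least one letter>\*.exe   e.g. 00c07260dc\explorgu.exe
#   AppData\Roaming\<14 hex chars>\cred64.dll or clip64.dll
PATH_RULES: List[Tuple[str, re.Pattern]] = [
    ("amadey_payload_dir", re.compile(r"\\AppData\\Local\\Temp\\\d{10}\\[^\\]+\.exe$", re.I)),
    ("amadey_install_dir", re.compile(r"\\AppData\\Local\\Temp\\(?=\d*[a-f])[0-9a-f]{10}\\[^\\]+\.exe$", re.I)),
    ("amadey_plugin_dll", re.compile(r"\\AppData\\Roaming\\[0-9a-f]{14}\\(cred64|clip64)\.dll$", re.I)),
]


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk: int = 1 << 20) -> str:
    """Streamed SHA-256 so multi-megabyte droppers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify_path(path: str) -> List[str]:
    return [name for name, rx in PATH_RULES if rx.search(path)]


def sweep(hashes: Dict[str, str], iocs: Dict[str, str] = REPORT_SHA256) -> List[Tuple[str, str]]:
    """Given path -> sha256, return (path, reason) for hash matches and path-shape hits."""
    findings: List[Tuple[str, str]] = []
    for path, digest in hashes.items():
        if digest.lower() in iocs:
            findings.append((path, "sha256 match: " + iocs[digest.lower()]))
        for rule in classify_path(path):
            findings.append((path, "path shape: " + rule))
    return findings


def sweep_directory(root: str, iocs: Dict[str, str] = REPORT_SHA256) -> List[Tuple[str, str]]:
    """Hash every readable file under `root` (a Windows user profile, typically) and sweep it."""
    hashes: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                hashes[full] = hash_file(full)
            except OSError:
                continue  # locked or vanished file; a real sweep would log this
    return sweep(hashes, iocs)


# Constructed inventory standing in for a sweep_directory() run. None of these
# digests come from real files except explorgu.exe's, which is copied from the
# report; the alex1234.exe digest is hashed from dummy bytes.
CONSTRUCTED_HOST: Dict[str, str] = {
    r"C:\Users\Admin\AppData\Local\Temp\1000118001\alex1234.exe": sha256_of(b"constructed payload bytes"),
    r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe": "02bec171956fcf41f4314275a9209d49c29f91ffe9993718665bdd93f6be6429",
    r"C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll": sha256_of(b"not the real dll"),
    r"C:\Users\Admin\Documents\notes.txt": sha256_of(b"benign"),
}
# Report IOCs plus one test entry so the constructed alex1234.exe also hash-matches.
TEST_IOCS: Dict[str, str] = {**REPORT_SHA256, sha256_of(b"constructed payload bytes"): "constructed test entry"}

if __name__ == "__main__":
    for path, reason in sweep(CONSTRUCTED_HOST, TEST_IOCS):
        print(f"{reason:50} {path}")
```

The path rules exist because the hash list is only good for these exact builds: the three cred64.dll copies in the list already carry three different hashes, so a host with a fresh build will miss on hash and only the directory shape will fire. Run `sweep_directory(r"C:\Users")` on a Windows host to use the real file walk; the backslash patterns assume Windows paths.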