amadey | e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5

Analysis

max time kernel
140s
max time network
174s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-03-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
Size

1.8MB
MD5

c67f86a4d71035df46b89d1b630c3cbb
SHA1

1c1911efdd9ed8e7289b3a6a444b1c5afd7ab9a6
SHA256

e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5
SHA512

e329c0433eb91d7026cdc7aaf2c2d0d25a997533d6d870c26c298632f8bbf6a3e8ddb9c78282979c9455bb22d816178e93b954c71b826433896fdd68a30fe784
SSDEEP

49152:bwFA3XkkrXUwmkHadZQVjkRK3VaLHkhG0RWN1MIrO2bJP:USX7DUwHwUjkRKFThG0A15rdbN

Score

10^/10

amadey redline risepro sectoprat zgrat livetraffic evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

4.185.137.132:1632

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 18 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe	family_zgrat_v1
behavioral2/memory/200-824-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1
behavioral2/memory/200-822-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1
behavioral2/memory/200-828-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1
behavioral2/memory/200-834-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1
behavioral2/memory/200-848-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1
behavioral2/memory/200-851-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1
behavioral2/memory/200-858-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1
behavioral2/memory/200-866-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1
behavioral2/memory/200-862-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1
behavioral2/memory/200-883-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1
behavioral2/memory/200-870-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1
behavioral2/memory/200-887-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1
behavioral2/memory/200-895-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1
behavioral2/memory/200-899-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1
behavioral2/memory/200-901-0x0000000005D40000-0x0000000005F56000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe	family_redline
behavioral2/memory/4196-752-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\b.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\b.exe	family_sectoprat

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

028feab495.exeexplorha.exeexplorgu.exee9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exeexplorha.exeamert.exeexplorha.exerandom.exeamadka.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	028feab495.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amadka.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

36 4832 rundll32.exe
40 3240 rundll32.exe
59 3272 rundll32.exe
63 3800 rundll32.exe
Downloads MZ/PE file

flow	pid	process
36	4832	rundll32.exe
40	3240	rundll32.exe
59	3272	rundll32.exe
63	3800	rundll32.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorgu.exeamert.exeexplorha.exeexplorha.exerandom.exeamadka.exee9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exeexplorha.exe028feab495.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	028feab495.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	028feab495.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Executes dropped EXE 17 IoCs

Processes:

explorha.exe028feab495.exego.exeamert.exeexplorha.exeexplorgu.exeexplorha.exerandom.exealex1234.exeredlinepanel.exeamadka.exe32456.exeNewB.exeEljlre.exegoldprimeldlldf.exePayload.exefile300un.exe

pid	process
2868	explorha.exe
3672	028feab495.exe
1756	go.exe
768	amert.exe
5244	explorha.exe
3680	explorgu.exe
3232	explorha.exe
3248	random.exe
4888	alex1234.exe
5864	redlinepanel.exe
4424	amadka.exe
1116	32456.exe
2016	NewB.exe
200	Eljlre.exe
4320	goldprimeldlldf.exe
3908	Payload.exe
4980	file300un.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

amert.exeexplorha.exeexplorgu.exeamadka.exeexplorha.exe028feab495.exerandom.exee9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine	amadka.exe
Key opened	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine	028feab495.exe
Key opened	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine	e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
Key opened	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine	explorha.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

4888 rundll32.exe
3240 rundll32.exe
4832 rundll32.exe
5284 rundll32.exe
3272 rundll32.exe
3800 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4888	rundll32.exe
3240	rundll32.exe
4832	rundll32.exe
5284	rundll32.exe
3272	rundll32.exe
3800	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exeexplorgu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\028feab495.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\028feab495.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe"	explorgu.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 pastebin.com
70 pastebin.com

flow	ioc
3	pastebin.com
70	pastebin.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exeexplorha.exeamert.exeexplorha.exeexplorgu.exeexplorha.exeamadka.exe

pid	process
3356	e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
2868	explorha.exe
768	amert.exe
5244	explorha.exe
3680	explorgu.exe
3232	explorha.exe
4424	amadka.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

goldprimeldlldf.exealex1234.exe

description	pid	process	target process
PID 4320 set thread context of 4196	4320	goldprimeldlldf.exe	RegAsm.exe
PID 4888 set thread context of 2820	4888	alex1234.exe	RegAsm.exe

Drops file in Windows directory 2 IoCs

Processes:

e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
File created	C:\Windows\Tasks\explorgu.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

6004 schtasks.exe

pid	process
6004	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exeexplorha.exerundll32.exemsedge.exemsedge.exeamert.exemsedge.exemsedge.exeexplorha.exepowershell.exemsedge.exeidentity_helper.exeexplorgu.exeexplorha.exeamadka.exerundll32.exepowershell.exe

pid	process
3356	e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
3356	e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
2868	explorha.exe
2868	explorha.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
3040	msedge.exe
3040	msedge.exe
2324	msedge.exe
2324	msedge.exe
768	amert.exe
768	amert.exe
2172	msedge.exe
2172	msedge.exe
5388	msedge.exe
5388	msedge.exe
5244	explorha.exe
5244	explorha.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
5436	powershell.exe
5436	powershell.exe
5436	powershell.exe
2800	msedge.exe
2800	msedge.exe
4372	identity_helper.exe
4372	identity_helper.exe
3680	explorgu.exe
3680	explorgu.exe
3232	explorha.exe
3232	explorha.exe
4424	amadka.exe
4424	amadka.exe
3272	rundll32.exe
3272	rundll32.exe
3272	rundll32.exe
3272	rundll32.exe
3272	rundll32.exe
3272	rundll32.exe
3272	rundll32.exe
3272	rundll32.exe
3272	rundll32.exe
3272	rundll32.exe
5492	powershell.exe
5492	powershell.exe
5492	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exe32456.exepowershell.exeEljlre.exe

description	pid	process
Token: SeDebugPrivilege	5436	powershell.exe
Token: SeDebugPrivilege	1116	32456.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeDebugPrivilege	200	Eljlre.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exego.exemsedge.exe

pid	process
3356	e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
1756	go.exe
1756	go.exe
1756	go.exe
1756	go.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

go.exemsedge.exe

pid	process
1756	go.exe
1756	go.exe
1756	go.exe
1756	go.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exeexplorha.exego.exemsedge.exemsedge.exemsedge.exerundll32.exe

description	pid	process	target process
PID 3356 wrote to memory of 2868	3356	e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe	explorha.exe
PID 3356 wrote to memory of 2868	3356	e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe	explorha.exe
PID 3356 wrote to memory of 2868	3356	e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe	explorha.exe
PID 2868 wrote to memory of 3672	2868	explorha.exe	028feab495.exe
PID 2868 wrote to memory of 3672	2868	explorha.exe	028feab495.exe
PID 2868 wrote to memory of 3672	2868	explorha.exe	028feab495.exe
PID 2868 wrote to memory of 2740	2868	explorha.exe	explorha.exe
PID 2868 wrote to memory of 2740	2868	explorha.exe	explorha.exe
PID 2868 wrote to memory of 2740	2868	explorha.exe	explorha.exe
PID 2868 wrote to memory of 1756	2868	explorha.exe	go.exe
PID 2868 wrote to memory of 1756	2868	explorha.exe	go.exe
PID 2868 wrote to memory of 1756	2868	explorha.exe	go.exe
PID 1756 wrote to memory of 3184	1756	go.exe	msedge.exe
PID 1756 wrote to memory of 3184	1756	go.exe	msedge.exe
PID 3184 wrote to memory of 408	3184	msedge.exe	msedge.exe
PID 3184 wrote to memory of 408	3184	msedge.exe	msedge.exe
PID 1756 wrote to memory of 2172	1756	go.exe	msedge.exe
PID 1756 wrote to memory of 2172	1756	go.exe	msedge.exe
PID 2172 wrote to memory of 1152	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 1152	2172	msedge.exe	msedge.exe
PID 1756 wrote to memory of 4652	1756	go.exe	msedge.exe
PID 1756 wrote to memory of 4652	1756	go.exe	msedge.exe
PID 2868 wrote to memory of 4888	2868	explorha.exe	rundll32.exe
PID 2868 wrote to memory of 4888	2868	explorha.exe	rundll32.exe
PID 2868 wrote to memory of 4888	2868	explorha.exe	rundll32.exe
PID 4652 wrote to memory of 1056	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 1056	4652	msedge.exe	msedge.exe
PID 4888 wrote to memory of 3240	4888	rundll32.exe	rundll32.exe
PID 4888 wrote to memory of 3240	4888	rundll32.exe	rundll32.exe
PID 2868 wrote to memory of 768	2868	explorha.exe	amert.exe
PID 2868 wrote to memory of 768	2868	explorha.exe	amert.exe
PID 2868 wrote to memory of 768	2868	explorha.exe	amert.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe
PID 2172 wrote to memory of 864	2172	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
"C:\Users\Admin\AppData\Local\Temp\e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3356

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\1000042001\028feab495.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\028feab495.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:3672

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
3⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
4⤵
- Suspicious use of WriteProcessMemory
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff84ba13cb8,0x7ff84ba13cc8,0x7ff84ba13cd8
5⤵
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1748,8842255078333989568,4742450409896715244,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
5⤵
PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1748,8842255078333989568,4742450409896715244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84ba13cb8,0x7ff84ba13cc8,0x7ff84ba13cd8
5⤵
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
5⤵
PID:864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
5⤵
PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
5⤵
PID:2004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
5⤵
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
5⤵
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
5⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
5⤵
PID:5976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
5⤵
PID:6020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7148 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
5⤵
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
5⤵
PID:5272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
5⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
5⤵
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6460 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Suspicious use of WriteProcessMemory
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff84ba13cb8,0x7ff84ba13cc8,0x7ff84ba13cd8
5⤵
PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,13234737412589391013,11876684398434716876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5388

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3240

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:5084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\852399462405_Desktop.zip' -CompressionLevel Optimal
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5436

C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:768

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5244

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3680

C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:3248

C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2820

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
PID:1452

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4424

C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"
2⤵
- Executes dropped EXE
PID:5864

C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"
2⤵
- Executes dropped EXE
PID:2016

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F
3⤵
- Creates scheduled task(s)
PID:6004

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
- Loads dropped DLL
PID:5284

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3272

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:5900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\852399462405_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5492

C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe
"C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4196

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3800

C:\Users\Admin\AppData\Local\Temp\1001054001\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\1001054001\Payload.exe"
2⤵
- Executes dropped EXE
PID:3908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdABpACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAcABhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGkAcwAgAGMAbwBtAHAAdQB0AGUAcgAgAGkAcwAgAG4AbwB0ACAAcwB1AHAAcABvAHIAdABlAGQALAAgAHAAbABlAGEAcwBlACAAdAByAHkAIABhAGcAYQBpAG4AIABvAG4AIABhAG4AbwB0AGgAZQByACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB5AGMAYQAjAD4A"
3⤵
PID:5216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbABmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAagBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAcAB5ACMAPgA="
3⤵
PID:1676

C:\Users\Admin\AppData\Roaming\a.exe
"C:\Users\Admin\AppData\Roaming\a.exe"
3⤵
PID:4072

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
PID:2448

C:\Users\Admin\AppData\Roaming\b.exe
"C:\Users\Admin\AppData\Roaming\b.exe"
3⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"
2⤵
- Executes dropped EXE
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
3⤵
PID:6020

C:\Users\Admin\Pictures\8rel7TXKDfMAjwbwzpl8EmnW.exe
"C:\Users\Admin\Pictures\8rel7TXKDfMAjwbwzpl8EmnW.exe"
4⤵
PID:5196

C:\Users\Admin\Pictures\qqdIgrWv9y0DHnRiYidIgdUw.exe
"C:\Users\Admin\Pictures\qqdIgrWv9y0DHnRiYidIgdUw.exe"
4⤵
PID:5852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:6596

C:\Users\Admin\Pictures\Uw0X3o1l8jUbAsPrDULPLjxC.exe
"C:\Users\Admin\Pictures\Uw0X3o1l8jUbAsPrDULPLjxC.exe"
4⤵
PID:748

C:\Users\Admin\Pictures\vr6dxF57XXSr9QZgUQetXLBq.exe
"C:\Users\Admin\Pictures\vr6dxF57XXSr9QZgUQetXLBq.exe"
4⤵
PID:6488

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
341f6b71eb8fcb1e52a749a673b2819c

SHA1
6c81b6acb3ce5f64180cb58a6aae927b882f4109

SHA256
57934852f04cef38bb4acbe4407f707f137fada0c36bab71b2cdfd58cc030a29

SHA512
57ecaa087bc5626752f89501c635a2da8404dbda89260895910a9cc31203e15095eba2e1ce9eee1481f02a43d0df77b75cb9b0d77a3bc3b894fdd1cf0f6ce6f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
88e9aaca62aa2aed293699f139d7e7e1

SHA1
09d9ccfbdff9680366291d5d1bc311b0b56a05e9

SHA256
27dcdb1cddab5d56ac53cff93489038de93f61b5504f8595b1eb2d3124bbc12c

SHA512
d90dabe34504dde422f5f6dec87851af8f4849f521759a768dfa0a38f50827b099dfde256d8f8467460c289bdb168358b2678772b8b49418c23b882ba21d4793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
960B

MD5
992ae8de6277ed25e534b7ee597e32ed

SHA1
f5a8c0ae73d9b5dea7491f004656b1bb8d56d949

SHA256
67fe6a36b3294e6d503dac10518a3ad09b60989c7646a56ac1eb1389fe37fc6f

SHA512
4e6de51910eb812ad9ed7fea098c35e300552a0369ff3c46322b2d3fc158a480c37898015f4c0896c58d9cc4f5ebd2b5b4e1895642e1b19f3ef0af66b4e745bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
c14581fc8232cbc2953fa335c91d39bb

SHA1
0c73ea077256835d7300cc873cbc26fb8561410b

SHA256
1017ac1d2ae4cb2d8ee8fa2f96b0c58dd0b05a77aa130850004a6ec1b6cbe3a1

SHA512
edcd9b9363bb9fa2a83c1629d05fdbc416809fb8ea502f65a60cc1ce48a6b89460bb769d524bbab632a79d12e7c68b25592f185d62e3e5806f92e87e43de2a79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
8fde125224961115d5e689361146733a

SHA1
2ffcc7b5e3357386b7e6647edc3d33feb0d6f689

SHA256
0b8b616ab100fe4d75ede128d499a44007f0a856dd50f78cafc95f5a12bfa2b5

SHA512
b29819ea6956a9ae9d7b76c87b65b048e58ae7fe99d9268ae93e8aa74d4ba8e50e2380d1ce51d29c82be4d7853275722b695bf6fc8303eb4934f84dceeb0f24c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
80e4884f7dc89ab13613e95e4713e6e7

SHA1
b4348df1454315545d0fa0ba6e0f031d54a1e9b5

SHA256
96dd03bd501a28f564d6a92facf5e3c5c5768502c5d40c1e9dcd2677c49ac355

SHA512
a3850b3182afd0bf2504ad59214c33a5877d949e0d0111d070f1d72d327dbdbf73746b42822c13e5318a5f826c328830c7b47ff116e6e00e51ab98bd2b15924f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
22998a62bbad141c0a44f2e137275f6d

SHA1
ba3bbd24cd15c8023480b3d03ffd3c7c99e05036

SHA256
c2dd4b17335281cef3efd0dd69e93e2a1ef2bca8e3235d5c0b64aa09c81f371b

SHA512
b72681f3f503432dfab52207ae7d883bf235aeafe63564345ed632a9fc1b720aa7acf101397dcbf6535a67e6bb78d8979b63b1053ce62d789db422f49456d633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
e8f99c2a6edafd3a44c0b301d7f09cd5

SHA1
d5dcf8e4b2e438ffc615b2f7970863166a026394

SHA256
7e1b6243fb1127cd9fde6b4a4d84838b417f9969349253c126f9f1c2cc466cb9

SHA512
afe337b0f5af8b75a170f3e9d5c235fafea74dbf1476da2df7073f19329e0b9fe412ee6bdd4f9610633a68d3c09793dbd4387ef99f26378f918139dd82af203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
707B

MD5
cd381a9cb4b4e8f9ee496fd1f53c9aa9

SHA1
2a744743155178687b4f085f4e8617c515ff8032

SHA256
39a1f539bddb349fd57db0514adfe1c5d8442c847d7baa6642637927ef3bc02b

SHA512
aded0b004cec489b0403b1f05366f793381a1939d2a0d02080409362f0eb6050a8cbf29318cf65bc3e1ef2aa1926fd8e1fc87c339856ddc4025707149943954f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
707B

MD5
c669d8109df8bfcf3544e852cb5332e4

SHA1
be210d77419e4c3eb5a9c79ed478adec9030f53f

SHA256
fd2874b7ee538213464f06543c2a53af39dd8b8d3e6d52cc28e5cb6fcf7e5326

SHA512
b10c2092dfccb96500b43c525ac7349025ebff8d6ddf0e6c57f9b132741aa9edd3273857faf899033c8151a4713370a4254fbc3a3a404fa3af30dcb621cafac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
707B

MD5
03be0c84d469d84d200e09f98fc8d367

SHA1
ff4e779104a754d8b57260d60031f588f9fb51c5

SHA256
b39279b03b01713d39dc34e202a75522cf5d34df2214da4698e05c6ada609c69

SHA512
a5b3a7fdc353c1f7490db550fe3eff59052122951a9a193fe18e07653289cb57f014614ed029930c68bcba92bca22fd001df38f66a7bceee1f6b385556852794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591ee8.TMP
Filesize
707B

MD5
1d0865db66f62a4cf63ddb8c2eef8181

SHA1
fbec32773735372b2e232a905bd3fdcb9d0b99cf

SHA256
40a36e6ae77b962b2da62904ff26a3a0cbd38354391f9fab22d1bb6abd8ac00f

SHA512
c1a3718e47ef5c88090084374e9d53de94af1abbb6a7055c4d20bff429844fe84aaf1dc667e99d623e9b530c8c2cba3d50e582a2c62f42db19cf6b39b088bf57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
fc1230794999ecd35ca425f19eb3e06f

SHA1
644308a2e77d959dd4c127ceec4cd9a49dfaee0e

SHA256
58423a5815261fb5f6c6cd3b5073d69b380ff1c6bf7b1c3beed336c119d2b658

SHA512
5e6d5b2f17a05034bfeb85641ac3513c0c3fe22b32e8f7a5c09c2a82a22cd9d3cbbe89909fb011545cdb073bb8da7d8308c5a923db3647e1e8e93c69f0469fc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
96b228edec4ec97977d1c5fe6409e947

SHA1
1f4907e15ed04a896944940b1c01a3fc79c4d0fe

SHA256
aafd7f48ff2f383033d559768f5264752c138bd9492dd16cb8036f19f4672c22

SHA512
8dfdf3beb0fce989ba1c73e163349829796a94e29038da656e112c961e67da0f3f805672ba4a9807b6cd754c7f5475ed1e3b6f566c1b79fcbfffcc1a42c86ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
64d22615a3d72608b82f43feffaacdf4

SHA1
df42abda6d43d3e3d895e25a9cd32964e134cf77

SHA256
f79e8de53f8893109fdf48ad0c96ccae61fd99019e9e9879856edc5d78247a6b

SHA512
eb75a96155314c284431ae7d858352c5c8cb4b3ea04ec083211136b6d6023ef13e7059dcc32682c005a5d4de1167076648676991b715246d7b6c6498c12c70e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
969e1525e45a4ae99aed34ab4010b5ef

SHA1
20cb661905b70d7a69864c33ab237f5ac42e2079

SHA256
c33a64c48d057fc3ca8c206d614fdd9d9b3231ad338963c32de08cfaa1c88e7e

SHA512
4cb0229c69d9907685c69316b100e6457bb461ad7b8abd16d6fccad42c6feab1be8bdcd4907f284f8694181c70b1caa759609abf4dee569839b5df8630069464

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Filesize
1.8MB

MD5
c67f86a4d71035df46b89d1b630c3cbb

SHA1
1c1911efdd9ed8e7289b3a6a444b1c5afd7ab9a6

SHA256
e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5

SHA512
e329c0433eb91d7026cdc7aaf2c2d0d25a997533d6d870c26c298632f8bbf6a3e8ddb9c78282979c9455bb22d816178e93b954c71b826433896fdd68a30fe784

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\028feab495.exe
Filesize
3.0MB

MD5
8f596cf662d3070c4778030b0ebf1697

SHA1
ca4e9791887dfd346392e84670f3606e08b0da70

SHA256
beac4e6145269334ebaf3d723fa089c0b336dac94ad12da55574b713c496516a

SHA512
6db0f316dacf5ee6191d1574316ecc1ac7c90c21faf3d60795cb4fd2f9c57724bb1162286a37b104741ce64e63366480a1468a49bdd114e28110c8577f4b820c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
Filesize
894KB

MD5
2f8912af892c160c1c24c9f38a60c1ab

SHA1
d2deae508e262444a8f15c29ebcc7ebbe08a3fdb

SHA256
59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308

SHA512
0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
Filesize
1.8MB

MD5
c24cc500387c37edb2c4ac0f460dd272

SHA1
bebd2b99916372d6f4293c276387e904096b50cd

SHA256
dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3

SHA512
16c07ff0c0feb7f2c64671d11737b683e5f243c63263a46dec5ca765d0d2401dde85e57a2619e87391eefaec4f3b10a5eb2aee786d7b4d456c4bcb5fcd2a8570

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
Filesize
301KB

MD5
832eb4dc3ed8ceb9a1735bd0c7acaf1b

SHA1
b622a406927fbb8f6cd5081bd4455fb831948fca

SHA256
2a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7

SHA512
3ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
Filesize
499KB

MD5
83d0b41c7a3a0d29a268b49a313c5de5

SHA1
46f3251c771b67b40b1f3268caef8046174909a5

SHA256
09cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9

SHA512
705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe
Filesize
2.8MB

MD5
1e1152424d7721a51a154a725fe2465e

SHA1
62bc3d11e915e1dbd3cc3ef5a11afec755c995d9

SHA256
674cf1a8997ec6ac5b29b8d7eb6a5fb63ce5aaf4b19ff1ec7749b0225c49906c

SHA512
752e7912d30a2f006ef79600b7412db61644630471ec44bab1e5b2565ef62ccb490ea69159420bb7626248cc8113fe07c09fa51f5c630646b179d880e18b7c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
Filesize
464KB

MD5
c084d6f6ba40534fbfc5a64b21ef99ab

SHA1
0b4a17da83c0a8abbc8fab321931d5447b32b720

SHA256
afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624

SHA512
a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001054001\Payload.exe
Filesize
2.6MB

MD5
55e393da1714013720ddf266c7906f43

SHA1
91a636913604184c010c2d9e0b331a804a2c0ab4

SHA256
6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957

SHA512
40a61e1d461717e45eff3be6b22561ac39c2ef1af39b46f7d149fe823d14a06bb99605a78e794d6447ece43ce6b4854192e47ad993ed4a2e78479bc7e155fe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
Filesize
386KB

MD5
16f67f1a6e10f044bc15abe8c71b3bd6

SHA1
ce0101205b919899a2a2f577100377c2a6546171

SHA256
41cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89

SHA512
a11db01bf55e3497644918c7dcc6180e0911261f39f062e653f000e1365dc9668fe5bd1d0fee0ae5c740a6477bcea510ba8c5ff6831c3bdb0d7c0590d2487e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpF497.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbny4hnv.ejz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\y3FeZmEguniNI5AJZFvacA8X.exe
Filesize
4.1MB

MD5
ac5f59828c7112f4d6f37f3daea03a4c

SHA1
780cbc00e9a044da535af3f1da25445c893a8e53

SHA256
6b0109f5a9106f6cfa857fd3380aaed9c3d461bd8303d58a22af7a42b658b1fc

SHA512
7b68ba612901c89af3a50c5241c03001911a7f8b4cb60966a8578b9eb9dfdbd3c917391af1c12e75217d557c1c2367971a8a9edd05a3fb0aafe68774e46db873

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\a.exe
Filesize
2.5MB

MD5
6fd62e635b39a02ba8cac6fc124c9475

SHA1
e13080b9cc546e44a9f1c419ba86aeb190a14b2d

SHA256
78b9d7e485026278b02a1961999ad99cdfa988fbf4403767db5d10d1473e9870

SHA512
e77432582e6abcc0fd86ed997c9c4619bd67a044d33a752e1cf3ceb8008cea27c540949183b80f9dee8a41614cff54afe79c5db294efcb72b27685fcf1010cdc

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\b.exe
Filesize
95KB

MD5
184ac479b3a878e9ac5535770ca34a2b

SHA1
1f99039911cc2cfd1a62ce348429ddd0f4435a60

SHA256
8e28a0090832a76cf71c417cb1bf7990b9af86be258b732117a47f624387083c

SHA512
e0f5185ae890b902ea5325066df23959106712e7990e120a1b9752bbd0331cac968af5ddd6092f75a1c576d4c83f4093dfbf53a2c90870d1c02b31a0e8282bb4

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Pictures\1kjeFopmUlGBvXxodMLhGDht.exe
Filesize
3KB

MD5
1518ca527dd08b68ab98b5a0897c112d

SHA1
f3e828d90c18e4763d4a63f7844f22225d042a15

SHA256
509c2d674d844083927dd3b67971e8d2fa31e6b4905dfa901c3532bcb18922da

SHA512
4d36a93b165a97eb526677f7edc69002443b99e86ea775463475fe7d68f364fb329faf39bdf95b4f8aa98be508e07e0f72493b438cc4f7bd91f09f6eba683676

Download Submit
C:\Users\Admin\Pictures\6vE9mpJYvchhS8XVmARvG7R9.exe
Filesize
3KB

MD5
b42cc2ab7659f1530fb15d4c0b1c6245

SHA1
62ecd62d873626d3ca31d2233e3ed14437d18889

SHA256
53c55437ef32f9c0129bb3e02d6e8867b93193cd2fb91d307aedb8f88565431a

SHA512
c44e8a015e02f8e571a727457ed3f5bf5b530720854df5e8dd90c49ee29d981a515189d83c38bbc6c4fa2358a642b0763881d7235b01deef8da980a2489b43c9

Download Submit
C:\Users\Admin\Pictures\8rel7TXKDfMAjwbwzpl8EmnW.exe
Filesize
405KB

MD5
04b64be2aee124ca06181ea6b5aceed3

SHA1
9093feccff2d574b2e9f1e35fb6c77f217d1ff7f

SHA256
67c5d6538ebf16eb5cd205230c0b45468228b3ce6b602eaaebec50e230976d00

SHA512
353015bdbd18001c7d04e81facbe78fef0e681de072778723b6d11bb59270ca99638486074886911b66df12d087ce1a6818a8079d5afc6ec5298cf102600d428

Download Submit
C:\Users\Admin\Pictures\Vd5xTYUNsTcvlxb4fMzuskII.exe
Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\qqdIgrWv9y0DHnRiYidIgdUw.exe
Filesize
437KB

MD5
7960d8afbbac06f216cceeb1531093bb

SHA1
008221bf66a0749447cffcb86f2d1ec80e23fc76

SHA256
f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84

SHA512
35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147

Download Submit
C:\Users\Admin\Pictures\vr6dxF57XXSr9QZgUQetXLBq.exe
Filesize
372KB

MD5
e2a6c1f58b137874e490b8d94382fcdb

SHA1
71529c5d708091b1e1a580227dc52e62a140edd1

SHA256
4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437

SHA512
24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

Download Submit
\??\pipe\LOCAL\crashpad_2172_UAAXQQAZRHRXYKOC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/200-862-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/200-851-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/200-895-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/200-899-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/200-901-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/200-870-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/200-848-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/200-887-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/200-883-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/200-828-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/200-866-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/200-858-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/200-834-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/200-822-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/200-824-0x0000000005D40000-0x0000000005F56000-memory.dmp

Filesize
2.1MB

Download
memory/768-144-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/768-148-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/768-146-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/768-147-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/768-116-0x0000000000EE0000-0x00000000013A5000-memory.dmp

Filesize
4.8MB

Download
memory/768-150-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/768-194-0x0000000000EE0000-0x00000000013A5000-memory.dmp

Filesize
4.8MB

Download
memory/768-145-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/768-149-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/768-141-0x0000000000EE0000-0x00000000013A5000-memory.dmp

Filesize
4.8MB

Download
memory/768-143-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/768-142-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/2820-753-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2868-25-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/2868-596-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/2868-23-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/2868-386-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/2868-364-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/2868-24-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/2868-158-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/2868-26-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/2868-28-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/2868-29-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/2868-433-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/2868-678-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/2868-30-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/2868-453-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/2868-27-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/2868-31-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/2868-32-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2868-479-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/2868-33-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/2868-52-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/2868-115-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/2868-283-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/2868-140-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/2868-782-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/3232-492-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/3232-502-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/3248-722-0x0000000000260000-0x00000000005FD000-memory.dmp

Filesize
3.6MB

Download
memory/3248-630-0x0000000000260000-0x00000000005FD000-memory.dmp

Filesize
3.6MB

Download
memory/3248-885-0x0000000000260000-0x00000000005FD000-memory.dmp

Filesize
3.6MB

Download
memory/3356-0-0x0000000000F50000-0x000000000140B000-memory.dmp

Filesize
4.7MB

Download
memory/3356-8-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/3356-9-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/3356-7-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/3356-11-0x0000000000F50000-0x000000000140B000-memory.dmp

Filesize
4.7MB

Download
memory/3356-6-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3356-3-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/3356-5-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/3356-4-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/3356-22-0x0000000000F50000-0x000000000140B000-memory.dmp

Filesize
4.7MB

Download
memory/3356-2-0x0000000000F50000-0x000000000140B000-memory.dmp

Filesize
4.7MB

Download
memory/3356-1-0x0000000077D96000-0x0000000077D98000-memory.dmp

Filesize
8KB

Download
memory/3672-434-0x0000000000760000-0x0000000000AFD000-memory.dmp

Filesize
3.6MB

Download
memory/3672-801-0x0000000000760000-0x0000000000AFD000-memory.dmp

Filesize
3.6MB

Download
memory/3672-248-0x0000000000760000-0x0000000000AFD000-memory.dmp

Filesize
3.6MB

Download
memory/3672-284-0x0000000000760000-0x0000000000AFD000-memory.dmp

Filesize
3.6MB

Download
memory/3672-369-0x0000000000760000-0x0000000000AFD000-memory.dmp

Filesize
3.6MB

Download
memory/3672-597-0x0000000000760000-0x0000000000AFD000-memory.dmp

Filesize
3.6MB

Download
memory/3672-166-0x0000000000760000-0x0000000000AFD000-memory.dmp

Filesize
3.6MB

Download
memory/3672-410-0x0000000000760000-0x0000000000AFD000-memory.dmp

Filesize
3.6MB

Download
memory/3672-463-0x0000000000760000-0x0000000000AFD000-memory.dmp

Filesize
3.6MB

Download
memory/3672-483-0x0000000000760000-0x0000000000AFD000-memory.dmp

Filesize
3.6MB

Download
memory/3672-53-0x0000000000760000-0x0000000000AFD000-memory.dmp

Filesize
3.6MB

Download
memory/3672-679-0x0000000000760000-0x0000000000AFD000-memory.dmp

Filesize
3.6MB

Download
memory/3672-55-0x0000000000760000-0x0000000000AFD000-memory.dmp

Filesize
3.6MB

Download
memory/3680-488-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3680-598-0x00000000000A0000-0x0000000000565000-memory.dmp

Filesize
4.8MB

Download
memory/3680-802-0x00000000000A0000-0x0000000000565000-memory.dmp

Filesize
4.8MB

Download
memory/3680-486-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/3680-485-0x00000000000A0000-0x0000000000565000-memory.dmp

Filesize
4.8MB

Download
memory/3680-489-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/3680-490-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3680-491-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/3680-482-0x00000000000A0000-0x0000000000565000-memory.dmp

Filesize
4.8MB

Download
memory/3680-680-0x00000000000A0000-0x0000000000565000-memory.dmp

Filesize
4.8MB

Download
memory/3680-487-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/4196-752-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4424-624-0x0000000000690000-0x0000000000B4B000-memory.dmp

Filesize
4.7MB

Download
memory/5244-172-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/5244-170-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/5244-169-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/5244-171-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/5244-186-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/5244-167-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/5244-168-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/5244-165-0x0000000000A70000-0x0000000000F2B000-memory.dmp

Filesize
4.7MB

Download
memory/5244-174-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/5244-173-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/5436-412-0x000002744BCE0000-0x000002744BCEA000-memory.dmp

Filesize
40KB

Download
memory/5436-363-0x00007FF8379E0000-0x00007FF8384A2000-memory.dmp

Filesize
10.8MB

Download
memory/5436-344-0x00000274338B0000-0x00000274338D2000-memory.dmp

Filesize
136KB

Download
memory/5436-371-0x000002744BAD0000-0x000002744BAE0000-memory.dmp

Filesize
64KB

Download
memory/5436-373-0x000002744BAD0000-0x000002744BAE0000-memory.dmp

Filesize
64KB

Download
memory/5436-380-0x000002744BAD0000-0x000002744BAE0000-memory.dmp

Filesize
64KB

Download
memory/5436-411-0x000002744BD00000-0x000002744BD12000-memory.dmp

Filesize
72KB

Download
memory/5436-418-0x00007FF8379E0000-0x00007FF8384A2000-memory.dmp

Filesize
10.8MB

Download