Analysis
-
max time kernel
115s -
max time network
176s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
29-03-2024 02:14
Static task
static1
Behavioral task
behavioral1
Sample
0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe
Resource
win10v2004-20240319-en
Behavioral task
behavioral2
Sample
0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe
Resource
win11-20240221-en
General
-
Target
0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe
-
Size
1.8MB
-
MD5
f70c66a757081bd6064c35dcc32f5664
-
SHA1
4e00e1051b158a4b70951a3d56fa2358e2e9f5e7
-
SHA256
0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf
-
SHA512
b21554005d16d16e3a7f33d3e327c438cbe1b553f2a7f87d035dc129979a33fa0c67c55febc22d44067af67868dc040524f255a793611bcc180c92bb25286539
-
SSDEEP
49152:9HXQwyeFKFMuR9GfHwxAuVYG6j7y7dcFf5UAu1Otv:9HXQwlEMuR9Gfiv6CSf5Qs
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
LiveTraffic
4.185.137.132:1632
Signatures
-
Detect ZGRat V1 20 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe family_zgrat_v1 behavioral2/memory/5616-774-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-775-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-777-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-779-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-781-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-784-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-787-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-793-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-796-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-799-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-802-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-815-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-825-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-829-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-833-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-838-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5616-841-0x0000000004F90000-0x00000000051A6000-memory.dmp family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe family_redline C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_redline behavioral2/memory/5752-795-0x0000000000400000-0x0000000000450000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
Processes:
explorha.exea5c51096e2.exeexplorha.exerandom.exeamadka.exe0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exeamert.exeexplorgu.exeexplorha.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a5c51096e2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amadka.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amert.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe -
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exerundll32.exerundll32.exeflow pid process 5 4360 rundll32.exe 47 1740 rundll32.exe 58 1436 rundll32.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
amert.exeexplorha.exea5c51096e2.exeexplorha.exeexplorha.exerandom.exeamadka.exeexplorgu.exe0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a5c51096e2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a5c51096e2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe -
Executes dropped EXE 13 IoCs
Processes:
explorha.exea5c51096e2.exego.exeexplorha.exeamert.exeexplorgu.exeexplorha.exerandom.exealex1234.exeamadka.exeredlinepanel.exeTraffic.exepropro.exepid process 2292 explorha.exe 1952 a5c51096e2.exe 3108 go.exe 2580 explorha.exe 1944 amert.exe 328 explorgu.exe 4468 explorha.exe 1572 random.exe 5352 alex1234.exe 2936 amadka.exe 3560 redlinepanel.exe 5604 Traffic.exe 4820 propro.exe -
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explorha.exeexplorgu.exeamadka.exea5c51096e2.exeexplorha.exeamert.exeexplorha.exerandom.exe0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Wine explorgu.exe Key opened \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Wine amadka.exe Key opened \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Wine a5c51096e2.exe Key opened \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Wine amert.exe Key opened \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Wine random.exe Key opened \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Wine 0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe -
Loads dropped DLL 5 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exepid process 3548 rundll32.exe 4360 rundll32.exe 1740 rundll32.exe 4156 rundll32.exe 1436 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\Pictures\PqGLGs1XXlGVuJ6o5JY0QdP3.exe themida -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
explorha.exeexplorgu.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe" explorha.exe Set value (str) \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe" explorgu.exe Set value (str) \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" explorgu.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exeexplorha.exeexplorha.exeamert.exeexplorgu.exeexplorha.exeamadka.exepid process 4984 0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe 2292 explorha.exe 2580 explorha.exe 1944 amert.exe 328 explorgu.exe 4468 explorha.exe 2936 amadka.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
alex1234.exedescription pid process target process PID 5352 set thread context of 2872 5352 alex1234.exe RegAsm.exe -
Drops file in Windows directory 2 IoCs
Processes:
0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exeamert.exedescription ioc process File created C:\Windows\Tasks\explorha.job 0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe File created C:\Windows\Tasks\explorgu.job amert.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 5572 6432 WerFault.exe RxRVskgfXYWeCQMjY3O709xC.exe 4156 3112 WerFault.exe XhYX0z5bybSMaSS4mpqMRW5T.exe 6592 5084 WerFault.exe RegAsm.exe 2080 2828 WerFault.exe EbASkJDrDUpqU5vhqNO7dtG7.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 52 IoCs
Processes:
0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exeexplorha.exerundll32.exeexplorha.exeamert.exemsedge.exemsedge.exemsedge.exemsedge.exepowershell.exeidentity_helper.exemsedge.exeexplorgu.exeexplorha.exerundll32.exeamadka.exepowershell.exepid process 4984 0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe 4984 0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe 2292 explorha.exe 2292 explorha.exe 4360 rundll32.exe 4360 rundll32.exe 4360 rundll32.exe 4360 rundll32.exe 4360 rundll32.exe 4360 rundll32.exe 2580 explorha.exe 2580 explorha.exe 1944 amert.exe 1944 amert.exe 3672 msedge.exe 3672 msedge.exe 3292 msedge.exe 3292 msedge.exe 4240 msedge.exe 4240 msedge.exe 4360 rundll32.exe 4360 rundll32.exe 4360 rundll32.exe 4360 rundll32.exe 3544 msedge.exe 3544 msedge.exe 1676 powershell.exe 1676 powershell.exe 1676 powershell.exe 5516 identity_helper.exe 5516 identity_helper.exe 5696 msedge.exe 5696 msedge.exe 328 explorgu.exe 328 explorgu.exe 4468 explorha.exe 4468 explorha.exe 1436 rundll32.exe 1436 rundll32.exe 1436 rundll32.exe 1436 rundll32.exe 1436 rundll32.exe 1436 rundll32.exe 2936 amadka.exe 2936 amadka.exe 1436 rundll32.exe 1436 rundll32.exe 1436 rundll32.exe 1436 rundll32.exe 4536 powershell.exe 4536 powershell.exe 4536 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
msedge.exepid process 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1676 powershell.exe Token: SeDebugPrivilege 4536 powershell.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
Processes:
0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exego.exemsedge.exepid process 4984 0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe 3108 go.exe 3108 go.exe 3108 go.exe 3108 go.exe 3108 go.exe 3108 go.exe 3108 go.exe 3108 go.exe 3108 go.exe 3108 go.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe -
Suspicious use of SendNotifyMessage 22 IoCs
Processes:
go.exemsedge.exepid process 3108 go.exe 3108 go.exe 3108 go.exe 3108 go.exe 3108 go.exe 3108 go.exe 3108 go.exe 3108 go.exe 3108 go.exe 3108 go.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe 4240 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exeexplorha.exerundll32.exerundll32.exego.exemsedge.exemsedge.exemsedge.exedescription pid process target process PID 4984 wrote to memory of 2292 4984 0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe explorha.exe PID 4984 wrote to memory of 2292 4984 0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe explorha.exe PID 4984 wrote to memory of 2292 4984 0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe explorha.exe PID 2292 wrote to memory of 1952 2292 explorha.exe a5c51096e2.exe PID 2292 wrote to memory of 1952 2292 explorha.exe a5c51096e2.exe PID 2292 wrote to memory of 1952 2292 explorha.exe a5c51096e2.exe PID 2292 wrote to memory of 2640 2292 explorha.exe explorha.exe PID 2292 wrote to memory of 2640 2292 explorha.exe explorha.exe PID 2292 wrote to memory of 2640 2292 explorha.exe explorha.exe PID 2292 wrote to memory of 3108 2292 explorha.exe go.exe PID 2292 wrote to memory of 3108 2292 explorha.exe go.exe PID 2292 wrote to memory of 3108 2292 explorha.exe go.exe PID 2292 wrote to memory of 3548 2292 explorha.exe rundll32.exe PID 2292 wrote to memory of 3548 2292 explorha.exe rundll32.exe PID 2292 wrote to memory of 3548 2292 explorha.exe rundll32.exe PID 3548 wrote to memory of 4360 3548 rundll32.exe rundll32.exe PID 3548 wrote to memory of 4360 3548 rundll32.exe rundll32.exe PID 2292 wrote to memory of 1944 2292 explorha.exe amert.exe PID 2292 wrote to memory of 1944 2292 explorha.exe amert.exe PID 2292 wrote to memory of 1944 2292 explorha.exe amert.exe PID 4360 wrote to memory of 3436 4360 rundll32.exe netsh.exe PID 4360 wrote to memory of 3436 4360 rundll32.exe netsh.exe PID 3108 wrote to memory of 4240 3108 go.exe msedge.exe PID 3108 wrote to memory of 4240 3108 go.exe msedge.exe PID 4240 wrote to memory of 4148 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 4148 4240 msedge.exe msedge.exe PID 3108 wrote to memory of 4560 3108 go.exe msedge.exe PID 3108 wrote to memory of 4560 3108 go.exe msedge.exe PID 4560 wrote to memory of 4752 4560 msedge.exe msedge.exe PID 4560 wrote to memory of 4752 4560 msedge.exe msedge.exe PID 3108 wrote to memory of 3496 3108 go.exe msedge.exe PID 3108 wrote to memory of 3496 3108 go.exe msedge.exe PID 3496 wrote to memory of 4996 3496 msedge.exe msedge.exe PID 3496 wrote to memory of 4996 3496 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe PID 4240 wrote to memory of 1004 4240 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe"C:\Users\Admin\AppData\Local\Temp\0d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000042001\a5c51096e2.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\a5c51096e2.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc5f643cb8,0x7ffc5f643cc8,0x7ffc5f643cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2076 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4188 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8561129615170839524,901300296238021642,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5128 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5f643cb8,0x7ffc5f643cc8,0x7ffc5f643cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,15302461453457954316,2625357636664654471,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2000 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,15302461453457954316,2625357636664654471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc5f643cb8,0x7ffc5f643cc8,0x7ffc5f643cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,14697887795598053499,11120759823786222873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\602636161432_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\602636161432_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
-
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵
-
C:\Users\Admin\Pictures\XhYX0z5bybSMaSS4mpqMRW5T.exe"C:\Users\Admin\Pictures\XhYX0z5bybSMaSS4mpqMRW5T.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\u2eg.0.exe"C:\Users\Admin\AppData\Local\Temp\u2eg.0.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\u2eg.1.exe"C:\Users\Admin\AppData\Local\Temp\u2eg.1.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 15205⤵
- Program crash
-
C:\Users\Admin\Pictures\EbASkJDrDUpqU5vhqNO7dtG7.exe"C:\Users\Admin\Pictures\EbASkJDrDUpqU5vhqNO7dtG7.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 11925⤵
- Program crash
-
C:\Users\Admin\Pictures\MN4S5J9VUCZk5nl3ozOQ66rX.exe"C:\Users\Admin\Pictures\MN4S5J9VUCZk5nl3ozOQ66rX.exe"4⤵
-
C:\Users\Admin\Pictures\45LRb4ePDcMK4wCNe7WsBqBH.exe"C:\Users\Admin\Pictures\45LRb4ePDcMK4wCNe7WsBqBH.exe"4⤵
-
C:\Users\Admin\Pictures\Ivp5eNWKGZxsEgvwrBd9nsYY.exe"C:\Users\Admin\Pictures\Ivp5eNWKGZxsEgvwrBd9nsYY.exe"4⤵
-
C:\Users\Admin\Pictures\RxRVskgfXYWeCQMjY3O709xC.exe"C:\Users\Admin\Pictures\RxRVskgfXYWeCQMjY3O709xC.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 5526⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6432 -s 8765⤵
- Program crash
-
C:\Users\Admin\Pictures\LbN0mStzaxPf3ZNiV4XmXLVq.exe"C:\Users\Admin\Pictures\LbN0mStzaxPf3ZNiV4XmXLVq.exe" --silent --allusers=04⤵
-
C:\Users\Admin\Pictures\LbN0mStzaxPf3ZNiV4XmXLVq.exeC:\Users\Admin\Pictures\LbN0mStzaxPf3ZNiV4XmXLVq.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6bc4e1d0,0x6bc4e1dc,0x6bc4e1e85⤵
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LbN0mStzaxPf3ZNiV4XmXLVq.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LbN0mStzaxPf3ZNiV4XmXLVq.exe" --version5⤵
-
C:\Users\Admin\Pictures\LbN0mStzaxPf3ZNiV4XmXLVq.exe"C:\Users\Admin\Pictures\LbN0mStzaxPf3ZNiV4XmXLVq.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6572 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329021644" --session-guid=2c125d5f-071b-4949-901a-1c060385792f --server-tracking-blob=NDEwMmU0YjQ1ZDQxNzI1MjllZDE5ZmU0NmY4ZmRlZWIzYzk4OTI2NmZkYzU5OTM0ZWJiMTdiYmYxN2YwYWFlNDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE2Nzg1OTkuODAyMiIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6ImMwNzBhMjQzLThkODItNGFhZi1iNzRlLTg2MTU2YzNhNWEzMSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=38040000000000005⤵
-
C:\Users\Admin\Pictures\LbN0mStzaxPf3ZNiV4XmXLVq.exeC:\Users\Admin\Pictures\LbN0mStzaxPf3ZNiV4XmXLVq.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6acfe1d0,0x6acfe1dc,0x6acfe1e86⤵
-
C:\Users\Admin\Pictures\PqGLGs1XXlGVuJ6o5JY0QdP3.exe"C:\Users\Admin\Pictures\PqGLGs1XXlGVuJ6o5JY0QdP3.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6432 -ip 64321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3112 -ip 31121⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5084 -ip 50841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2828 -ip 28281⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5a87844d5b61c42fc602f01070f37ec45
SHA1415b87ba63f0d908bb804ba10d91a74e536ad9f3
SHA2566a58c5abebd242398876f15234c7794b10fac5e79ac7ba1074b240a2acc30a81
SHA51263541fd2ed677c03c11af0c2433ada1e97dd1da818a33fe4ed7b9b897679a01acc1c8385f34051cae3516f249cd4c85978d52450280f9a355a61bdcbf33e5eb9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5f2dc80f5403feb8461b7ffa09890d6a0
SHA1d5b61e6d672e7e71571e0132e21cead181da8805
SHA256eadeadba37eed18e5acba408d7e076270b00403fed372b77164577232232428a
SHA5125e2119529b99b76be105c43714e4b9977ee2147172c1c44e92bd9b41fa7a66f55d4073c864aac668a912aff2898bd216fb38f2fe34ef65de69ad12965218caf5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55c48e8b68231fb5b2d7f1188b930bc0e
SHA11822aef5da8fdd47626fb91afcf79a2be175a325
SHA256c3b287c29eaa57166b2ab1ba9bd0aaced13cc2f946a04b8d708ac429187fe944
SHA5122bd09b83e44e0104fbe080a8573690217dc9fbf7fd59ff25a1a9e9ebd2d87ac533f9b99350773d081a7e748b39657115a13e94538b153bceb13ecdfc4672a0f8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
960B
MD51c09849863d27692e8fda7a78e2af8db
SHA1a1dd469f4a1668006b372fa67580512fd2210ce3
SHA2561546c539775946674865cd02d514595c6c05d463ca4865ca044fafacf62737e6
SHA5125a36d2b5e8685105f901417f73dd383ad89df3fd43f822f03c400c2b1a921e3c5d5b95b05a1c089355ef709eba340fa6cdc3fd49243803ce8b7daa812e41eb78
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5b2e7f43fdccd4ca5dc86293fb1fd4ef8
SHA1b70a7405eeeb48dbdf05a3850011d5aad418123a
SHA256c5885888e000d1a1b2b8899a31e7769edf89aec65f8527a5a3272533b5b30911
SHA512903b54a715e5db16fb67cff1b58912a7e8b8028f2927e8ef4bf6f48cd7cdb6b9adb795fb93797d749e78593e558c236d2bdab24a902b57efa5a1b3123424ae4d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD59e653cbdbfc5b317084aa48e745c9ec2
SHA16a7bf24569b5370a6f0640a1ba01feb98c426084
SHA256259f778b2aece8cf95f2235c26f2e90b9bcfc6976135cc0fac6bff7657ccd25d
SHA512ac3dbe90cec5c5f593608105e85727cfcb6396ab6f3627f1f3bfd1ac9a32b034d849e24f6658ab4ab73a0e32b0d8c389d1364620aca1ae8d924368906d27f801
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD58f15af831556c6cc3c5a0291c8e4e780
SHA1f36947091576e36910cbce2226282c5ececc76cd
SHA256d1f1bb4d81da7d4798d803e070d3361485d81d9af729425cb1974fcb84d20daf
SHA512188a0d48331b7f90e7635c36de1520dbaa913667a04ae2aba519fbb7a68ef82b0fcc326df497259e3814ec09658502d6280d93bf90c6af859925ccfe9c17918b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
707B
MD5449b42692b85651984a32dc6f5272700
SHA12c08fb78919c573dbf76b9aa4cc972e3203311ab
SHA25667457884a82b9a02a0a7066a216fa86b751cdb4084dcef433d68d3ab7df50f51
SHA512f9d13702d823057931f09daae3feeb0c2e30e44eeed82a5b52b9280807a0c9bddb79a857d9498c49113f3307de24bab425d9015882d13c358bfb7e0019aee79a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
707B
MD5f117a663b7de2cf3f00b43e6c0ae80c7
SHA16645141bbfcc8a81dbdaa707025fc919032374e7
SHA25674cb4bb8e72848ba49d775db15914931ab4de360fcbaac2150f53aae44263b13
SHA512f1a0c6cdfde4f8953e81fe1bd495730e0353126214d225f7c80222b0e164fa93e528606cd378d7299d65a3d48ccf8c97f2280407827bad33c8fca1487547033d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
707B
MD54e4c64bca1cc66ff0f9144992993984e
SHA182de4735d361b83d7ee25fce8c171264724e5c45
SHA25628faaa95b0e2c35b762d8df6a9bcb79f4c802a6e07cd993c0347f9e973ce1938
SHA512588b1f004a92a64058e7bd4f552f520405e7889ff45d24ff453403bd6df5da4d8d3d4aeb260c7a3d5648675bd0b09469539e2337d80d4b05e013a129aedcdb56
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58657b.TMPFilesize
707B
MD5c0e73a57a3825905249b08f743a3810c
SHA1e62a3ea3b28a8f686bf56935e03bf5e2aa7ca251
SHA256640ebdb6e85007d1709a9870000a45e6a6201fca5a7dc5655bdda34a0b46c699
SHA5121db8b671b292385f8064f09762fffe4bc0e41b484d798d9ad9308078ca5de7376253e5a2dd25fc19d05a9cd8f492abf0f7a9803012dd8690ca34a71e5f749d44
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD596932797c573120470dc039321413000
SHA1db153ff98d1a56d3b68b3987969d1f584898667d
SHA2565575c47ab9e8951e9dc06068325a64d6c520533dc59ab2592493c34ccda8c805
SHA512d00a4e053b34278ed1f1e136fcfaa7c4d18edd2f89b0f0990dea33f3d086f231fd3e60b5c0ac2888226ff4ee2d7c6cbafbaae03b235b62d590264ca3047102d9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD50e33de69ced320893ab6c744f0252c79
SHA196d8e7ca33e6acd665b6f091b8318477e68afac5
SHA25664edffa0cb1780035dc219d034bb74126ab114f18f38bbe476591d55c3e3f2dd
SHA512e3cc71090aa40f3d521ea4f416f1bb51b44b92713f9ff0f05d01736db5631e6fc01ef016e56deb1cb953ee8a552e9afa555ec5a6a9a2bff7a4d62f3255648ca1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5582fb179722bbae87426c1d26aa0406e
SHA19808f8baab60ae94e4ed5459e121f12a5d3025ad
SHA25674f7f6c9ca21f599cfa3e34850229f69c497e6ef60b0a8e254e9b33cd7ca19e2
SHA512ce47ddb4b408641b1dc546bd18a2c6ee95954e6ff3103d237d4bb4519e9142adc2f2b9a621652d06722c08ceb01c8fd01fda71b760bde74ff53158b19fd5894d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5d7b91006aeaf6abdabea8be0287f1f6f
SHA162e0e92b663a55195864faf7001ddf4026993300
SHA2563dd8a391e37b66da88ed90f77300ab6215a06638e9c736ec449691276b89e6a5
SHA5121712e7aa2c55eea896265c0041ddb51b822873b4a8f505b61d1cb108de6c926a88de3558950724cd73add0c7d2cfb5d18c10e2d9eca979cd9c20a255f64bfeed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD57e43ecdefb2dd1d876c266fd8cc3ecae
SHA1f893dd1205563cf1159d798d68a2cb1d3726bcd0
SHA2566466f258f3cac696b6f7fe23f9d49e8d29e67bd9dc72f089128c4cb3dfc12123
SHA51256faaec0d0aea341f5a39940be2ea890dfa9ab1b734fba9b61627239cd6d0e159ed3497195310392e6c08956ba1e8c11e79fbf5f86b3a3b41dd79fe158982d35
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d2266b9ac47c081bb409020841147098
SHA1d91769d1bd681edb640d6a1744692483826d8f87
SHA256693008a4ea214a1b7bb6d066ab53f8246c11a5feed068a3fa489ef02ede693a6
SHA5124465619f163dceadb8fcc2475dec47442e384c5742693104cdebfbeb9b33da4fbf8b08f184b5d5437561ef54c59cee6e730e235f1aa393f63788c632894325a5
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeFilesize
1.8MB
MD5f70c66a757081bd6064c35dcc32f5664
SHA14e00e1051b158a4b70951a3d56fa2358e2e9f5e7
SHA2560d9ae5d727bdab19d60c47757e655d07d80ca125f6f9975009968be677af88cf
SHA512b21554005d16d16e3a7f33d3e327c438cbe1b553f2a7f87d035dc129979a33fa0c67c55febc22d44067af67868dc040524f255a793611bcc180c92bb25286539
-
C:\Users\Admin\AppData\Local\Temp\1000042001\a5c51096e2.exeFilesize
2.9MB
MD5e4b5f874ded4d62f347be608addb0dae
SHA12e1fcdbc81ccaf221e654dc69a74c5dbcb129549
SHA25697ececf64f9dff2ff1e30bc31d946dd64eb57fe798bda2a12fd29a2e06d177d4
SHA512cb271a4bc200abb08ed5eb1028a6a62e8ad1f2870315ca50884f3832a459d239a9471efac4fa22ca3bfe398a87c431d21c409bc823767f3b0da3e9b2564a7a92
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exeFilesize
894KB
MD52f8912af892c160c1c24c9f38a60c1ab
SHA1d2deae508e262444a8f15c29ebcc7ebbe08a3fdb
SHA25659ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308
SHA5120395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exeFilesize
1.8MB
MD58e2f5dac4491c3f83867b903df33a43c
SHA1ec92dfdfdf66a990576c754aef5b42a2e93da7ff
SHA25662c762d602b7e8b89d7bc734d38bf7f4ee8cf9e7dae83b30f295f1753935a5f2
SHA512a13a7ca2c7bf0be168057f946de2179707eb475b3a57728af43b55c6ff1595d12609ed54835b8cbefba4b32b43eaaa7eb910f3f99b5dc0efdaff1d892da7b47e
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exeFilesize
301KB
MD5832eb4dc3ed8ceb9a1735bd0c7acaf1b
SHA1b622a406927fbb8f6cd5081bd4455fb831948fca
SHA2562a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7
SHA5123ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exeFilesize
499KB
MD583d0b41c7a3a0d29a268b49a313c5de5
SHA146f3251c771b67b40b1f3268caef8046174909a5
SHA25609cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9
SHA512705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exeFilesize
2.8MB
MD51e1152424d7721a51a154a725fe2465e
SHA162bc3d11e915e1dbd3cc3ef5a11afec755c995d9
SHA256674cf1a8997ec6ac5b29b8d7eb6a5fb63ce5aaf4b19ff1ec7749b0225c49906c
SHA512752e7912d30a2f006ef79600b7412db61644630471ec44bab1e5b2565ef62ccb490ea69159420bb7626248cc8113fe07c09fa51f5c630646b179d880e18b7c02
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exeFilesize
464KB
MD5c084d6f6ba40534fbfc5a64b21ef99ab
SHA10b4a17da83c0a8abbc8fab321931d5447b32b720
SHA256afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624
SHA512a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1
-
C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exeFilesize
386KB
MD516f67f1a6e10f044bc15abe8c71b3bd6
SHA1ce0101205b919899a2a2f577100377c2a6546171
SHA25641cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89
SHA512a11db01bf55e3497644918c7dcc6180e0911261f39f062e653f000e1365dc9668fe5bd1d0fee0ae5c740a6477bcea510ba8c5ff6831c3bdb0d7c0590d2487e3c
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403290216444732232.dllFilesize
4.6MB
MD5117176ddeaf70e57d1747704942549e4
SHA175e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b
SHA2563c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af
SHA512ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9
-
C:\Users\Admin\AppData\Local\Temp\Tmp30CA.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kuy55ubk.d1c.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp772D.tmpFilesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
C:\Users\Admin\AppData\Local\Temp\tmp77DC.tmpFilesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
C:\Users\Admin\AppData\Local\Temp\u2eg.0.exeFilesize
260KB
MD5a533c58be371236669106ab5243b05bb
SHA159e8eae350fd911b9d74940fd5a0793f6b4fddc0
SHA2566f746358af1862e923dee83621f64d56b2e8d8f8936e71d4d6bc565e97e58b09
SHA51283970ca812ebef5e7c7a4e32c6b6a48d0028f688241441fedfa00e9171592bbc6fa883f0bc7f2603d31f687b1510633bca5468b3ecb96481aa62451c85885f8d
-
C:\Users\Admin\AppData\Local\Temp\u2eg.1.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
C:\Users\Admin\Pictures\9kWLx3Li0xX6DVfjl1QOT17M.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\EbASkJDrDUpqU5vhqNO7dtG7.exeFilesize
372KB
MD5e2a6c1f58b137874e490b8d94382fcdb
SHA171529c5d708091b1e1a580227dc52e62a140edd1
SHA2564801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA51224d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff
-
C:\Users\Admin\Pictures\HzSZRoTFG6kjuY8nxGvmIEcB.exeFilesize
3KB
MD5e63c91ac7cf19785be5a5db39257e762
SHA1567bbda007e33e37c6c45b21d4c00cc23cf40d47
SHA25642af39af4526729b6d8ebe9359e825b15cc9a33de052537ad73ba6b7634535aa
SHA5129f964bcdd271a7fb77182965e2d14300dbcf03c45886fd544f0d5d393f6ce71777d81211a636fca86fa3e606d078c30997f88fcc243d86f98fa7376bd5219ab8
-
C:\Users\Admin\Pictures\LbN0mStzaxPf3ZNiV4XmXLVq.exeFilesize
5.1MB
MD57e85016a366445e0f731f58428d43563
SHA1012d701c219fddfdd2e57e51f9f01eeff64680fa
SHA2564b7b813cabce8de3bf4ac0358263d62f5c1df52a63ebfd8bf5586225505b5a58
SHA5125c018e1327d7240e8e5fa82fa8cc3d5eb24cec43fe36d5a2fee813e1b5787353abebe96b20dfe724525e06c803fc2ee85dfae64087e6c2ef13bbf647cb2e476d
-
C:\Users\Admin\Pictures\MN4S5J9VUCZk5nl3ozOQ66rX.exeFilesize
4.1MB
MD580fbcd8bcab6ddca53a467dfc54b2123
SHA15394a3de0dc598eeba66870d9070f54e8b137ede
SHA256fff7af7e094a0f3d5e5b87eebbb5290e3d7570e192426e81909278abf8d0350b
SHA512d7d14f7465da79ac9bfb1d88431e397e5f13fe7339f819b8e0404110bd73d10224d20c2b68178da3b7504de17c0b475f97ade83ab93d842310cf3baa605ac42c
-
C:\Users\Admin\Pictures\PqGLGs1XXlGVuJ6o5JY0QdP3.exeFilesize
4.3MB
MD5858bb0a3b4fa6a54586402e3ee117076
SHA1997c31f043347883ea5ed2323a558b6cc5ea9c8e
SHA256d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35
SHA512e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd
-
C:\Users\Admin\Pictures\RxRVskgfXYWeCQMjY3O709xC.exeFilesize
437KB
MD57960d8afbbac06f216cceeb1531093bb
SHA1008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA51235d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147
-
C:\Users\Admin\Pictures\XhYX0z5bybSMaSS4mpqMRW5T.exeFilesize
404KB
MD58bc396803bf0c509173078f354cb293b
SHA18a8e2298863cf6d5b5ad1c1f1efdb4f372f1cfa0
SHA256e79bb6f916ff4f4bcca0dd2bb4c16233090265c38f3aeaa4a19bb125138773bb
SHA512da3e916fb3b662584e3f1c8e5e6ac3c75c2f8aba0113597257cae5e9515944055e59d242efd08155939ea7044c7bf15a242f8d950e0a4a996889cbad1e20cd83
-
C:\Users\Admin\Pictures\Y37yDkExiWcRGPofbE1TtACi.exeFilesize
3KB
MD5d797d0c0abfde8aa1faff550ea84ede7
SHA1809db1c4731d7f165fd628eb555b66798bc6088f
SHA256c68c69b7864aae40e86976525ff83ddb6db875fe289ff4bc4b6fc5439eda7745
SHA512c7d6fb1fe2b93391500c12db148792af99d7f59a14515d37c954fb3bde1205b46c4711083445f1b14851e177c005de7a0fa1a868b43a426d52954c429f4c02ee
-
memory/328-457-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/328-453-0x0000000004C60000-0x0000000004C61000-memory.dmpFilesize
4KB
-
memory/328-452-0x0000000000040000-0x00000000004F6000-memory.dmpFilesize
4.7MB
-
memory/328-454-0x0000000004C40000-0x0000000004C41000-memory.dmpFilesize
4KB
-
memory/328-649-0x0000000000040000-0x00000000004F6000-memory.dmpFilesize
4.7MB
-
memory/328-518-0x0000000000040000-0x00000000004F6000-memory.dmpFilesize
4.7MB
-
memory/328-458-0x0000000004C50000-0x0000000004C51000-memory.dmpFilesize
4KB
-
memory/328-463-0x0000000004CA0000-0x0000000004CA1000-memory.dmpFilesize
4KB
-
memory/328-462-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/328-816-0x0000000000040000-0x00000000004F6000-memory.dmpFilesize
4.7MB
-
memory/328-456-0x0000000004C20000-0x0000000004C21000-memory.dmpFilesize
4KB
-
memory/328-451-0x0000000000040000-0x00000000004F6000-memory.dmpFilesize
4.7MB
-
memory/328-455-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/1572-519-0x00000000007B0000-0x0000000000B4B000-memory.dmpFilesize
3.6MB
-
memory/1572-697-0x00000000007B0000-0x0000000000B4B000-memory.dmpFilesize
3.6MB
-
memory/1676-196-0x00007FFC5D6E0000-0x00007FFC5E1A2000-memory.dmpFilesize
10.8MB
-
memory/1676-355-0x00007FFC5D6E0000-0x00007FFC5E1A2000-memory.dmpFilesize
10.8MB
-
memory/1676-339-0x00000150CDE70000-0x00000150CDE7A000-memory.dmpFilesize
40KB
-
memory/1676-338-0x00000150CDE90000-0x00000150CDEA2000-memory.dmpFilesize
72KB
-
memory/1676-227-0x00000150B5CF0000-0x00000150B5D12000-memory.dmpFilesize
136KB
-
memory/1676-202-0x00000150CDE80000-0x00000150CDE90000-memory.dmpFilesize
64KB
-
memory/1676-197-0x00000150CDE80000-0x00000150CDE90000-memory.dmpFilesize
64KB
-
memory/1944-112-0x0000000004AE0000-0x0000000004AE1000-memory.dmpFilesize
4KB
-
memory/1944-124-0x0000000000A40000-0x0000000000EF6000-memory.dmpFilesize
4.7MB
-
memory/1944-133-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/1944-101-0x0000000000A40000-0x0000000000EF6000-memory.dmpFilesize
4.7MB
-
memory/1944-155-0x0000000000A40000-0x0000000000EF6000-memory.dmpFilesize
4.7MB
-
memory/1944-123-0x0000000004AF0000-0x0000000004AF1000-memory.dmpFilesize
4KB
-
memory/1944-115-0x0000000004B10000-0x0000000004B11000-memory.dmpFilesize
4KB
-
memory/1944-114-0x0000000004AD0000-0x0000000004AD1000-memory.dmpFilesize
4KB
-
memory/1944-116-0x0000000004AB0000-0x0000000004AB1000-memory.dmpFilesize
4KB
-
memory/1944-132-0x0000000004B40000-0x0000000004B41000-memory.dmpFilesize
4KB
-
memory/1944-122-0x0000000004AC0000-0x0000000004AC1000-memory.dmpFilesize
4KB
-
memory/1952-428-0x0000000000930000-0x0000000000CCB000-memory.dmpFilesize
3.6MB
-
memory/1952-703-0x0000000000930000-0x0000000000CCB000-memory.dmpFilesize
3.6MB
-
memory/1952-51-0x0000000000930000-0x0000000000CCB000-memory.dmpFilesize
3.6MB
-
memory/1952-448-0x0000000000930000-0x0000000000CCB000-memory.dmpFilesize
3.6MB
-
memory/1952-53-0x0000000000930000-0x0000000000CCB000-memory.dmpFilesize
3.6MB
-
memory/1952-426-0x0000000000930000-0x0000000000CCB000-memory.dmpFilesize
3.6MB
-
memory/1952-550-0x0000000000930000-0x0000000000CCB000-memory.dmpFilesize
3.6MB
-
memory/1952-401-0x0000000000930000-0x0000000000CCB000-memory.dmpFilesize
3.6MB
-
memory/1952-186-0x0000000000930000-0x0000000000CCB000-memory.dmpFilesize
3.6MB
-
memory/1952-240-0x0000000000930000-0x0000000000CCB000-memory.dmpFilesize
3.6MB
-
memory/1952-393-0x0000000000930000-0x0000000000CCB000-memory.dmpFilesize
3.6MB
-
memory/1952-496-0x0000000000930000-0x0000000000CCB000-memory.dmpFilesize
3.6MB
-
memory/2292-696-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2292-427-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2292-30-0x0000000005690000-0x0000000005691000-memory.dmpFilesize
4KB
-
memory/2292-25-0x0000000005640000-0x0000000005641000-memory.dmpFilesize
4KB
-
memory/2292-26-0x0000000005630000-0x0000000005631000-memory.dmpFilesize
4KB
-
memory/2292-495-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2292-392-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2292-24-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2292-400-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2292-185-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2292-31-0x0000000005680000-0x0000000005681000-memory.dmpFilesize
4KB
-
memory/2292-548-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2292-425-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2292-49-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2292-438-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2292-29-0x0000000005620000-0x0000000005621000-memory.dmpFilesize
4KB
-
memory/2292-28-0x0000000005610000-0x0000000005611000-memory.dmpFilesize
4KB
-
memory/2292-22-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2292-27-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/2292-97-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2292-102-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2580-103-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2580-105-0x0000000004BC0000-0x0000000004BC1000-memory.dmpFilesize
4KB
-
memory/2580-109-0x0000000004BE0000-0x0000000004BE1000-memory.dmpFilesize
4KB
-
memory/2580-111-0x0000000004B90000-0x0000000004B91000-memory.dmpFilesize
4KB
-
memory/2580-106-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/2580-110-0x0000000004B80000-0x0000000004B81000-memory.dmpFilesize
4KB
-
memory/2580-104-0x0000000004BB0000-0x0000000004BB1000-memory.dmpFilesize
4KB
-
memory/2580-130-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2580-100-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/2872-588-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/2936-594-0x0000000000690000-0x0000000000B3E000-memory.dmpFilesize
4.7MB
-
memory/4468-490-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/4468-466-0x0000000004FE0000-0x0000000004FE1000-memory.dmpFilesize
4KB
-
memory/4468-464-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/4468-467-0x0000000005020000-0x0000000005021000-memory.dmpFilesize
4KB
-
memory/4468-460-0x0000000000BC0000-0x000000000106E000-memory.dmpFilesize
4.7MB
-
memory/4468-465-0x0000000004FF0000-0x0000000004FF1000-memory.dmpFilesize
4KB
-
memory/4984-5-0x00000000053E0000-0x00000000053E1000-memory.dmpFilesize
4KB
-
memory/4984-6-0x0000000005380000-0x0000000005381000-memory.dmpFilesize
4KB
-
memory/4984-7-0x0000000005390000-0x0000000005391000-memory.dmpFilesize
4KB
-
memory/4984-8-0x0000000005410000-0x0000000005411000-memory.dmpFilesize
4KB
-
memory/4984-9-0x0000000005400000-0x0000000005401000-memory.dmpFilesize
4KB
-
memory/4984-11-0x0000000000D90000-0x000000000123E000-memory.dmpFilesize
4.7MB
-
memory/4984-0-0x0000000000D90000-0x000000000123E000-memory.dmpFilesize
4.7MB
-
memory/4984-3-0x00000000053B0000-0x00000000053B1000-memory.dmpFilesize
4KB
-
memory/4984-23-0x0000000000D90000-0x000000000123E000-memory.dmpFilesize
4.7MB
-
memory/4984-1-0x0000000077526000-0x0000000077528000-memory.dmpFilesize
8KB
-
memory/4984-4-0x00000000053A0000-0x00000000053A1000-memory.dmpFilesize
4KB
-
memory/4984-2-0x0000000000D90000-0x000000000123E000-memory.dmpFilesize
4.7MB
-
memory/5616-775-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-796-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-841-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-833-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-829-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-825-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-815-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-802-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-799-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-838-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-774-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-793-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-787-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-784-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-781-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-779-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5616-777-0x0000000004F90000-0x00000000051A6000-memory.dmpFilesize
2.1MB
-
memory/5752-795-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB