Analysis
-
max time kernel
106s -
max time network
148s -
platform
windows11-21h2_x64 -
resource
win11-20240214-en -
resource tags
arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system -
submitted
29-03-2024 12:02
Static task
static1
Behavioral task
behavioral1
Sample
5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe
Resource
win11-20240214-en
General
-
Target
5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe
-
Size
1.8MB
-
MD5
8cef71906c123049c0e3a0ebd9f420e3
-
SHA1
60f4c13bc04c536f56b6fcb82fca6ebd556084d6
-
SHA256
5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71
-
SHA512
6561c864d6c684e394160bcec82c36a12a8dc87070f224eae28d08ec92ceff29dedf84cc9307d7f1ccc035ffe4339fb67285e0756b72426658d70710031eacff
-
SSDEEP
49152:VN3o9vO1DXwG/lKa1y2In8b51LGFgxzcy9mVc3jG2A:VBo9vk7saHb51LGFgxwWmAC2
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Signatures
-
Detect ZGRat V1 27 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe family_zgrat_v1 behavioral2/memory/5828-504-0x0000000000E60000-0x000000000101C000-memory.dmp family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_zgrat_v1 behavioral2/memory/5628-813-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-814-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-816-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-818-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-820-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-822-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-825-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-828-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-830-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-834-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-836-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-838-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-840-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe family_zgrat_v1 behavioral2/memory/5628-851-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-861-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-869-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-872-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-874-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-876-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-878-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-880-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-882-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 behavioral2/memory/5628-884-0x0000000005790000-0x00000000059A6000-memory.dmp family_zgrat_v1 -
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
kwYlaP9uD9LrQoim5vqU1u4e.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" kwYlaP9uD9LrQoim5vqU1u4e.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe family_redline C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe family_redline C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_redline -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
RegAsm.exedescription pid process target process PID 4732 created 2932 4732 RegAsm.exe sihost.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
Processes:
fa136186c5.exekwYlaP9uD9LrQoim5vqU1u4e.exeamert.exeexplorgu.exeexplorha.exerandom.exeamadka.exe5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exeexplorha.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ fa136186c5.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ kwYlaP9uD9LrQoim5vqU1u4e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amert.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amadka.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe -
Blocklisted process makes network request 4 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exeflow pid process 41 5344 rundll32.exe 48 5956 rundll32.exe 57 5928 rundll32.exe 67 5704 rundll32.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 3 IoCs
Processes:
netsh.exenetsh.exenetsh.exepid process 1832 netsh.exe 5128 netsh.exe 2460 netsh.exe -
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exeexplorha.exeamert.exerandom.exefa136186c5.exeexplorha.exekwYlaP9uD9LrQoim5vqU1u4e.exeamadka.exeexplorgu.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion fa136186c5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion kwYlaP9uD9LrQoim5vqU1u4e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion fa136186c5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion kwYlaP9uD9LrQoim5vqU1u4e.exe -
Executes dropped EXE 30 IoCs
Processes:
explorha.exefa136186c5.exego.exeamert.exeexplorgu.exeexplorha.exerandom.exealex1234.exepropro.exeTraffic.exeamadka.exeredlinepanel.exe32456.exeNewB.exeEljlre.exegoldprimeldlldf.exefile300un.exe7XOdWfBvqYD2zr7D32WZ5nBW.exeQczTYBqaeUMB72OyxPvWtk3N.exeE5NymT1DuZ5SVrBCmwRAhkW7.exesBQBvSsSDy0nlGEPLWZcnRx8.exeoJ5kiJCUAy0r5oi0Sd1oMiVU.exeu4d8.0.exekwYlaP9uD9LrQoim5vqU1u4e.exeGJtEpu5Q82iE8KmlETcVsp6w.exeGJtEpu5Q82iE8KmlETcVsp6w.exeGJtEpu5Q82iE8KmlETcVsp6w.exeu4d8.1.exeGJtEpu5Q82iE8KmlETcVsp6w.exeGJtEpu5Q82iE8KmlETcVsp6w.exepid process 652 explorha.exe 232 fa136186c5.exe 1616 go.exe 5496 amert.exe 5300 explorgu.exe 5396 explorha.exe 4988 random.exe 5828 alex1234.exe 5632 propro.exe 6108 Traffic.exe 5140 amadka.exe 2184 redlinepanel.exe 6000 32456.exe 2776 NewB.exe 5628 Eljlre.exe 2064 goldprimeldlldf.exe 5980 file300un.exe 5660 7XOdWfBvqYD2zr7D32WZ5nBW.exe 1636 QczTYBqaeUMB72OyxPvWtk3N.exe 4700 E5NymT1DuZ5SVrBCmwRAhkW7.exe 2884 sBQBvSsSDy0nlGEPLWZcnRx8.exe 5932 oJ5kiJCUAy0r5oi0Sd1oMiVU.exe 1456 u4d8.0.exe 6108 kwYlaP9uD9LrQoim5vqU1u4e.exe 6000 GJtEpu5Q82iE8KmlETcVsp6w.exe 4236 GJtEpu5Q82iE8KmlETcVsp6w.exe 3176 GJtEpu5Q82iE8KmlETcVsp6w.exe 1236 u4d8.1.exe 5860 GJtEpu5Q82iE8KmlETcVsp6w.exe 5056 GJtEpu5Q82iE8KmlETcVsp6w.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
random.exeamadka.exe5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exeexplorha.exefa136186c5.exeamert.exeexplorgu.exeexplorha.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine random.exe Key opened \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine amadka.exe Key opened \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine 5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe Key opened \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine fa136186c5.exe Key opened \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine amert.exe Key opened \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine explorgu.exe Key opened \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine explorha.exe -
Loads dropped DLL 11 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exeGJtEpu5Q82iE8KmlETcVsp6w.exeGJtEpu5Q82iE8KmlETcVsp6w.exeGJtEpu5Q82iE8KmlETcVsp6w.exeGJtEpu5Q82iE8KmlETcVsp6w.exeGJtEpu5Q82iE8KmlETcVsp6w.exepid process 5316 rundll32.exe 5344 rundll32.exe 5956 rundll32.exe 5876 rundll32.exe 5928 rundll32.exe 5704 rundll32.exe 6000 GJtEpu5Q82iE8KmlETcVsp6w.exe 4236 GJtEpu5Q82iE8KmlETcVsp6w.exe 3176 GJtEpu5Q82iE8KmlETcVsp6w.exe 5860 GJtEpu5Q82iE8KmlETcVsp6w.exe 5056 GJtEpu5Q82iE8KmlETcVsp6w.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorgu.exeexplorha.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" explorgu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Run\fa136186c5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\fa136186c5.exe" explorha.exe Set value (str) \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe" explorha.exe Set value (str) \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe" explorgu.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
kwYlaP9uD9LrQoim5vqU1u4e.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA kwYlaP9uD9LrQoim5vqU1u4e.exe -
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
GJtEpu5Q82iE8KmlETcVsp6w.exeGJtEpu5Q82iE8KmlETcVsp6w.exedescription ioc process File opened (read-only) \??\F: GJtEpu5Q82iE8KmlETcVsp6w.exe File opened (read-only) \??\D: GJtEpu5Q82iE8KmlETcVsp6w.exe File opened (read-only) \??\F: GJtEpu5Q82iE8KmlETcVsp6w.exe File opened (read-only) \??\D: GJtEpu5Q82iE8KmlETcVsp6w.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 24 api.myip.com 30 ipinfo.io 95 api.myip.com 97 ipinfo.io -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe autoit_exe -
Drops file in System32 directory 4 IoCs
Processes:
kwYlaP9uD9LrQoim5vqU1u4e.exedescription ioc process File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI kwYlaP9uD9LrQoim5vqU1u4e.exe File opened for modification C:\Windows\System32\GroupPolicy kwYlaP9uD9LrQoim5vqU1u4e.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini kwYlaP9uD9LrQoim5vqU1u4e.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol kwYlaP9uD9LrQoim5vqU1u4e.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exeexplorha.exeamert.exeexplorgu.exeexplorha.exeamadka.exekwYlaP9uD9LrQoim5vqU1u4e.exepid process 1736 5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe 652 explorha.exe 5496 amert.exe 5300 explorgu.exe 5396 explorha.exe 5140 amadka.exe 6108 kwYlaP9uD9LrQoim5vqU1u4e.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
alex1234.exegoldprimeldlldf.exefile300un.exesBQBvSsSDy0nlGEPLWZcnRx8.exedescription pid process target process PID 5828 set thread context of 5940 5828 alex1234.exe RegAsm.exe PID 2064 set thread context of 2096 2064 goldprimeldlldf.exe RegAsm.exe PID 5980 set thread context of 3012 5980 file300un.exe installutil.exe PID 2884 set thread context of 4732 2884 sBQBvSsSDy0nlGEPLWZcnRx8.exe RegAsm.exe -
Drops file in Windows directory 2 IoCs
Processes:
5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exeamert.exedescription ioc process File created C:\Windows\Tasks\explorha.job 5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe File created C:\Windows\Tasks\explorgu.job amert.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 1680 2884 WerFault.exe sBQBvSsSDy0nlGEPLWZcnRx8.exe 5876 4732 WerFault.exe RegAsm.exe 1824 4732 WerFault.exe RegAsm.exe 4872 1456 WerFault.exe u4d8.0.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
u4d8.1.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u4d8.1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u4d8.1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u4d8.1.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
u4d8.0.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 u4d8.0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString u4d8.0.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Processes:
propro.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 propro.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 propro.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exeexplorha.exemsedge.exemsedge.exemsedge.exemsedge.exeamert.exemsedge.exerundll32.exeidentity_helper.exepowershell.exeexplorgu.exeexplorha.exeamadka.exerundll32.exepowershell.exeTraffic.exeredlinepanel.exepropro.exepid process 1736 5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe 1736 5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe 652 explorha.exe 652 explorha.exe 864 msedge.exe 864 msedge.exe 1484 msedge.exe 1484 msedge.exe 2900 msedge.exe 2900 msedge.exe 2992 msedge.exe 2992 msedge.exe 5496 amert.exe 5496 amert.exe 5880 msedge.exe 5880 msedge.exe 5344 rundll32.exe 5344 rundll32.exe 5344 rundll32.exe 5344 rundll32.exe 5344 rundll32.exe 5344 rundll32.exe 5400 identity_helper.exe 5400 identity_helper.exe 5344 rundll32.exe 5344 rundll32.exe 5344 rundll32.exe 5344 rundll32.exe 2580 powershell.exe 2580 powershell.exe 2580 powershell.exe 5300 explorgu.exe 5300 explorgu.exe 5396 explorha.exe 5396 explorha.exe 5140 amadka.exe 5140 amadka.exe 5928 rundll32.exe 5928 rundll32.exe 5928 rundll32.exe 5928 rundll32.exe 5928 rundll32.exe 5928 rundll32.exe 5928 rundll32.exe 5928 rundll32.exe 5928 rundll32.exe 5928 rundll32.exe 5808 powershell.exe 5808 powershell.exe 5808 powershell.exe 6108 Traffic.exe 6108 Traffic.exe 2184 redlinepanel.exe 2184 redlinepanel.exe 5632 propro.exe 5632 propro.exe 5632 propro.exe 5632 propro.exe 5632 propro.exe 5632 propro.exe 5632 propro.exe 5632 propro.exe 5632 propro.exe 5632 propro.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
msedge.exepid process 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
powershell.exeTraffic.exe32456.exepowershell.exeredlinepanel.exeEljlre.exepropro.exeinstallutil.exeRegAsm.exeRegAsm.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2580 powershell.exe Token: SeDebugPrivilege 6108 Traffic.exe Token: SeBackupPrivilege 6108 Traffic.exe Token: SeSecurityPrivilege 6108 Traffic.exe Token: SeSecurityPrivilege 6108 Traffic.exe Token: SeSecurityPrivilege 6108 Traffic.exe Token: SeSecurityPrivilege 6108 Traffic.exe Token: SeDebugPrivilege 6000 32456.exe Token: SeDebugPrivilege 5808 powershell.exe Token: SeBackupPrivilege 6000 32456.exe Token: SeSecurityPrivilege 6000 32456.exe Token: SeSecurityPrivilege 6000 32456.exe Token: SeSecurityPrivilege 6000 32456.exe Token: SeSecurityPrivilege 6000 32456.exe Token: SeDebugPrivilege 2184 redlinepanel.exe Token: SeDebugPrivilege 5628 Eljlre.exe Token: SeDebugPrivilege 5632 propro.exe Token: SeDebugPrivilege 3012 installutil.exe Token: SeDebugPrivilege 2096 RegAsm.exe Token: SeDebugPrivilege 5940 RegAsm.exe Token: SeDebugPrivilege 4484 powershell.exe Token: SeDebugPrivilege 3612 powershell.exe Token: SeDebugPrivilege 3200 powershell.exe -
Suspicious use of FindShellTrayWindow 35 IoCs
Processes:
go.exemsedge.exeu4d8.1.exepid process 1616 go.exe 1616 go.exe 1616 go.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1236 u4d8.1.exe 1236 u4d8.1.exe 1236 u4d8.1.exe 1236 u4d8.1.exe 1236 u4d8.1.exe 1236 u4d8.1.exe 1236 u4d8.1.exe -
Suspicious use of SendNotifyMessage 22 IoCs
Processes:
go.exemsedge.exeu4d8.1.exepid process 1616 go.exe 1616 go.exe 1616 go.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1484 msedge.exe 1236 u4d8.1.exe 1236 u4d8.1.exe 1236 u4d8.1.exe 1236 u4d8.1.exe 1236 u4d8.1.exe 1236 u4d8.1.exe 1236 u4d8.1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exeexplorha.exego.exemsedge.exemsedge.exemsedge.exedescription pid process target process PID 1736 wrote to memory of 652 1736 5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe explorha.exe PID 1736 wrote to memory of 652 1736 5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe explorha.exe PID 1736 wrote to memory of 652 1736 5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe explorha.exe PID 652 wrote to memory of 232 652 explorha.exe fa136186c5.exe PID 652 wrote to memory of 232 652 explorha.exe fa136186c5.exe PID 652 wrote to memory of 232 652 explorha.exe fa136186c5.exe PID 652 wrote to memory of 4332 652 explorha.exe explorha.exe PID 652 wrote to memory of 4332 652 explorha.exe explorha.exe PID 652 wrote to memory of 4332 652 explorha.exe explorha.exe PID 652 wrote to memory of 1616 652 explorha.exe go.exe PID 652 wrote to memory of 1616 652 explorha.exe go.exe PID 652 wrote to memory of 1616 652 explorha.exe go.exe PID 1616 wrote to memory of 1484 1616 go.exe msedge.exe PID 1616 wrote to memory of 1484 1616 go.exe msedge.exe PID 1484 wrote to memory of 1812 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1812 1484 msedge.exe msedge.exe PID 1616 wrote to memory of 5088 1616 go.exe msedge.exe PID 1616 wrote to memory of 5088 1616 go.exe msedge.exe PID 5088 wrote to memory of 3632 5088 msedge.exe msedge.exe PID 5088 wrote to memory of 3632 5088 msedge.exe msedge.exe PID 1616 wrote to memory of 1528 1616 go.exe msedge.exe PID 1616 wrote to memory of 1528 1616 go.exe msedge.exe PID 1528 wrote to memory of 1800 1528 msedge.exe msedge.exe PID 1528 wrote to memory of 1800 1528 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe PID 1484 wrote to memory of 1464 1484 msedge.exe msedge.exe
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe"C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000042001\fa136186c5.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\fa136186c5.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffe7f4d3cb8,0x7ffe7f4d3cc8,0x7ffe7f4d3cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffe7f4d3cb8,0x7ffe7f4d3cc8,0x7ffe7f4d3cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,12120944477741708760,4476226757659418759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe7f4d3cb8,0x7ffe7f4d3cc8,0x7ffe7f4d3cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,1769692498864712888,10771721504036366289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\567984660271_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\567984660271_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\7XOdWfBvqYD2zr7D32WZ5nBW.exe"C:\Users\Admin\Pictures\7XOdWfBvqYD2zr7D32WZ5nBW.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u4d8.0.exe"C:\Users\Admin\AppData\Local\Temp\u4d8.0.exe"5⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe"C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe8⤵
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30009⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 35206⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\u4d8.1.exe"C:\Users\Admin\AppData\Local\Temp\u4d8.1.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD16⤵
-
C:\Users\Admin\Pictures\QczTYBqaeUMB72OyxPvWtk3N.exe"C:\Users\Admin\Pictures\QczTYBqaeUMB72OyxPvWtk3N.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\QczTYBqaeUMB72OyxPvWtk3N.exe"C:\Users\Admin\Pictures\QczTYBqaeUMB72OyxPvWtk3N.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\E5NymT1DuZ5SVrBCmwRAhkW7.exe"C:\Users\Admin\Pictures\E5NymT1DuZ5SVrBCmwRAhkW7.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\E5NymT1DuZ5SVrBCmwRAhkW7.exe"C:\Users\Admin\Pictures\E5NymT1DuZ5SVrBCmwRAhkW7.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\sBQBvSsSDy0nlGEPLWZcnRx8.exe"C:\Users\Admin\Pictures\sBQBvSsSDy0nlGEPLWZcnRx8.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 5446⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 5566⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 8725⤵
- Program crash
-
C:\Users\Admin\Pictures\oJ5kiJCUAy0r5oi0Sd1oMiVU.exe"C:\Users\Admin\Pictures\oJ5kiJCUAy0r5oi0Sd1oMiVU.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\oJ5kiJCUAy0r5oi0Sd1oMiVU.exe"C:\Users\Admin\Pictures\oJ5kiJCUAy0r5oi0Sd1oMiVU.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe"C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe"4⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe"C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe" --silent --allusers=04⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exeC:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6b8ce1d0,0x6b8ce1dc,0x6b8ce1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GJtEpu5Q82iE8KmlETcVsp6w.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GJtEpu5Q82iE8KmlETcVsp6w.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe"C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6000 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329120436" --session-guid=3a216780-4c1f-45f8-b410-6c7859a29b85 --server-tracking-blob=MWIxZDI5ZDE5MWFmNzZiZDlhODZjZTNmNmU4NmM3NzM1OGYwNjgzNDJiYTNhYWNlZTlkMjcxOWMyNzczNWI0Mjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE3MTM4NjguMjc2NSIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6ImEyNDQzNzlmLWIyYWUtNDQ2My1hNTg0LWM2MTA5OWI4MmRmNyJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=28040000000000005⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exeC:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6af4e1d0,0x6af4e1dc,0x6af4e1e86⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\assistant_installer.exe" --version5⤵
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x1140040,0x114004c,0x11400586⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"3⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4732 -ip 47321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4732 -ip 47321⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1456 -ip 14561⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Virtualization/Sandbox Evasion
2Impair Defenses
1Disable or Modify System Firewall
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\ProgramData\EHJDGCBGDBKJKFHIECBAEHIDHJFilesize
20KB
MD51bd071fa20b30ee9fcf5969ec0be08d5
SHA1aac9930201b9d93cba56f07457a8d4c0e1a18bbb
SHA2567ae90e60e93153baa01ba343dfc0316a39737ba7e45e90006d7b77065a171793
SHA5121e20c45822ed054db8a8f0151d755aa2dae9d7b25c733d5dbb96bb515166a4e4b3ec47a2866515c0f727f7f5857366c9d9c32d224cab25715ba0bd4c65297b56
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2c35519b-81ac-482f-a424-3d1109b2e16c.tmpFilesize
10KB
MD5e94ad5abcd5726b029556585b8b720e7
SHA1577c3547b01d4cf77a3df167a7af0d65978b91b5
SHA256ba23441eed96f97fe93864194084b405afaec62c57b561f5dbfb87bdf9f47c81
SHA512054dfb6424d33034e7585caea3fb6eef6f740af008d6d0c81d3a6d8f0e5113b876b0d4f940b7cc4c6da5c4010410ff4b90cc59a327bdc281275e02cef64b1fd9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57656e81014b9872f6a1697828a9cc60f
SHA160e1b4b1574d100e821bdfe8c46dd82c91196dcd
SHA256885097327a3e85d7476d570a4c4261e78261fa6560c4f99e7e815b51d5c9fb67
SHA51272931405c2b50a0776885b6e3d445d71c0f2dc81774bb4794c34cf983f334b869d20870edbd6a3804c4c0a0ae7cde74632a35f0b2f8385fd29d4f63c691a4353
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ec7568123e3bee98a389e115698dffeb
SHA11542627dbcbaf7d93fcadb771191f18c2248238c
SHA2565b5e61fe004e83477411dd2b6194e90591d36f2f145cc3b4faa20cf7ae266a75
SHA5124a53fbbd7281a1a391f0040f6ff5515cedf6e1f97f2dae4ab495b4f76eb4f929dcda6b347f9bf7f66a899330f8897e1ed117314945d1de27b035cc170fa447d3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\974b3db7-771a-4026-93d6-bd8870ce2246.tmpFilesize
6KB
MD5ca6335cdf4101904dd3489e1896d665c
SHA1077748a07347108d14d28b53c07906c575b5295a
SHA256a05ad8fad245f2040497f5afce845902be939c3d73f6e979268cf08889337cc9
SHA5128601d37dba10fae7f83171195a02a8ce11ae6241fb1f2aafdf44f7b6bff4c6ce31da963ab79a5b73defcbfd6c4295b975151ade3d43a6f8dfec7f853146bd48a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
960B
MD5b62078a421c7a02e22a29df55dddd948
SHA1cdc8040f788f8e08f913a5a6865366942f7b18ad
SHA2564eeb8c769e946230b84f940cfbe29b91abf4398a93833e4750a1f5e2a9aabdde
SHA5125fdb2ea0dc5587bcb4a1a694b4236d9dcbc2844b0f93bbb99d35e187e28ccd37a90c9592737465510412ef05c3ace92f974733b992e300d4551ad1712611c7fa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD58c26a95fca7aef0b5bc1cdf6a935afe1
SHA117233ceb6c08c616aebe42a0b8e3a336b5024c91
SHA2562ba4aa18c4d904decb833f5851e12bf41f14e87520eefae419e82e61630f6eef
SHA512acfba72702e05b1b93ffac9a0e43773192599dc9130420c80afa224b55561af651ee325a48461ab935fccffd4778e63d12c16c60d50069f2a95a1dcfbce80e06
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD5fc0425fd99b9675a7a613368796e6e32
SHA13d1d9876812266f5e09b8cfaad6e109871d25475
SHA2568d07c0ee64b501fb1c60ce99ed40baefdb604e50190579ae193fa954c01a8470
SHA512cca79cacb58265d2192164f1d81487994a5a0a76c4eb69688fbc11c667cae07b93eecfc11c956f3459bf9e761051fe17c0f1cb3271db4e3a58f771e221ed35d5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
25KB
MD50ba15f72ffb0a37243558588d3e78221
SHA1814bdfffd723f7de9f8d6d6a0bc8d85a9f275cc0
SHA2563d0223e1f8bb35870db41872cfbbe467f65bf9a1208dcb4d4ad874e250ccc10a
SHA51202b168ef9cc226a08955092173c3745a55b28faa438b8152acb90d3bc1d9f433de7d8341def8b452db1986392a59cabc7c69689ad00825c58371ca78021183be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
707B
MD5ae611f6640d482f791295fb0d2ba585c
SHA1665f0ea7c9893c52e42ffe94c86b409658a5536e
SHA256392e766cede4ead76b1c5ab060345e49a21f6cf8a40771d314c477870514ad3a
SHA512b679d9ea6acccc298708970659f97f915f852d80c93c763e971225aab085a339317ff1fc4e070904e79bb8fea03d41a920b03f320a0147018d9408906c24decb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
707B
MD5de230f8fadb2a61f91c13b31935186b4
SHA15ad23991be84a0ad8d39ffe1bd49891e3557f334
SHA25689b48db8c0ffaa0c6f006686532dc225e10a33b0351657e07db595f0fd986754
SHA51274d09181f9961261f381f9d4f8f18663c52843e677ca2c414480ce9dc3a556697df2eeb0f0da1b63b5c23c225d466d36603bea44f8bc8e75ba85e5fc82cba797
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
705B
MD58a57c865ac8303bebcd98e17bbb97b05
SHA13008643b1a1af5124ebcaea0121b9c368d20664c
SHA2561d2213848f133e6257cd58a491fa3cd0d945032f649eea3218a9e39dc6742d61
SHA5129806ba0ed6eef6e8f111f0a1e428044066aefd56b7b0f10ebe93dd91cb1dd93897732affa317df5e4a5a2cbd874dde7ec749fbe24cd73f3d7fe588488fd2102b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ec54.TMPFilesize
707B
MD5bbe0a2aecf77a1dfe16d1589c39a5350
SHA17b12eb4a79751d08c52c4c395214f30f927ac38a
SHA256419c35df5a638d50e5c488fe9a1bfe59c1d590e69bb7d3c8eee7efe491098c1c
SHA512f87c23ea629d3019d4f9292dab7d35276dee80bbdcc719a87c4b59a966eded1da2dd19715e3b72bcf5ea884062106191e6b955d8aebfefbc49036d6417ed071c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD520cff694a779f38820e5eb1d826673f0
SHA12f8b897aa176e9cf38c405f343947aebf07623fc
SHA256acf6f00819e527d62d0b047fc555958b90abd1a2c2c80df923a9c37384bf8f70
SHA51236c765fd3f9758da90ce2be7a94f74e07b19ba7d9fc664ea00c14abd1b97b95873c9f90ca4908cdc3d6f116757d2d4109d84c0306300da909356d38c451039ec
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD50b5e151c3ed57f27b9e8d43e4fdafb9f
SHA1f3a115e022abfc0a3f3be704b3bd7dc7c64c1178
SHA2568eeb0ab7bde4e50ee4e56d46bd4c8efdb7fdfe7500f6bd548d996f0f498025d5
SHA5121bcb4ca3adff6234eed72d60ae1a11f5702499a35e337d1ba69a516c800db2a77844380a26b2426bd82e69dd7fbb4f23884e063f10ed61c39ce74ffd57a247be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD5b303bf6bfdc2b4e87660ac0468a40b8c
SHA11368ee96c498677df7e07b61e8d5b25fb6c2769d
SHA2560ada73cb8615c8bb7d4d267a10140482ea4fa512c1fab8394d0abe63174af171
SHA512c304407b824c78e4b4e71044065d7a4bfc8fa2424be351acb026ed776df7cd464848c984004e952447c9bfe7e89081adc873c3129ce935e6db6bad8009cdc928
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD558f9daf761254e0e3203a7bc3e83c11c
SHA1b9a76e65d8e5befc3a02c1f72f9cd3a8c6b913d6
SHA25604fca90098f849dec9a1827b644a12f02414aa592241cdf37ee98d73cc722bf9
SHA5128a3a1584f029d79507798923c96621be1dd475b802432d378b0d9af8ca47e5151e738a21129ad700430c79310d02b2805e11a08ae3ff1476d0729d5bd189428f
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\additional_file0.tmpFilesize
2.5MB
MD520d293b9bf23403179ca48086ba88867
SHA1dedf311108f607a387d486d812514a2defbd1b9e
SHA256fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA5125d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\opera_packageFilesize
103.9MB
MD5401c352990789be2f40fe8f9c5c7a5ac
SHA1d7c1e902487511d3f4e1a57abdee8a94d5483ed4
SHA256f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3
SHA512efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeFilesize
1.8MB
MD58cef71906c123049c0e3a0ebd9f420e3
SHA160f4c13bc04c536f56b6fcb82fca6ebd556084d6
SHA2565c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71
SHA5126561c864d6c684e394160bcec82c36a12a8dc87070f224eae28d08ec92ceff29dedf84cc9307d7f1ccc035ffe4339fb67285e0756b72426658d70710031eacff
-
C:\Users\Admin\AppData\Local\Temp\1000042001\fa136186c5.exeFilesize
3.1MB
MD5346ddba47f6fabef752b2d9633cf5ca3
SHA1b338ea2be5012a72e0681c097feae15c785dafd0
SHA256bfdb396a094d7457e243379fd31c3de59a4f00c315f7e8fb6263f7babd12f906
SHA512fb51a1223aa77ddb989cfd4195bde63f5ac1d8a3959f68301fa2ab66cd6552f63735a8d165d0944f5a7cc5b024e96ad5af7b162481ea81ea0105f6e84cf3f7a8
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exeFilesize
894KB
MD52f8912af892c160c1c24c9f38a60c1ab
SHA1d2deae508e262444a8f15c29ebcc7ebbe08a3fdb
SHA25659ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308
SHA5120395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exeFilesize
1.8MB
MD570cc66ea2a3de44e1e0b7e6d6954569a
SHA14468a51f760ff319172c111cce7b54d1ff93efa9
SHA256d85047b22c62c35cfac371778dd92db8ac907be315160f34cfb03f00830e703f
SHA5121a0f646d3387fb3b35792b9c1d72c33333968b3c3142543c90093f3400739e6bc73d62914807abf26ddd3b4410fe1c7cfd58cb925bd5e74aac8384959f342937
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exeFilesize
301KB
MD5832eb4dc3ed8ceb9a1735bd0c7acaf1b
SHA1b622a406927fbb8f6cd5081bd4455fb831948fca
SHA2562a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7
SHA5123ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exeFilesize
499KB
MD583d0b41c7a3a0d29a268b49a313c5de5
SHA146f3251c771b67b40b1f3268caef8046174909a5
SHA25609cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9
SHA512705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exeFilesize
2.8MB
MD51e1152424d7721a51a154a725fe2465e
SHA162bc3d11e915e1dbd3cc3ef5a11afec755c995d9
SHA256674cf1a8997ec6ac5b29b8d7eb6a5fb63ce5aaf4b19ff1ec7749b0225c49906c
SHA512752e7912d30a2f006ef79600b7412db61644630471ec44bab1e5b2565ef62ccb490ea69159420bb7626248cc8113fe07c09fa51f5c630646b179d880e18b7c02
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exeFilesize
464KB
MD5c084d6f6ba40534fbfc5a64b21ef99ab
SHA10b4a17da83c0a8abbc8fab321931d5447b32b720
SHA256afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624
SHA512a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1
-
C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exeFilesize
386KB
MD516f67f1a6e10f044bc15abe8c71b3bd6
SHA1ce0101205b919899a2a2f577100377c2a6546171
SHA25641cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89
SHA512a11db01bf55e3497644918c7dcc6180e0911261f39f062e653f000e1365dc9668fe5bd1d0fee0ae5c740a6477bcea510ba8c5ff6831c3bdb0d7c0590d2487e3c
-
C:\Users\Admin\AppData\Local\Temp\567984660271_Desktop.zipFilesize
192KB
MD55f81e608051da6a40f979c02d22c4f82
SHA1d8e54e70718eb2971d0f3e7ec7523579b343ac67
SHA256fbede004ee49f50369646e772a336abbe646fb663c25102c594af7ac7c372485
SHA512ffae5b3c6be707d7f4beadb805fa5cece90cf53cac0f9df0275381d4e7b1fdda963a432feb378037a396ad61bbfd56b177d62fff64307dc3cffd2a2b235e6a58
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403291204366723176.dllFilesize
4.6MB
MD5117176ddeaf70e57d1747704942549e4
SHA175e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b
SHA2563c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af
SHA512ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9
-
C:\Users\Admin\AppData\Local\Temp\Tmp5F03.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\_Files_\WriteUninstall.txtFilesize
192KB
MD510eb90dbd53a7a1dd436e3b9383b1735
SHA124d358c136b161fbb69d88814edc5db64932c18c
SHA256db6c1f4cde04ea6b438e9ffa3882ce95ea6d723f7bdd723e836061f20e83b074
SHA5120bd7c7bb45c5339afe238732758b28e169b42dcdda5006ffc25c5015fc81aee5386715704a73b671ed3ed4fa3707f404c47a05936f55b9757f263a35af5ddc54
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2z5d3uee.gzd.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD53c1175890ac76f1cefcf369ce5e6897f
SHA1a1ea4db1592478f2366212c3e4be47f4daa316fe
SHA2566fd05799fb1818ffaab897655db73a38256b4f1255d3e2d343fe150ee19d39a8
SHA5123e0d4974b969c21b525cbc679d495ffb2b07fc177dd8c21a08554a13aa7dad5a87b491c29aff40e9b85200b6fa597100410fee4e5efe82a8331a470dbfb17632
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
3KB
MD5f2ead1d88de02796782a32da68ef5005
SHA13536a03ce0e44271f2546c1a3594270a2b9a9218
SHA2567446a71b75d7d672c080fd1f6e684111f7bb9922c88541a8f6811da6d9e20ce0
SHA512aa93307b130af349d6713f79502427b25b70b26d490fc797dff7182a8cc49ed9526c4728fc7533cfc64a1b282a07f8945c0dee5df0778ee4125b19134bc2d079
-
C:\Users\Admin\AppData\Local\Temp\tmp8412.tmpFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\tmp851F.tmpFilesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
C:\Users\Admin\AppData\Local\Temp\tmp8551.tmpFilesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
C:\Users\Admin\AppData\Local\Temp\u4d8.0.exeFilesize
233KB
MD587188a05666ced303bb17f04ec29042f
SHA1651ae4e7b98655fd4dd2de62b0111dacac47cd9e
SHA25697332596f72bc538f176fddac06e1c2ba40922ee87329d8be32d7ac80127de97
SHA51214301c8b8641e5e19203abfcc17755ccefe2b551c3e6ff235b21ccb17e4ee977a060ed7ee7268c446d86191f271bddcb8a59d22e61e1cf9ff7a46d0ee09dbb99
-
C:\Users\Admin\AppData\Local\Temp\u4d8.1.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
C:\Users\Admin\Pictures\7XOdWfBvqYD2zr7D32WZ5nBW.exeFilesize
378KB
MD5a05eb8eeeb2ec539e4f54ac435ba86bc
SHA172ed93362d4c17434981cf5fd0e3888c44587dfb
SHA256e57e37490a710106cb78deba4b189fc867b994d4ade9f040dc5486665f549708
SHA51269456e5c0f237820642c8790746866979db14c40099287b6b3409b305a314cafccbe2a443812824096cd5a9dac9a1e6710a8154479cb050a6aa17d3054143201
-
C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exeFilesize
5.1MB
MD5cc0a37140d9f3fbbe28272c2cfb336af
SHA15a9e7251e38a5bd5f1c2cbf6a2c75b24f76254fa
SHA2563aab7652a97a91a0a606567afc9e093c48fd636dfd4e1e36442c6d82ef1e704b
SHA5129e0cdcc05a47bc37417a9b62219b962b61be818848c5cf71b4549905d0a5996532cd14db147c998bc0e56e727e03ac65e0d4535659b927ca2aeb0efa6b7d7d1c
-
C:\Users\Admin\Pictures\GRXoECQKxJbxNqKOr4vjCjCK.exeFilesize
3KB
MD5b508ece0341fdcfe871f46c320f0e568
SHA1bd9b34e65c6c1c8ccf53c43c3612940b85ae324b
SHA2564dc81a270c853848f4de827007cf5f0d4d2858bb78400b0c25d2a20db4c42651
SHA512ae491faa60f3a51500e278da3f812a4ba71245b73974205e71473d7c7e6fff8f9890fe4bcefdd79a1cf1bf48c22735ace824864af518daa81ccb0b74c8e837dc
-
C:\Users\Admin\Pictures\HG3hwFlFgpo4DcpBtpS2sIws.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\QczTYBqaeUMB72OyxPvWtk3N.exeFilesize
4.1MB
MD598273a3121a2516cda6f31e67ec2d52f
SHA101c6990adecce2b1e4794429f478fc3f63baaf83
SHA2561c65e140170310153ba3929cdedecf221ae57e55c79b97fa1a4601f4d97ee988
SHA512c633c87af70740d7d147a62ea91cd7fe8764b816fe7b2a076955d6a35474dd745a2c5d05f39efd32b204e59845914d2e4d571d2440f78bbc6d2ab71491343118
-
C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exeFilesize
4.3MB
MD5858bb0a3b4fa6a54586402e3ee117076
SHA1997c31f043347883ea5ed2323a558b6cc5ea9c8e
SHA256d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35
SHA512e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd
-
C:\Users\Admin\Pictures\sBQBvSsSDy0nlGEPLWZcnRx8.exeFilesize
437KB
MD57960d8afbbac06f216cceeb1531093bb
SHA1008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA51235d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147
-
C:\Users\Admin\Pictures\zb1MI8XA7oVtC7SdlSRkuPkB.exeFilesize
3KB
MD54ec1e99d3e9e4e5fcc0a346be8589f80
SHA1aaca4178e744116de5e5c3b989f54851d1acd8ba
SHA2565ee377ba52e67430f0d0f486869d76e0b12a68831c598b502b720c1bfb09965c
SHA5128041896b4a2531e7db0714a3477f61bc9383b5595b01183c0cf478d3f75a85f818c9ec6f2dc0e303cec034ce5096af4cba9c64247f439c16c7a4f3b4cabeb749
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
\??\pipe\LOCAL\crashpad_1484_EGBEDJGEJCPFJUGDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/232-365-0x00000000005E0000-0x00000000009AC000-memory.dmpFilesize
3.8MB
-
memory/232-364-0x00000000005E0000-0x00000000009AC000-memory.dmpFilesize
3.8MB
-
memory/232-53-0x00000000005E0000-0x00000000009AC000-memory.dmpFilesize
3.8MB
-
memory/232-52-0x00000000005E0000-0x00000000009AC000-memory.dmpFilesize
3.8MB
-
memory/232-428-0x00000000005E0000-0x00000000009AC000-memory.dmpFilesize
3.8MB
-
memory/232-691-0x00000000005E0000-0x00000000009AC000-memory.dmpFilesize
3.8MB
-
memory/232-403-0x00000000005E0000-0x00000000009AC000-memory.dmpFilesize
3.8MB
-
memory/232-503-0x00000000005E0000-0x00000000009AC000-memory.dmpFilesize
3.8MB
-
memory/232-430-0x00000000005E0000-0x00000000009AC000-memory.dmpFilesize
3.8MB
-
memory/652-23-0x0000000000980000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/652-27-0x0000000004EB0000-0x0000000004EB1000-memory.dmpFilesize
4KB
-
memory/652-25-0x0000000004EC0000-0x0000000004EC1000-memory.dmpFilesize
4KB
-
memory/652-429-0x0000000000980000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/652-24-0x0000000000980000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/652-431-0x0000000000980000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/652-26-0x0000000004ED0000-0x0000000004ED1000-memory.dmpFilesize
4KB
-
memory/652-811-0x0000000000980000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/652-418-0x0000000000980000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/652-339-0x0000000000980000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/652-28-0x0000000004F00000-0x0000000004F01000-memory.dmpFilesize
4KB
-
memory/652-30-0x0000000004EA0000-0x0000000004EA1000-memory.dmpFilesize
4KB
-
memory/652-31-0x0000000004EF0000-0x0000000004EF1000-memory.dmpFilesize
4KB
-
memory/652-596-0x0000000000980000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/652-29-0x0000000004E90000-0x0000000004E91000-memory.dmpFilesize
4KB
-
memory/652-253-0x0000000000980000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/652-392-0x0000000000980000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/652-32-0x0000000004F20000-0x0000000004F21000-memory.dmpFilesize
4KB
-
memory/652-33-0x0000000004F10000-0x0000000004F11000-memory.dmpFilesize
4KB
-
memory/1736-9-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/1736-6-0x0000000004CC0000-0x0000000004CC1000-memory.dmpFilesize
4KB
-
memory/1736-1-0x0000000077B46000-0x0000000077B48000-memory.dmpFilesize
8KB
-
memory/1736-2-0x0000000000E00000-0x00000000012C0000-memory.dmpFilesize
4.8MB
-
memory/1736-7-0x0000000004C60000-0x0000000004C61000-memory.dmpFilesize
4KB
-
memory/1736-21-0x0000000000E00000-0x00000000012C0000-memory.dmpFilesize
4.8MB
-
memory/1736-10-0x0000000004CD0000-0x0000000004CD1000-memory.dmpFilesize
4KB
-
memory/1736-3-0x0000000004C90000-0x0000000004C91000-memory.dmpFilesize
4KB
-
memory/1736-4-0x0000000004CA0000-0x0000000004CA1000-memory.dmpFilesize
4KB
-
memory/1736-5-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/1736-8-0x0000000004C70000-0x0000000004C71000-memory.dmpFilesize
4KB
-
memory/1736-0-0x0000000000E00000-0x00000000012C0000-memory.dmpFilesize
4.8MB
-
memory/2580-346-0x0000023EAA4F0000-0x0000023EAA512000-memory.dmpFilesize
136KB
-
memory/2580-357-0x0000023EAA750000-0x0000023EAA75A000-memory.dmpFilesize
40KB
-
memory/2580-356-0x0000023EAA860000-0x0000023EAA872000-memory.dmpFilesize
72KB
-
memory/2580-351-0x0000023E92400000-0x0000023E92410000-memory.dmpFilesize
64KB
-
memory/2580-347-0x0000023E92400000-0x0000023E92410000-memory.dmpFilesize
64KB
-
memory/2580-362-0x00007FFE6B6F0000-0x00007FFE6C1B2000-memory.dmpFilesize
10.8MB
-
memory/2580-340-0x00007FFE6B6F0000-0x00007FFE6C1B2000-memory.dmpFilesize
10.8MB
-
memory/4988-483-0x0000000000780000-0x0000000000B4C000-memory.dmpFilesize
3.8MB
-
memory/4988-482-0x0000000000780000-0x0000000000B4C000-memory.dmpFilesize
3.8MB
-
memory/4988-692-0x0000000000780000-0x0000000000B4C000-memory.dmpFilesize
3.8MB
-
memory/5140-628-0x0000000000B90000-0x0000000001050000-memory.dmpFilesize
4.8MB
-
memory/5300-447-0x00000000054F0000-0x00000000054F1000-memory.dmpFilesize
4KB
-
memory/5300-451-0x00000000054C0000-0x00000000054C1000-memory.dmpFilesize
4KB
-
memory/5300-460-0x0000000005550000-0x0000000005551000-memory.dmpFilesize
4KB
-
memory/5300-448-0x0000000005500000-0x0000000005501000-memory.dmpFilesize
4KB
-
memory/5300-461-0x0000000005540000-0x0000000005541000-memory.dmpFilesize
4KB
-
memory/5300-626-0x00000000005B0000-0x0000000000A5F000-memory.dmpFilesize
4.7MB
-
memory/5300-449-0x00000000054E0000-0x00000000054E1000-memory.dmpFilesize
4KB
-
memory/5300-443-0x00000000005B0000-0x0000000000A5F000-memory.dmpFilesize
4.7MB
-
memory/5300-450-0x0000000005520000-0x0000000005521000-memory.dmpFilesize
4KB
-
memory/5300-446-0x00000000005B0000-0x0000000000A5F000-memory.dmpFilesize
4.7MB
-
memory/5300-452-0x00000000054D0000-0x00000000054D1000-memory.dmpFilesize
4KB
-
memory/5396-454-0x0000000005370000-0x0000000005371000-memory.dmpFilesize
4KB
-
memory/5396-453-0x0000000005360000-0x0000000005361000-memory.dmpFilesize
4KB
-
memory/5396-456-0x0000000005390000-0x0000000005391000-memory.dmpFilesize
4KB
-
memory/5396-455-0x0000000005350000-0x0000000005351000-memory.dmpFilesize
4KB
-
memory/5396-462-0x0000000000980000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/5396-445-0x0000000000980000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/5396-458-0x0000000005340000-0x0000000005341000-memory.dmpFilesize
4KB
-
memory/5396-459-0x0000000000980000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/5396-457-0x0000000005330000-0x0000000005331000-memory.dmpFilesize
4KB
-
memory/5496-261-0x0000000004AD0000-0x0000000004AD1000-memory.dmpFilesize
4KB
-
memory/5496-308-0x0000000004B70000-0x0000000004B71000-memory.dmpFilesize
4KB
-
memory/5496-257-0x0000000000EF0000-0x000000000139F000-memory.dmpFilesize
4.7MB
-
memory/5496-258-0x0000000004B00000-0x0000000004B01000-memory.dmpFilesize
4KB
-
memory/5496-259-0x0000000004AF0000-0x0000000004AF1000-memory.dmpFilesize
4KB
-
memory/5496-263-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/5496-264-0x0000000000EF0000-0x000000000139F000-memory.dmpFilesize
4.7MB
-
memory/5496-262-0x0000000004AE0000-0x0000000004AE1000-memory.dmpFilesize
4KB
-
memory/5496-260-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/5496-313-0x0000000000EF0000-0x000000000139F000-memory.dmpFilesize
4.7MB
-
memory/5496-309-0x0000000004B60000-0x0000000004B61000-memory.dmpFilesize
4KB
-
memory/5628-825-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-874-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-836-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-834-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-830-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-828-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-840-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-822-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-820-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-818-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-816-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-814-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-813-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-851-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-838-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-882-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-880-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-878-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-876-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-884-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-872-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-869-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5628-861-0x0000000005790000-0x00000000059A6000-memory.dmpFilesize
2.1MB
-
memory/5828-504-0x0000000000E60000-0x000000000101C000-memory.dmpFilesize
1.7MB
-
memory/5940-518-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB