Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
29-03-2024 12:59
Static task
static1
Behavioral task
behavioral1
Sample
01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
Resource
win10v2004-20240226-en
General
-
Target
01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
-
Size
1.9MB
-
MD5
bf765192fb7e18bf2c9025248d43906b
-
SHA1
1083b78af5811beedf7d4e0f8c7dcb742c531b83
-
SHA256
01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20
-
SHA512
85bb10c7045a4b28a07eb1aa9d576910a8849433d29a9c0079e173a3d5eba33b6b4755ef4527b94e83f9229546b638e3871ae2758d08b879959c8998a3e52a39
-
SSDEEP
49152:jIS2DUkA/ZCcWeLrfU671Jc4BvvXoCR3BbAbmlM5:PkaZdWeLLj7jcsJAbF
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
amert.exe, 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe, explorha.exe, 93247754b3.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | amert.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorha.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 93247754b3.exe
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exe, rundll32.exe
flow | pid | process
69 | 4812 | rundll32.exe
78 | 5356 | rundll32.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorha.exe, 93247754b3.exe, amert.exe, 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 93247754b3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 93247754b3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | amert.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | amert.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes:
01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe, explorha.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | explorha.exe
-
Executes dropped EXE 4 IoCs
Processes:
explorha.exe, 93247754b3.exe, go.exe, amert.exe
pid | process
2872 | explorha.exe
2036 | 93247754b3.exe
4024 | go.exe
5660 | amert.exe
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
93247754b3.exe, amert.exe, 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe, explorha.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Wine | 93247754b3.exe
Key opened | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Wine | amert.exe
Key opened | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Wine | 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
Key opened | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Wine | explorha.exe
-
Loads dropped DLL 3 IoCs
Processes:
rundll32.exe, rundll32.exe, rundll32.exe
pid | process
5196 | rundll32.exe
4812 | rundll32.exe
5356 | rundll32.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorha.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\93247754b3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\93247754b3.exe" | explorha.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe" | explorha.exe
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe, explorha.exe, amert.exe
pid | process
2548 | 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
2872 | explorha.exe
5660 | amert.exe
-
Drops file in Windows directory 2 IoCs
Processes:
01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe, amert.exe
description | ioc | process
File created | C:\Windows\Tasks\explorha.job | 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
File created | C:\Windows\Tasks\explorgu.job | amert.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe, explorha.exe, msedge.exe, msedge.exe, msedge.exe, amert.exe, rundll32.exe, identity_helper.exe, powershell.exe, msedge.exe
pid | process | rows
2548 | 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe | 2
2872 | explorha.exe | 2
2252 | msedge.exe | 2
2352 | msedge.exe | 2
3772 | msedge.exe | 2
5660 | amert.exe | 2
4812 | rundll32.exe | 6
5396 | identity_helper.exe | 2
4812 | rundll32.exe | 4
4536 | powershell.exe | 3
4600 | msedge.exe | 4
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
msedge.exe
pid | process | rows
3772 | msedge.exe | 10
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exe
description | pid | process
Token: SeDebugPrivilege | 4536 | powershell.exe
-
Suspicious use of FindShellTrayWindow 29 IoCs
Processes:
01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe, go.exe, msedge.exe
pid | process | rows
2548 | 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe | 1
4024 | go.exe | 3
3772 | msedge.exe | 25
-
Suspicious use of SendNotifyMessage 27 IoCs
Processes:
go.exe, msedge.exe
pid | process | rows
4024 | go.exe | 3
3772 | msedge.exe | 24
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe, explorha.exe, go.exe, msedge.exe, msedge.exe, msedge.exe
description | pid | process | target process | rows
PID 2548 wrote to memory of 2872 | 2548 | 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe | explorha.exe | 3
PID 2872 wrote to memory of 2036 | 2872 | explorha.exe | 93247754b3.exe | 3
PID 2872 wrote to memory of 2204 | 2872 | explorha.exe | explorha.exe | 3
PID 2872 wrote to memory of 4024 | 2872 | explorha.exe | go.exe | 3
PID 4024 wrote to memory of 4236 | 4024 | go.exe | msedge.exe | 2
PID 4236 wrote to memory of 3512 | 4236 | msedge.exe | msedge.exe | 2
PID 4024 wrote to memory of 3772 | 4024 | go.exe | msedge.exe | 2
PID 3772 wrote to memory of 5000 | 3772 | msedge.exe | msedge.exe | 2
PID 4024 wrote to memory of 4788 | 4024 | go.exe | msedge.exe | 2
PID 4788 wrote to memory of 4932 | 4788 | msedge.exe | msedge.exe | 2
PID 3772 wrote to memory of 2080 | 3772 | msedge.exe | msedge.exe | 40
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Users\Admin\AppData\Local\Temp\1000042001\93247754b3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000042001\93247754b3.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
Level 3: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
-
Level 3: C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
- Suspicious use of WriteProcessMemory
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff984246f8,0x7fff98424708,0x7fff98424718
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3240003867950130398,7313724525615654278,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,3240003867950130398,7313724525615654278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff984246f8,0x7fff98424708,0x7fff98424718
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,15021557254256727838,7421515232814129781,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
-
Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
- Suspicious use of WriteProcessMemory
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff984246f8,0x7fff98424708,0x7fff98424718
-
Level 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,8016956068585645088,11415155317589426507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
-
Level 3: C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
Level 3: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
- Loads dropped DLL
-
Level 4: C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
Level 5: C:\Windows\system32\netsh.exe
Command line: netsh wlan show profiles
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\757987694264_Desktop.zip' -CompressionLevel Optimal
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
- Blocklisted process makes network request
- Loads dropped DLL
-
Level 1: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
Level 1: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Unsecured Credentials (3)
    Credentials In Files (2)
    Credentials in Registry (1)
Downloads
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD53fa52dda248f43635cc171be99708bc5
SHA19b3df19a64a4fd4388b28266ba1d8c1032f3664e
SHA2560091ec2c3d900dc9ba533db5a3318929d0ac3ffbcb7b5440d3b3c143fd198a49
SHA51226307badfa01d4322e5a91dc94ce8c69d8fe25f274eb8442f8e198c86b33270db96d2a4751075f7f0a380c33873e7c719d5c4e59ea4445e2ee2719d1cd06f467
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD560407fd70783590fc0f4aa4f76e95846
SHA1ccf3292bcf89550307559a9996b486098063075e
SHA2569da536e13e4b376159ee69a20e396e6ae83ee95290c8fbaa22326b7be4795197
SHA51249ba70c324143a09d70c4b1538ff44000cd922269bb05862b33c38ab9e2d8b6284f2d42c844fe79ff2d1f74e588e0bcf3dfc25eded42f74c90e54841bd097573
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5a9b5cea8926aab8c60fb6fa70c2b3abf
SHA1fc4135fc30e2a6dd5f7a0ef06e9bc792288dbeb1
SHA256526fe9f9d011f92e274069efccf562250e6fc2d238f69780a29ec58d0b2293a7
SHA51296d386c2536cfee9986c0d4b2c7d91d365a2216649694010f4f6ca6a5a1fa4219733a64fc471f10d2f7a64b018e517ba87d987b3575bbe789d1ce147f1a0f6fa
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeFilesize
1.9MB
MD5bf765192fb7e18bf2c9025248d43906b
SHA11083b78af5811beedf7d4e0f8c7dcb742c531b83
SHA25601283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20
SHA51285bb10c7045a4b28a07eb1aa9d576910a8849433d29a9c0079e173a3d5eba33b6b4755ef4527b94e83f9229546b638e3871ae2758d08b879959c8998a3e52a39
-
C:\Users\Admin\AppData\Local\Temp\1000042001\93247754b3.exeFilesize
3.1MB
MD503560350b623d3325d16a46f69be90fc
SHA163d3d99dade999f15cfbad22ff040dacd13a8e1b
SHA256fd6a73027fb19ad5b50bbdd8d6b8dd3a144d1bfd5fe14a1b61d8b95207ea6c0e
SHA512d102273cff603acc6ce9e865b0d92fb6c2dd33eb7186cece8363eca6244279c1e201466211bb21c46115fb490c126d70b4c56e2fe2ee2d8922c5365606526dff
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exeFilesize
894KB
MD52f8912af892c160c1c24c9f38a60c1ab
SHA1d2deae508e262444a8f15c29ebcc7ebbe08a3fdb
SHA25659ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308
SHA5120395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exeFilesize
1.8MB
MD5727c54fa3a9c67f729c897be63eb2ee0
SHA1c94e05a7dd1573c0df9d2f8e9a2f1e10d0174c23
SHA256cd91b436df70efb3b0d4cf141d257282ace5d9daa990161b85d46d266514e886
SHA512ebf23a591fc7a602e9b1983ea54b724bdc455a4ef2e1ab40117f44fae66c5c249d34ec8809798129bdacf1a6c03f8aefde4c1bd8a4b4cea753b1dd267bee196c
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ykq1lmim.yr4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
\??\pipe\LOCAL\crashpad_3772_GMRGDXDXPSSSRTZOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2036-53-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-417-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-350-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-55-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-468-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-470-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-472-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-474-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-485-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-489-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-351-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-502-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-379-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-434-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-428-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-404-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2036-406-0x0000000000DB0000-0x0000000001174000-memory.dmp
Filesize: 3.8MB
-
memory/2548-7-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
Filesize: 4KB
-
memory/2548-0-0x00000000002F0000-0x00000000007CF000-memory.dmp
Filesize: 4.9MB
-
memory/2548-2-0x00000000002F0000-0x00000000007CF000-memory.dmp
Filesize: 4.9MB
-
memory/2548-3-0x0000000004C00000-0x0000000004C01000-memory.dmp
Filesize: 4KB
-
memory/2548-6-0x0000000004C40000-0x0000000004C41000-memory.dmp
Filesize: 4KB
-
memory/2548-11-0x0000000004C50000-0x0000000004C51000-memory.dmp
Filesize: 4KB
-
memory/2548-10-0x0000000004C60000-0x0000000004C61000-memory.dmp
Filesize: 4KB
-
memory/2548-8-0x0000000004BE0000-0x0000000004BE1000-memory.dmp
Filesize: 4KB
-
memory/2548-9-0x0000000004C30000-0x0000000004C31000-memory.dmp
Filesize: 4KB
-
memory/2548-5-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
Filesize: 4KB
-
memory/2548-4-0x0000000004C10000-0x0000000004C11000-memory.dmp
Filesize: 4KB
-
memory/2548-24-0x00000000002F0000-0x00000000007CF000-memory.dmp
Filesize: 4.9MB
-
memory/2548-1-0x0000000076F44000-0x0000000076F46000-memory.dmp
Filesize: 8KB
-
memory/2872-33-0x0000000004F60000-0x0000000004F61000-memory.dmp
Filesize: 4KB
-
memory/2872-27-0x0000000004F10000-0x0000000004F11000-memory.dmp
Filesize: 4KB
-
memory/2872-23-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-501-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-32-0x0000000004F30000-0x0000000004F31000-memory.dmp
Filesize: 4KB
-
memory/2872-31-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
Filesize: 4KB
-
memory/2872-488-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-30-0x0000000004ED0000-0x0000000004ED1000-memory.dmp
Filesize: 4KB
-
memory/2872-324-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-484-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-368-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-29-0x0000000004F40000-0x0000000004F41000-memory.dmp
Filesize: 4KB
-
memory/2872-28-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
Filesize: 4KB
-
memory/2872-380-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-473-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-471-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-26-0x0000000004F00000-0x0000000004F01000-memory.dmp
Filesize: 4KB
-
memory/2872-469-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-405-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-25-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-407-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-34-0x0000000004F50000-0x0000000004F51000-memory.dmp
Filesize: 4KB
-
memory/2872-458-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-427-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-215-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/2872-433-0x0000000000420000-0x00000000008FF000-memory.dmp
Filesize: 4.9MB
-
memory/4536-337-0x000001B5130A0000-0x000001B5130B0000-memory.dmp
Filesize: 64KB
-
memory/4536-336-0x000001B5130A0000-0x000001B5130B0000-memory.dmp
Filesize: 64KB
-
memory/4536-338-0x000001B52B770000-0x000001B52B782000-memory.dmp
Filesize: 72KB
-
memory/4536-339-0x000001B52B750000-0x000001B52B75A000-memory.dmp
Filesize: 40KB
-
memory/4536-345-0x00007FFF94870000-0x00007FFF95331000-memory.dmp
Filesize: 10.8MB
-
memory/4536-335-0x00007FFF94870000-0x00007FFF95331000-memory.dmp
Filesize: 10.8MB
-
memory/4536-325-0x000001B52B290000-0x000001B52B2B2000-memory.dmp
Filesize: 136KB
-
memory/5660-220-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
Filesize: 4KB
-
memory/5660-225-0x0000000004B90000-0x0000000004B91000-memory.dmp
Filesize: 4KB
-
memory/5660-226-0x0000000004BE0000-0x0000000004BE1000-memory.dmp
Filesize: 4KB
-
memory/5660-275-0x0000000004C00000-0x0000000004C01000-memory.dmp
Filesize: 4KB
-
memory/5660-274-0x0000000004C10000-0x0000000004C11000-memory.dmp
Filesize: 4KB
-
memory/5660-282-0x0000000000EB0000-0x0000000001370000-memory.dmp
Filesize: 4.8MB
-
memory/5660-224-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
Filesize: 4KB
-
memory/5660-223-0x0000000004B80000-0x0000000004B81000-memory.dmp
Filesize: 4KB
-
memory/5660-217-0x0000000000EB0000-0x0000000001370000-memory.dmp
Filesize: 4.8MB
-
memory/5660-222-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
Filesize: 4KB
-
memory/5660-218-0x0000000000EB0000-0x0000000001370000-memory.dmp
Filesize: 4.8MB
-
memory/5660-219-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
Filesize: 4KB