Analysis
max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 29-03-2024 14:05
Static task: static1
General
Target: e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
Size: 1.8MB
MD5: 82a0e9df77991b4703d35b285fc54e02
SHA1: e5a417e3c955ef4ad266ee25d965beb1a73923f0
SHA256: e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92
SHA512: 94d019ddbb31885afa8babbcc6c3c0b10be3fce76ff4ae44e6a13394fc71388ccb641317ac913fefe8ac4ebff7be4c776f5c5b5ec2940afa06d6b52d0b78f0fa
SSDEEP: 49152:aZ8PRsjLw6rzMLz8LA6ChqOds5hIcjxU:NRJ6rQYCoOMhI1
Malware Config

Extracted
family: amadey
version: 4.18
C2: http://193.233.132.56
install_dir: 09fd851a4f
install_file: explorha.exe
strings_key: 443351145ece4966ded809641c77cfa8
url_paths: /Pneh2sXQk0/index.php

Extracted
family: amadey
version: 4.17
C2: http://185.215.113.32
install_dir: 00c07260dc
install_file: explorgu.exe
strings_key: 461809bd97c251ba0c0c8450c7055f1d
url_paths: /yandex/index.php

Extracted
family: stealc
C2: http://185.172.128.209
url_path: /3cd2b41cbde8fc9c.php
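Each extracted config gives a host and a URL path; the beacon URL the sample actually requests is the two joined. The Python below is an added example (not part of this report or of the sandbox's tooling): it assembles those URLs from the values in the Malware Config section and scans a few constructed proxy-log lines for them. Matching is on scheme, host and path, so a query string does not hide a hit, and a request to one of the C2 hosts on a different path is reported separately as a weaker signal. The log layout (timestamp, client, method, URL, status) is an assumption of the example.

```python
"""Build C2 URLs from the extracted configs and scan proxy logs for them.

Added example; the config values are copied from the report's Malware
Config section, the proxy-log lines below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Values from the "Malware Config" section of this report.
EXTRACTED_CONFIGS = [
    {"family": "amadey", "version": "4.18", "host": "http://193.233.132.56",
     "paths": ["/Pneh2sXQk0/index.php"]},
    {"family": "amadey", "version": "4.17", "host": "http://185.215.113.32",
     "paths": ["/yandex/index.php"]},
    {"family": "stealc", "version": None, "host": "http://185.172.128.209",
     "paths": ["/3cd2b41cbde8fc9c.php"]},
]


def c2_urls(configs=EXTRACTED_CONFIGS):
    """Return {full_url: family} for every host/path pair in the configs."""
    urls = {}
    for cfg in configs:
        for path in cfg["paths"]:
            urls[cfg["host"].rstrip("/") + path] = cfg["family"]
    return urls


# Constructed sample lines: "ts client method url status" (assumed layout).
SAMPLE_PROXY_LOG = """\
1711720001 10.0.0.12 POST http://193.233.132.56/Pneh2sXQk0/index.php 200
1711720002 10.0.0.12 GET http://www.example.com/index.php 200
1711720003 10.0.0.17 POST http://185.215.113.32/yandex/index.php 200
1711720004 10.0.0.17 GET http://185.172.128.209/3cd2b41cbde8fc9c.php?x=1 200
1711720005 10.0.0.20 GET http://185.172.128.209/ 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)")


def scan_proxy_log(text, configs=EXTRACTED_CONFIGS):
    """Return (client, label, base_url) per line that touches a known C2.

    label is the malware family on an exact scheme+host+path match, or
    "host-only" when only the host matches (different path): worth a look,
    but not a confirmed beacon on its own.
    """
    known = c2_urls(configs)
    hosts = {urlsplit(u).netloc for u in known}
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        base = f"{parts.scheme}://{parts.netloc}{parts.path}"
        if base in known:
            hits.append((m["client"], known[base], base))
        elif parts.netloc in hosts:
            hits.append((m["client"], "host-only", base))
    return hits


if __name__ == "__main__":
    for client, label, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client:12} {label:10} {url}")
```

Note that the Amadey `url_paths` field is a list in the config format while Stealc's `url_path` is a single value; the example normalises both to a list so one loop covers them.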
Signatures

Glupteba payload (6 IoCs)
resource | yara_rule
behavioral2/memory/5444-1123-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/588-1124-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/5960-1190-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/6516-1341-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/6532-1342-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/6540-1343-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
Modifies firewall policy service (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | GVB4WVbt6lub5QXa6WvoEyUW.exe
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | process | target process
PID 3040 created 2852 | 3040 | RegAsm.exe | sihost.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 9 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 845765797d.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | amert.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorha.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorgu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | GVB4WVbt6lub5QXa6WvoEyUW.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorha.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorha.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorha.exe
Blocklisted process makes network request (6 IoCs)
flow | pid | process
43 | 5292 | rundll32.exe
51 | 5340 | rundll32.exe
86 | 1904 | rundll32.exe
103 | 6284 | rundll32.exe
51 | 5340 | rundll32.exe
103 | 6284 | rundll32.exe

Downloads MZ/PE file
Modifies Windows Firewall (2 TTPs, 3 IoCs)
pid | process
5300 | netsh.exe
3128 | netsh.exe
1680 | netsh.exe
Checks BIOS information in registry (2 TTPs, 18 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | amert.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorgu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | GVB4WVbt6lub5QXa6WvoEyUW.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 845765797d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 845765797d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | amert.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorgu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | GVB4WVbt6lub5QXa6WvoEyUW.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorha.exe
Executes dropped EXE (37 IoCs)
pid | process
2452 | explorha.exe
4596 | 845765797d.exe
2520 | go.exe
5776 | amert.exe
1948 | explorha.exe
4028 | explorgu.exe
5492 | koooooo.exe
1112 | NewB.exe
6132 | file300un.exe
5444 | nsEk8tLapmXJUwPLNptpRYaf.exe
588 | 3tAUUAFnOsGnIZlZOiWwaT0A.exe
5688 | pDTVFZcmrgmUEckZDi5iM2jk.exe
4768 | EaA7jWUT5Mk5zv8oV8rBf6pX.exe
5960 | ujoASDvSG0oFc7iaVfomXa4f.exe
4616 | u4e0.0.exe
6196 | u4e0.1.exe
6516 | 3tAUUAFnOsGnIZlZOiWwaT0A.exe
6532 | ujoASDvSG0oFc7iaVfomXa4f.exe
6540 | nsEk8tLapmXJUwPLNptpRYaf.exe
6880 | q6uCvgSm9hhrjhUiHod1QGuX.exe
6912 | q6uCvgSm9hhrjhUiHod1QGuX.exe
7112 | q6uCvgSm9hhrjhUiHod1QGuX.exe
6208 | q6uCvgSm9hhrjhUiHod1QGuX.exe
6304 | q6uCvgSm9hhrjhUiHod1QGuX.exe
5460 | GVB4WVbt6lub5QXa6WvoEyUW.exe
5368 | Assistant_108.0.5067.20_Setup.exe_sfx.exe
6984 | assistant_installer.exe
6932 | assistant_installer.exe
5284 | csrss.exe
6712 | HCAAEGIJKE.exe
7068 | injector.exe
4340 | windefender.exe
3972 | windefender.exe
6764 | explorha.exe
1020 | NewB.exe
6820 | explorha.exe
5488 | NewB.exe
Identifies Wine through registry keys (2 TTPs, 8 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | explorha.exe
Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | explorha.exe
Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | 845765797d.exe
Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | amert.exe
Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | explorha.exe
Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | explorgu.exe
Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | explorha.exe
Loads dropped DLL (17 IoCs)
pid | process
5272 | rundll32.exe
5292 | rundll32.exe
5340 | rundll32.exe
5256 | rundll32.exe
1904 | rundll32.exe
6880 | q6uCvgSm9hhrjhUiHod1QGuX.exe
6912 | q6uCvgSm9hhrjhUiHod1QGuX.exe
7112 | q6uCvgSm9hhrjhUiHod1QGuX.exe
6208 | q6uCvgSm9hhrjhUiHod1QGuX.exe
6304 | q6uCvgSm9hhrjhUiHod1QGuX.exe
4616 | u4e0.0.exe
4616 | u4e0.0.exe
6284 | rundll32.exe
6984 | assistant_installer.exe
6984 | assistant_installer.exe
6932 | assistant_installer.exe
6932 | assistant_installer.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource | yara_rule
C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe | themida
behavioral2/memory/5460-1214-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmp | themida
behavioral2/memory/5460-1218-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmp | themida
behavioral2/memory/5460-1221-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmp | themida
behavioral2/memory/5460-1226-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmp | themida
behavioral2/memory/5460-1228-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmp | themida
behavioral2/memory/5460-1230-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmp | themida
behavioral2/memory/5460-1231-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 3tAUUAFnOsGnIZlZOiWwaT0A.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\845765797d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\845765797d.exe" | explorha.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe" | explorha.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | nsEk8tLapmXJUwPLNptpRYaf.exe
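Two things stand out in these Run-key writes: a binary named `csrss.exe` that lives in `C:\Windows\rss` rather than `System32`, and auto-start entries pointing into `AppData\Local\Temp`. The Python below is an added example (not part of this report or of the sandbox's tooling) that parses rows in the layout used above, undoes the report's C-style escaping of the value, extracts the image path from the command line and reports why an entry looks wrong. The first two sample rows are copied from this report; the OneDrive row is a constructed benign entry so the filter has something to let through. The list of expected program directories and of system-binary names are assumptions of the example, not something the report states.

```python
"""Audit Run-key writes for persistence pointing at unusual image paths.

Added example, not part of the report.  Row layout follows this report:
  Set value (str) <key> = "<escaped value>" <process>
"""
import re
import ntpath

ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\S+) = "(?P<value>.*)" (?P<process>\S+)$')

# First two rows copied from the report; the OneDrive row is constructed.
SAMPLE_RUN_KEY_ROWS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\845765797d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\845765797d.exe" explorha.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background" explorer.exe
'''.strip().splitlines()

# Assumption: auto-start images normally live under one of these (lower-case).
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\",
                 "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: names a dropper borrows to blend in; the real ones live in System32.
SYSTEM_BINARY_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}


def unescape(value):
    r"""Undo the report's escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", value)


def image_path(command):
    """First token of a Run-key command line, honouring a quoted path."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_row(line):
    """Dict for one row, or None when the line is not a Run-key write row."""
    m = ROW_RE.match(line)
    if not m:
        return None
    cmd = unescape(m["value"])
    return {"key": m["key"], "name": m["key"].rsplit("\\", 1)[-1],
            "command": cmd, "image": image_path(cmd), "process": m["process"]}


def reasons_for(entry):
    """Why this auto-start entry deserves a look; empty list when it doesn't."""
    image = entry["image"].lower()
    base = ntpath.basename(image)
    out = []
    if not image.startswith(EXPECTED_DIRS):
        out.append("image-outside-expected-dirs")
    if base in SYSTEM_BINARY_NAMES and ntpath.dirname(image) != "c:\\windows\\system32":
        out.append("system-binary-name-outside-system32")
    if "\\appdata\\local\\temp\\" in image:
        out.append("image-in-user-temp")
    return out


def audit_run_keys(lines):
    """Parsed Run-key writes that earned at least one reason, in input order."""
    findings = []
    for line in lines:
        entry = parse_row(line)
        if entry is None:
            continue
        entry["reasons"] = reasons_for(entry)
        if entry["reasons"]:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_RUN_KEY_ROWS):
        print(f"{f['name']:16} {f['image']}  <- {f['process']}  {', '.join(f['reasons'])}")
```

The same image-path check applies to the `C:\Windows\Tasks\explorha.job` and `explorgu.job` files in the "Drops file in Windows directory" section: a task whose action points at `AppData\Local\Temp` or a made-up directory under `C:\Windows` warrants the same scrutiny as a Run key.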
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | GVB4WVbt6lub5QXa6WvoEyUW.exe
Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\D: | q6uCvgSm9hhrjhUiHod1QGuX.exe
File opened (read-only) | \??\F: | q6uCvgSm9hhrjhUiHod1QGuX.exe
File opened (read-only) | \??\D: | q6uCvgSm9hhrjhUiHod1QGuX.exe
File opened (read-only) | \??\F: | q6uCvgSm9hhrjhUiHod1QGuX.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
27 | api.myip.com
27 | ipinfo.io
97 | api.myip.com
99 | ipinfo.io
Manipulates WinMonFS driver (1 IoC)
Rootkits write to WinMonFS to hide directories/files from being detected.
description | ioc | process
File opened for modification | \??\WinMonFS | csrss.exe
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe | autoit_exe
Drops file in System32 directory (17 IoCs)
description | ioc | process
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | GVB4WVbt6lub5QXa6WvoEyUW.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | GVB4WVbt6lub5QXa6WvoEyUW.exe
File opened for modification | C:\Windows\System32\GroupPolicy | GVB4WVbt6lub5QXa6WvoEyUW.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | GVB4WVbt6lub5QXa6WvoEyUW.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe (11 occurrences)
Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
pid | process
1532 | e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
2452 | explorha.exe
5776 | amert.exe
1948 | explorha.exe
4028 | explorgu.exe
5460 | GVB4WVbt6lub5QXa6WvoEyUW.exe
6764 | explorha.exe
6820 | explorha.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 5492 set thread context of 4516 | 5492 | koooooo.exe | RegAsm.exe
PID 6132 set thread context of 1392 | 6132 | file300un.exe | regasm.exe
PID 4768 set thread context of 3040 | 4768 | EaA7jWUT5Mk5zv8oV8rBf6pX.exe | RegAsm.exe
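Read together with the "NtCreateUserProcessOtherParentProcess" and "Program crash" rows, these SetThreadContext events describe one chain: three droppers each write a new thread context into a fresh `RegAsm.exe` (the classic hollowing sequence), the `RegAsm.exe` with pid 3040 then spawns a child while declaring `sihost.exe` (2852) as its parent, and that same pid 3040 crashes twice under WerFault. The Python below is an added example (not part of this report or of the sandbox's tooling) that parses rows in the layouts used above and joins them per pid. The row strings are copied from this report; the regexes assume that row layout, and the reading of the "created" row as "creator pid, declared parent pid" follows the signature name and is an assumption of the example.

```python
"""Correlate process-injection rows from a sandbox report into chains.

Added example, not part of the report.  Row layouts (assumed from this report):
  PID <src> set thread context of <dst> <src> <src_name> <dst_name>
  PID <creator> created <parent> <creator> <creator_name> <parent_name>
  <werfault_pid> <crashed_pid> WerFault.exe <crashed_name>
"""
import re

CTX_RE = re.compile(
    r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+) \d+ (?P<src_name>\S+) (?P<dst_name>\S+)$")
OTHER_PARENT_RE = re.compile(
    r"^PID (?P<creator>\d+) created (?P<parent>\d+) \d+ (?P<creator_name>\S+) (?P<parent_name>\S+)$")
CRASH_RE = re.compile(r"^(?P<pid>\d+) (?P<target>\d+) WerFault\.exe (?P<target_name>\S+)$")

# Rows copied from this report.
SET_THREAD_CONTEXT_ROWS = [
    "PID 5492 set thread context of 4516 5492 koooooo.exe RegAsm.exe",
    "PID 6132 set thread context of 1392 6132 file300un.exe regasm.exe",
    "PID 4768 set thread context of 3040 4768 EaA7jWUT5Mk5zv8oV8rBf6pX.exe RegAsm.exe",
]
OTHER_PARENT_ROWS = ["PID 3040 created 2852 3040 RegAsm.exe sihost.exe"]
CRASH_ROWS = [
    "6064 5492 WerFault.exe koooooo.exe",
    "3864 4768 WerFault.exe EaA7jWUT5Mk5zv8oV8rBf6pX.exe",
    "6068 3040 WerFault.exe RegAsm.exe",
    "4432 3040 WerFault.exe RegAsm.exe",
    "6280 5688 WerFault.exe pDTVFZcmrgmUEckZDi5iM2jk.exe",
    "3600 4616 WerFault.exe u4e0.0.exe",
]


def parse(ctx_rows, parent_rows, crash_rows):
    """Return (hollowed, spoofed, crashes):
    hollowed[host_pid]   = (injector_pid, injector_name, host_name)
    spoofed[creator_pid] = (declared_parent_pid, declared_parent_name)
    crashes[pid]         = number of WerFault reports for that pid
    """
    hollowed, spoofed, crashes = {}, {}, {}
    for row in ctx_rows:
        m = CTX_RE.match(row)
        if m:
            hollowed[int(m["dst"])] = (int(m["src"]), m["src_name"], m["dst_name"])
    for row in parent_rows:
        m = OTHER_PARENT_RE.match(row)
        if m:
            spoofed[int(m["creator"])] = (int(m["parent"]), m["parent_name"])
    for row in crash_rows:
        m = CRASH_RE.match(row)
        if m:
            pid = int(m["target"])
            crashes[pid] = crashes.get(pid, 0) + 1
    return hollowed, spoofed, crashes


def lineage(pid, hollowed, spoofed, crashes):
    """Everything the three row types say about one pid."""
    inj = hollowed.get(pid)
    return {
        "pid": pid,
        "name": inj[2] if inj else None,
        "injected_by": (inj[0], inj[1]) if inj else None,
        "spoofed_parent": spoofed.get(pid),
        "crashes": crashes.get(pid, 0),
    }


def full_chains(hollowed, spoofed):
    """Pids that were written into via SetThreadContext and then spawned a
    child under a forged parent: the strongest signal in these rows."""
    return sorted(pid for pid in hollowed if pid in spoofed)


def describe(pid, hollowed, spoofed, crashes):
    """One-line analyst summary for a pid."""
    info = lineage(pid, hollowed, spoofed, crashes)
    parts = [f"{info['name'] or '?'} ({pid})"]
    if info["injected_by"]:
        parts.append(f"injected by {info['injected_by'][1]} ({info['injected_by'][0]}) via SetThreadContext")
    if info["spoofed_parent"]:
        parts.append(f"created a child claiming {info['spoofed_parent'][1]} ({info['spoofed_parent'][0]}) as parent")
    if info["crashes"]:
        parts.append(f"crashed {info['crashes']}x (WerFault)")
    return "; ".join(parts)


if __name__ == "__main__":
    h, s, c = parse(SET_THREAD_CONTEXT_ROWS, OTHER_PARENT_ROWS, CRASH_ROWS)
    for pid in sorted(h):
        print(describe(pid, h, s, c))
```

The crash count is a useful tie-breaker: an injected host that then dies under WerFault is usually the payload failing in a sandbox it detected, not the host binary itself misbehaving.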
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 3 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | process
File opened (read-only) | \??\VBoxMiniRdrDN | ujoASDvSG0oFc7iaVfomXa4f.exe
File opened (read-only) | \??\VBoxMiniRdrDN | nsEk8tLapmXJUwPLNptpRYaf.exe
File opened (read-only) | \??\VBoxMiniRdrDN | 3tAUUAFnOsGnIZlZOiWwaT0A.exe
Drops file in Windows directory (10 IoCs)
description | ioc | process
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\rss | 3tAUUAFnOsGnIZlZOiWwaT0A.exe
File created | C:\Windows\Tasks\explorgu.job | amert.exe
File opened for modification | C:\Windows\rss | nsEk8tLapmXJUwPLNptpRYaf.exe
File created | C:\Windows\rss\csrss.exe | nsEk8tLapmXJUwPLNptpRYaf.exe
File opened for modification | C:\Windows\rss | ujoASDvSG0oFc7iaVfomXa4f.exe
File created | C:\Windows\rss\csrss.exe | ujoASDvSG0oFc7iaVfomXa4f.exe
File created | C:\Windows\rss\csrss.exe | 3tAUUAFnOsGnIZlZOiWwaT0A.exe
File created | C:\Windows\windefender.exe | csrss.exe
File created | C:\Windows\Tasks\explorha.job | e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid | process
3040 | sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (6 IoCs)
pid | pid_target | process | target process
6064 | 5492 | WerFault.exe | koooooo.exe
3864 | 4768 | WerFault.exe | EaA7jWUT5Mk5zv8oV8rBf6pX.exe
6068 | 3040 | WerFault.exe | RegAsm.exe
4432 | 3040 | WerFault.exe | RegAsm.exe
6280 | 5688 | WerFault.exe | pDTVFZcmrgmUEckZDi5iM2jk.exe
3600 | 4616 | WerFault.exe | u4e0.0.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u4e0.1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u4e0.1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u4e0.1.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | u4e0.0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | u4e0.0.exe
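The anti-VM checks in this report are spread across six signatures ("Identifies VirtualBox via ACPI registry values", "Checks BIOS information in registry", "Identifies Wine through registry keys", "Checks for VirtualBox DLLs", "Checks SCSI registry key(s)" and "Checks processor information in registry"), and the interesting question for triage is which process combines several of them. The Python below is an added example (not part of this report or of the sandbox's tooling) that classifies access rows in the layout used above into categories and flags a process only when it probes more than one distinct VM artefact; a lone BIOS-version read is common in legitimate software, and the browser's `HARDWARE\DESCRIPTION\System\BIOS` reads under "Enumerates system info in registry" are deliberately not matched. The sample rows are copied from this report plus that one msedge.exe row; the category names and the two-category threshold are assumptions of the example.

```python
"""Classify sandbox registry/file access rows into anti-VM probe categories.

Added example, not part of the report.  Row layout (assumed from this report):
  <action> <path> <process>
"""
import re
from collections import defaultdict

# (regex over the accessed path, category).  Patterns follow the paths this
# report lists; matching is case-insensitive because registry paths are.
ANTI_VM_RULES = [
    (r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", "virtualbox-acpi"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "bios-version"),
    (r"\\Software\\Wine$", "wine"),
    (r"^\\\?\?\\VBoxMiniRdrDN$", "virtualbox-device"),
    (r"\\SYSTEM\\ControlSet\d+\\Enum\\SCSI", "scsi-enum"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", "cpu-info"),
]

EVENT_RE = re.compile(
    r"^(?P<action>Key opened|Key value queried|Key queried|Key enumerated|File opened \(read-only\)) "
    r"(?P<path>\S+) (?P<process>\S+)$")

# Rows copied from the report's anti-VM sections; the last row is the
# browser's ordinary system-info read and should not be flagged.
SAMPLE_EVENTS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe
Key opened \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine explorha.exe
File opened (read-only) \??\VBoxMiniRdrDN ujoASDvSG0oFc7iaVfomXa4f.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u4e0.1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString u4e0.0.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
""".strip().splitlines()


def classify(line):
    """(process, category) for an access row; category is None when the path
    matches no rule.  Returns None when the line is not an access row."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    for pattern, category in ANTI_VM_RULES:
        if re.search(pattern, m["path"], re.IGNORECASE):
            return m["process"], category
    return m["process"], None


def summarise(lines):
    """process -> sorted list of distinct anti-VM categories it touched."""
    seen = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit and hit[1]:
            seen[hit[0]].add(hit[1])
    return {proc: sorted(cats) for proc, cats in seen.items()}


def flagged(lines, min_categories=2):
    """Processes that probed at least min_categories distinct VM artefacts.
    One hit is noise; several different probes from one binary is the signal."""
    return sorted(p for p, cats in summarise(lines).items() if len(cats) >= min_categories)


if __name__ == "__main__":
    for proc, cats in sorted(summarise(SAMPLE_EVENTS).items()):
        mark = "*" if proc in flagged(SAMPLE_EVENTS) else " "
        print(f"{mark} {proc:45} {', '.join(cats)}")
```

Run over the full report rather than the sample rows, `explorha.exe`, `explorgu.exe`, `amert.exe`, `845765797d.exe`, `GVB4WVbt6lub5QXa6WvoEyUW.exe` and the original sample all combine the ACPI, BIOS-version and Wine probes, which is the Amadey loader's standard pre-flight, while `u4e0.0.exe` and `u4e0.1.exe` each use a single, different probe.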
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
6100 | schtasks.exe
6656 | schtasks.exe
6652 | schtasks.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | 3tAUUAFnOsGnIZlZOiWwaT0A.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | 3tAUUAFnOsGnIZlZOiWwaT0A.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | nsEk8tLapmXJUwPLNptpRYaf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | 3tAUUAFnOsGnIZlZOiWwaT0A.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | nsEk8tLapmXJUwPLNptpRYaf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | nsEk8tLapmXJUwPLNptpRYaf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | 3tAUUAFnOsGnIZlZOiWwaT0A.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | nsEk8tLapmXJUwPLNptpRYaf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | ujoASDvSG0oFc7iaVfomXa4f.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | 3tAUUAFnOsGnIZlZOiWwaT0A.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | 3tAUUAFnOsGnIZlZOiWwaT0A.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | nsEk8tLapmXJUwPLNptpRYaf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | nsEk8tLapmXJUwPLNptpRYaf.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | 3tAUUAFnOsGnIZlZOiWwaT0A.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | ujoASDvSG0oFc7iaVfomXa4f.exe
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | q6uCvgSm9hhrjhUiHod1QGuX.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (binary data not shown) | q6uCvgSm9hhrjhUiHod1QGuX.exe (2 occurrences)

Runs ping.exe (1 TTPs, 1 IoC)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process | occurrences
1532 | e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe | 2
2452 | explorha.exe | 2
4796 | msedge.exe | 2
4828 | msedge.exe | 3
1876 | msedge.exe | 2
2052 | msedge.exe | 2
5776 | amert.exe | 2
5292 | rundll32.exe | 10
5460 | powershell.exe | 3
5724 | msedge.exe | 2
2836 | identity_helper.exe | 2
1948 | explorha.exe | 2
4028 | explorgu.exe | 2
4516 | RegAsm.exe | 4
2876 | powershell.exe | 3
1864 | powershell.exe | 3
5260 | powershell.exe | 3
3040 | RegAsm.exe | 2
2088 | dialer.exe | 4
1904 | rundll32.exe | 7
4616 | u4e0.0.exe | 2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
msedge.exepid process 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
powershell.exeregasm.exepowershell.exepowershell.exepowershell.exepowershell.exensEk8tLapmXJUwPLNptpRYaf.exe3tAUUAFnOsGnIZlZOiWwaT0A.exeujoASDvSG0oFc7iaVfomXa4f.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepowershell.exepowershell.execsrss.exesc.exedescription pid process Token: SeDebugPrivilege 5460 powershell.exe Token: SeDebugPrivilege 1392 regasm.exe Token: SeDebugPrivilege 5260 powershell.exe Token: SeDebugPrivilege 2876 powershell.exe Token: SeDebugPrivilege 1864 powershell.exe Token: SeDebugPrivilege 228 powershell.exe Token: SeDebugPrivilege 5444 nsEk8tLapmXJUwPLNptpRYaf.exe Token: SeDebugPrivilege 588 3tAUUAFnOsGnIZlZOiWwaT0A.exe Token: SeImpersonatePrivilege 5444 nsEk8tLapmXJUwPLNptpRYaf.exe Token: SeImpersonatePrivilege 588 3tAUUAFnOsGnIZlZOiWwaT0A.exe Token: SeDebugPrivilege 5960 ujoASDvSG0oFc7iaVfomXa4f.exe Token: SeImpersonatePrivilege 5960 ujoASDvSG0oFc7iaVfomXa4f.exe Token: SeDebugPrivilege 6928 powershell.exe Token: SeDebugPrivilege 6952 powershell.exe Token: SeDebugPrivilege 6936 powershell.exe Token: SeDebugPrivilege 6572 powershell.exe Token: SeDebugPrivilege 6972 powershell.exe Token: SeDebugPrivilege 4848 powershell.exe Token: SeDebugPrivilege 3940 powershell.exe Token: SeDebugPrivilege 6904 powershell.exe Token: SeDebugPrivilege 4864 powershell.exe Token: SeDebugPrivilege 6956 powershell.exe Token: SeDebugPrivilege 6568 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Token: SeDebugPrivilege 3128 powershell.exe Token: SeDebugPrivilege 1308 powershell.exe Token: SeSystemEnvironmentPrivilege 5284 csrss.exe Token: SeSecurityPrivilege 3040 sc.exe Token: SeSecurityPrivilege 3040 sc.exe -
Suspicious use of FindShellTrayWindow 35 IoCs
Processes:
go.exemsedge.exeu4e0.1.exepid process 2520 go.exe 2520 go.exe 2520 go.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 6196 u4e0.1.exe 6196 u4e0.1.exe 6196 u4e0.1.exe 6196 u4e0.1.exe 6196 u4e0.1.exe 6196 u4e0.1.exe 6196 u4e0.1.exe -
Suspicious use of SendNotifyMessage 22 IoCs
Processes:
go.exemsedge.exeu4e0.1.exepid process 2520 go.exe 2520 go.exe 2520 go.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 4828 msedge.exe 6196 u4e0.1.exe 6196 u4e0.1.exe 6196 u4e0.1.exe 6196 u4e0.1.exe 6196 u4e0.1.exe 6196 u4e0.1.exe 6196 u4e0.1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exeexplorha.exego.exemsedge.exemsedge.exemsedge.exedescription pid process target process PID 1532 wrote to memory of 2452 1532 e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe explorha.exe PID 1532 wrote to memory of 2452 1532 e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe explorha.exe PID 1532 wrote to memory of 2452 1532 e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe explorha.exe PID 2452 wrote to memory of 4596 2452 explorha.exe 845765797d.exe PID 2452 wrote to memory of 4596 2452 explorha.exe 845765797d.exe PID 2452 wrote to memory of 4596 2452 explorha.exe 845765797d.exe PID 2452 wrote to memory of 2260 2452 explorha.exe explorha.exe PID 2452 wrote to memory of 2260 2452 explorha.exe explorha.exe PID 2452 wrote to memory of 2260 2452 explorha.exe explorha.exe PID 2452 wrote to memory of 2520 2452 explorha.exe go.exe PID 2452 wrote to memory of 2520 2452 explorha.exe go.exe PID 2452 wrote to memory of 2520 2452 explorha.exe go.exe PID 2520 wrote to memory of 4828 2520 go.exe msedge.exe PID 2520 wrote to memory of 4828 2520 go.exe msedge.exe PID 4828 wrote to memory of 1920 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1920 4828 msedge.exe msedge.exe PID 2520 wrote to memory of 2236 2520 go.exe msedge.exe PID 2520 wrote to memory of 2236 2520 go.exe msedge.exe PID 2236 wrote to memory of 5032 2236 msedge.exe msedge.exe PID 2236 wrote to memory of 5032 2236 msedge.exe msedge.exe PID 2520 wrote to memory of 1936 2520 go.exe msedge.exe PID 2520 wrote to memory of 1936 2520 go.exe msedge.exe PID 1936 wrote to memory of 2356 1936 msedge.exe msedge.exe PID 1936 wrote to memory of 2356 1936 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 
msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe 
msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe PID 4828 wrote to memory of 1696 4828 msedge.exe msedge.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2852
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2088
-
C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe"C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\1000042001\845765797d.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\845765797d.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee1353cb8,0x7ffee1353cc8,0x7ffee1353cd85⤵PID:1920
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:25⤵PID:1696
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:4796 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:85⤵PID:4620
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:15⤵PID:4992
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:15⤵PID:4376
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:15⤵PID:1604
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:15⤵PID:2964
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:15⤵PID:2176
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:15⤵PID:5140
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:5724 -
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6240 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:2836 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:15⤵PID:2264
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:15⤵PID:5336
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:15⤵PID:2512
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:15⤵PID:2936
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5732 /prefetch:25⤵PID:912
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video4⤵
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee1353cb8,0x7ffee1353cc8,0x7ffee1353cd85⤵PID:5032
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,11730444883340221998,15796735358467417627,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:25⤵PID:2776
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,11730444883340221998,15796735358467417627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1876 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee1353cb8,0x7ffee1353cc8,0x7ffee1353cd85⤵PID:2356
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,608283380746736222,8905572082569204458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:2052 -
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5776 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
PID:5272 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5292 -
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵PID:5312
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5460 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5340
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2596
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2240
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3956
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1948
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4028 -
C:\Users\Admin\AppData\Local\Temp\1001058001\koooooo.exe"C:\Users\Admin\AppData\Local\Temp\1001058001\koooooo.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5492 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4516 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 4603⤵
- Program crash
PID:6064 -
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"2⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F3⤵
- Creates scheduled task(s)
PID:6100 -
C:\Users\Admin\AppData\Local\Temp\1001060001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1001060001\file300un.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6132 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392 -
C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe"C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5444 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5260 -
C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe"C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6540 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6928 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵PID:2248
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:4552
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
PID:3128 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6572 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3940 -
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5284 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6956 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
PID:6656 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:5300
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f7⤵PID:3196
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3128 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1308 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:6572
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll7⤵
- Executes dropped EXE
PID:7068 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
PID:6652 -
C:\Windows\windefender.exe"C:\Windows\windefender.exe"7⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵PID:1156
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3040 -
C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe"C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:588 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876 -
C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe"C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID: 6516
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (tree depth 6)
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 6952
-
C:\Windows\system32\cmd.exe (tree depth 6)
Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
PID: 5768
-
C:\Windows\system32\netsh.exe (tree depth 7)
Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
- Modifies Windows Firewall
PID: 1680
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (tree depth 6)
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 4848
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (tree depth 6)
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 4864
-
C:\Users\Admin\Pictures\pDTVFZcmrgmUEckZDi5iM2jk.exe (tree depth 4)
Command line: "C:\Users\Admin\Pictures\pDTVFZcmrgmUEckZDi5iM2jk.exe"
- Executes dropped EXE
PID: 5688
-
C:\Users\Admin\AppData\Local\Temp\u4e0.0.exe (tree depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\u4e0.0.exe"
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID: 4616
-
C:\Windows\SysWOW64\cmd.exe (tree depth 6)
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe"
PID: 5584
-
C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe (tree depth 7)
Command line: "C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe"
- Executes dropped EXE
PID: 6712
-
C:\Windows\SysWOW64\cmd.exe (tree depth 8)
Command line: "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe
PID: 5384
-
C:\Windows\SysWOW64\PING.EXE (tree depth 9)
Command line: ping 2.2.2.2 -n 1 -w 3000
- Runs ping.exe
PID: 4120
-
C:\Windows\SysWOW64\WerFault.exe (tree depth 6)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 2848
- Program crash
PID: 3600
-
C:\Users\Admin\AppData\Local\Temp\u4e0.1.exe (tree depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\u4e0.1.exe"
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 6196
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (tree depth 6)
Command line: "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
- Suspicious use of AdjustPrivilegeToken
PID: 6568
-
C:\Windows\SysWOW64\WerFault.exe (tree depth 5)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1160
- Program crash
PID: 6280
-
C:\Users\Admin\Pictures\EaA7jWUT5Mk5zv8oV8rBf6pX.exe (tree depth 4)
Command line: "C:\Users\Admin\Pictures\EaA7jWUT5Mk5zv8oV8rBf6pX.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 4768
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (tree depth 5)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID: 3040
-
C:\Windows\SysWOW64\WerFault.exe (tree depth 6)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 532
- Program crash
PID: 6068
-
C:\Windows\SysWOW64\WerFault.exe (tree depth 6)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 552
- Program crash
PID: 4432
-
C:\Windows\SysWOW64\WerFault.exe (tree depth 5)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 884
- Program crash
PID: 3864
-
C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe (tree depth 4)
Command line: "C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 5960
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (tree depth 5)
Command line: powershell -nologo -noprofile
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1864
-
C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe (tree depth 5)
Command line: "C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe"
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID: 6532
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (tree depth 6)
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 6936
-
C:\Windows\system32\cmd.exe (tree depth 6)
Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
PID: 5380
-
C:\Windows\system32\netsh.exe (tree depth 7)
Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
- Modifies Windows Firewall
PID: 5300
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (tree depth 6)
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 6972
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (tree depth 6)
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 6904
-
C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe (tree depth 4)
Command line: "C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe" --silent --allusers=0
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
PID: 6880
-
C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe (tree depth 5)
Command line: C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x298,0x6e70e1d0,0x6e70e1dc,0x6e70e1e8
- Executes dropped EXE
- Loads dropped DLL
PID: 6912
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\q6uCvgSm9hhrjhUiHod1QGuX.exe (tree depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\q6uCvgSm9hhrjhUiHod1QGuX.exe" --version
- Executes dropped EXE
- Loads dropped DLL
PID: 7112
-
C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe (tree depth 5)
Command line: "C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6880 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329140620" --session-guid=e69f7e68-1247-4e2f-9070-8055d54aa567 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4805000000000000
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID: 6208
-
C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe (tree depth 6)
Command line: C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6dd8e1d0,0x6dd8e1dc,0x6dd8e1e8
- Executes dropped EXE
- Loads dropped DLL
PID: 6304
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe (tree depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
- Executes dropped EXE
PID: 5368
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\assistant_installer.exe (tree depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\assistant_installer.exe" --version
- Executes dropped EXE
- Loads dropped DLL
PID: 6984
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\assistant_installer.exe (tree depth 6)
Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x1190040,0x119004c,0x1190058
- Executes dropped EXE
- Loads dropped DLL
PID: 6932
-
C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe (tree depth 4)
Command line: "C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe"
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID: 5460
-
C:\Windows\SysWOW64\rundll32.exe (tree depth 2)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
- Loads dropped DLL
PID: 5256
-
C:\Windows\system32\rundll32.exe (tree depth 3)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID: 1904
-
C:\Windows\system32\netsh.exe (tree depth 4)
Command line: netsh wlan show profiles
PID: 4552
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 4)
Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
- Suspicious use of AdjustPrivilegeToken
PID: 228
-
C:\Windows\SysWOW64\rundll32.exe (tree depth 2)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
- Blocklisted process makes network request
- Loads dropped DLL
PID: 6284
-
C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5492 -ip 5492
PID: 5756
-
C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4768 -ip 4768
PID: 256
-
C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3040 -ip 3040
PID: 1876
-
C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3040 -ip 3040
PID: 6028
-
C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5688 -ip 5688
PID: 6216
-
C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
PID: 5332
-
C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
PID: 3836
-
C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4616 -ip 4616
PID: 5080
-
C:\Windows\windefender.exe (tree depth 1)
Command line: C:\Windows\windefender.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 3972
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID: 6764
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
- Executes dropped EXE
PID: 1020
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID: 6820
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
- Executes dropped EXE
PID: 5488
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (3)
- Subvert Trust Controls (1): Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Unsecured Credentials (6): Credentials In Files (5), Credentials in Registry (1)
Downloads
-
C:\ProgramData\Are.docx
Filesize: 11KB
MD5: a33e5b189842c5867f46566bdbf7a095
SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\ProgramData\mozglue.dll
Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 19a8bcb40a17253313345edd2a0da1e7
SHA1: 86fac74b5bbc59e910248caebd1176a48a46d72e
SHA256: b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e
SHA512: 9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 96899614360333c9904499393c6e3d75
SHA1: bbfa17cf8df01c266323965735f00f0e9e04cd34
SHA256: 486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c
SHA512: 974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 960B
MD5: bf7a23099f3d75460595ecf903194065
SHA1: 545e5b251c4474c01a8b33a88f401c1e4c2441d3
SHA256: 7cb7e339b1200fd5d9d289fb3f75e978c52c01caf676f2d9faeb43e72de068ef
SHA512: 1e0901ff032f899bc2d3b0fc53444f45f9e3b1e448ec4efd1b2c1b7dc0a17b5166cf231f130dab10ec666d92bc3246cd5123eb2071ab0842d74a6a5db02faa38
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize: 116KB
MD5: 4fb9df4eb079c2bffb0227ea64d63399
SHA1: a1ccbdcb713e549fd1a3b83a17a0ec9d90691937
SHA256: ab18e530d11cd5d425770dbe80f32e167740bba0e287653b8adc4f9c3e894352
SHA512: 6a26185b5e330dbfced80a8f22e4d38640738153c24386ac55dbf9c0c895cf23bcad5d3a10a379e1d1ba364436505865d4a80331192733b1a0f4359ed2b663eb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 2KB
MD5: 3fbbd3d9cf04e842f3dd24382abeed91
SHA1: be67923828eeecb8abbdfdc1def1d5bf83a5deff
SHA256: 54e3a39d9e3dfd9bdaab2e086d24131b1f0a868936d0294edc6dfc7f58b682b9
SHA512: 6471613d22b7c29b7a90d5a872efdddba54158ea61723d85fa93f0f6d80365f0844f5b329b18f451f11eba4667c6a69bfbb8889d72652ee82f85df60db3ce92b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 2KB
MD5: ea57a81bf9d6ca2a64f9765c6b9eedfe
SHA1: 703994a287038daa3d97c866edcaa2ac37f586c5
SHA256: a93c655a666d9ad4f274b6e5e060c6fe0c2f04b76c19b6cb0b1ca6fda3506fb5
SHA512: e3bd0e897fb75b931d64eb258cb663d4924591badc17f674b1124dc2785c1021c06dc90cb25215e5bbc07ebb6c12b8d63c4c6344b18cfef32f82a8a687770379
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: a350f7025b6ec2ca72d9b3059b59c05e
SHA1: 11c3d56c8c82858be1f8c7b0b8f40dea3aaff9f4
SHA256: ffefbefdf7622cc57dcf66ed161faa4bb884f4ab9d84169a11295cb17bc997a3
SHA512: 2d55971ac93065c1f5d2d4f0f8b1227fce971c3eab01885822943bc853da57e7b7576fd7e0877b3a7e37e636d14509c367d63c33b9ebb3419f09618f1a0ec942
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 7KB
MD5: cb02ffd446115f374a57f36078f11d47
SHA1: 1577d565146aef62149a55b66ec99822b4b54494
SHA256: 6a3594d2bc5834afb8e770d29fb2535d3a79822648bcc158d6fedb8039ed37d8
SHA512: 1f1e8eb9fa3b21993555fb09c3470136a205c779b28c8322c6888e0c45933fd5ffcf8b7af8fe8a40abd21cc01094f0e1910e4714b00d5ac7df30409de11fd040
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 703B
MD5: 44ce53d002b78721df702ed382646b17
SHA1: 46d0dace10c41107dcb260d5a7e050047bddd729
SHA256: 811d2fdc6b2c55e2f10a6925f627706f228eb213eae2c936a001a6d446c0d2ee
SHA512: 4a5656af5005b17d5e9c3d2c0a08911a89b92f4b0679959e7d7cb058176687aaf5857a86005b1e79f615554e89f489cc152d10f3a214c96badf423c1a0e7f036
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 703B
MD5: c0510196b184f4b015b976c689f0094d
SHA1: db7bd93ae2aac5a603c6148815f6e13565bc7041
SHA256: cbcf1fc079308b59d768fc0bbec8481ab9cfad5195f091e4a7d6ebde891c0180
SHA512: 5710a3fec1c2782a4701a5840de0032e4add480aa40044c0b91b09b9aea1e5dd3a1b84bcc38fab11159d9deb51a70f64175257999d901adf57ffc4c56aff31c1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 703B
MD5: 489b1ea99adc34f28b90fe48663c5d53
SHA1: e317bce2f262819f97166eafadddac76d8c431c1
SHA256: 0397585b0fa64fa8eb4a200ea4c22f23069e951d46b6c035819bdca03baab96f
SHA512: 42efd5ff92cb341b1fb2951dddd2cc82b570d3381b32efa47dd491de98a2d79785bc9c26d402ea05126912daec61534f559a89c843ce4ad3f159b81b1746fc49
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 705B
MD5: 668f9d617501cdc12ebfd5d322578e27
SHA1: 4fc2c88d2008b3c2a0a61a6c5adf3405e42d31e8
SHA256: bcda0781c81001752b3378cf654a1696439564310a1155e29771f2e5bcb0d72d
SHA512: 0cdfcd4fa98d92b7ce5754b0f53ab91bfe1e747606c38527eeabe08a877d1c89e1d08bcc2eb6b15d215868e9060b5c021fea5bf1eba92c1ef60b6a7389f93f8e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c062.TMP
Filesize: 703B
MD5: 706ddeec3081d0882fdc567078004004
SHA1: ddea3ba0ecf25ebcfa30704a9cc117dad6525b51
SHA256: 6f9946d79ee043c61173678d7c1add769c40ebd5327383ce5063bb4f9cd8730a
SHA512: c2b363d5cec0894209907e689cb613c69308d529b66a5b94aa2667214ddd7b019625cef86b1867fbf8775c50829d23b1a3d6a8f2cdff2b7374301718f254ed72
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize: 11B
MD5: b29bcf9cd0e55f93000b4bb265a9810b
SHA1: e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256: f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512: e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 8KB
MD5: f424d3df754036b00256f58459e8f03c
SHA1: 4726fff03a2780f9ed0ad72ec2702412ffe2d27c
SHA256: 55144e0bd6c2d4fc0c7597eb20ca5e0496dd4e78ecb32f50b8f571b8bf9b3070
SHA512: b8807b69e0d5e1c3fbd050743bdd1a4ef6feb41c59eebeed196338e24d88e74042322ede9507567998cab9a5922a84c39b2e35d81baa507045a3298524752b9f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 10KB
MD5: d08c499009b59a2186104515a9d4ba8d
SHA1: 428bebee89ea29cf6200a6aa47dfe704d329e358
SHA256: 3cac08427b32b840c5b994511c4b320bdcb09b710aa503af2e6d7b231cb693bc
SHA512: 1cfe6d7472922e29818b1632c3fc3fcf37ab103119fafbe772c7307f352f46c0a564929ad961e6a97ccd8f9e6a31d9f33852f4cbc56a78879caa81b71b023a7c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 8b2c84cfdc6a5a8fcb8f1ee907dc5682
SHA1: f5118d6fdc6ac7255c325d5155a005dfecf4e927
SHA256: 1ee6a2de6af93f07a4023654c72754d1af4ec9e2a392c9f12f4ecf15140af0ff
SHA512: c58434ded15435cda5fb0cf98aaa9eb5e6ad23def4b069440fe08af165bfd61d837ef2c0da6336a8971c11d4d2af292293cdf4a4e4887f35aa0cd6df89213c28
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 8KB
MD5: 168f0454e9abbea7887f7b88bc07e534
SHA1: 9ebdef9db6f81d589816242b93f42461afc95069
SHA256: 572c76633388f5cb4ad3b3c429d2e401b40fed93e49423c4a3030ff94e637753
SHA512: dfc8c7c6bfa2b98373d02015533d7f8a798bbe43221bf1fbd042895a7b7c2cbfd33b1088f0dffc24ad4488b5301d1427f9fe0cb4cc3598f0e92be08dc50bcd39
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
Filesize: 2.5MB
MD5: 20d293b9bf23403179ca48086ba88867
SHA1: dedf311108f607a387d486d812514a2defbd1b9e
SHA256: fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512: 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\opera_package
Filesize: 103.9MB
MD5: 401c352990789be2f40fe8f9c5c7a5ac
SHA1: d7c1e902487511d3f4e1a57abdee8a94d5483ed4
SHA256: f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3
SHA512: efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Filesize: 1.8MB
MD5: 82a0e9df77991b4703d35b285fc54e02
SHA1: e5a417e3c955ef4ad266ee25d965beb1a73923f0
SHA256: e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92
SHA512: 94d019ddbb31885afa8babbcc6c3c0b10be3fce76ff4ae44e6a13394fc71388ccb641317ac913fefe8ac4ebff7be4c776f5c5b5ec2940afa06d6b52d0b78f0fa
-
C:\Users\Admin\AppData\Local\Temp\1000042001\845765797d.exe
Filesize: 3.0MB
MD5: 800229e81ac8622c7303cf08d8ba5336
SHA1: cd601151c5f3fcdfa0c213594e1aee78a7420879
SHA256: eead74d6e44ef88fc319d627fffc927a0c6594c6a7e7896f3cedd0f4ba08c861
SHA512: a6110fee0ee93e92571cc5ab7d6b096d66373252b52feb6967f5fb1019ea7e939e187a0b8f80d5867f5f4081a74f1d02b33b50210b42228aeee6e9f6f1e6f968
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
Filesize: 894KB
MD5: 2f8912af892c160c1c24c9f38a60c1ab
SHA1: d2deae508e262444a8f15c29ebcc7ebbe08a3fdb
SHA256: 59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308
SHA512: 0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
Filesize: 1.8MB
MD5: 6f1ca07821a548cc136ced5b2e6d5c48
SHA1: a149e288de958cd5f14ac5f58b1c330091e25a3c
SHA256: c9a2b7b61eecdabdbcf5dd2ac65a8d54b12649b46382fbd55ed47d1dfcc5cd2f
SHA512: 051816a11e02d6c4dc891f7a36c02131e77ae82113738078828943f0182a77ecd19925f892a06004a09677e57444ee74088259bd9f25cd9a57104514fa1041dd
-
C:\Users\Admin\AppData\Local\Temp\1001058001\koooooo.exe
Filesize: 379KB
MD5: 90f41880d631e243cec086557cb74d63
SHA1: cb385e4172cc227ba72baf29ca1c4411fa99a26d
SHA256: 23b62a27e3f5c424b16f31e5009af4f24c8bd13b1f035f87879e2a29236be7a0
SHA512: eeb85b34aa66a7e9a1b1807012999ee439433df23126a52ffa8d4b3cb2026be3bcf63ca25f143de58ba929c0d4feeaf2a603fd6ec6b5379fc48147c22f3783e3
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
Filesize: 418KB
MD5: 0099a99f5ffb3c3ae78af0084136fab3
SHA1: 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256: 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512: 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1001060001\file300un.exe
Filesize: 386KB
MD5: 16f67f1a6e10f044bc15abe8c71b3bd6
SHA1: ce0101205b919899a2a2f577100377c2a6546171
SHA256: 41cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89
SHA512: a11db01bf55e3497644918c7dcc6180e0911261f39f062e653f000e1365dc9668fe5bd1d0fee0ae5c740a6477bcea510ba8c5ff6831c3bdb0d7c0590d2487e3c
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403291406200977112.dll
Filesize: 4.6MB
MD5: 117176ddeaf70e57d1747704942549e4
SHA1: 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b
SHA256: 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af
SHA512: ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cw1x45a1.h2c.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize: 2KB
MD5: a808ec080c3edcba7d767a15c2fc3dbe
SHA1: b08c571f4fffab4961562cf5ac7667ac0726b05b
SHA256: 91f39883331ea6336ea9a91be3ce65461b0b2e7835cb4f80de8ea6a63bb1dcce
SHA512: 3dfa0c251ffc7cec410999ff89cb9c562f79425b682336b5f49fce3994ef0cadc10a86a982d7a51a09f5bf40e7d8e4c129fa9885468593d51fb330b025f3e46e
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize: 3KB
MD5: 4dc4986d725923f2a75d912863644e07
SHA1: afdae11b17a8cba266c6f4472ff2bcd121a432ce
SHA256: 35611e6095c5ea0280881d7c8c589c36d5d212730181a9df4ec50b62d6ad0481
SHA512: cf51d08962f3f1420b9bfef7c74774813b32af366de644a92dd5e643ec035c5187d9a36a03c2d0c893c23b141049ad640873082a8ce447142ee948157a8d24b7
-
C:\Users\Admin\AppData\Local\Temp\u4e0.0.exe
Filesize: 233KB
MD5: f655c987a74774fcc43beda4ef44477d
SHA1: e263b1d33cf69561c5e02ff078df90dfb9b0700c
SHA256: 4ddb70f6593a3b8989c814b1cf9bc6607ee72c316685f904bf1e7014f87e85a2
SHA512: 464d0059e7353dbed812c9bc4f0fd8c90e0accc8bf299014b5536d5ed0597950fc946b61a2618d7cef43c010f6f9c58194e224a4d47fa944ced44b961615d8d1
-
C:\Users\Admin\AppData\Local\Temp\u4e0.1.exe
Filesize: 4.6MB
MD5: 397926927bca55be4a77839b1c44de6e
SHA1: e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256: 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512: cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize: 109KB
MD5: 2afdbe3b99a4736083066a13e4b5d11a
SHA1: 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256: 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512: d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize: 1.2MB
MD5: 92fbdfccf6a63acef2743631d16652a7
SHA1: 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256: b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512: b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize: 109KB
MD5: 726cd06231883a159ec1ce28dd538699
SHA1: 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256: 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512: 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize: 1.2MB
MD5: 15a42d3e4579da615a384c717ab2109b
SHA1: 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256: 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512: 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\Pictures\0qOOU1oxPzTF8JvwVvLX0F7Y.exe
Filesize: 3KB
MD5: e5a2e32b8a6a1e79db6ff6189655dd95
SHA1: 8c003d7197ec2e5196d4d737832c5319d247a736
SHA256: eeb993b173620cd2a3617f06d684a90eb25faa4da5cda5a8e9a805a0e1810b42
SHA512: d5ac0eef38b456f699c0ab86f392575d102b5bdf9a91df61e37d4f85f220bb9715bc2c2970b28503b113dea06ac5250aa1bea0356a4e16ff0c09068de6e766d5
-
C:\Users\Admin\Pictures\5jvb0sJCvsSuoNy7dGWsjjRz.exe
Filesize: 7KB
MD5: 5b423612b36cde7f2745455c5dd82577
SHA1: 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256: e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512: c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\EaA7jWUT5Mk5zv8oV8rBf6pX.exe
Filesize: 437KB
MD5: 7960d8afbbac06f216cceeb1531093bb
SHA1: 008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256: f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA512: 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147
-
C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe
Filesize: 4.3MB
MD5: 858bb0a3b4fa6a54586402e3ee117076
SHA1: 997c31f043347883ea5ed2323a558b6cc5ea9c8e
SHA256: d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35
SHA512: e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd
-
C:\Users\Admin\Pictures\TXsS3RBBZvJj2YFIcSqIk0Cu.exe
Filesize: 3KB
MD5: 793df98bdc2ec5cf6cf01135ef610816
SHA1: 5eb739268e4c0dc91ae2f457db30c118fad791f6
SHA256: 72a6cc136fa08cd8468b9f168dcb8122cc2c91b40b986986ee50e839456eb21d
SHA512: b47e4360419b81d877dc64725613610758d5776879c610d1c66e29ef5065a1d29ae99114f33f462a6f3b3b21e58423d58b5397fc66aba5e1b86a822846e086d6
-
C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe
Filesize: 4.1MB
MD5: a7837001588691fb8bc8304f72ef19ee
SHA1: eb7a63f9514900f4598b92e2fbec146e68b6726d
SHA256: fe69939c74e1d2aa7966eb332c70dd24946050105d82706124d6687900044662
SHA512: fe2231ca4ab7dafea143b299e0ffc6bff75c6fc9e945e3e03cf70d2073c7bb6f7bb1d1145e18c933b6e9203c78c25cd3ee0994c876f6ac134e44148fbfb7760b
-
C:\Users\Admin\Pictures\pDTVFZcmrgmUEckZDi5iM2jk.exe
Filesize: 378KB
MD5: 6f17bbc203edea71880585d74262f262
SHA1: 6987d2e4d289921f84bab709bd74db970bd8056b
SHA256: 5c3759c4051742b1366d7d2b7b4162c2a0035288970808a3ccbaedd19d6d18d1
SHA512: 11e3635a2ee674b3e9175b8fd89e5afd417efbf2a6e8a7368523e41f2efdd48a6c07533417ac98cce9dd1e1c77f5519796f768637d1114df77fc47fbc4fbd7a8
-
C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe
Filesize: 5.1MB
MD5: 0c80996832279a0be6c01d3249c08187
SHA1: 0432ebcdb62229959ffc8ae8e4427cb98266d751
SHA256: 0e6ec0f79198e5f602aa6fc6f760991e5f60f10108a3d1805357c9792e823305
SHA512: 510316c18966cb69c9fbe4f5cee00afdf0aabac01d32fd27951f61eef48910f35e902ea6535e3855a83f8acab48b025ac8c078372aea6522195a684077d168f8
-
C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe
Filesize: 4.1MB
MD5: 60bcf281239531a5cc5910bd7afb51b6
SHA1: 87a7a117464fe016ee163cd294e646710321b3e7
SHA256: 425eabbe8a3d4829ca4c56e18a908e9d19704727d6e6af070073fa427b0ba34b
SHA512: 8a30b984469d90b1a17337c58b756244795d9470bf2b274266ce9200d1d3dc0be5a87a4af1ddbee5e5ea1c8056ad01e9e3fcfba3f73c5c751184763cb97cc400
-
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize: 127B
MD5: 8ef9853d1881c5fe4d681bfb31282a01
SHA1: a05609065520e4b4e553784c566430ad9736f19f
SHA256: 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512: 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
\??\pipe\LOCAL\crashpad_4828_PUCPJKOASXXFHSAN
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/588-1124-0x0000000000400000-0x0000000000D1C000-memory.dmp
Filesize: 9.1MB
-
memory/1392-688-0x0000000000400000-0x0000000000408000-memory.dmp
Filesize: 32KB
-
memory/1532-8-0x0000000005390000-0x0000000005391000-memory.dmp
Filesize: 4KB
-
memory/1532-1-0x0000000077B26000-0x0000000077B28000-memory.dmp
Filesize: 8KB
-
memory/1532-21-0x0000000000ED0000-0x000000000136F000-memory.dmp
Filesize: 4.6MB
-
memory/1532-10-0x0000000005400000-0x0000000005401000-memory.dmp
Filesize: 4KB
-
memory/1532-9-0x0000000005410000-0x0000000005411000-memory.dmp
Filesize: 4KB
-
memory/1532-0-0x0000000000ED0000-0x000000000136F000-memory.dmp
Filesize: 4.6MB
-
memory/1532-7-0x0000000005380000-0x0000000005381000-memory.dmp
Filesize: 4KB
-
memory/1532-5-0x00000000053A0000-0x00000000053A1000-memory.dmp
Filesize: 4KB
-
memory/1532-6-0x00000000053E0000-0x00000000053E1000-memory.dmp
Filesize: 4KB
-
memory/1532-2-0x0000000000ED0000-0x000000000136F000-memory.dmp
Filesize: 4.6MB
-
memory/1532-4-0x00000000053C0000-0x00000000053C1000-memory.dmp
Filesize: 4KB
-
memory/1532-3-0x00000000053B0000-0x00000000053B1000-memory.dmp
Filesize: 4KB
-
memory/1948-391-0x0000000004D40000-0x0000000004D41000-memory.dmp
Filesize: 4KB
-
memory/1948-390-0x0000000000290000-0x000000000072F000-memory.dmp
Filesize: 4.6MB
-
memory/1948-386-0x0000000000290000-0x000000000072F000-memory.dmp
Filesize: 4.6MB
-
memory/1948-418-0x0000000000290000-0x000000000072F000-memory.dmp
Filesize: 4.6MB
-
memory/1948-394-0x0000000004D70000-0x0000000004D71000-memory.dmp
Filesize: 4KB
-
memory/1948-392-0x0000000004D50000-0x0000000004D51000-memory.dmp
Filesize: 4KB
-
memory/1948-393-0x0000000004D30000-0x0000000004D31000-memory.dmp
Filesize: 4KB
-
memory/1948-396-0x0000000004D20000-0x0000000004D21000-memory.dmp
Filesize: 4KB
-
memory/1948-395-0x0000000004D10000-0x0000000004D11000-memory.dmp
Filesize: 4KB
-
memory/2088-956-0x0000000002870000-0x0000000002C70000-memory.dmp
Filesize: 4.0MB
-
memory/2088-952-0x0000000000CD0000-0x0000000000CD9000-memory.dmp
Filesize: 36KB
-
memory/2088-966-0x0000000076630000-0x0000000076882000-memory.dmp
Filesize: 2.3MB
-
memory/2452-381-0x0000000000290000-0x000000000072F000-memory.dmp
Filesize: 4.6MB
-
memory/2452-26-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
Filesize: 4KB
-
memory/2452-30-0x0000000004D20000-0x0000000004D21000-memory.dmp
Filesize: 4KB
-
memory/2452-29-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
Filesize: 4KB
-
memory/2452-28-0x0000000004CD0000-0x0000000004CD1000-memory.dmp
Filesize: 4KB
-
memory/2452-31-0x0000000004D50000-0x0000000004D51000-memory.dmp
Filesize: 4KB
-
memory/2452-23-0x0000000000290000-0x000000000072F000-memory.dmp
Filesize: 4.6MB
-
memory/2452-24-0x0000000000290000-0x000000000072F000-memory.dmp
Filesize: 4.6MB
-
memory/2452-25-0x0000000004D00000-0x0000000004D01000-memory.dmp
Filesize: 4KB
-
memory/2452-32-0x0000000004D40000-0x0000000004D41000-memory.dmp
Filesize: 4KB
-
memory/2452-677-0x0000000000290000-0x000000000072F000-memory.dmp
Filesize: 4.6MB
-
memory/2452-1339-0x0000000000290000-0x000000000072F000-memory.dmp
Filesize: 4.6MB
-
memory/2452-246-0x0000000000290000-0x000000000072F000-memory.dmp
Filesize: 4.6MB
-
memory/2452-322-0x0000000000290000-0x000000000072F000-memory.dmp
Filesize: 4.6MB
-
memory/2452-1057-0x0000000000290000-0x000000000072F000-memory.dmp
Filesize: 4.6MB
-
memory/2452-27-0x0000000004D30000-0x0000000004D31000-memory.dmpFilesize
4KB
-
memory/3040-895-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/3040-899-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/3040-943-0x0000000003A80000-0x0000000003E80000-memory.dmpFilesize
4.0MB
-
memory/3040-947-0x00007FFF01880000-0x00007FFF01A89000-memory.dmpFilesize
2.0MB
-
memory/3040-944-0x0000000003A80000-0x0000000003E80000-memory.dmpFilesize
4.0MB
-
memory/3040-950-0x0000000076630000-0x0000000076882000-memory.dmpFilesize
2.3MB
-
memory/4028-398-0x0000000005230000-0x0000000005231000-memory.dmpFilesize
4KB
-
memory/4028-397-0x0000000005220000-0x0000000005221000-memory.dmpFilesize
4KB
-
memory/4028-403-0x0000000000790000-0x0000000000C47000-memory.dmpFilesize
4.7MB
-
memory/4028-1213-0x0000000000790000-0x0000000000C47000-memory.dmpFilesize
4.7MB
-
memory/4028-388-0x0000000000790000-0x0000000000C47000-memory.dmpFilesize
4.7MB
-
memory/4028-402-0x0000000005200000-0x0000000005201000-memory.dmpFilesize
4KB
-
memory/4028-399-0x0000000005210000-0x0000000005211000-memory.dmpFilesize
4KB
-
memory/4028-420-0x0000000005270000-0x0000000005271000-memory.dmpFilesize
4KB
-
memory/4028-893-0x0000000000790000-0x0000000000C47000-memory.dmpFilesize
4.7MB
-
memory/4028-400-0x0000000005250000-0x0000000005251000-memory.dmpFilesize
4KB
-
memory/4028-419-0x0000000005280000-0x0000000005281000-memory.dmpFilesize
4KB
-
memory/4028-401-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/4516-445-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/4516-448-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/4516-450-0x0000000001670000-0x00000000016B0000-memory.dmpFilesize
256KB
-
memory/4596-954-0x0000000000210000-0x00000000005CC000-memory.dmpFilesize
3.7MB
-
memory/4596-440-0x0000000000210000-0x00000000005CC000-memory.dmpFilesize
3.7MB
-
memory/4596-51-0x0000000000210000-0x00000000005CC000-memory.dmpFilesize
3.7MB
-
memory/4596-52-0x0000000000210000-0x00000000005CC000-memory.dmpFilesize
3.7MB
-
memory/4596-1256-0x0000000000210000-0x00000000005CC000-memory.dmpFilesize
3.7MB
-
memory/4596-384-0x0000000000210000-0x00000000005CC000-memory.dmpFilesize
3.7MB
-
memory/4596-344-0x0000000000210000-0x00000000005CC000-memory.dmpFilesize
3.7MB
-
memory/4616-1301-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/4616-1049-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/5444-1123-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/5460-335-0x00000263D8BE0000-0x00000263D8BF0000-memory.dmpFilesize
64KB
-
memory/5460-1221-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmpFilesize
11.0MB
-
memory/5460-343-0x00007FFEDE9E0000-0x00007FFEDF4A2000-memory.dmpFilesize
10.8MB
-
memory/5460-337-0x00000263D8A10000-0x00000263D8A1A000-memory.dmpFilesize
40KB
-
memory/5460-336-0x00000263D8BB0000-0x00000263D8BC2000-memory.dmpFilesize
72KB
-
memory/5460-334-0x00000263D8BE0000-0x00000263D8BF0000-memory.dmpFilesize
64KB
-
memory/5460-331-0x00000263D8A20000-0x00000263D8A42000-memory.dmpFilesize
136KB
-
memory/5460-1214-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmpFilesize
11.0MB
-
memory/5460-1218-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmpFilesize
11.0MB
-
memory/5460-332-0x00007FFEDE9E0000-0x00007FFEDF4A2000-memory.dmpFilesize
10.8MB
-
memory/5460-1226-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmpFilesize
11.0MB
-
memory/5460-1228-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmpFilesize
11.0MB
-
memory/5460-1230-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmpFilesize
11.0MB
-
memory/5460-1231-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmpFilesize
11.0MB
-
memory/5460-333-0x00000263D8BE0000-0x00000263D8BF0000-memory.dmpFilesize
64KB
-
memory/5492-449-0x0000000002990000-0x0000000004990000-memory.dmpFilesize
32.0MB
-
memory/5492-443-0x0000000072F70000-0x0000000073721000-memory.dmpFilesize
7.7MB
-
memory/5492-441-0x00000000003F0000-0x0000000000456000-memory.dmpFilesize
408KB
-
memory/5688-1103-0x0000000000400000-0x0000000000563000-memory.dmpFilesize
1.4MB
-
memory/5776-266-0x0000000004AD0000-0x0000000004AD1000-memory.dmpFilesize
4KB
-
memory/5776-265-0x0000000004A90000-0x0000000004A91000-memory.dmpFilesize
4KB
-
memory/5776-275-0x0000000004A80000-0x0000000004A81000-memory.dmpFilesize
4KB
-
memory/5776-254-0x0000000004AB0000-0x0000000004AB1000-memory.dmpFilesize
4KB
-
memory/5776-273-0x0000000004A70000-0x0000000004A71000-memory.dmpFilesize
4KB
-
memory/5776-309-0x00000000004A0000-0x0000000000957000-memory.dmpFilesize
4.7MB
-
memory/5776-247-0x00000000004A0000-0x0000000000957000-memory.dmpFilesize
4.7MB
-
memory/5776-252-0x00000000004A0000-0x0000000000957000-memory.dmpFilesize
4.7MB
-
memory/5776-253-0x0000000004AA0000-0x0000000004AA1000-memory.dmpFilesize
4KB
-
memory/5776-304-0x0000000004B10000-0x0000000004B11000-memory.dmpFilesize
4KB
-
memory/5960-1190-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/6196-1340-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/6516-1341-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/6532-1342-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/6540-1343-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB