Resubmissions
29-03-2024 14:25
240329-rrdgpsad9yAnalysis
-
max time kernel
1800s -
max time network
1805s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system -
submitted
29-03-2024 17:48
Static task
static1
Behavioral task
behavioral1
Sample
7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe
Resource
win10-20240221-en
Behavioral task
behavioral3
Sample
7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe
Resource
win11-20240319-en
General
-
Target
7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe
-
Size
1.9MB
-
MD5
864674e8be395eb28bb181184add5c01
-
SHA1
79bb9c0ae54bf8572328af06b6576327bd0a386c
-
SHA256
7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da
-
SHA512
7f85146e5cca26f5a388aeea88cf9d86819aed6e240c3b94569967a2074654327e531be66f1335f9fa0790f13844c65315a3020d0e9c6bdce40c3605164abc25
-
SSDEEP
49152:EJ8NNvupgJi+RYYhQx/QAfi4oxa03C+v7sOh9yPQtE:Xvu+RIx/QAfiTY03C+z/yP
Malware Config
Extracted
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
1366613
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
MAJORIA1
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
toys4us
Extracted
Protocol: smtp- Host:
smtp.homtail.co.uk - Port:
587 - Username:
[email protected] - Password:
paige123
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
pRECIOUS
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
081265
Extracted
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
00704089
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
douglas954
Extracted
Protocol: smtp- Host:
mx.mannbdinfo.org - Port:
587 - Username:
[email protected] - Password:
kHnFvq8E
Extracted
Protocol: smtp- Host:
mail.zilladog.com - Port:
587 - Username:
[email protected] - Password:
terakoodom
Extracted
Protocol: smtp- Host:
smtp.hotamil.com - Port:
587 - Username:
[email protected] - Password:
Mirian03
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
cats2
Extracted
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
mygirls2
Extracted
Protocol: smtp- Host:
mx.breakthur.com - Port:
587 - Username:
[email protected] - Password:
ej4yv4o6AE
Extracted
Protocol: smtp- Host:
mx.breakthur.com - Port:
587 - Username:
[email protected] - Password:
3d8Cubaj2E
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
102465
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
102205
Extracted
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
lilil699466
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
ga400ga
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
92497
Extracted
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
152245
Extracted
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
AsShole666
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
GOODDAD411
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
beer4u2
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
airforce
Extracted
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
Asp007@
Extracted
Protocol: smtp- Host:
smtp.jcom.home.ne.jp - Port:
587 - Username:
[email protected] - Password:
chesheir06076
Extracted
Protocol: smtp- Host:
mx.hotil.it - Port:
587 - Username:
[email protected] - Password:
Aaaaaa1!w
Extracted
Protocol: smtp- Host:
smtp.jcom.home.ne.jp - Port:
587 - Username:
[email protected] - Password:
bun1933
Extracted
Protocol: smtp- Host:
kimkulish.com - Port:
587 - Username:
[email protected]
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
mooses1217
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
Shithead12
Extracted
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
nikki9966
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
SS209XD9
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
w7M6xefr
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
NEWLIFENOW
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
greta
Extracted
Protocol: smtp- Host:
mail.ohara.org.uk - Port:
587 - Username:
[email protected] - Password:
L31c35t3r$$*1@
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
CETHIE
Extracted
Protocol: smtp- Host:
mail01.ebiz.hosting.mt.im - Port:
587 - Username:
[email protected] - Password:
Scallywag
Extracted
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
buttermiseancerretani93
Extracted
Protocol: smtp- Host:
smtp.jcom.home.ne.jp - Port:
587 - Username:
[email protected] - Password:
eiko0326
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
Whiskers1
Extracted
Protocol: smtp- Host:
smtp.citlink.net - Port:
587 - Username:
[email protected] - Password:
shargill
Extracted
Protocol: smtp- Host:
mx.progiftstore.org - Port:
587 - Username:
[email protected] - Password:
3EHd1ixi1Y3eHd1ixi1Y!
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
samples
Extracted
Protocol: smtp- Host:
mx.abcnetworkingu.pl - Port:
587 - Username:
[email protected] - Password:
rootGa1spz35r1b
Extracted
Protocol: smtp- Host:
smtp.nifty.ne.jp - Port:
587 - Username:
[email protected] - Password:
nana77
Extracted
Protocol: smtp- Host:
smtp-box-01.iol.pt - Port:
587 - Username:
[email protected] - Password:
zztop
Extracted
Protocol: smtp- Host:
smtp-box-01.iol.pt - Port:
587 - Username:
[email protected] - Password:
ed11cfe3
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
redline
@OLEH_PSP
185.172.128.33:8970
Extracted
redline
Jok123
185.215.113.67:26260
Extracted
amadey
4.17
http://185.215.113.32
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
LiveTraffic
4.185.137.132:1632
Extracted
lumma
https://enthusiasimtitleow.shop/api
Signatures
-
Detect ZGRat V1 13 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe family_zgrat_v1 behavioral2/memory/664-57-0x0000000000060000-0x000000000021C000-memory.dmp family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe family_zgrat_v1 behavioral2/memory/6032-452-0x0000000005880000-0x0000000005ABB000-memory.dmp family_zgrat_v1 behavioral2/memory/6032-453-0x0000000005880000-0x0000000005ABB000-memory.dmp family_zgrat_v1 behavioral2/memory/6032-455-0x0000000005880000-0x0000000005ABB000-memory.dmp family_zgrat_v1 behavioral2/memory/6032-459-0x0000000005880000-0x0000000005ABB000-memory.dmp family_zgrat_v1 behavioral2/memory/6032-463-0x0000000005880000-0x0000000005ABB000-memory.dmp family_zgrat_v1 behavioral2/memory/6032-477-0x0000000005880000-0x0000000005ABB000-memory.dmp family_zgrat_v1 behavioral2/memory/6032-484-0x0000000005880000-0x0000000005ABB000-memory.dmp family_zgrat_v1 behavioral2/memory/6032-488-0x0000000005880000-0x0000000005ABB000-memory.dmp family_zgrat_v1 behavioral2/memory/6032-492-0x0000000005880000-0x0000000005ABB000-memory.dmp family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 8 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe family_redline behavioral2/memory/232-109-0x00000000004B0000-0x0000000000502000-memory.dmp family_redline behavioral2/memory/1268-115-0x0000000000BE0000-0x0000000000C30000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_redline behavioral2/memory/3744-168-0x0000000000690000-0x000000000071C000-memory.dmp family_redline behavioral2/memory/2060-242-0x0000000000400000-0x0000000000450000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 36 IoCs
Processes:
explorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorgu.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeamadka.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exerandom.exe423a9955c7.exeexplorha.exe7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeamert.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amadka.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 423a9955c7.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amert.exe -
Blocklisted process makes network request 4 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exeflow pid process 22 4932 rundll32.exe 27 1304 rundll32.exe 35 5360 rundll32.exe 38 1180 rundll32.exe -
Contacts a large (672) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
random.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exe423a9955c7.exeexplorha.exeexplorha.exeamadka.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorgu.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeamert.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exe7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exeexplorha.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 423a9955c7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 423a9955c7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
go.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Control Panel\International\Geo\Nation go.exe -
Executes dropped EXE 64 IoCs
Processes:
explorgu.exerandom.exealex1234.exeamadka.exeTraffic.exepropro.exeredlinepanel.exeexplorha.exe32456.exegoldprimeldlldf.exeNewB.exe423a9955c7.exego.exeamert.exeSecond2.exeTcgprylsch.exekoooooo.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exe$77879d2e$77d1ba65explorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exeNewB.exeexplorha.exepid process 4900 explorgu.exe 1808 random.exe 664 alex1234.exe 3612 amadka.exe 3744 Traffic.exe 232 propro.exe 1268 redlinepanel.exe 4700 explorha.exe 4180 32456.exe 2392 goldprimeldlldf.exe 2132 NewB.exe 2468 423a9955c7.exe 1600 go.exe 3768 amert.exe 5256 Second2.exe 6032 Tcgprylsch.exe 3520 koooooo.exe 7036 explorha.exe 6344 NewB.exe 60 explorha.exe 3616 NewB.exe 4704 explorha.exe 1356 NewB.exe 6844 explorha.exe 5028 NewB.exe 6228 $77879d2e 832 $77d1ba65 5908 explorha.exe 6008 NewB.exe 3240 explorha.exe 7020 NewB.exe 6916 explorha.exe 6716 NewB.exe 3984 explorha.exe 6056 NewB.exe 5784 explorha.exe 7160 NewB.exe 6560 explorha.exe 7264 NewB.exe 8188 explorha.exe 7256 NewB.exe 7972 explorha.exe 7448 NewB.exe 7196 explorha.exe 8256 NewB.exe 8256 explorha.exe 8224 NewB.exe 9164 explorha.exe 8596 NewB.exe 10040 explorha.exe 10200 NewB.exe 9940 explorha.exe 10144 NewB.exe 10284 explorha.exe 10432 NewB.exe 10556 explorha.exe 10824 NewB.exe 10972 explorha.exe 11312 NewB.exe 11056 explorha.exe 11568 NewB.exe 5648 explorha.exe 11500 NewB.exe 3916 explorha.exe -
Identifies Wine through registry keys 2 TTPs 36 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exe7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorgu.exerandom.exeamadka.exe423a9955c7.exeamert.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine 7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorgu.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine random.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine amadka.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine 423a9955c7.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine amert.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Wine explorha.exe -
Loads dropped DLL 7 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exeSecond2.exepid process 216 rundll32.exe 4932 rundll32.exe 1304 rundll32.exe 5300 rundll32.exe 5360 rundll32.exe 1180 rundll32.exe 5256 Second2.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
explorgu.exeexplorha.exeTcgprylsch.exe$77d1ba65description ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe" explorgu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" explorgu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe" explorha.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77Nuccfglmu = "C:\\Users\\Admin\\AppData\\Roaming\\$77Nuccfglmu.exe" Tcgprylsch.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\$77d1ba65'\"" $77d1ba65 -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs
Processes:
7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exeexplorgu.exeamadka.exeexplorha.exeamert.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exepid process 4940 7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe 4900 explorgu.exe 3612 amadka.exe 4700 explorha.exe 3768 amert.exe 7036 explorha.exe 60 explorha.exe 4704 explorha.exe 6844 explorha.exe 5908 explorha.exe 3240 explorha.exe 6916 explorha.exe 3984 explorha.exe 5784 explorha.exe 6560 explorha.exe 8188 explorha.exe 7972 explorha.exe 7196 explorha.exe 8256 explorha.exe 9164 explorha.exe 10040 explorha.exe 9940 explorha.exe 10284 explorha.exe 10556 explorha.exe 10972 explorha.exe 11056 explorha.exe 5648 explorha.exe 3916 explorha.exe 1316 explorha.exe 12816 explorha.exe 14328 explorha.exe 14108 explorha.exe 14972 explorha.exe 14604 explorha.exe -
Suspicious use of SetThreadContext 6 IoCs
Processes:
alex1234.exegoldprimeldlldf.exekoooooo.exeSecond2.exeTcgprylsch.exedescription pid process target process PID 664 set thread context of 1816 664 alex1234.exe RegAsm.exe PID 2392 set thread context of 2060 2392 goldprimeldlldf.exe RegAsm.exe PID 3520 set thread context of 5740 3520 koooooo.exe RegAsm.exe PID 5256 set thread context of 6324 5256 Second2.exe MsBuild.exe PID 6032 set thread context of 6228 6032 Tcgprylsch.exe $77879d2e PID 6032 set thread context of 832 6032 Tcgprylsch.exe $77d1ba65 -
Drops file in Windows directory 12 IoCs
Processes:
7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeamadka.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process File created C:\Windows\Tasks\explorgu.job 7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdge.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\Tasks\explorha.job amadka.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exepid pid_target process target process 5244 3520 WerFault.exe koooooo.exe 2016 6324 WerFault.exe MsBuild.exe 2224 6228 WerFault.exe $77879d2e -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Processes:
browser_broker.exeMicrosoftEdgeCP.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ec7e4a7a0182da01 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 7a2d047e0182da01 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "418516270" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 54654e830182da01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\MrtCache MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active MicrosoftEdge.exe -
Processes:
propro.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 propro.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 propro.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exeexplorgu.exeamadka.exerundll32.exeexplorha.exepowershell.exeamert.exerundll32.exepowershell.exeRegAsm.exeexplorha.exeRegAsm.exeTraffic.exeexplorha.exe32456.exepropro.exeredlinepanel.exepid process 4940 7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe 4940 7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe 4900 explorgu.exe 4900 explorgu.exe 3612 amadka.exe 3612 amadka.exe 4932 rundll32.exe 4932 rundll32.exe 4932 rundll32.exe 4932 rundll32.exe 4932 rundll32.exe 4932 rundll32.exe 4700 explorha.exe 4700 explorha.exe 4932 rundll32.exe 4932 rundll32.exe 4932 rundll32.exe 4932 rundll32.exe 1356 powershell.exe 1356 powershell.exe 1356 powershell.exe 1356 powershell.exe 3768 amert.exe 3768 amert.exe 5360 rundll32.exe 5360 rundll32.exe 5360 rundll32.exe 5360 rundll32.exe 5360 rundll32.exe 5360 rundll32.exe 5360 rundll32.exe 5360 rundll32.exe 5360 rundll32.exe 5360 rundll32.exe 6060 powershell.exe 6060 powershell.exe 6060 powershell.exe 6060 powershell.exe 5740 RegAsm.exe 5740 RegAsm.exe 5740 RegAsm.exe 5740 RegAsm.exe 7036 explorha.exe 7036 explorha.exe 2060 RegAsm.exe 2060 RegAsm.exe 3744 Traffic.exe 3744 Traffic.exe 60 explorha.exe 60 explorha.exe 3744 Traffic.exe 3744 Traffic.exe 4180 32456.exe 4180 32456.exe 2060 RegAsm.exe 2060 RegAsm.exe 232 propro.exe 232 propro.exe 2060 RegAsm.exe 2060 RegAsm.exe 4180 32456.exe 4180 32456.exe 1268 redlinepanel.exe 1268 redlinepanel.exe -
Suspicious behavior: MapViewOfSection 11 IoCs
Processes:
MicrosoftEdgeCP.exepid process 5928 MicrosoftEdgeCP.exe 5928 MicrosoftEdgeCP.exe 5928 MicrosoftEdgeCP.exe 5928 MicrosoftEdgeCP.exe 5928 MicrosoftEdgeCP.exe 5928 MicrosoftEdgeCP.exe 5928 MicrosoftEdgeCP.exe 5928 MicrosoftEdgeCP.exe 5928 MicrosoftEdgeCP.exe 5928 MicrosoftEdgeCP.exe 5928 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes:
Traffic.exe32456.exepowershell.exeTcgprylsch.exepowershell.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeRegAsm.exepropro.exeredlinepanel.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 3744 Traffic.exe Token: SeDebugPrivilege 4180 32456.exe Token: SeBackupPrivilege 3744 Traffic.exe Token: SeSecurityPrivilege 3744 Traffic.exe Token: SeSecurityPrivilege 3744 Traffic.exe Token: SeSecurityPrivilege 3744 Traffic.exe Token: SeSecurityPrivilege 3744 Traffic.exe Token: SeDebugPrivilege 1356 powershell.exe Token: SeBackupPrivilege 4180 32456.exe Token: SeSecurityPrivilege 4180 32456.exe Token: SeSecurityPrivilege 4180 32456.exe Token: SeSecurityPrivilege 4180 32456.exe Token: SeSecurityPrivilege 4180 32456.exe Token: SeDebugPrivilege 6032 Tcgprylsch.exe Token: SeDebugPrivilege 6060 powershell.exe Token: SeDebugPrivilege 5396 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 5396 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 5396 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 5396 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 6496 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 6496 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2060 RegAsm.exe Token: SeDebugPrivilege 232 propro.exe Token: SeDebugPrivilege 1268 redlinepanel.exe Token: SeDebugPrivilege 1816 RegAsm.exe Token: SeDebugPrivilege 6032 Tcgprylsch.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exeamadka.exego.exepid process 4940 7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe 3612 amadka.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe -
Suspicious use of SendNotifyMessage 16 IoCs
Processes:
go.exepid process 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe 1600 go.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exepid process 2864 MicrosoftEdge.exe 5928 MicrosoftEdgeCP.exe 5396 MicrosoftEdgeCP.exe 5928 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
explorgu.exealex1234.exeRegAsm.exeamadka.exerundll32.exerundll32.exegoldprimeldlldf.exeexplorha.exeNewB.exedescription pid process target process PID 4900 wrote to memory of 1808 4900 explorgu.exe random.exe PID 4900 wrote to memory of 1808 4900 explorgu.exe random.exe PID 4900 wrote to memory of 1808 4900 explorgu.exe random.exe PID 4900 wrote to memory of 664 4900 explorgu.exe alex1234.exe PID 4900 wrote to memory of 664 4900 explorgu.exe alex1234.exe PID 4900 wrote to memory of 664 4900 explorgu.exe alex1234.exe PID 4900 wrote to memory of 3612 4900 explorgu.exe amadka.exe PID 4900 wrote to memory of 3612 4900 explorgu.exe amadka.exe PID 4900 wrote to memory of 3612 4900 explorgu.exe amadka.exe PID 664 wrote to memory of 1816 664 alex1234.exe RegAsm.exe PID 664 wrote to memory of 1816 664 alex1234.exe RegAsm.exe PID 664 wrote to memory of 1816 664 alex1234.exe RegAsm.exe PID 664 wrote to memory of 1816 664 alex1234.exe RegAsm.exe PID 664 wrote to memory of 1816 664 alex1234.exe RegAsm.exe PID 664 wrote to memory of 1816 664 alex1234.exe RegAsm.exe PID 664 wrote to memory of 1816 664 alex1234.exe RegAsm.exe PID 664 wrote to memory of 1816 664 alex1234.exe RegAsm.exe PID 1816 wrote to memory of 232 1816 RegAsm.exe propro.exe PID 1816 wrote to memory of 232 1816 RegAsm.exe propro.exe PID 1816 wrote to memory of 232 1816 RegAsm.exe propro.exe PID 1816 wrote to memory of 3744 1816 RegAsm.exe Traffic.exe PID 1816 wrote to memory of 3744 1816 RegAsm.exe Traffic.exe PID 4900 wrote to memory of 1268 4900 explorgu.exe redlinepanel.exe PID 4900 wrote to memory of 1268 4900 explorgu.exe redlinepanel.exe PID 4900 wrote to memory of 1268 4900 explorgu.exe redlinepanel.exe PID 3612 wrote to memory of 4700 3612 amadka.exe explorha.exe PID 3612 wrote to memory of 4700 3612 amadka.exe explorha.exe PID 3612 wrote to memory of 4700 3612 amadka.exe explorha.exe PID 4900 wrote to memory of 216 4900 explorgu.exe rundll32.exe PID 4900 wrote to memory of 216 4900 explorgu.exe rundll32.exe PID 4900 wrote to memory of 216 4900 explorgu.exe rundll32.exe PID 4900 wrote to memory of 4180 4900 explorgu.exe 32456.exe PID 4900 wrote to memory of 4180 4900 explorgu.exe 32456.exe PID 216 wrote to memory of 4932 216 rundll32.exe rundll32.exe PID 216 wrote to memory of 4932 216 rundll32.exe rundll32.exe PID 4932 wrote to memory of 328 4932 rundll32.exe browser_broker.exe PID 4932 wrote to memory of 328 4932 rundll32.exe browser_broker.exe PID 4900 wrote to memory of 2392 4900 explorgu.exe goldprimeldlldf.exe PID 4900 wrote to memory of 2392 4900 explorgu.exe goldprimeldlldf.exe PID 4900 wrote to memory of 2392 4900 explorgu.exe goldprimeldlldf.exe PID 4900 wrote to memory of 2132 4900 explorgu.exe NewB.exe PID 4900 wrote to memory of 2132 4900 explorgu.exe NewB.exe PID 4900 wrote to memory of 2132 4900 explorgu.exe NewB.exe PID 2392 wrote to memory of 2060 2392 goldprimeldlldf.exe RegAsm.exe PID 2392 wrote to memory of 2060 2392 goldprimeldlldf.exe RegAsm.exe PID 2392 wrote to memory of 2060 2392 goldprimeldlldf.exe RegAsm.exe PID 2392 wrote to memory of 2060 2392 goldprimeldlldf.exe RegAsm.exe PID 2392 wrote to memory of 2060 2392 goldprimeldlldf.exe RegAsm.exe PID 2392 wrote to memory of 2060 2392 goldprimeldlldf.exe RegAsm.exe PID 2392 wrote to memory of 2060 2392 goldprimeldlldf.exe RegAsm.exe PID 2392 wrote to memory of 2060 2392 goldprimeldlldf.exe RegAsm.exe PID 4700 wrote to memory of 2468 4700 explorha.exe 423a9955c7.exe PID 4700 wrote to memory of 2468 4700 explorha.exe 423a9955c7.exe PID 4700 wrote to memory of 2468 4700 explorha.exe 423a9955c7.exe PID 4700 wrote to memory of 4708 4700 explorha.exe explorha.exe PID 4700 wrote to memory of 4708 4700 explorha.exe explorha.exe PID 4700 wrote to memory of 4708 4700 explorha.exe explorha.exe PID 2132 wrote to memory of 388 2132 NewB.exe schtasks.exe PID 2132 wrote to memory of 388 2132 NewB.exe schtasks.exe PID 2132 wrote to memory of 388 2132 NewB.exe schtasks.exe PID 4932 wrote to memory of 1356 4932 rundll32.exe NewB.exe PID 4932 wrote to memory of 1356 4932 rundll32.exe NewB.exe PID 4700 wrote to memory of 1600 4700 explorha.exe go.exe PID 4700 wrote to memory of 1600 4700 explorha.exe go.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe"C:\Users\Admin\AppData\Local\Temp\7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000042001\423a9955c7.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\423a9955c7.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\360119756166_Desktop.zip' -CompressionLevel Optimal6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\360119756166_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1001061001\Second2.exe"C:\Users\Admin\AppData\Local\Temp\1001061001\Second2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 20804⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1001063001\Tcgprylsch.exe"C:\Users\Admin\AppData\Local\Temp\1001063001\Tcgprylsch.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\$77879d2e"C:\Users\Admin\AppData\Local\Temp\$77879d2e"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 3564⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\$77d1ba65"C:\Users\Admin\AppData\Local\Temp\$77d1ba65"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\1001065001\koooooo.exe"C:\Users\Admin\AppData\Local\Temp\1001065001\koooooo.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 8003⤵
- Program crash
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Virtualization/Sandbox Evasion
2Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\MicrosoftEdge\SharedCacheContainers\MicrosoftEdge_iecompat\IECompatData.xmlFilesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\K7USB5M3\4Kv5U5b1o3f[1].pngFilesize
610B
MD5a81a5e7f71ae4153e6f888f1c92e5e11
SHA139c3945c30abff65b372a7d8c691178ae9d9eee0
SHA2562bc7a47889c56ad49f1b8b97385d5a4d212e79bb8a9b30df0665a165f58b273e
SHA5121df32349b33f6a6fcb1f8b6093abd737fa0638cdd6e3fd90a7e1852bd0e40bc2633cb4e13c4824fb948d1e012e5cb9eed0b038b121404865495d4e57e123db69
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\K7USB5M3\favicon[1].pngFilesize
5KB
MD53e764f0f737767b30a692fab1de3ce49
SHA158fa0755a8ee455819769ee0e77c23829bf488dd
SHA25688ae5454a7c32c630703440849d35c58f570d8eecc23c071dbe68d63ce6a40d7
SHA5122831536a2ca9a2562b7be1053df21c2ed51807c9d332878cf349dc0b718d09eeb587423b488c415672c89e42d98d9a9218face1fcf8e773492535cb5bd67e278
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\KHJBVU9U\favicon[1].icoFilesize
5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\VPF73OPT\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\ggcipx0\imagestore.datFilesize
12KB
MD52caf986a0b12d71f67473d98c2f5eacd
SHA1df5a941df889c31a8f146ce99d1face18b64b78e
SHA256f9fc1a4b06a8596b3e32a0a5687689c2add1caba3da58ce5ee111d1ad2a8219f
SHA512ae17028eab07cc8baa6037a0b30ddcd74f5130da5c02150c88e3292c6d651472bdb3c10c16d456269a55c56fd79cf822c500b86e50a702432f023008d64f0698
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\O60DQ2L2.cookieFilesize
314B
MD5ad5024d76b6a12e6c15e5302430f4143
SHA19bb2314b89b9becbdfeebf51a34c0a734320035d
SHA256a41b1b756f1d7e4ecbb8f07280ed0a052bdc8030aa68db72a200b6deb6e5646b
SHA512ebd795610d4d6ec66b05662fbb5cf643bd377beab95667d4452e6372ee398108d7a1cc3a9807c3a67b59d3edd1125bfa56e2230367a053fac879d5a905b34517
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD5a3a57662a1095afd27ab6d62641b7303
SHA12f9d1ab0941054042bfe3ff1daf8423f510fb71c
SHA256c253d7ff72688d726f8541743c321270e01ef0eb773fbd2ddf617183849f4569
SHA512c356d9323d68ceac154310973ebde80e35c1dfdd888e908beec4f4068519d2b9239a830bc4409964894ef4ad5aaa4a6ec919a13176d45abc2bf9c232bd902c08
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15Filesize
472B
MD5642cfb21aa53a72ac8abb649ff92c232
SHA164584283642383066430afd8a8435a0f23be4f99
SHA25670ac8050d0ef9976c6a15d49c715a6df84dfcf4fbd81a9dd1d239b957c2aa057
SHA5124f51fe86323d97653f7bd04ec0a2054117ca5cc546598e5d9d2cc85cd9e63f170d65d9209549ec2c8d6b7582734406dfcabe6f9c9d8dc6827a4edbb6116a716b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
724B
MD5ac89a852c2aaa3d389b2d2dd312ad367
SHA18f421dd6493c61dbda6b839e2debb7b50a20c930
SHA2560b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABFilesize
471B
MD5554f73760e37f19a03bacfcf524e1c09
SHA18544e2779976557139db217ec68bef5f414f6755
SHA256a599b9bd44c2cfe5faf399c6f4d08f4d10d9891d8ccd00df673772997e5074b4
SHA512b98b9ee5f19c15ae956e1b7e65ca5220c13ce95bd43b9359cafab3debbbda6f5425ceb56098e3bf42294a607c5c8a06240429718f3d00bebb26a7c276fbe304b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5bd981052f28a0adf4329e6728575c608
SHA1868773e82eeebd9b9671fb667d6291be57d60a5a
SHA2566ead5be3e261ba844f92c4298cc60ce3ca5238a57a46a8346ffe75d3028eb8d3
SHA512af67efcbf90a6a44a3b6e3915d759c72e03ddfe6cfcd0394cce5dae6395dd40487a5ccca6ce67abbd1e0b50e787b0f564a8aebc3d1255efed8686d72f809cfcb
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15Filesize
402B
MD561acc13efef9fa62ec80c6d767d4fc93
SHA181f18991bf56121ed5e6d95bb591de25b9dba163
SHA256829c1d45da5a85cc119a33dd0e2c5c4a8128b315d86b9f0b95d57d8f6b980075
SHA512548156e91ca4c33c6c36bc167f29994ee48f9ee21717ed3953717195ae4137a579326ebb3f15d8a930710a7674e9e8680818edc733e23aa2c689956c25ce0022
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_3D65F78045EB197CCA4BB898D46D5AFAFilesize
408B
MD5f5ae0cb05d2ab4ead3bfee587b0b20da
SHA19aa14997b9c194fe18c8f670626cb01c899bdc72
SHA25674702919919e1e637f68009c37aa277ece51bc9b24ed8f396ce8f5bef982dc17
SHA5124f48f04b7288eeba0e9c95e51c67d8faf5d04e1f970ec171912e22dddde112e9c8cb86bdda2360f72a6f9881088b34d0c5002a7960629165a7ad0fa17af7f88f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
392B
MD5950109819e2b472a0c253a1d5dd48540
SHA160d826f69cd4fd5cfc4604a6329113f2c4f29f07
SHA256218bacff7fc3a8c69d96a53d3b4e4c0f2e4abd6f44ac3d04b8e94cbe687cd7be
SHA5129d5f97f6e5fe8f0348d929b7b7b002105cd564e0874438cbb83e0e8c56b597b1baaef2a483bb4cf8c8f71ba61954b6ed46977ad1d7f31b9273db81b19c67d27e
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
392B
MD540779c5aee8a391c58e309689d3f2751
SHA160f6120d8d2174d68223dda84c8ba6f5246bf239
SHA256c0806a2c014bc7c303b6adea93a207557e9d1d2693a5f9e80f3e97bb00fc54e8
SHA512f3567abda994a123256550e0e9da4b27f09764430ce5fdf0521f429df97881a44228e4ee8b724cace9ce0562b2bf8b05ce35eab597a53a1c77cd332bb2044dd0
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABFilesize
396B
MD5535094b68d6e67a2bd51ef808610571d
SHA1da089801c610f5c5717430f1ceac080aa9723866
SHA2562fb74c3d94c6739b46e4b45578aad94dd5104549cd3f873cc49a41f24383cea5
SHA512d13bd3ce0c7f3b021e94cc6ca8438afde6f5a8af72ce2c61f71380b5ced6a381408d0fdf0030cac3ff8974006c76db446163d4e8d82d5b241becca3d91e45b64
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeFilesize
1.9MB
MD5864674e8be395eb28bb181184add5c01
SHA179bb9c0ae54bf8572328af06b6576327bd0a386c
SHA2567ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da
SHA5127f85146e5cca26f5a388aeea88cf9d86819aed6e240c3b94569967a2074654327e531be66f1335f9fa0790f13844c65315a3020d0e9c6bdce40c3605164abc25
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exeFilesize
894KB
MD52f8912af892c160c1c24c9f38a60c1ab
SHA1d2deae508e262444a8f15c29ebcc7ebbe08a3fdb
SHA25659ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308
SHA5120395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exeFilesize
1.8MB
MD5e987c0d1f94b8822546051f3c26f5642
SHA11e794dfe9466635fecbe6d56ae101ec78574612b
SHA256554dd18b0e628c29403b6347705302cc346656bc26ae31d9cf811ea09534c3e6
SHA512a80bb8a7890a7de141fa33bf200f097c6e6e3cf307fa34d73c37c5b9a3508e5dbd06dc289ebd5f0ed74368f2c80c0ed2e8b0d56797e89055bb3cca815d320e86
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exeFilesize
3.0MB
MD5eb7de560bf4235d6726be4f9bf79d237
SHA1e3040ce9afdd5f138bc386e3b5a155d0d36b040d
SHA25649005f855f20cd3ed6d7b142af30f8eb229ab93ffe4e9740f8615bf5f148ee84
SHA5129268f92fb31d9c1cb3976c0eb7211fafabe4e215d806cb42ea56ca0a4cee48ce8cd086886604f62fdc1404b5e051e41cb7c2bb99b3037197eb3f2bfbb79ff513
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exeFilesize
1.9MB
MD5c4414cc9ec67035a4edb2f20cc56fcdd
SHA13b48efb50dcb74a1f3a71498d8b33aa802a85c3f
SHA256fab6f5c11615b7b2814ab9e02d105f196c0781e19b5f67dc716b1f0f5cf0f141
SHA5122b1e9d21a0c7788e4d2b83c82163414ef38ec91ec9401a175623056c16779448380bebc5da7d3325775147ed05eb3cfa4b3005d63267111618c5eab5377ba909
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exeFilesize
301KB
MD5832eb4dc3ed8ceb9a1735bd0c7acaf1b
SHA1b622a406927fbb8f6cd5081bd4455fb831948fca
SHA2562a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7
SHA5123ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exeFilesize
499KB
MD583d0b41c7a3a0d29a268b49a313c5de5
SHA146f3251c771b67b40b1f3268caef8046174909a5
SHA25609cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9
SHA512705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exeFilesize
464KB
MD5c084d6f6ba40534fbfc5a64b21ef99ab
SHA10b4a17da83c0a8abbc8fab321931d5447b32b720
SHA256afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624
SHA512a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1001061001\Second2.exeFilesize
4.6MB
MD50c2d303852f827c4852bf46550ea2ed8
SHA17bb54cb67135bbb94d8a26356f3d1e170a71a1a7
SHA256194234e48c362f1bf3be6d02c5b380bfc900a2cf7911a1fc658a5a2ec0d0164f
SHA512c2ab4c4a4bcfd4f9f350e946a08a9be3ded6741ac3981a977c52331a403488b4f224c7f0b01d24af3e351e532b3c3cdeedfe356785e5858411c80793fb3ca307
-
C:\Users\Admin\AppData\Local\Temp\1001063001\Tcgprylsch.exeFilesize
2.4MB
MD569c9404e02e3d62bf925fb6f3e904393
SHA1d9e1c766d54244ed5ad97bed3055ccecbd7e08fd
SHA2566ee5b0595ce9ca29e97c2029236b7df8e4161cd1015954cc9a2c15760c88806c
SHA512209975e9cfe82e3aa0d02410936633eb95682fbf5d31cb8947361fbabcbfad8341fc0888989d5585be86d6a54d55d1c3d57b05cde71014860cf815118ab90e89
-
C:\Users\Admin\AppData\Local\Temp\1001065001\koooooo.exeFilesize
379KB
MD590f41880d631e243cec086557cb74d63
SHA1cb385e4172cc227ba72baf29ca1c4411fa99a26d
SHA25623b62a27e3f5c424b16f31e5009af4f24c8bd13b1f035f87879e2a29236be7a0
SHA512eeb85b34aa66a7e9a1b1807012999ee439433df23126a52ffa8d4b3cb2026be3bcf63ca25f143de58ba929c0d4feeaf2a603fd6ec6b5379fc48147c22f3783e3
-
C:\Users\Admin\AppData\Local\Temp\TmpBA33.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4wa2ggvh.f3u.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3360119756-166634443-3920521668-1000\76b53b3ec448f7ccdda2063b15d2bfc3_cca97d3d-5df4-4f51-a984-5ff4eab03edaFilesize
2KB
MD5f9ea923850c7b26723ee36296362b6a6
SHA1c387f1ede07c56d6d76a8a4699a6851005ea1149
SHA25672418d5a84bb3799e59082014280bce7633320010b60e083efa84b774a4705ea
SHA512e721c2bd401216496eb55eb563851cd71db3b59e5656c907ee349b60360b9ce20b416e7a9e5b117f158e87cc8f58ebfacbf1a360d12c52d03482fd8c14b6e894
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5a1dc3db23a58cef5911ee0cb9236786d
SHA179c9edff48c6ffbb1da8eae05efb430f851e3ecb
SHA256356d0d4f593efc9691870621eed71f8404d0f6af361b1a92020f4938aeddde51
SHA512d4fab870c7039f83ca0a853a214aa9dddba05a39663169e2f3a34bd222ae7348602d9861a947e9322fe057135e587d8009a6b558ebbbeddd8cb8a3c6f4ca64b1
-
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dllFilesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
memory/232-109-0x00000000004B0000-0x0000000000502000-memory.dmpFilesize
328KB
-
memory/232-120-0x0000000004D70000-0x0000000004E02000-memory.dmpFilesize
584KB
-
memory/232-166-0x00000000058B0000-0x0000000005926000-memory.dmpFilesize
472KB
-
memory/232-114-0x00000000725D0000-0x0000000072CBE000-memory.dmpFilesize
6.9MB
-
memory/232-182-0x00000000061C0000-0x00000000061DE000-memory.dmpFilesize
120KB
-
memory/232-123-0x0000000004ED0000-0x0000000004EDA000-memory.dmpFilesize
40KB
-
memory/232-124-0x0000000004EE0000-0x0000000004EF0000-memory.dmpFilesize
64KB
-
memory/232-117-0x00000000051D0000-0x00000000056CE000-memory.dmpFilesize
5.0MB
-
memory/664-82-0x00000000725D0000-0x0000000072CBE000-memory.dmpFilesize
6.9MB
-
memory/664-57-0x0000000000060000-0x000000000021C000-memory.dmpFilesize
1.7MB
-
memory/664-58-0x00000000725D0000-0x0000000072CBE000-memory.dmpFilesize
6.9MB
-
memory/664-59-0x00000000025E0000-0x00000000025F0000-memory.dmpFilesize
64KB
-
memory/664-83-0x0000000002650000-0x0000000004650000-memory.dmpFilesize
32.0MB
-
memory/1268-184-0x0000000005770000-0x00000000057BB000-memory.dmpFilesize
300KB
-
memory/1268-177-0x0000000005E30000-0x0000000005F3A000-memory.dmpFilesize
1.0MB
-
memory/1268-121-0x00000000725D0000-0x0000000072CBE000-memory.dmpFilesize
6.9MB
-
memory/1268-178-0x0000000005630000-0x0000000005642000-memory.dmpFilesize
72KB
-
memory/1268-115-0x0000000000BE0000-0x0000000000C30000-memory.dmpFilesize
320KB
-
memory/1268-122-0x0000000005660000-0x0000000005670000-memory.dmpFilesize
64KB
-
memory/1268-180-0x0000000005730000-0x000000000576E000-memory.dmpFilesize
248KB
-
memory/1268-165-0x0000000006440000-0x0000000006A46000-memory.dmpFilesize
6.0MB
-
memory/1808-42-0x0000000001140000-0x00000000014FF000-memory.dmpFilesize
3.7MB
-
memory/1808-196-0x0000000001140000-0x00000000014FF000-memory.dmpFilesize
3.7MB
-
memory/1808-161-0x0000000001140000-0x00000000014FF000-memory.dmpFilesize
3.7MB
-
memory/1808-43-0x0000000001140000-0x00000000014FF000-memory.dmpFilesize
3.7MB
-
memory/1808-458-0x0000000001140000-0x00000000014FF000-memory.dmpFilesize
3.7MB
-
memory/1808-331-0x0000000001140000-0x00000000014FF000-memory.dmpFilesize
3.7MB
-
memory/1816-77-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/1816-84-0x00000000725D0000-0x0000000072CBE000-memory.dmpFilesize
6.9MB
-
memory/2060-242-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/2468-401-0x0000000000070000-0x000000000042F000-memory.dmpFilesize
3.7MB
-
memory/2864-460-0x000001D4A0500000-0x000001D4A068A000-memory.dmpFilesize
1.5MB
-
memory/2864-426-0x000001D4A00F0000-0x000001D4A00F2000-memory.dmpFilesize
8KB
-
memory/2864-310-0x000001D49FD20000-0x000001D49FD30000-memory.dmpFilesize
64KB
-
memory/2864-356-0x000001D49FF20000-0x000001D49FF30000-memory.dmpFilesize
64KB
-
memory/3612-89-0x0000000004B20000-0x0000000004B21000-memory.dmpFilesize
4KB
-
memory/3612-85-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/3612-119-0x0000000004BB0000-0x0000000004BB1000-memory.dmpFilesize
4KB
-
memory/3612-87-0x0000000004B40000-0x0000000004B41000-memory.dmpFilesize
4KB
-
memory/3612-86-0x0000000004B60000-0x0000000004B61000-memory.dmpFilesize
4KB
-
memory/3612-118-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/3612-75-0x0000000001140000-0x000000000160F000-memory.dmpFilesize
4.8MB
-
memory/3612-88-0x0000000004B80000-0x0000000004B81000-memory.dmpFilesize
4KB
-
memory/3612-90-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/3612-174-0x0000000001140000-0x000000000160F000-memory.dmpFilesize
4.8MB
-
memory/3612-91-0x0000000001140000-0x000000000160F000-memory.dmpFilesize
4.8MB
-
memory/3744-181-0x00007FF82AC90000-0x00007FF82B67C000-memory.dmpFilesize
9.9MB
-
memory/3744-183-0x0000000000EE0000-0x0000000000EF0000-memory.dmpFilesize
64KB
-
memory/3744-168-0x0000000000690000-0x000000000071C000-memory.dmpFilesize
560KB
-
memory/4700-200-0x0000000000B70000-0x000000000103F000-memory.dmpFilesize
4.8MB
-
memory/4700-201-0x00000000054F0000-0x00000000054F1000-memory.dmpFilesize
4KB
-
memory/4700-279-0x0000000000B70000-0x000000000103F000-memory.dmpFilesize
4.8MB
-
memory/4700-445-0x0000000000B70000-0x000000000103F000-memory.dmpFilesize
4.8MB
-
memory/4700-186-0x0000000000B70000-0x000000000103F000-memory.dmpFilesize
4.8MB
-
memory/4900-25-0x0000000004F30000-0x0000000004F31000-memory.dmpFilesize
4KB
-
memory/4900-246-0x00000000000D0000-0x00000000005A8000-memory.dmpFilesize
4.8MB
-
memory/4900-28-0x0000000004F90000-0x0000000004F91000-memory.dmpFilesize
4KB
-
memory/4900-27-0x0000000004FA0000-0x0000000004FA1000-memory.dmpFilesize
4KB
-
memory/4900-395-0x00000000000D0000-0x00000000005A8000-memory.dmpFilesize
4.8MB
-
memory/4900-18-0x00000000000D0000-0x00000000005A8000-memory.dmpFilesize
4.8MB
-
memory/4900-76-0x00000000000D0000-0x00000000005A8000-memory.dmpFilesize
4.8MB
-
memory/4900-26-0x0000000004F70000-0x0000000004F71000-memory.dmpFilesize
4KB
-
memory/4900-19-0x00000000000D0000-0x00000000005A8000-memory.dmpFilesize
4.8MB
-
memory/4900-20-0x0000000004F50000-0x0000000004F51000-memory.dmpFilesize
4KB
-
memory/4900-22-0x0000000004F40000-0x0000000004F41000-memory.dmpFilesize
4KB
-
memory/4900-21-0x0000000004F60000-0x0000000004F61000-memory.dmpFilesize
4KB
-
memory/4900-24-0x0000000004F20000-0x0000000004F21000-memory.dmpFilesize
4KB
-
memory/4900-23-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/4900-111-0x00000000000D0000-0x00000000005A8000-memory.dmpFilesize
4.8MB
-
memory/4940-2-0x0000000000150000-0x0000000000628000-memory.dmpFilesize
4.8MB
-
memory/4940-8-0x0000000004C00000-0x0000000004C01000-memory.dmpFilesize
4KB
-
memory/4940-7-0x0000000004C10000-0x0000000004C11000-memory.dmpFilesize
4KB
-
memory/4940-6-0x0000000004BF0000-0x0000000004BF1000-memory.dmpFilesize
4KB
-
memory/4940-5-0x0000000004C50000-0x0000000004C51000-memory.dmpFilesize
4KB
-
memory/4940-4-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/4940-9-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/4940-0-0x0000000000150000-0x0000000000628000-memory.dmpFilesize
4.8MB
-
memory/4940-3-0x0000000004C20000-0x0000000004C21000-memory.dmpFilesize
4KB
-
memory/4940-1-0x0000000077624000-0x0000000077625000-memory.dmpFilesize
4KB
-
memory/4940-15-0x0000000000150000-0x0000000000628000-memory.dmpFilesize
4.8MB
-
memory/4940-10-0x0000000004C70000-0x0000000004C71000-memory.dmpFilesize
4KB
-
memory/6032-453-0x0000000005880000-0x0000000005ABB000-memory.dmpFilesize
2.2MB
-
memory/6032-492-0x0000000005880000-0x0000000005ABB000-memory.dmpFilesize
2.2MB
-
memory/6032-488-0x0000000005880000-0x0000000005ABB000-memory.dmpFilesize
2.2MB
-
memory/6032-484-0x0000000005880000-0x0000000005ABB000-memory.dmpFilesize
2.2MB
-
memory/6032-477-0x0000000005880000-0x0000000005ABB000-memory.dmpFilesize
2.2MB
-
memory/6032-463-0x0000000005880000-0x0000000005ABB000-memory.dmpFilesize
2.2MB
-
memory/6032-459-0x0000000005880000-0x0000000005ABB000-memory.dmpFilesize
2.2MB
-
memory/6032-455-0x0000000005880000-0x0000000005ABB000-memory.dmpFilesize
2.2MB
-
memory/6032-452-0x0000000005880000-0x0000000005ABB000-memory.dmpFilesize
2.2MB