Analysis
- max time kernel: 38s
- max time network: 53s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-03-2024 19:40
Static task: static1
Behavioral task: behavioral1
Sample: 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe
Resource: win7-20240221-en
General
- Target: 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe
- Size: 1.8MB
- MD5: da93cf6f4a8373fa42f8f0dbff19618e
- SHA1: c7331e83122bbd3f3ff76f93bc475cc5389dc841
- SHA256: 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180
- SHA512: ea767c5d3fa1d9b64d9c71732e86e14c6b5201aaba58a2cae5e4a6ffb7546eda7637c710ffad990fa62588c0f0ca20de92f6fa6c44610d9d405f3de29f74c8e2
- SSDEEP: 49152:b0fG78RFqFTxo8JBWWajC7FbP672rkmvHR7fvghKURVSg1T:b01RFsxo8ac79PnDZgKIL1
Malware Config
Extracted: amadey 4.18, http://193.233.132.56
- install_dir: 09fd851a4f
- install_file: explorha.exe
- strings_key: 443351145ece4966ded809641c77cfa8
- url_paths: /Pneh2sXQk0/index.php
Extracted: amadey 4.17, http://185.215.113.32
- install_dir: 00c07260dc
- install_file: explorgu.exe
- strings_key: 461809bd97c251ba0c0c8450c7055f1d
- url_paths: /yandex/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes: 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe, explorha.exe, 2ef968bcba.exe, amert.exe, explorha.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorha.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2ef968bcba.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | amert.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorha.exe
-
Blocklisted process makes network request 1 IoCs
Processes: rundll32.exe
flow | pid | process
55 | 4248 | rundll32.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe, explorha.exe, amert.exe, explorha.exe, 2ef968bcba.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | amert.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | amert.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2ef968bcba.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2ef968bcba.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe, explorha.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | explorha.exe
-
Executes dropped EXE 5 IoCs
Processes: explorha.exe, 2ef968bcba.exe, go.exe, amert.exe, explorha.exe
pid | process
2272 | explorha.exe
1216 | 2ef968bcba.exe
64 | go.exe
1476 | amert.exe
3056 | explorha.exe
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe, explorha.exe, 2ef968bcba.exe, amert.exe, explorha.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine | 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe
Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine | explorha.exe
Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine | 2ef968bcba.exe
Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine | amert.exe
Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine | explorha.exe
-
Loads dropped DLL 2 IoCs
Processes: rundll32.exe, rundll32.exe
pid | process
4024 | rundll32.exe
4248 | rundll32.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorha.exe, 2ef968bcba.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe" | explorha.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe" | 2ef968bcba.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
114 | ipinfo.io
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes: 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe, explorha.exe, amert.exe, explorha.exe
pid | process
4976 | 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe
2272 | explorha.exe
1476 | amert.exe
3056 | explorha.exe
-
Drops file in Windows directory 2 IoCs
Processes: 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe, amert.exe
description | ioc | process
File created | C:\Windows\Tasks\explorha.job | 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe
File created | C:\Windows\Tasks\explorgu.job | amert.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
1000 | schtasks.exe
4844 | schtasks.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes: 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe, explorha.exe, amert.exe, explorha.exe, rundll32.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, powershell.exe, identity_helper.exe
pid | process (consecutive identical events collapsed; 31 events in total)
4976 | 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe (x2)
2272 | explorha.exe (x2)
1476 | amert.exe (x2)
3056 | explorha.exe (x2)
4248 | rundll32.exe (x6)
1036 | msedge.exe (x2)
4628 | msedge.exe (x2)
2316 | msedge.exe (x2)
5428 | msedge.exe (x2)
4248 | rundll32.exe (x4)
4092 | powershell.exe (x3)
5724 | identity_helper.exe (x2)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes: msedge.exe
pid | process (consecutive identical events collapsed; 8 events in total)
2316 | msedge.exe (x8)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: powershell.exe
description | pid | process
Token: SeDebugPrivilege | 4092 | powershell.exe
-
Suspicious use of FindShellTrayWindow 30 IoCs
Processes: 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe, go.exe, msedge.exe
pid | process (consecutive identical events collapsed; 30 events in total)
4976 | 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe
64 | go.exe (x4)
2316 | msedge.exe (x25)
-
Suspicious use of SendNotifyMessage 28 IoCs
Processes: go.exe, msedge.exe
pid | process (consecutive identical events collapsed; 28 events in total)
64 | go.exe (x4)
2316 | msedge.exe (x24)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe, explorha.exe, go.exe, msedge.exe, msedge.exe, msedge.exe, rundll32.exe, rundll32.exe
description | pid | process | target process (consecutive identical events collapsed; 64 events in total)
PID 4976 wrote to memory of 2272 | 4976 | 0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe | explorha.exe (x3)
PID 2272 wrote to memory of 1216 | 2272 | explorha.exe | 2ef968bcba.exe (x3)
PID 2272 wrote to memory of 1452 | 2272 | explorha.exe | explorha.exe (x3)
PID 2272 wrote to memory of 64 | 2272 | explorha.exe | go.exe (x3)
PID 64 wrote to memory of 4524 | 64 | go.exe | msedge.exe (x2)
PID 64 wrote to memory of 2316 | 64 | go.exe | msedge.exe (x2)
PID 64 wrote to memory of 1832 | 64 | go.exe | msedge.exe (x2)
PID 1832 wrote to memory of 3432 | 1832 | msedge.exe | msedge.exe (x2)
PID 2316 wrote to memory of 4936 | 2316 | msedge.exe | msedge.exe (x2)
PID 4524 wrote to memory of 4616 | 4524 | msedge.exe | msedge.exe (x2)
PID 2272 wrote to memory of 1476 | 2272 | explorha.exe | amert.exe (x3)
PID 2272 wrote to memory of 4024 | 2272 | explorha.exe | rundll32.exe (x3)
PID 4024 wrote to memory of 4248 | 4024 | rundll32.exe | rundll32.exe (x2)
PID 4248 wrote to memory of 3360 | 4248 | rundll32.exe | netsh.exe (x2)
PID 2316 wrote to memory of 1780 | 2316 | msedge.exe | msedge.exe (x30)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\0f44e34e1a2c2894760e1971e106ec2685bbcdbcdca39bf6b8f2f8be1bc8e180.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\1000042001\2ef968bcba.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\1000042001\2ef968bcba.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application

      [4] C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
          - Creates scheduled task(s)

      [4] C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
          - Creates scheduled task(s)

    [3] C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

    [3] C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdfb9f46f8,0x7ffdfb9f4708,0x7ffdfb9f4718

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,11580887679903827464,8415082553135087669,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,11580887679903827464,8415082553135087669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfb9f46f8,0x7ffdfb9f4708,0x7ffdfb9f4718

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,5212393093282944482,17534386745269635095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdfb9f46f8,0x7ffdfb9f4708,0x7ffdfb9f4718

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,16307335027496527167,3133539659762123917,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,16307335027496527167,3133539659762123917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses

    [3] C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\SysWOW64\rundll32.exe
        cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\rundll32.exe
          cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\netsh.exe
            cmd: netsh wlan show profiles

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\045580317372_Desktop.zip' -CompressionLevel Optimal
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\rundll32.exe
        cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

[1] C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Credential Access
- Unsecured Credentials (3)
  - Credentials In Files (2)
  - Credentials in Registry (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\85a8e4f6-54fc-4670-b0c0-cd6c0309ceea.tmpFilesize
8KB
MD5fee1ca33dc115aefe528444e6aeece77
SHA1b12ad2bc11bff0110afe5081b3df7d2aea02e170
SHA256482bfbb1ba8780effabbf9a14bf34ece3b37024ddbd8799b31e5b6edbd64eb81
SHA51210cf476d9fced64545407ed90c8221f03e46c4a6ecaf4045b4a1eb1a3126e65a97569595be9a23a4aec6b6f45a6a9f630ab36c9ae5e2d7254aa98c2d6de5b163
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5e494d16e4b331d7fc483b3ae3b2e0973
SHA1d13ca61b6404902b716f7b02f0070dec7f36edbf
SHA256a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165
SHA512016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50764f5481d3c05f5d391a36463484b49
SHA12c96194f04e768ac9d7134bc242808e4d8aeb149
SHA256cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3
SHA512a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2659ca5c-b14a-462e-85f1-c3eefb0f9acc.tmp (7KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (111B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (8KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (1.8MB)
- C:\Users\Admin\AppData\Local\Temp\1000042001\2ef968bcba.exe (3.0MB)
- C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe (894KB)
- C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe (1.8MB)
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4cr5wn0n.yio.ps1 (60B)
- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll (109KB)
- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll (1.2MB)
- \??\pipe\LOCAL\crashpad_2316_OOYDLVEXWPSRXBKH