amadey | b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a

Analysis

max time kernel
150s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
01-04-2024 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe
Size

1.9MB
MD5

6c3c57013cb6c8dc5c801fd7e29410c6
SHA1

5c721eef037b3c4610da64fd65b190e0cd8975e5
SHA256

b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a
SHA512

189f7c358ff013f7ef9a1f773dd99a6361e0c4c8a5400dd38dd1ec0d9739b9dfe9c56e40f8dc3fce1949eebfb192087fc28ba943325a541e2ce1019f63b7be0a
SSDEEP

49152:PI+I2kzfvcjVSJJmM0zB6wxC5Y3BKZ69PMizDO:Q+I2mvcjV2JeHOCBKZ6hMoK

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exeexplorgu.exeexplorha.exeexplorha.exeb9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exeexplorha.exe845ad03dba.exeamert.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	845ad03dba.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

8 3728 rundll32.exe
47 5268 rundll32.exe
57 1980 rundll32.exe
58 4836 rundll32.exe
Downloads MZ/PE file

flow	pid	process
8	3728	rundll32.exe
47	5268	rundll32.exe
57	1980	rundll32.exe
58	4836	rundll32.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exeexplorha.exeexplorgu.exeexplorha.exeamert.exeexplorha.exeexplorha.exe845ad03dba.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	845ad03dba.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	845ad03dba.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe

Executes dropped EXE 8 IoCs

Processes:

explorha.exe845ad03dba.exego.exeamert.exeexplorha.exeexplorgu.exeexplorha.exeexplorha.exe

pid process

4728 explorha.exe
3868 845ad03dba.exe
1420 go.exe
5564 amert.exe
5884 explorha.exe
5884 explorgu.exe
5196 explorha.exe
5964 explorha.exe

pid	process
4728	explorha.exe
3868	845ad03dba.exe
1420	go.exe
5564	amert.exe
5884	explorha.exe
5884	explorgu.exe
5196	explorha.exe
5964	explorha.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exeexplorha.exeb9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exeexplorha.exe845ad03dba.exeamert.exeexplorha.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	845ad03dba.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorgu.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

1792 rundll32.exe
3728 rundll32.exe
5268 rundll32.exe
1012 rundll32.exe
1980 rundll32.exe
4836 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1792	rundll32.exe
3728	rundll32.exe
5268	rundll32.exe
1012	rundll32.exe
1980	rundll32.exe
4836	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\845ad03dba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\845ad03dba.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exeexplorha.exeamert.exeexplorha.exeexplorgu.exeexplorha.exeexplorha.exe

pid	process
756	b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe
4728	explorha.exe
5564	amert.exe
5884	explorha.exe
5884	explorgu.exe
5196	explorha.exe
5964	explorha.exe

Drops file in Windows directory 2 IoCs

Processes:

b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe
File created	C:\Windows\Tasks\explorgu.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exeexplorha.exerundll32.exemsedge.exemsedge.exemsedge.exemsedge.exepowershell.exeamert.exeidentity_helper.exeexplorha.exemsedge.exeexplorgu.exeexplorha.exerundll32.exepowershell.exemsedge.exeexplorha.exe

pid	process
756	b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe
756	b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe
4728	explorha.exe
4728	explorha.exe
3728	rundll32.exe
3728	rundll32.exe
3728	rundll32.exe
3728	rundll32.exe
3728	rundll32.exe
3728	rundll32.exe
2088	msedge.exe
2088	msedge.exe
2696	msedge.exe
2696	msedge.exe
560	msedge.exe
560	msedge.exe
4740	msedge.exe
4740	msedge.exe
3728	rundll32.exe
3728	rundll32.exe
3728	rundll32.exe
3728	rundll32.exe
2508	powershell.exe
2508	powershell.exe
2508	powershell.exe
5564	amert.exe
5564	amert.exe
5928	identity_helper.exe
5928	identity_helper.exe
5884	explorha.exe
5884	explorha.exe
2904	msedge.exe
2904	msedge.exe
5884	explorgu.exe
5884	explorgu.exe
5196	explorha.exe
5196	explorha.exe
1980	rundll32.exe
1980	rundll32.exe
1980	rundll32.exe
1980	rundll32.exe
1980	rundll32.exe
1980	rundll32.exe
1980	rundll32.exe
1980	rundll32.exe
1980	rundll32.exe
1980	rundll32.exe
4776	powershell.exe
4776	powershell.exe
4776	powershell.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
5964	explorha.exe
5964	explorha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2508 powershell.exe
Token: SeDebugPrivilege 4776 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exego.exemsedge.exe

pid	process
756	b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe
1420	go.exe
1420	go.exe
1420	go.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

go.exemsedge.exe

pid	process
1420	go.exe
1420	go.exe
1420	go.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exeexplorha.exerundll32.exerundll32.exego.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 756 wrote to memory of 4728	756	b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe	explorha.exe
PID 756 wrote to memory of 4728	756	b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe	explorha.exe
PID 756 wrote to memory of 4728	756	b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe	explorha.exe
PID 4728 wrote to memory of 3868	4728	explorha.exe	845ad03dba.exe
PID 4728 wrote to memory of 3868	4728	explorha.exe	845ad03dba.exe
PID 4728 wrote to memory of 3868	4728	explorha.exe	845ad03dba.exe
PID 4728 wrote to memory of 1148	4728	explorha.exe	explorha.exe
PID 4728 wrote to memory of 1148	4728	explorha.exe	explorha.exe
PID 4728 wrote to memory of 1148	4728	explorha.exe	explorha.exe
PID 4728 wrote to memory of 1792	4728	explorha.exe	rundll32.exe
PID 4728 wrote to memory of 1792	4728	explorha.exe	rundll32.exe
PID 4728 wrote to memory of 1792	4728	explorha.exe	rundll32.exe
PID 4728 wrote to memory of 1420	4728	explorha.exe	go.exe
PID 4728 wrote to memory of 1420	4728	explorha.exe	go.exe
PID 4728 wrote to memory of 1420	4728	explorha.exe	go.exe
PID 1792 wrote to memory of 3728	1792	rundll32.exe	rundll32.exe
PID 1792 wrote to memory of 3728	1792	rundll32.exe	rundll32.exe
PID 3728 wrote to memory of 2996	3728	rundll32.exe	netsh.exe
PID 3728 wrote to memory of 2996	3728	rundll32.exe	netsh.exe
PID 1420 wrote to memory of 2696	1420	go.exe	msedge.exe
PID 1420 wrote to memory of 2696	1420	go.exe	msedge.exe
PID 2696 wrote to memory of 1120	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 1120	2696	msedge.exe	msedge.exe
PID 1420 wrote to memory of 4328	1420	go.exe	msedge.exe
PID 1420 wrote to memory of 4328	1420	go.exe	msedge.exe
PID 4328 wrote to memory of 4028	4328	msedge.exe	msedge.exe
PID 4328 wrote to memory of 4028	4328	msedge.exe	msedge.exe
PID 1420 wrote to memory of 2108	1420	go.exe	msedge.exe
PID 1420 wrote to memory of 2108	1420	go.exe	msedge.exe
PID 2108 wrote to memory of 2244	2108	msedge.exe	msedge.exe
PID 2108 wrote to memory of 2244	2108	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe
PID 2696 wrote to memory of 4828	2696	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe
"C:\Users\Admin\AppData\Local\Temp\b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\1000042001\845ad03dba.exe
    "C:\Users\Admin\AppData\Local\Temp\1000042001\845ad03dba.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:3868
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3728
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
- - C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
    "C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x78,0x10c,0x7ffa78363cb8,0x7ffa78363cc8,0x7ffa78363cd8
        5⤵
        
        PID:1120
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
        5⤵
        
        PID:4828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
        5⤵
        
        PID:1080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
        5⤵
        
        PID:2932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
        5⤵
        
        PID:1696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
        5⤵
        
        PID:2408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
        5⤵
        
        PID:2328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
        5⤵
        
        PID:3252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
        5⤵
        
        PID:2368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2900 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
        5⤵
        
        PID:5392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
        5⤵
        
        PID:1032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
        5⤵
        
        PID:4944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
        5⤵
        
        PID:5504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
        5⤵
        
        PID:2208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
        5⤵
        
        PID:2272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
        5⤵
        
        PID:5624
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
        5⤵
        
        PID:5736
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,7558886312697764696,5481633824171863695,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3328 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa78363cb8,0x7ffa78363cc8,0x7ffa78363cd8
        5⤵
        
        PID:4028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,7601567292765559965,5466578649983886665,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:2
        5⤵
        
        PID:1700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1964,7601567292765559965,5466578649983886665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x7c,0x10c,0x7ffa78363cb8,0x7ffa78363cc8,0x7ffa78363cd8
        5⤵
        
        PID:2244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,10560762767006012129,9404043448997061937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4740
- - C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5564
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:5268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5884

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5884
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:1012
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1980
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:5488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4776
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4836

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5196

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b1e59e67b947d63336fe9c8a1a5cebc

SHA1
5dc7146555c05d8eb1c9680b1b5c98537dd19b91

SHA256
7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263

SHA512
2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e10a8550dceecf34b33a98b85d5fa0b

SHA1
357ed761cbff74e7f3f75cd15074b4f7f3bcdce0

SHA256
5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61

SHA512
fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
0c1a5e72bbae26d0a0b65a0b9b32629e

SHA1
b8ab2942b800e62e22955a7283734fe9507f6821

SHA256
8f0f7f1e2c53afe20a42e47ed43ec8d61134f5045bf5e4d1567b1dc4b99f5735

SHA512
b1f8d86176827dd0e3ef90ed9d3a499a9822e7543eb853b1a343980fd9c54624fb0713a19c4e448886f9d850850ded8702970bb29a974824ca8220bb9cdc4837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
78d0a9ffd1523a5f45106640c5ab9235

SHA1
f90609f2ddf5108a8d6b341dc5c72cd041779a70

SHA256
4ed56509fd55c082942dcb0a8af42f5a0b9e5753e2a0e74580b97bbeb0e066db

SHA512
d68b10f56b2bb118637a5d0f0b95b993919c306390e7d4dfbd358b7968d4bf450a0955eb2b427f27c5fb22733222e59b1cd6f4515a95c0597912edbe494edee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0564ccca6d517b111862322395492790

SHA1
4ccb92cb8ad07b74f5f743f9358e141a41889fb9

SHA256
6093addccb39c6d8e4ff87bfe323c4c64b656ec9a448054720b57cbac62765df

SHA512
1c6f3bbeb4d1c16002a6cf3c4378b51a9c1bd00a15c611a0647f504b99c5cdbe8bccc12bfc032c8f9af6462d1328dfedde8787f4a214614149c8954ee9000a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a0dbcd03a2c844593b568a9d3cad8f8d

SHA1
dc74f7738895ab1597445560f6d1e49d9140e895

SHA256
65d972c6214d24eb3c8274eb0096bf01ce3e34e7c82300e1a45eb87227fb35f7

SHA512
a4b6901bcdb7ad00642773ba2b074bf0cffc4dfba174ba7f13f436a76517df69b2189157fc534763f9d5a2476094d0229e478d1a1b7e96a1241da63b4bc9f517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7c3044325ad14fc822946b4c0e26785c

SHA1
0bfcb68fbb70438b029c5d2065d05b7d9481a6d9

SHA256
8a492a1c9b97685464baf11ce81f9268c4f9612d77b708c369382761323d6c89

SHA512
631354f471664360f5394e8d32c578184d4dad7dbc9c4dbeec012dad0bd1e61239da97d3b1d2ba65247811f60f2b9c6c7a6d4982a61b51527f451d4ea6f941d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
540B

MD5
b3ee07c200c9100f5de594702e29eb21

SHA1
6e81327d7e456618e058df15856a6d52a4c64116

SHA256
498321aa9a5a87603b2ecf7e7b85cec18effc88d3a1818674e2d818e04c78b67

SHA512
9d74b8272d009160bc72bbeaf0ba1e0e42fab14fbb8b07e810aa543108656fc8501188818339e96e11049d2b6ab0c4dec1d7fee4bb4b5ba701cd053bd8c8016e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
540B

MD5
8d973241751b9db096bfa13f2234c3f4

SHA1
da459e3497c57df59fb13e7e0b7f5e49ebbeed50

SHA256
b1437aaacc60a61cb24a8cc2e7e9e851ef7cabb608a95a8c09c7c8952320c414

SHA512
1ef466b68e9115a236688f1003ae14198a44b5164e5b6b44574d205c403062e8af23c2b518802f57b44f9f9e516e0067f50121ec3bb0d64e948e28cd7c2f73a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
540B

MD5
9710302848f46af265de62e5700b0d4c

SHA1
9fa32d0f990590473edac9e18aa129a0ec753b46

SHA256
053af6131698890ba01d002c3fa274e9dd99b7e701daa73ab0a3a48f4fd30e10

SHA512
28e99987d0a7458aee27006e1ba844dc91575bef5d4a0e4335a28b2240ee8c87c65ea6f1054b6e1dac73f826e0dd12e124313ae2a027d8f0a38e12940c342500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58078d.TMP

Filesize
540B

MD5
8a9d362e2fb35b201faf5be6613409ff

SHA1
df4a15c882c2fe310ac2f80a44027d866290b02a

SHA256
7809d70a651d4e211d0ebab7f52cd2e39e291258fe762dbef99a9f02961cecc4

SHA512
8b073f9f0cce27c541bed8d5f4b3035d5df56975c826d977071286dc3a006a146cdca4fecfd08f204e52905185583170a68fbc92bbae154c62b0f5cd5750f916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
536a348e660801a33884ee82ddda8da0

SHA1
9828a341c0ccbc8ce09a28c9a5d8862dda196944

SHA256
e5b1b9c1540214a776f33eb24e535237214f79acac460fd953593af213d08338

SHA512
a4a79f931d83fa85dff89dd1977e6565855ce388bd65ee76bf24d3e46bd7277e7fb98cae1d62b7069e6e8f7af6ee38ab169d1f131d0243c625013d868207e34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2a40f0d553d9dae4c0381a931ed4e4cd

SHA1
70d13ac66de5764cb8265ea88a1b60196527d3ae

SHA256
c4873d6fed977b0d36c503c97ee37b4632327c6f48041ec99259b3534535f593

SHA512
338cfe1236bb595222b91f6a99de1e9181ae92159ba44001286e68111dc31a12844f0146d485bf72033f4145af477a0227193db45a1b3bf03e4a638f1384c4ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d32df6bd22cc921d150896da79bb4906

SHA1
dc87f122ef4146fe766204c224e50ee57015384c

SHA256
a50f3b3edf6222d8d2b4c238aa27e713cac64cec6937556439ea149569c3cdfe

SHA512
efd42c9d47d36436ac11d156669c7e54b078d48306e73626fbc9ab8ce6e453f1d4bdacfe7b0a17051ea85892d68230aee194cced991bab13b58adebcc71da283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b06dfa49502c5fc871f0a8203146f35f

SHA1
b229ef7664f7b1a4ab8ef67a9758ce0d65c6a474

SHA256
f671e25c95a58883d74505bd1ddf40dddec2e3fac880e24d8635891fe00e38e1

SHA512
9ac4488c887db86c3397eed1902e4ad3ae8664c6c2698ca606ba0a75468c0ddfcd3a12a4c9ff3e38a84e4510b10ca9a9e9ae526637098c325d4dbad67ba8af05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b3a83d0196afc480a90a1e7444210036

SHA1
6376ef283df20976769287b3bdc6bcd5d5ce371f

SHA256
3ac4190b1c447f3b5365b056150575ec779ffba10b82d940c93009e2f6809a07

SHA512
dfff8f23370ae8ab390b8a3dd675dd71ca6a8d0fac0f0c9a8b43453763ba5fa96a79a4b5a8891bcac86996471b912ca51dfc6b877d647391d14e355191d77370

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.9MB

MD5
6c3c57013cb6c8dc5c801fd7e29410c6

SHA1
5c721eef037b3c4610da64fd65b190e0cd8975e5

SHA256
b9c6320cbd028a4e9d3af0e79285c736ce2c52d750ff9d97666cac68fa5a434a

SHA512
189f7c358ff013f7ef9a1f773dd99a6361e0c4c8a5400dd38dd1ec0d9739b9dfe9c56e40f8dc3fce1949eebfb192087fc28ba943325a541e2ce1019f63b7be0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\845ad03dba.exe

Filesize
3.0MB

MD5
b3988b126acf5f6b0e019e2363130d54

SHA1
344b1642fc3c7ad1a00a722009090f8ef4d4c476

SHA256
84b2b67a779ffc313f3f704f813b0cb74637bcb0052234a2d9af0cb02e47675e

SHA512
1f7690061575f7f437f6405963f2389bd9a030e9167f5b30a371242db565326163859e206f69522e18dea732c847b37d3e64e3ad8916b95115bd9febf63269d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe

Filesize
894KB

MD5
2f8912af892c160c1c24c9f38a60c1ab

SHA1
d2deae508e262444a8f15c29ebcc7ebbe08a3fdb

SHA256
59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308

SHA512
0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe

Filesize
1.8MB

MD5
5d09d77fa64cc1422dc52ea1e6255242

SHA1
3590074f02b0c2ba8f2cc9c67a16ff7eecac0552

SHA256
87ccb95b8f560ac61f574a7fc0f2506ec6cf522a4dddd285eb9877acb30b166c

SHA512
831938948059b1b9275a553f5a5cf7c93540ec92fc205de1ee46162b191c6ed69bf050da756f334379437f09544e9c1db5268f93c5e8bab2ef88679b4844bb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lwwdkrph.qx0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
\??\pipe\LOCAL\crashpad_2696_GNWOGZSZNHVBDAGD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/756-8-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/756-0-0x0000000000140000-0x0000000000610000-memory.dmp

Filesize
4.8MB

Download
memory/756-9-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/756-4-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/756-7-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/756-1-0x0000000077AF6000-0x0000000077AF8000-memory.dmp

Filesize
8KB

Download
memory/756-2-0x0000000000140000-0x0000000000610000-memory.dmp

Filesize
4.8MB

Download
memory/756-21-0x0000000000140000-0x0000000000610000-memory.dmp

Filesize
4.8MB

Download
memory/756-3-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/756-6-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/756-5-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/2508-153-0x0000016AFD360000-0x0000016AFD370000-memory.dmp

Filesize
64KB

Download
memory/2508-225-0x0000016AFD400000-0x0000016AFD40A000-memory.dmp

Filesize
40KB

Download
memory/2508-237-0x00007FFA768C0000-0x00007FFA77382000-memory.dmp

Filesize
10.8MB

Download
memory/2508-224-0x0000016AFD520000-0x0000016AFD532000-memory.dmp

Filesize
72KB

Download
memory/2508-154-0x0000016AFD360000-0x0000016AFD370000-memory.dmp

Filesize
64KB

Download
memory/2508-152-0x00007FFA768C0000-0x00007FFA77382000-memory.dmp

Filesize
10.8MB

Download
memory/2508-151-0x0000016AFD370000-0x0000016AFD392000-memory.dmp

Filesize
136KB

Download
memory/3868-49-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-508-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-585-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-460-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-578-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-283-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-452-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-561-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-430-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-428-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-558-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-403-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-390-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-544-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-385-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-353-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/3868-50-0x0000000000520000-0x00000000008DE000-memory.dmp

Filesize
3.7MB

Download
memory/4728-155-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-25-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/4728-462-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-30-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/4728-51-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-29-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/4728-28-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/4728-26-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/4728-142-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-545-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-391-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-586-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-27-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/4728-509-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-24-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/4728-418-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-338-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-429-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-559-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-23-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-442-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-562-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-453-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-579-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/4728-22-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/5196-477-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/5196-476-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/5196-466-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/5196-482-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/5196-474-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/5196-475-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/5196-478-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/5564-333-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/5564-346-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/5564-288-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/5564-321-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/5564-325-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/5564-324-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/5564-326-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/5564-322-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/5564-334-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/5564-345-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/5564-350-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/5884-342-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/5884-560-0x00000000006E0000-0x0000000000B96000-memory.dmp

Filesize
4.7MB

Download
memory/5884-510-0x00000000006E0000-0x0000000000B96000-memory.dmp

Filesize
4.7MB

Download
memory/5884-341-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/5884-351-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/5884-343-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/5884-464-0x00000000006E0000-0x0000000000B96000-memory.dmp

Filesize
4.7MB

Download
memory/5884-546-0x00000000006E0000-0x0000000000B96000-memory.dmp

Filesize
4.7MB

Download
memory/5884-339-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/5884-340-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/5884-337-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/5884-344-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/5884-352-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download
memory/5884-468-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/5884-563-0x00000000006E0000-0x0000000000B96000-memory.dmp

Filesize
4.7MB

Download
memory/5884-469-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/5884-471-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/5884-472-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/5884-580-0x00000000006E0000-0x0000000000B96000-memory.dmp

Filesize
4.7MB

Download
memory/5884-473-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/5884-470-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/5884-588-0x00000000006E0000-0x0000000000B96000-memory.dmp

Filesize
4.7MB

Download
memory/5884-467-0x00000000006E0000-0x0000000000B96000-memory.dmp

Filesize
4.7MB

Download
memory/5964-598-0x0000000000090000-0x0000000000560000-memory.dmp

Filesize
4.8MB

Download