Analysis
-
max time kernel
89s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28-03-2024 17:03
Static task
static1
Behavioral task
behavioral1
Sample
4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exe
Resource
win10v2004-20240226-en
General
-
Target
4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exe
-
Size
1.8MB
-
MD5
49f89f83647e54b0f496f20b0df58e1e
-
SHA1
5c2f8a91817f95d4878297313ffd70255307a949
-
SHA256
4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328
-
SHA512
73587f588cae207b17b20560feb55666f3f37b73dbf3a2e1d0359fdbb811b447b4e11bca7b033bfb9e55f85a51872320b6260913b6655ec8cbe0fbc9ab486048
-
SSDEEP
49152:CQn88Fvx4hPTXsF8Q/ZfswF4lFQq7uixtv:9nr8Q/KwylFruQtv
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
@OLEH_PSP
185.172.128.33:8970
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
redline
Jok123
185.215.113.67:26260
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect ZGRat V1 30 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe family_zgrat_v1 behavioral1/memory/3752-69-0x0000000000590000-0x000000000074C000-memory.dmp family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_zgrat_v1 behavioral1/memory/5048-437-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-438-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-443-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-446-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-453-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-457-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-460-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-474-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-464-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-477-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-481-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-483-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-487-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-489-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-491-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-493-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-495-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-497-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-509-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-512-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-514-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-516-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-533-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-545-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-550-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-553-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 behavioral1/memory/5048-529-0x00000000057A0000-0x00000000059B6000-memory.dmp family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 7 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe family_redline behavioral1/memory/2560-104-0x0000000000CC0000-0x0000000000D12000-memory.dmp family_redline behavioral1/memory/5044-111-0x0000000000490000-0x000000000051C000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe family_redline behavioral1/memory/2796-187-0x0000000000A60000-0x0000000000AB0000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exeexplorgu.exerandom.exeamadka.exeexplorha.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amadka.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe -
Blocklisted process makes network request 4 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exeflow pid process 53 916 rundll32.exe 91 912 rundll32.exe 92 5452 rundll32.exe 110 4936 rundll32.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 2504 netsh.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorgu.exerandom.exeexplorha.exe4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exeamadka.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe -
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
NewB.exeISetup8.exeexplorha.exeu3qk.0.exeCFHCBKKFIJ.exeexplorgu.exeRegAsm.exeamadka.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation NewB.exe Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation ISetup8.exe Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation explorha.exe Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation u3qk.0.exe Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation CFHCBKKFIJ.exe Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation explorgu.exe Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation amadka.exe -
Executes dropped EXE 20 IoCs
Processes:
explorgu.exerandom.exealex1234.exeTraffic.exepropro.exeamadka.exeredlinepanel.exeexplorha.exe32456.exeNewB.exeISetup8.exetoolspub1.exeEljlre.exeu3qk.0.exeu3qk.1.exe4767d2e713f2021e8fe856e3ea638b58.exe4767d2e713f2021e8fe856e3ea638b58.exeCFHCBKKFIJ.exe8355.exe8355.exepid process 1712 explorgu.exe 4628 random.exe 3752 alex1234.exe 5044 Traffic.exe 2560 propro.exe 748 amadka.exe 2796 redlinepanel.exe 2244 explorha.exe 3116 32456.exe 4248 NewB.exe 4844 ISetup8.exe 3044 toolspub1.exe 5048 Eljlre.exe 4768 u3qk.0.exe 1924 u3qk.1.exe 5144 4767d2e713f2021e8fe856e3ea638b58.exe 376 4767d2e713f2021e8fe856e3ea638b58.exe 3456 CFHCBKKFIJ.exe 4744 8355.exe 3368 8355.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exeexplorgu.exerandom.exeamadka.exeexplorha.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine 4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exe Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine explorgu.exe Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine random.exe Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine amadka.exe Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine explorha.exe -
Loads dropped DLL 8 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exeu3qk.0.exerundll32.exepid process 4060 rundll32.exe 916 rundll32.exe 912 rundll32.exe 5420 rundll32.exe 5452 rundll32.exe 4768 u3qk.0.exe 4768 u3qk.0.exe 4936 rundll32.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\u3qk.1.exe upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorgu.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe" explorgu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" explorgu.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow ioc 170 raw.githubusercontent.com 171 raw.githubusercontent.com 174 drive.google.com 175 drive.google.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 126 api.2ip.ua 127 api.2ip.ua -
Drops file in System32 directory 2 IoCs
Processes:
powershell.exedescription ioc process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exeexplorgu.exeamadka.exeexplorha.exepid process 3356 4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exe 1712 explorgu.exe 748 amadka.exe 2244 explorha.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
alex1234.exe8355.exedescription pid process target process PID 3752 set thread context of 5072 3752 alex1234.exe RegAsm.exe PID 4744 set thread context of 3368 4744 8355.exe 8355.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
4767d2e713f2021e8fe856e3ea638b58.exedescription ioc process File opened (read-only) \??\VBoxMiniRdrDN 4767d2e713f2021e8fe856e3ea638b58.exe -
Drops file in Windows directory 2 IoCs
Processes:
4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exeamadka.exedescription ioc process File created C:\Windows\Tasks\explorgu.job 4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exe File created C:\Windows\Tasks\explorha.job amadka.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid process 6044 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 3056 4844 WerFault.exe ISetup8.exe 5932 4768 WerFault.exe u3qk.0.exe 5308 4768 WerFault.exe u3qk.0.exe 4696 316 WerFault.exe 9911.exe 5656 4296 WerFault.exe 8355.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
toolspub1.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
u3qk.0.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 u3qk.0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString u3qk.0.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3848 schtasks.exe 6028 schtasks.exe 4900 schtasks.exe 5044 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exe4767d2e713f2021e8fe856e3ea638b58.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe -
Processes:
propro.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 propro.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 propro.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exeexplorgu.exeamadka.exerundll32.exeexplorha.exeTraffic.exepowershell.exepropro.exetoolspub1.exeredlinepanel.exeu3qk.0.exe32456.exepid process 3356 4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exe 3356 4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exe 1712 explorgu.exe 1712 explorgu.exe 748 amadka.exe 748 amadka.exe 916 rundll32.exe 916 rundll32.exe 916 rundll32.exe 916 rundll32.exe 916 rundll32.exe 916 rundll32.exe 2244 explorha.exe 2244 explorha.exe 5044 Traffic.exe 5044 Traffic.exe 916 rundll32.exe 916 rundll32.exe 916 rundll32.exe 916 rundll32.exe 2608 powershell.exe 2608 powershell.exe 2608 powershell.exe 2560 propro.exe 2560 propro.exe 3044 toolspub1.exe 3044 toolspub1.exe 2560 propro.exe 2560 propro.exe 2796 redlinepanel.exe 2796 redlinepanel.exe 2796 redlinepanel.exe 2796 redlinepanel.exe 2560 propro.exe 2560 propro.exe 4768 u3qk.0.exe 4768 u3qk.0.exe 3116 32456.exe 3116 32456.exe 3396 3396 3396 3396 3396 3396 3396 3396 2796 redlinepanel.exe 2796 redlinepanel.exe 3396 3396 3396 3396 3396 3396 3396 3396 3396 3396 3396 3396 3396 3396 3396 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
toolspub1.exepid process 3044 toolspub1.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
msedge.exepid process 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Traffic.exe32456.exepowershell.exepropro.exeEljlre.exeredlinepanel.exeRegAsm.exepowershell.exepowershell.exe4767d2e713f2021e8fe856e3ea638b58.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 5044 Traffic.exe Token: SeBackupPrivilege 5044 Traffic.exe Token: SeSecurityPrivilege 5044 Traffic.exe Token: SeSecurityPrivilege 5044 Traffic.exe Token: SeSecurityPrivilege 5044 Traffic.exe Token: SeSecurityPrivilege 5044 Traffic.exe Token: SeDebugPrivilege 3116 32456.exe Token: SeBackupPrivilege 3116 32456.exe Token: SeSecurityPrivilege 3116 32456.exe Token: SeSecurityPrivilege 3116 32456.exe Token: SeSecurityPrivilege 3116 32456.exe Token: SeSecurityPrivilege 3116 32456.exe Token: SeDebugPrivilege 2608 powershell.exe Token: SeDebugPrivilege 2560 propro.exe Token: SeDebugPrivilege 5048 Eljlre.exe Token: SeDebugPrivilege 2796 redlinepanel.exe Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeDebugPrivilege 5072 RegAsm.exe Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeDebugPrivilege 4908 powershell.exe Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeDebugPrivilege 2808 powershell.exe Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeDebugPrivilege 5144 4767d2e713f2021e8fe856e3ea638b58.exe Token: SeImpersonatePrivilege 5144 4767d2e713f2021e8fe856e3ea638b58.exe Token: SeDebugPrivilege 5276 powershell.exe Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeShutdownPrivilege 3396 Token: SeCreatePagefilePrivilege 3396 Token: SeDebugPrivilege 5468 powershell.exe Token: SeShutdownPrivilege 3396 -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid process 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe 5724 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
u3qk.1.exepid process 1924 u3qk.1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
explorgu.exealex1234.exeRegAsm.exeamadka.exerundll32.exerundll32.exeNewB.exeISetup8.exeu3qk.1.exedescription pid process target process PID 1712 wrote to memory of 4628 1712 explorgu.exe random.exe PID 1712 wrote to memory of 4628 1712 explorgu.exe random.exe PID 1712 wrote to memory of 4628 1712 explorgu.exe random.exe PID 1712 wrote to memory of 3752 1712 explorgu.exe alex1234.exe PID 1712 wrote to memory of 3752 1712 explorgu.exe alex1234.exe PID 1712 wrote to memory of 3752 1712 explorgu.exe alex1234.exe PID 3752 wrote to memory of 5072 3752 alex1234.exe RegAsm.exe PID 3752 wrote to memory of 5072 3752 alex1234.exe RegAsm.exe PID 3752 wrote to memory of 5072 3752 alex1234.exe RegAsm.exe PID 3752 wrote to memory of 5072 3752 alex1234.exe RegAsm.exe PID 3752 wrote to memory of 5072 3752 alex1234.exe RegAsm.exe PID 3752 wrote to memory of 5072 3752 alex1234.exe RegAsm.exe PID 3752 wrote to memory of 5072 3752 alex1234.exe RegAsm.exe PID 3752 wrote to memory of 5072 3752 alex1234.exe RegAsm.exe PID 5072 wrote to memory of 2560 5072 RegAsm.exe propro.exe PID 5072 wrote to memory of 2560 5072 RegAsm.exe propro.exe PID 5072 wrote to memory of 2560 5072 RegAsm.exe propro.exe PID 5072 wrote to memory of 5044 5072 RegAsm.exe Traffic.exe PID 5072 wrote to memory of 5044 5072 RegAsm.exe Traffic.exe PID 1712 wrote to memory of 748 1712 explorgu.exe amadka.exe PID 1712 wrote to memory of 748 1712 explorgu.exe amadka.exe PID 1712 wrote to memory of 748 1712 explorgu.exe amadka.exe PID 1712 wrote to memory of 2796 1712 explorgu.exe redlinepanel.exe PID 1712 wrote to memory of 2796 1712 explorgu.exe redlinepanel.exe PID 1712 wrote to memory of 2796 1712 explorgu.exe redlinepanel.exe PID 748 wrote to memory of 2244 748 amadka.exe explorha.exe PID 748 wrote to memory of 2244 748 amadka.exe explorha.exe PID 748 wrote to memory of 2244 748 amadka.exe explorha.exe PID 1712 wrote to memory of 4060 1712 explorgu.exe rundll32.exe PID 1712 wrote to memory of 4060 1712 explorgu.exe rundll32.exe PID 1712 wrote to memory of 4060 1712 explorgu.exe rundll32.exe PID 4060 wrote to memory of 916 4060 rundll32.exe rundll32.exe PID 4060 wrote to memory of 916 4060 rundll32.exe rundll32.exe PID 916 wrote to memory of 3604 916 rundll32.exe netsh.exe PID 916 wrote to memory of 3604 916 rundll32.exe netsh.exe PID 1712 wrote to memory of 3116 1712 explorgu.exe 32456.exe PID 1712 wrote to memory of 3116 1712 explorgu.exe 32456.exe PID 916 wrote to memory of 2608 916 rundll32.exe powershell.exe PID 916 wrote to memory of 2608 916 rundll32.exe powershell.exe PID 1712 wrote to memory of 4248 1712 explorgu.exe NewB.exe PID 1712 wrote to memory of 4248 1712 explorgu.exe NewB.exe PID 1712 wrote to memory of 4248 1712 explorgu.exe NewB.exe PID 4248 wrote to memory of 3848 4248 NewB.exe schtasks.exe PID 4248 wrote to memory of 3848 4248 NewB.exe schtasks.exe PID 4248 wrote to memory of 3848 4248 NewB.exe schtasks.exe PID 4248 wrote to memory of 4844 4248 NewB.exe ISetup8.exe PID 4248 wrote to memory of 4844 4248 NewB.exe ISetup8.exe PID 4248 wrote to memory of 4844 4248 NewB.exe ISetup8.exe PID 4248 wrote to memory of 3044 4248 NewB.exe toolspub1.exe PID 4248 wrote to memory of 3044 4248 NewB.exe toolspub1.exe PID 4248 wrote to memory of 3044 4248 NewB.exe toolspub1.exe PID 1712 wrote to memory of 5048 1712 explorgu.exe Eljlre.exe PID 1712 wrote to memory of 5048 1712 explorgu.exe Eljlre.exe PID 1712 wrote to memory of 5048 1712 explorgu.exe Eljlre.exe PID 4844 wrote to memory of 4768 4844 ISetup8.exe u3qk.0.exe PID 4844 wrote to memory of 4768 4844 ISetup8.exe u3qk.0.exe PID 4844 wrote to memory of 4768 4844 ISetup8.exe u3qk.0.exe PID 4844 wrote to memory of 1924 4844 ISetup8.exe u3qk.1.exe PID 4844 wrote to memory of 1924 4844 ISetup8.exe u3qk.1.exe PID 4844 wrote to memory of 1924 4844 ISetup8.exe u3qk.1.exe PID 1712 wrote to memory of 912 1712 explorgu.exe rundll32.exe PID 1712 wrote to memory of 912 1712 explorgu.exe rundll32.exe PID 1712 wrote to memory of 912 1712 explorgu.exe rundll32.exe PID 1924 wrote to memory of 4676 1924 u3qk.1.exe cmd.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exe"C:\Users\Admin\AppData\Local\Temp\4f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\system32\netsh.exenetsh wlan show profiles6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\270530367132_Desktop.zip' -CompressionLevel Optimal6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/2KG0353⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff93ba46f8,0x7fff93ba4708,0x7fff93ba47184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:34⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,4377701481969620330,18150859778507664736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\270530367132_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u3qk.0.exe"C:\Users\Admin\AppData\Local\Temp\u3qk.0.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CFHCBKKFIJ.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\CFHCBKKFIJ.exe"C:\Users\Admin\AppData\Local\Temp\CFHCBKKFIJ.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CFHCBKKFIJ.exe7⤵
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30008⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 20205⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 25365⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\u3qk.1.exe"C:\Users\Admin\AppData\Local\Temp\u3qk.1.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "5⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 11964⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000181001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000181001\toolspub1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe"4⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4844 -ip 48441⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4768 -ip 47681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4768 -ip 47681⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6F20.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\8355.exeC:\Users\Admin\AppData\Local\Temp\8355.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\8355.exeC:\Users\Admin\AppData\Local\Temp\8355.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\6a094b8f-3162-4aa4-910c-f6764c7caf03" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\8355.exe"C:\Users\Admin\AppData\Local\Temp\8355.exe" --Admin IsNotAutoStart IsNotTask3⤵
-
C:\Users\Admin\AppData\Local\Temp\8355.exe"C:\Users\Admin\AppData\Local\Temp\8355.exe" --Admin IsNotAutoStart IsNotTask4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 5685⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\9911.exeC:\Users\Admin\AppData\Local\Temp\9911.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 8202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 316 -ip 3161⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\D521.exeC:\Users\Admin\AppData\Local\Temp\D521.exe1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DA90.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4296 -ip 42961⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\2F49.exeC:\Users\Admin\AppData\Local\Temp\2F49.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\3FA5.exeC:\Users\Admin\AppData\Local\Temp\3FA5.exe1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
-
C:\Users\Admin\AppData\Local\Temp\3FA5.exe"C:\Users\Admin\AppData\Local\Temp\3FA5.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Virtualization/Sandbox Evasion
2Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD5f213915edaae28d50459918c3bb1de6d
SHA155c71f771f67ca04df6876eebc30453b328352fc
SHA256e226380b93bacad0e4cb95ecb5369941396f49c3bd6c869367a2b840def41ee9
SHA5121dd92cafe3c45c7739aaa3ede9868597f6a689bc221d18f69d7676f8f2323ced160a22e1df661413465544afe9620f34606078dcc6baf83125d912c768bd1303
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5ea503234d09431f23249193312a5d51f
SHA12a19cd82a3c581a04f983c85567ae120f30c894b
SHA25650af9c84004b4ab7d1c53e0ee536b882639381352809604bb11565f665bdcb5a
SHA5129488150c3897a5606c30b84d6f617ac9f0c2a4744962a3e1dcf3319d32d51370cef1e6609dfbb26625897271cb888c0c96da7bb69c1a4fd00eaa67b99caa181d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
392B
MD585dfbf0843ef02fe31f4a8db5fac8b23
SHA190205de63f60ee8a53455d1401a00193489f84ec
SHA256329410625dfa882eaa3a6134075d8c5e153768131163035ba28940b4e9639118
SHA512c27b69c1763112ce90f7a6fb90e78edb03ebe5413c98e1090f82ea3062105cfe37c664429d2a814ced98d34768e176a8711e2343ed7c4c216f2448705de9154a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5fe3aab3ae544a134b68e881b82b70169
SHA1926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA5123fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5279e783b0129b64a8529800a88fbf1ee
SHA1204c62ec8cef8467e5729cad52adae293178744f
SHA2563619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932
SHA51232730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5cbec32729772aa6c576e97df4fef48f5
SHA16ec173d5313f27ba1e46ad66c7bbe7c0a9767dba
SHA256d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e
SHA512425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5f0d1e207232e98515374c6eeb44f286f
SHA1a2e244a453c93713a813c2e3a9600d941cf39322
SHA25684d0f16eb9483dfeafa5880c3b9e28dd3028c1bae73c210bd605ba14a1a5bb60
SHA5123f26d05963c4fe2ad22af6c582bc3a32e00ec5aa45317e1993efafa6f3bce66865b3cf1ffd624f684c3715eb36a236ba7c805bdcf25cd35063b0fc4d8c7019e8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5a5beef2cb24d67722791818a64e7fcaf
SHA17ff8f557d93727c2c01d6c51a07d16b81dcb6a10
SHA256029ada3107edecf7905cd428a3b239683d1f7478484c41b3428bfa20e3e198c9
SHA512c30448f9fcc48e85ade032d7007ae8575e4164d2fed38831236fc3c590ca2b0f39fc28e26428ef5541258111f02594834e1204564c4ee8425cf84b564177f944
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD59e73ef026bb84bce91eccb91ba852d44
SHA1bb52eeec576aacb2db95168bdd9f9c716030efcb
SHA256c78aea4003173b8d3a32eb926a312174bacad1c2b1086f883ebd9199b5aa28c3
SHA51237e2cfae50df6195af2f4a953bf38a80739138e493b7e99febdefba881d2fac1abef22cbaa378450f933fe496d698b3f30bc65698aa357aa2c3f223fd23eeba7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57f5130f8643f9c281b6384704d27b900
SHA1c384737918a1e492e8742800a251d31de1842de2
SHA256e5a21b6e080bd51ab39ae0aa91aa0573951a52aafd2f021263141d0755e1cf8f
SHA512ff471d00db8f4ec88cd0d52894e4f1a91ad32473cb173b7a5d431def9717cbe106c2ae431869651a3a9fc1801f9997a9d35d22a85cdb605ed98731e6dc129161
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeFilesize
1.8MB
MD549f89f83647e54b0f496f20b0df58e1e
SHA15c2f8a91817f95d4878297313ffd70255307a949
SHA2564f2b899794b2d6a919315f5c36c6933786744c09f10ccb2b4c2cd8001d121328
SHA51273587f588cae207b17b20560feb55666f3f37b73dbf3a2e1d0359fdbb811b447b4e11bca7b033bfb9e55f85a51872320b6260913b6655ec8cbe0fbc9ab486048
-
C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exeFilesize
403KB
MD5c70d5b4855cc9deb2ca620c465b30a4b
SHA1ff61e1e6dc0620646362c33bfccac1537ef425b3
SHA25648d49afa1224b8ef1d556847efcfccb04930886bf6d32f79d750dc11dc9e330c
SHA5120e4ea248ed0abda1562934160dd0ab7f1fda79ed699529f02443314d3fe30788bb87dfb899446786d756b226742b7b132c00c43cbb29271739aa2c25fdd6f36d
-
C:\Users\Admin\AppData\Local\Temp\1000181001\toolspub1.exeFilesize
259KB
MD5e5477d6420e21e75a4bb411a3947201a
SHA17120bf0ba0196ecc8cc04dd0c3166185ee3f7892
SHA25691e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a
SHA512de56dddda25e1cf9c5835613e38375f463bbcabe858b846077359b704493ef75b14e6187f21f110103bde70cc61efe17e5dac6d229456271b33afa3406c7020d
-
C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exeFilesize
4.1MB
MD5e0edd9b07fa182ecfc0320899f087db9
SHA1a78d516342cfb94f3579f7b013188e813983bdda
SHA25673c4d042e53ab64382274401a75b82aec4de42bb13e1bc9a659e6b32f09dfabd
SHA512d6d5c811dafc688c7f46ae27bc1e86bb80d198a67fcec14d5babf989850269e5d7ede6365f99ba5cfbefc807d353a2cfc1a2ce8adfeedf8650cf1dc5cb2e4607
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exeFilesize
3.0MB
MD58eea3e3fc27e21f4a99d101103759917
SHA16df09445462ddffface8cfec4024883d2dee7bee
SHA256c8f2ced9adecbd1d293fcbe0e89ef337693b3e62cf56929501a655ff57c6c8de
SHA5129dc2f160a4e9dcefa1a8411ec37e7e1ddb46c69d59ab0433c9dd19268534e196a3be1dd2d173b72adbd047211a8abb2236ac190d12e46283db834044b1d9f523
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exeFilesize
1.8MB
MD583ce29b8b677f39c74970d09ffe12e93
SHA164455f93d77ebeb85c535f8281a5a3c2ec65a3a8
SHA256780b263b06a0a62a0d704015d721385c49ecc31abf1f23e53e274c33179ad278
SHA512fab97baeb47f233b99c2f572e780e3a2fac97664be9735fd4d32e6fcab8a12feba69a45e6b16b8af82e318316823bedc87490ae8d096a1cc922313baec75f59b
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exeFilesize
301KB
MD5832eb4dc3ed8ceb9a1735bd0c7acaf1b
SHA1b622a406927fbb8f6cd5081bd4455fb831948fca
SHA2562a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7
SHA5123ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exeFilesize
499KB
MD583d0b41c7a3a0d29a268b49a313c5de5
SHA146f3251c771b67b40b1f3268caef8046174909a5
SHA25609cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9
SHA512705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1001051001\Umr.exeFilesize
296B
MD5f2f4183ae342466a505cb5b8dc850ce2
SHA13f6ddc6152d0190108953e410ec62e8abcdc51d1
SHA256fc56488690aec272d2853fb59f6678391f19fc67707ed0e31688d337d5159b7d
SHA512aa5cfb6e787255918880e1e71703c2280e0012ed08d5eaf5a91f8d43d984a8f30107b852bfc74eb1b6004032e4c91cb985629fea3a0a3579ac64564f8c542c73
-
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exeFilesize
2.8MB
MD51e1152424d7721a51a154a725fe2465e
SHA162bc3d11e915e1dbd3cc3ef5a11afec755c995d9
SHA256674cf1a8997ec6ac5b29b8d7eb6a5fb63ce5aaf4b19ff1ec7749b0225c49906c
SHA512752e7912d30a2f006ef79600b7412db61644630471ec44bab1e5b2565ef62ccb490ea69159420bb7626248cc8113fe07c09fa51f5c630646b179d880e18b7c02
-
C:\Users\Admin\AppData\Local\Temp\DA90.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\TmpE753.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k2elejhv.f4x.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp695.tmpFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\tmp782.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\u3qk.0.exeFilesize
258KB
MD53078a59a8df3e7afd4ba65dfb1b0b4c6
SHA1aae6d8e48b57596153fa3c6e25c4f41d04938a6c
SHA256c62d67f8e725933722f11acd9d7f2f0d44393379f2f6c33c850aa844680e8ad5
SHA5120c2e4fd492a5d6da5980c02ea7ede701787aaf4985e236a9423d3406e658eecbf38a69a2f1d27447a1f973c18c83594043b65eb9d82106ddfe5e8461443e0bac
-
C:\Users\Admin\AppData\Local\Temp\u3qk.1.exeFilesize
1.7MB
MD5eee5ddcffbed16222cac0a1b4e2e466e
SHA128b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
SHA2562a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
SHA5128f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\Temp\Task.batFilesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5647cf79b07d7d6dd385a523378a440cd
SHA13c72e78b1e526df2717d50f9d520cfd200f9f248
SHA256d082a59462865c80a291b09a16a01382460c7766b69cd72646d86ddb31646d69
SHA5129f1cb2ea12905c62322644817d4cb259213ce1b64833aafec8df1efcc88e17a7a7fe6e8b6885f013c782663f180c6181d292989f2a83579af7758d3bcec6c47e
-
C:\Users\Public\Desktop\Microsoft Edge.lnkFilesize
2KB
MD581f7aafeabbd8d16497e6282c87f5c56
SHA18cc47c0a078c1236485ed45921a396a5e1506f9d
SHA25657fb53999db0c6944ded866e05ebe505f141bd1f74af8deb797f0ff9386641cd
SHA512cfda6f93030bf497e8b74b066fee42cb571bc21f0e5c02c3cecd05863883489ef339e2056055e7776e66719ddcfeef58a1a71803dc824b907b8480fec7437790
-
\??\pipe\LOCAL\crashpad_5724_IXLFSLQXVUAZMKJRMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/748-206-0x0000000000490000-0x0000000000950000-memory.dmpFilesize
4.8MB
-
memory/748-164-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/748-161-0x0000000004E50000-0x0000000004E51000-memory.dmpFilesize
4KB
-
memory/748-160-0x0000000004E70000-0x0000000004E71000-memory.dmpFilesize
4KB
-
memory/748-159-0x0000000004E60000-0x0000000004E61000-memory.dmpFilesize
4KB
-
memory/748-162-0x0000000004E90000-0x0000000004E91000-memory.dmpFilesize
4KB
-
memory/748-163-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/748-157-0x0000000000490000-0x0000000000950000-memory.dmpFilesize
4.8MB
-
memory/748-165-0x0000000000490000-0x0000000000950000-memory.dmpFilesize
4.8MB
-
memory/1712-22-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/1712-156-0x0000000000B90000-0x0000000001038000-memory.dmpFilesize
4.7MB
-
memory/1712-20-0x0000000000B90000-0x0000000001038000-memory.dmpFilesize
4.7MB
-
memory/1712-24-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/1712-19-0x0000000000B90000-0x0000000001038000-memory.dmpFilesize
4.7MB
-
memory/1712-23-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/1712-25-0x0000000005290000-0x0000000005291000-memory.dmpFilesize
4KB
-
memory/1712-427-0x0000000000B90000-0x0000000001038000-memory.dmpFilesize
4.7MB
-
memory/1712-21-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/1712-26-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/1712-27-0x0000000005310000-0x0000000005311000-memory.dmpFilesize
4KB
-
memory/1712-28-0x0000000005300000-0x0000000005301000-memory.dmpFilesize
4KB
-
memory/1712-107-0x0000000000B90000-0x0000000001038000-memory.dmpFilesize
4.7MB
-
memory/1712-81-0x0000000000B90000-0x0000000001038000-memory.dmpFilesize
4.7MB
-
memory/2560-138-0x0000000006D90000-0x0000000006DCC000-memory.dmpFilesize
240KB
-
memory/2560-136-0x0000000006DF0000-0x0000000006EFA000-memory.dmpFilesize
1.0MB
-
memory/2560-139-0x0000000006F00000-0x0000000006F4C000-memory.dmpFilesize
304KB
-
memory/2560-109-0x0000000005580000-0x0000000005590000-memory.dmpFilesize
64KB
-
memory/2560-110-0x00000000056A0000-0x00000000056AA000-memory.dmpFilesize
40KB
-
memory/2560-103-0x0000000072980000-0x0000000073130000-memory.dmpFilesize
7.7MB
-
memory/2560-132-0x0000000006A20000-0x0000000006A3E000-memory.dmpFilesize
120KB
-
memory/2560-104-0x0000000000CC0000-0x0000000000D12000-memory.dmpFilesize
328KB
-
memory/2560-105-0x0000000005A80000-0x0000000006024000-memory.dmpFilesize
5.6MB
-
memory/2560-137-0x0000000006D30000-0x0000000006D42000-memory.dmpFilesize
72KB
-
memory/2560-130-0x0000000006230000-0x00000000062A6000-memory.dmpFilesize
472KB
-
memory/2560-135-0x00000000072A0000-0x00000000078B8000-memory.dmpFilesize
6.1MB
-
memory/2560-106-0x00000000055D0000-0x0000000005662000-memory.dmpFilesize
584KB
-
memory/2796-187-0x0000000000A60000-0x0000000000AB0000-memory.dmpFilesize
320KB
-
memory/2796-186-0x0000000072980000-0x0000000073130000-memory.dmpFilesize
7.7MB
-
memory/3044-535-0x0000000000400000-0x0000000000AEA000-memory.dmpFilesize
6.9MB
-
memory/3356-10-0x0000000004AF0000-0x0000000004AF1000-memory.dmpFilesize
4KB
-
memory/3356-8-0x0000000004A70000-0x0000000004A71000-memory.dmpFilesize
4KB
-
memory/3356-7-0x0000000004A60000-0x0000000004A61000-memory.dmpFilesize
4KB
-
memory/3356-1-0x0000000077004000-0x0000000077006000-memory.dmpFilesize
8KB
-
memory/3356-2-0x00000000003D0000-0x0000000000878000-memory.dmpFilesize
4.7MB
-
memory/3356-4-0x0000000004AA0000-0x0000000004AA1000-memory.dmpFilesize
4KB
-
memory/3356-3-0x0000000004A90000-0x0000000004A91000-memory.dmpFilesize
4KB
-
memory/3356-9-0x0000000004AC0000-0x0000000004AC1000-memory.dmpFilesize
4KB
-
memory/3356-0-0x00000000003D0000-0x0000000000878000-memory.dmpFilesize
4.7MB
-
memory/3356-5-0x0000000004A80000-0x0000000004A81000-memory.dmpFilesize
4KB
-
memory/3356-6-0x0000000004AD0000-0x0000000004AD1000-memory.dmpFilesize
4KB
-
memory/3356-12-0x0000000004AE0000-0x0000000004AE1000-memory.dmpFilesize
4KB
-
memory/3356-16-0x00000000003D0000-0x0000000000878000-memory.dmpFilesize
4.7MB
-
memory/3396-530-0x0000000002940000-0x0000000002956000-memory.dmpFilesize
88KB
-
memory/3752-80-0x0000000002C10000-0x0000000004C10000-memory.dmpFilesize
32.0MB
-
memory/3752-69-0x0000000000590000-0x000000000074C000-memory.dmpFilesize
1.7MB
-
memory/3752-70-0x0000000072980000-0x0000000073130000-memory.dmpFilesize
7.7MB
-
memory/3752-71-0x00000000051E0000-0x00000000051F0000-memory.dmpFilesize
64KB
-
memory/3752-79-0x0000000072980000-0x0000000073130000-memory.dmpFilesize
7.7MB
-
memory/4628-48-0x00000000000B0000-0x000000000045A000-memory.dmpFilesize
3.7MB
-
memory/4628-158-0x00000000000B0000-0x000000000045A000-memory.dmpFilesize
3.7MB
-
memory/4628-49-0x00000000000B0000-0x000000000045A000-memory.dmpFilesize
3.7MB
-
memory/4628-252-0x00000000000B0000-0x000000000045A000-memory.dmpFilesize
3.7MB
-
memory/4628-131-0x00000000000B0000-0x000000000045A000-memory.dmpFilesize
3.7MB
-
memory/4844-534-0x0000000000400000-0x0000000000B0E000-memory.dmpFilesize
7.1MB
-
memory/5044-113-0x00007FFF982C0000-0x00007FFF98D81000-memory.dmpFilesize
10.8MB
-
memory/5044-185-0x000000001E2E0000-0x000000001E3EA000-memory.dmpFilesize
1.0MB
-
memory/5044-188-0x000000001B470000-0x000000001B482000-memory.dmpFilesize
72KB
-
memory/5044-189-0x000000001B4D0000-0x000000001B50C000-memory.dmpFilesize
240KB
-
memory/5044-129-0x000000001B160000-0x000000001B170000-memory.dmpFilesize
64KB
-
memory/5044-111-0x0000000000490000-0x000000000051C000-memory.dmpFilesize
560KB
-
memory/5048-489-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-516-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-514-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-512-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-533-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-545-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-550-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-509-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-553-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-497-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-529-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-495-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-493-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-491-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-487-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-483-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-481-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-477-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-464-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-474-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-460-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-457-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-453-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-446-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-443-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-438-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5048-437-0x00000000057A0000-0x00000000059B6000-memory.dmpFilesize
2.1MB
-
memory/5072-83-0x0000000005530000-0x0000000005540000-memory.dmpFilesize
64KB
-
memory/5072-82-0x0000000072980000-0x0000000073130000-memory.dmpFilesize
7.7MB
-
memory/5072-74-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB