Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows11-21h2_x64 -
resource
win11-20240319-en -
resource tags
arch:x64arch:x86image:win11-20240319-enlocale:en-usos:windows11-21h2-x64system -
submitted
28-03-2024 19:26
Static task
static1
Behavioral task
behavioral1
Sample
f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exe
Resource
win10v2004-20240226-en
General
-
Target
f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exe
-
Size
1.8MB
-
MD5
8fa9ecda4e2cc34c6948abc1837fc0c0
-
SHA1
ad42078d3e4f4283d5fb048d44030dcceee1804e
-
SHA256
f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea
-
SHA512
8051e46c8b7c132ff559330cfb90edfda6933cdcbf00f6c8c59f9e5341478e4898098b5c2b6cfbe327c2c0902e09b7aba63c6536d2e4c0b6095f5797ed6df3a7
-
SSDEEP
49152:6whzti2kGYSiysrT0HRXiZadJzSutzQHyFCi43f:6szt2nysrTLsAutuyF943f
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
@OLEH_PSP
185.172.128.33:8970
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
redline
Jok123
185.215.113.67:26260
Signatures
-
Detect ZGRat V1 33 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe family_zgrat_v1 behavioral2/memory/72-66-0x0000000000810000-0x00000000009CC000-memory.dmp family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_zgrat_v1 behavioral2/memory/2484-230-0x0000000000C50000-0x0000000000CD2000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-388-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-390-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-392-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-394-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-396-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-398-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-400-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-402-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-404-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-406-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-409-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-412-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-415-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-418-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-421-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-424-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-427-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-431-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-433-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-437-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-440-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-442-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-446-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-448-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-452-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-455-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-457-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-459-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 behavioral2/memory/4908-463-0x0000000005D60000-0x0000000005F76000-memory.dmp family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 8 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe family_redline behavioral2/memory/2420-100-0x0000000000EF0000-0x0000000000F42000-memory.dmp family_redline behavioral2/memory/3444-141-0x0000000000470000-0x00000000004FC000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe family_redline behavioral2/memory/4028-192-0x0000000000450000-0x00000000004A0000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_redline behavioral2/memory/2484-230-0x0000000000C50000-0x0000000000CD2000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exeexplorgu.exerandom.exeamadka.exeexplorha.exeexplorha.exeexplorha.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amadka.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe -
Blocklisted process makes network request 4 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exeflow pid process 12 5068 rundll32.exe 18 3624 rundll32.exe 20 1316 rundll32.exe 21 3828 rundll32.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorgu.exeamadka.exeexplorha.exef5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exeexplorha.exeexplorha.exerandom.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe -
Executes dropped EXE 16 IoCs
Processes:
explorgu.exerandom.exealex1234.exepropro.exeTraffic.exeamadka.exeredlinepanel.exe32456.exeexplorha.exeNewB.exeEljlre.exee8c1e5d4e7.exeexplorha.exeNewB.exeNewB.exeexplorha.exepid process 4528 explorgu.exe 1768 random.exe 72 alex1234.exe 2420 propro.exe 3444 Traffic.exe 1032 amadka.exe 4028 redlinepanel.exe 2484 32456.exe 2920 explorha.exe 2336 NewB.exe 4908 Eljlre.exe 2936 e8c1e5d4e7.exe 5000 explorha.exe 4608 NewB.exe 2216 NewB.exe 2776 explorha.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explorha.exeexplorha.exeexplorha.exef5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exeexplorgu.exerandom.exeamadka.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exe Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine explorgu.exe Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine random.exe Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine amadka.exe -
Loads dropped DLL 6 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exepid process 2288 rundll32.exe 5068 rundll32.exe 3624 rundll32.exe 3204 rundll32.exe 1316 rundll32.exe 3828 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorgu.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" explorgu.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exeexplorgu.exeamadka.exeexplorha.exeexplorha.exeexplorha.exepid process 4744 f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exe 4528 explorgu.exe 1032 amadka.exe 2920 explorha.exe 5000 explorha.exe 2776 explorha.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
alex1234.exedescription pid process target process PID 72 set thread context of 2300 72 alex1234.exe RegAsm.exe -
Drops file in Windows directory 2 IoCs
Processes:
f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exeamadka.exedescription ioc process File created C:\Windows\Tasks\explorgu.job f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exe File created C:\Windows\Tasks\explorha.job amadka.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Processes:
propro.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 propro.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 propro.exe -
Suspicious behavior: EnumeratesProcesses 50 IoCs
Processes:
f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exeexplorgu.exeamadka.exerundll32.exeexplorha.exepowershell.exeTraffic.exepropro.exe32456.exerundll32.exeredlinepanel.exepowershell.exeexplorha.exeexplorha.exepid process 4744 f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exe 4744 f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exe 4528 explorgu.exe 4528 explorgu.exe 1032 amadka.exe 1032 amadka.exe 5068 rundll32.exe 5068 rundll32.exe 5068 rundll32.exe 5068 rundll32.exe 5068 rundll32.exe 5068 rundll32.exe 2920 explorha.exe 2920 explorha.exe 5068 rundll32.exe 5068 rundll32.exe 5068 rundll32.exe 5068 rundll32.exe 2940 powershell.exe 2940 powershell.exe 2940 powershell.exe 3444 Traffic.exe 3444 Traffic.exe 2420 propro.exe 2420 propro.exe 2420 propro.exe 2420 propro.exe 2484 32456.exe 2484 32456.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 4028 redlinepanel.exe 4028 redlinepanel.exe 4028 redlinepanel.exe 4028 redlinepanel.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 3020 powershell.exe 3020 powershell.exe 3020 powershell.exe 5000 explorha.exe 5000 explorha.exe 2776 explorha.exe 2776 explorha.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
Traffic.exe32456.exepowershell.exeEljlre.exepropro.exeredlinepanel.exepowershell.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 3444 Traffic.exe Token: SeDebugPrivilege 2484 32456.exe Token: SeBackupPrivilege 3444 Traffic.exe Token: SeSecurityPrivilege 3444 Traffic.exe Token: SeSecurityPrivilege 3444 Traffic.exe Token: SeSecurityPrivilege 3444 Traffic.exe Token: SeSecurityPrivilege 3444 Traffic.exe Token: SeDebugPrivilege 2940 powershell.exe Token: SeBackupPrivilege 2484 32456.exe Token: SeSecurityPrivilege 2484 32456.exe Token: SeSecurityPrivilege 2484 32456.exe Token: SeSecurityPrivilege 2484 32456.exe Token: SeSecurityPrivilege 2484 32456.exe Token: SeDebugPrivilege 4908 Eljlre.exe Token: SeDebugPrivilege 2420 propro.exe Token: SeDebugPrivilege 4028 redlinepanel.exe Token: SeDebugPrivilege 3020 powershell.exe Token: SeDebugPrivilege 2300 RegAsm.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exeamadka.exepid process 4744 f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exe 1032 amadka.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
explorgu.exealex1234.exeRegAsm.exerundll32.exerundll32.exeamadka.exeNewB.exeexplorha.exerundll32.exerundll32.exedescription pid process target process PID 4528 wrote to memory of 1768 4528 explorgu.exe random.exe PID 4528 wrote to memory of 1768 4528 explorgu.exe random.exe PID 4528 wrote to memory of 1768 4528 explorgu.exe random.exe PID 4528 wrote to memory of 72 4528 explorgu.exe alex1234.exe PID 4528 wrote to memory of 72 4528 explorgu.exe alex1234.exe PID 4528 wrote to memory of 72 4528 explorgu.exe alex1234.exe PID 72 wrote to memory of 4092 72 alex1234.exe RegAsm.exe PID 72 wrote to memory of 4092 72 alex1234.exe RegAsm.exe PID 72 wrote to memory of 4092 72 alex1234.exe RegAsm.exe PID 72 wrote to memory of 2300 72 alex1234.exe RegAsm.exe PID 72 wrote to memory of 2300 72 alex1234.exe RegAsm.exe PID 72 wrote to memory of 2300 72 alex1234.exe RegAsm.exe PID 72 wrote to memory of 2300 72 alex1234.exe RegAsm.exe PID 72 wrote to memory of 2300 72 alex1234.exe RegAsm.exe PID 72 wrote to memory of 2300 72 alex1234.exe RegAsm.exe PID 72 wrote to memory of 2300 72 alex1234.exe RegAsm.exe PID 72 wrote to memory of 2300 72 alex1234.exe RegAsm.exe PID 2300 wrote to memory of 2420 2300 RegAsm.exe propro.exe PID 2300 wrote to memory of 2420 2300 RegAsm.exe propro.exe PID 2300 wrote to memory of 2420 2300 RegAsm.exe propro.exe PID 2300 wrote to memory of 3444 2300 RegAsm.exe Traffic.exe PID 2300 wrote to memory of 3444 2300 RegAsm.exe Traffic.exe PID 4528 wrote to memory of 1032 4528 explorgu.exe amadka.exe PID 4528 wrote to memory of 1032 4528 explorgu.exe amadka.exe PID 4528 wrote to memory of 1032 4528 explorgu.exe amadka.exe PID 4528 wrote to memory of 4028 4528 explorgu.exe redlinepanel.exe PID 4528 wrote to memory of 4028 4528 explorgu.exe redlinepanel.exe PID 4528 wrote to memory of 4028 4528 explorgu.exe redlinepanel.exe PID 4528 wrote to memory of 2288 4528 explorgu.exe rundll32.exe PID 4528 wrote to memory of 2288 4528 explorgu.exe rundll32.exe PID 4528 wrote to memory of 2288 4528 explorgu.exe rundll32.exe PID 2288 wrote to memory of 5068 2288 rundll32.exe rundll32.exe PID 2288 wrote to memory of 5068 2288 rundll32.exe rundll32.exe PID 5068 wrote to memory of 4904 5068 rundll32.exe netsh.exe PID 5068 wrote to memory of 4904 5068 rundll32.exe netsh.exe PID 4528 wrote to memory of 2484 4528 explorgu.exe 32456.exe PID 4528 wrote to memory of 2484 4528 explorgu.exe 32456.exe PID 1032 wrote to memory of 2920 1032 amadka.exe explorha.exe PID 1032 wrote to memory of 2920 1032 amadka.exe explorha.exe PID 1032 wrote to memory of 2920 1032 amadka.exe explorha.exe PID 4528 wrote to memory of 2336 4528 explorgu.exe NewB.exe PID 4528 wrote to memory of 2336 4528 explorgu.exe NewB.exe PID 4528 wrote to memory of 2336 4528 explorgu.exe NewB.exe PID 2336 wrote to memory of 4732 2336 NewB.exe schtasks.exe PID 2336 wrote to memory of 4732 2336 NewB.exe schtasks.exe PID 2336 wrote to memory of 4732 2336 NewB.exe schtasks.exe PID 5068 wrote to memory of 2940 5068 rundll32.exe powershell.exe PID 5068 wrote to memory of 2940 5068 rundll32.exe powershell.exe PID 4528 wrote to memory of 4908 4528 explorgu.exe Eljlre.exe PID 4528 wrote to memory of 4908 4528 explorgu.exe Eljlre.exe PID 4528 wrote to memory of 4908 4528 explorgu.exe Eljlre.exe PID 2920 wrote to memory of 2936 2920 explorha.exe e8c1e5d4e7.exe PID 2920 wrote to memory of 2936 2920 explorha.exe e8c1e5d4e7.exe PID 2920 wrote to memory of 2936 2920 explorha.exe e8c1e5d4e7.exe PID 4528 wrote to memory of 3624 4528 explorgu.exe rundll32.exe PID 4528 wrote to memory of 3624 4528 explorgu.exe rundll32.exe PID 4528 wrote to memory of 3624 4528 explorgu.exe rundll32.exe PID 2920 wrote to memory of 3204 2920 explorha.exe rundll32.exe PID 2920 wrote to memory of 3204 2920 explorha.exe rundll32.exe PID 2920 wrote to memory of 3204 2920 explorha.exe rundll32.exe PID 3204 wrote to memory of 1316 3204 rundll32.exe rundll32.exe PID 3204 wrote to memory of 1316 3204 rundll32.exe rundll32.exe PID 1316 wrote to memory of 1680 1316 rundll32.exe netsh.exe PID 1316 wrote to memory of 1680 1316 rundll32.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exe"C:\Users\Admin\AppData\Local\Temp\f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000041001\e8c1e5d4e7.exe"C:\Users\Admin\AppData\Local\Temp\1000041001\e8c1e5d4e7.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\233663403127_Desktop.zip' -CompressionLevel Optimal6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\233663403127_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Virtualization/Sandbox Evasion
2Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ae626d9a72417b14570daa8fcd5d34a4
SHA1c103ebaf4d760df722d620df87e6f07c0486439f
SHA25652cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a
SHA512a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b3a83d0196afc480a90a1e7444210036
SHA16376ef283df20976769287b3bdc6bcd5d5ce371f
SHA2563ac4190b1c447f3b5365b056150575ec779ffba10b82d940c93009e2f6809a07
SHA512dfff8f23370ae8ab390b8a3dd675dd71ca6a8d0fac0f0c9a8b43453763ba5fa96a79a4b5a8891bcac86996471b912ca51dfc6b877d647391d14e355191d77370
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeFilesize
1.8MB
MD58fa9ecda4e2cc34c6948abc1837fc0c0
SHA1ad42078d3e4f4283d5fb048d44030dcceee1804e
SHA256f5a03aece5dbd56922afdb0aa80a0642b49de093e4e5b218d018fa8f8ee821ea
SHA5128051e46c8b7c132ff559330cfb90edfda6933cdcbf00f6c8c59f9e5341478e4898098b5c2b6cfbe327c2c0902e09b7aba63c6536d2e4c0b6095f5797ed6df3a7
-
C:\Users\Admin\AppData\Local\Temp\1000041001\e8c1e5d4e7.exeFilesize
802KB
MD5387de0d7c483a81c9cf541d9c7b21f0f
SHA1a761ad1d01ef276c41530a758830ec940122e984
SHA2560ec3395676f63a30efa1dbb9cbb9552d45f109f0883392290cef25aa561f34f7
SHA512ca5ee7cf11cc017683b9cdb6e9cca3dae8df6440dde0cb8e35650a865045d9910adc77cbccfc9b9aefaf1b7e571fe75c2de58d78aa6605b89487d7b5963bf78b
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exeFilesize
3.0MB
MD5161e486bef0714a47d0952e227991d31
SHA1e6aff34b809d8048b9ad737da1dc5c3f751d9867
SHA256380338a4bae29701ed729b1a2011c524251b0dfa60cb9abb8f37ee214e6585df
SHA5124eb96cd90430d3717ffbb89015dc345d3ebcb9d3026e1b2461822878cc7b0a2ae0a4a520c73085f49b14c68badf648f0d42532e9524c51cb751d7423829cb7d3
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exeFilesize
1.8MB
MD52df48eca90c65bd7d080bd3a3ed2a046
SHA101f5657be277c1bb8588bc452fe01a2932de0d93
SHA256bfaaa91e8792e01743c34c2516b547639f8bf808c06a38fe40dc79411cf121b8
SHA512ba02f7ce86c8e5c1bb83fe6bc836d251f2f8095f26257298c91a633bccec9acfee477009dacf91fe2639fec0c6bc4d7ae49c02a32676540592ec767ef8f342ad
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exeFilesize
301KB
MD5832eb4dc3ed8ceb9a1735bd0c7acaf1b
SHA1b622a406927fbb8f6cd5081bd4455fb831948fca
SHA2562a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7
SHA5123ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exeFilesize
499KB
MD583d0b41c7a3a0d29a268b49a313c5de5
SHA146f3251c771b67b40b1f3268caef8046174909a5
SHA25609cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9
SHA512705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1001051001\Umr.exeFilesize
296B
MD5f2f4183ae342466a505cb5b8dc850ce2
SHA13f6ddc6152d0190108953e410ec62e8abcdc51d1
SHA256fc56488690aec272d2853fb59f6678391f19fc67707ed0e31688d337d5159b7d
SHA512aa5cfb6e787255918880e1e71703c2280e0012ed08d5eaf5a91f8d43d984a8f30107b852bfc74eb1b6004032e4c91cb985629fea3a0a3579ac64564f8c542c73
-
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exeFilesize
2.8MB
MD51e1152424d7721a51a154a725fe2465e
SHA162bc3d11e915e1dbd3cc3ef5a11afec755c995d9
SHA256674cf1a8997ec6ac5b29b8d7eb6a5fb63ce5aaf4b19ff1ec7749b0225c49906c
SHA512752e7912d30a2f006ef79600b7412db61644630471ec44bab1e5b2565ef62ccb490ea69159420bb7626248cc8113fe07c09fa51f5c630646b179d880e18b7c02
-
C:\Users\Admin\AppData\Local\Temp\Tmp344A.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_acpaneun.o1g.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp6E86.tmpFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\tmp707D.tmpFilesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1233663403-1277323514-675434005-1000\76b53b3ec448f7ccdda2063b15d2bfc3_51f76018-0820-469a-b12d-f27f55f8b028Filesize
2KB
MD52f293cde607f7a04743d01bae4b438ee
SHA1ed85fc9c3648f2902fdbc5fef369a1a9b3c7642a
SHA256ee99cff978fe163f615c468c5419c2cec6920f4833d21fc8c4929f8178db49fc
SHA512bf86d096b8d266419ecabf92a92ab488056eafd55e526610535301528427e54434d834fc79ecd84707f3d7d5ca9924fb36fe1123b2d35c34b14eb58b13614ef2
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD58ce12f72e092d6b856a8f7b4ed4b89bb
SHA19a9ec6877e0201356eda43bea1cb0ce5263ba7ca
SHA256ddc6caafc71d42b3de2d7e39a902d6561af6d0e9deb33d1e0ac43be2803cf117
SHA5121dc7d62b3535093a20f8f27f11d9d4ef10498da780a95ce91547aac2704f12b44a8be8cec7fa2417f778f0e06699b9c58ed639faa10c187a010fa9410dc1dfcb
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD54638e4d5380391c8012ef3448ccdf1d0
SHA11f42302d0ace00e0f06d26b29e72f0e418f60d72
SHA256d184a7f6075fa5bb566e85f5055302755097965d53b51444bf2fa4def43d7f6a
SHA51259b5c786a86bf648e4a84a7b8fac9f472513d987edeaae856b611f47f787b89c6e0879826215aa01b19713ef93a12cea9768c08e0336a9cfce2afc4aca25d2bd
-
memory/72-245-0x0000000002EA0000-0x0000000004EA0000-memory.dmpFilesize
32.0MB
-
memory/72-66-0x0000000000810000-0x00000000009CC000-memory.dmpFilesize
1.7MB
-
memory/72-67-0x0000000072CF0000-0x00000000734A1000-memory.dmpFilesize
7.7MB
-
memory/72-68-0x00000000053F0000-0x0000000005400000-memory.dmpFilesize
64KB
-
memory/72-76-0x0000000072CF0000-0x00000000734A1000-memory.dmpFilesize
7.7MB
-
memory/72-77-0x0000000002EA0000-0x0000000004EA0000-memory.dmpFilesize
32.0MB
-
memory/1032-145-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB
-
memory/1032-156-0x00000000050E0000-0x00000000050E1000-memory.dmpFilesize
4KB
-
memory/1032-157-0x00000000050F0000-0x00000000050F1000-memory.dmpFilesize
4KB
-
memory/1032-225-0x0000000000A20000-0x0000000000EDA000-memory.dmpFilesize
4.7MB
-
memory/1032-144-0x0000000005100000-0x0000000005101000-memory.dmpFilesize
4KB
-
memory/1032-160-0x0000000005120000-0x0000000005121000-memory.dmpFilesize
4KB
-
memory/1032-170-0x0000000005150000-0x0000000005151000-memory.dmpFilesize
4KB
-
memory/1032-176-0x0000000005160000-0x0000000005161000-memory.dmpFilesize
4KB
-
memory/1032-122-0x0000000000A20000-0x0000000000EDA000-memory.dmpFilesize
4.7MB
-
memory/1032-174-0x0000000000A20000-0x0000000000EDA000-memory.dmpFilesize
4.7MB
-
memory/1032-143-0x0000000005110000-0x0000000005111000-memory.dmpFilesize
4KB
-
memory/1768-228-0x0000000000740000-0x0000000000AE3000-memory.dmpFilesize
3.6MB
-
memory/1768-181-0x0000000000740000-0x0000000000AE3000-memory.dmpFilesize
3.6MB
-
memory/1768-172-0x0000000000740000-0x0000000000AE3000-memory.dmpFilesize
3.6MB
-
memory/1768-46-0x0000000000740000-0x0000000000AE3000-memory.dmpFilesize
3.6MB
-
memory/1768-363-0x0000000000740000-0x0000000000AE3000-memory.dmpFilesize
3.6MB
-
memory/1768-45-0x0000000000740000-0x0000000000AE3000-memory.dmpFilesize
3.6MB
-
memory/2300-80-0x0000000072CF0000-0x00000000734A1000-memory.dmpFilesize
7.7MB
-
memory/2300-79-0x0000000005520000-0x0000000005530000-memory.dmpFilesize
64KB
-
memory/2300-71-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/2420-178-0x00000000070A0000-0x00000000070DC000-memory.dmpFilesize
240KB
-
memory/2420-101-0x0000000072CF0000-0x00000000734A1000-memory.dmpFilesize
7.7MB
-
memory/2420-155-0x0000000006CF0000-0x0000000006D0E000-memory.dmpFilesize
120KB
-
memory/2420-140-0x00000000063E0000-0x0000000006456000-memory.dmpFilesize
472KB
-
memory/2420-100-0x0000000000EF0000-0x0000000000F42000-memory.dmpFilesize
328KB
-
memory/2420-169-0x00000000075B0000-0x0000000007BC8000-memory.dmpFilesize
6.1MB
-
memory/2420-124-0x00000000058D0000-0x00000000058DA000-memory.dmpFilesize
40KB
-
memory/2420-123-0x0000000005A30000-0x0000000005A40000-memory.dmpFilesize
64KB
-
memory/2420-173-0x0000000007100000-0x000000000720A000-memory.dmpFilesize
1.0MB
-
memory/2420-175-0x0000000007040000-0x0000000007052000-memory.dmpFilesize
72KB
-
memory/2420-112-0x0000000005DB0000-0x0000000006356000-memory.dmpFilesize
5.6MB
-
memory/2420-118-0x00000000058E0000-0x0000000005972000-memory.dmpFilesize
584KB
-
memory/2420-191-0x0000000007210000-0x000000000725C000-memory.dmpFilesize
304KB
-
memory/2484-230-0x0000000000C50000-0x0000000000CD2000-memory.dmpFilesize
520KB
-
memory/2920-356-0x0000000000180000-0x000000000063A000-memory.dmpFilesize
4.7MB
-
memory/2920-226-0x0000000000180000-0x000000000063A000-memory.dmpFilesize
4.7MB
-
memory/3444-142-0x00007FF8E40A0000-0x00007FF8E4B62000-memory.dmpFilesize
10.8MB
-
memory/3444-161-0x000000001B340000-0x000000001B350000-memory.dmpFilesize
64KB
-
memory/3444-141-0x0000000000470000-0x00000000004FC000-memory.dmpFilesize
560KB
-
memory/4028-192-0x0000000000450000-0x00000000004A0000-memory.dmpFilesize
320KB
-
memory/4028-194-0x0000000004F40000-0x0000000004F50000-memory.dmpFilesize
64KB
-
memory/4028-193-0x0000000072CF0000-0x00000000734A1000-memory.dmpFilesize
7.7MB
-
memory/4528-25-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/4528-78-0x0000000001000000-0x00000000014C7000-memory.dmpFilesize
4.8MB
-
memory/4528-121-0x0000000001000000-0x00000000014C7000-memory.dmpFilesize
4.8MB
-
memory/4528-24-0x0000000004CC0000-0x0000000004CC1000-memory.dmpFilesize
4KB
-
memory/4528-111-0x0000000001000000-0x00000000014C7000-memory.dmpFilesize
4.8MB
-
memory/4528-23-0x0000000004C40000-0x0000000004C41000-memory.dmpFilesize
4KB
-
memory/4528-248-0x0000000001000000-0x00000000014C7000-memory.dmpFilesize
4.8MB
-
memory/4528-22-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/4528-19-0x0000000004C60000-0x0000000004C61000-memory.dmpFilesize
4KB
-
memory/4528-21-0x0000000004C90000-0x0000000004C91000-memory.dmpFilesize
4KB
-
memory/4528-20-0x0000000004C50000-0x0000000004C51000-memory.dmpFilesize
4KB
-
memory/4528-18-0x0000000001000000-0x00000000014C7000-memory.dmpFilesize
4.8MB
-
memory/4528-17-0x0000000001000000-0x00000000014C7000-memory.dmpFilesize
4.8MB
-
memory/4744-9-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/4744-14-0x0000000000A00000-0x0000000000EC7000-memory.dmpFilesize
4.8MB
-
memory/4744-0-0x0000000000A00000-0x0000000000EC7000-memory.dmpFilesize
4.8MB
-
memory/4744-8-0x00000000053C0000-0x00000000053C1000-memory.dmpFilesize
4KB
-
memory/4744-7-0x00000000053B0000-0x00000000053B1000-memory.dmpFilesize
4KB
-
memory/4744-6-0x0000000005410000-0x0000000005411000-memory.dmpFilesize
4KB
-
memory/4744-1-0x00000000775F6000-0x00000000775F8000-memory.dmpFilesize
8KB
-
memory/4744-2-0x0000000000A00000-0x0000000000EC7000-memory.dmpFilesize
4.8MB
-
memory/4744-3-0x00000000053E0000-0x00000000053E1000-memory.dmpFilesize
4KB
-
memory/4744-5-0x00000000053D0000-0x00000000053D1000-memory.dmpFilesize
4KB
-
memory/4744-4-0x00000000053F0000-0x00000000053F1000-memory.dmpFilesize
4KB
-
memory/4908-415-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-437-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-400-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-402-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-404-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-406-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-409-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-412-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-396-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-418-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-421-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-424-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-427-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-431-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-433-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-398-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-440-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-442-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-446-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-448-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-452-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-455-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-457-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-459-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-463-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-394-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-392-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-390-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB
-
memory/4908-388-0x0000000005D60000-0x0000000005F76000-memory.dmpFilesize
2.1MB