Analysis
-
max time kernel
39s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-03-2024 00:05
General
-
Target
a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe
-
Size
1.8MB
-
MD5
22aeb43ba6ab6f8985f494951dd988d5
-
SHA1
52dbcc33bd585750d8cad31bf2e5d0525cf77440
-
SHA256
a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb
-
SHA512
3432e70efae0c0f2b5dd590e3bf00457c27958905dbf5453ca3a3687509787f8b1fb264ccbe1daccd9bce5dafc2987a8f4a7ab473a9f5effc4dd9d61b5bffaaa
-
SSDEEP
49152:ezFG8VqgsE5WUoefxBNyyHvPAbz0CDCxGXyZGeTPxhe:eADuoKDHnKzpCxRFD
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
@OLEH_PSP
185.172.128.33:8970
Extracted
redline
LiveTraffic
4.185.137.132:1632
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1 23 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 5 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 31 IoCs
-
Suspicious use of SendNotifyMessage 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe"C:\Users\Admin\AppData\Local\Temp\a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000042001\b61690162d.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\b61690162d.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff934e046f8,0x7ff934e04708,0x7ff934e047185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6380048582328833124,15174660947858335723,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,6380048582328833124,15174660947858335723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff934e046f8,0x7ff934e04708,0x7ff934e047185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,2788986010777725122,7316807720168993048,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,2788986010777725122,7316807720168993048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff934e046f8,0x7ff934e04708,0x7ff934e047185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\134859772495_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\134859772495_Desktop.zip' -CompressionLevel Optimal4⤵
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
-
C:\Users\Admin\AppData\Local\Temp\1001054001\Payload.exe"C:\Users\Admin\AppData\Local\Temp\1001054001\Payload.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdABpACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAcABhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGkAcwAgAGMAbwBtAHAAdQB0AGUAcgAgAGkAcwAgAG4AbwB0ACAAcwB1AHAAcABvAHIAdABlAGQALAAgAHAAbABlAGEAcwBlACAAdAByAHkAIABhAGcAYQBpAG4AIABvAG4AIABhAG4AbwB0AGgAZQByACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB5AGMAYQAjAD4A"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbABmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAagBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAcAB5ACMAPgA="3⤵
-
C:\Users\Admin\AppData\Roaming\a.exe"C:\Users\Admin\AppData\Roaming\a.exe"3⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "TDFIYZSJ"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "TDFIYZSJ" binpath= "C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe" start= "auto"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "TDFIYZSJ"4⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Roaming\b.exe"C:\Users\Admin\AppData\Roaming\b.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe1⤵
-
C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exeC:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe1⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\system32\conhost.execonhost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57c6136bc98a5aedca2ea3004e9fbe67d
SHA174318d997f4c9c351eef86d040bc9b085ce1ad4f
SHA25650c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2
SHA5122d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55c6aef82e50d05ffc0cf52a6c6d69c91
SHA1c203efe5b45b0630fee7bd364fe7d63b769e2351
SHA256d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32
SHA51277ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD54cfda73723784ba63a8afebe5144dc29
SHA10e40517c70192968ec58bfcd7c83fdb05eef7926
SHA256f19900bcda58b26d80b19a96172bb8e3b8cdae0a0fafce70ef8efa976b22aa10
SHA512b403940a13108fec332e3892910491e7ba64bf4d4091bb3386540065582df47bef5a6d1afe2fcb1e6801d51a8ea80028fa4424b28fbd2bce43063a975a9ad05f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b3b1f470ce6c2b66c7cb2631b1c3601e
SHA13e2cc6cecfe91ce2a83b5e341cc03bb92d72ae7a
SHA25687b96aca6b849ab58689e5bbcba8c328d0fea38d5c46cb93408cee5e26216e0a
SHA512eb08e3aadeefd7afe750557aae9f778d728e45289a2bc291ade4fa4fc41c08198b24c20dab7635e44ebb755374d6d8b7bdd8e0de64ab848b51c6c7bc2f176e27
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD55521edccdea5812be4a9aca4813bf403
SHA1edfc4fe2a570ef00c3a383909d7ae4c321d66419
SHA25606dc0e3c037063807ef76434c3367b16b34b600d8e93fab4c18ec11433f72484
SHA512fe3f992fe86a0a9d43fd763c3be8a588f949e5d693366491b22ede0ebe20e96f757f299fe2c62d9bf5030b6b276700a86d84d5c0e0f2cef5531b4002f347a7e6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
705B
MD577d7364f1df82427a45e5f0193c06041
SHA1f433ce4ea2575044cf7e8b0158764a22084de904
SHA25673083bcfb38e1422b280b553232298258714031475b0f85970c63d46e356d1ed
SHA5120fe58e29dd7c9fb612f4b69bfa956fec66fda200fbb430a959503801ed86f47a18f27012e114d8b982aa3d55d646bb4e4fb64aec9a3e7abd35144c36092f1677
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
703B
MD548dd8a221bbab3ea1dbb6962168a740b
SHA1bdf2b2008405d03741fc769248df861f656c6161
SHA256f2455fd8c275be3a4fffb2c15ccaa2f5c082a760b9aef49383178c9af8975b10
SHA51232a51f3918d2dec5887d2f975abf2724f28a2e4dc66082dc884b67a8fa920bc0f0445da722c5864683fa63bd870ff4dab9db6bab1ea7546dea093e8c762adb09
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5854f1.TMPFilesize
705B
MD5e78d1c3a0f929e93031bafceee3a1bbe
SHA11e6c7c6f407045dd4a2cb8f48c5934a02725fb07
SHA256ab30bbf9116754b71af0bfaf021f4d7446834ef1e6fe2b0aaf68fa084e561e0c
SHA512992ae6f09c7fdd5c31a83f676d23dd41cd53a39da019dbca872f7308490d4ac01e45a357eb3c9de93855801743b96b57d12fa47a5e1045755533fe8e11e6706b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5448b5041d342fb72a71583c57bfccc40
SHA182a97bfd58dc0a43f783a10f07e67f5ebbcddb1f
SHA2568315d246e4451334bf275cb9b950a7b2bfbfd036856980d0d5c27f5da1641ab9
SHA5121468f49957dfa3d75a3ddad2198a789df6c717c11ca1d629beb569d181eb2df84838bc6aec3f126b5cab0dd7b916a471e1c42c5740c755f6ec3e81192ff7faf2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5e8ea50f744986c568b08f6bfbe6dbba8
SHA1b1c6878d4c725764aef1dc4bed52a8359e688e1d
SHA25673b6a7a451d104fa7c27b61a900dc9b5446f8dd185da46bf2283092673b321d1
SHA5128f0d0f3d902a6081e6c62f1957bd51e41fdb50ab77254cbf928ff24f97ceb152c3ce6fa36ad55ed27fb20eb3659a3988a2b1dd9348d0001d1258ff86e6c529a2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD521f412975befaee7f5d192005a2423fe
SHA120c2bf390361b80140511505818b4831d65ab6df
SHA256faaf950c4ae2f928707284fa637e2af768700c2579cc45d32f0a05e885285ce8
SHA5120b9d13faafa069df73a373577a799de998f21c97a2e394fde5540f73ef3f918fe46523ca4740bb81590929b0d9d9116e2663bdff7e3661a5881cbb0debba2964
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5ae834d8c8d0bab534b23707d88f651f9
SHA1f7977a01c9fe4541a00eca82224bdacb992997b0
SHA2563d4e02dec8dba272ac4a6b132d60dd8df81b8fc7d90dfc0e821b2fd73f54c3da
SHA512b5dd3a4abaa4467e3b90640ea63d35896124a7658b6cd9443dd4f0455e61a0204e2ac0e254ce7507e260818f527a1cafe75021d3fd043e2a52d46db2ae5b984e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD52c8e0cff76e03294c4fab8ad6fcdd67d
SHA1f4488affe2e50bec68fde98bab4d2864c5a5ce0c
SHA25673599d7e4570aa74e370cd437b5b042e2571b7f86f78401884d068f971029f43
SHA512467830e8909505bbafc5733d31da89ee77e34c04a74174145de0d624f4a34d99bd8a7448978a737534382c0b50427e932af7cfe11b3022bf8a1439302b612514
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeFilesize
1.8MB
MD522aeb43ba6ab6f8985f494951dd988d5
SHA152dbcc33bd585750d8cad31bf2e5d0525cf77440
SHA256a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb
SHA5123432e70efae0c0f2b5dd590e3bf00457c27958905dbf5453ca3a3687509787f8b1fb264ccbe1daccd9bce5dafc2987a8f4a7ab473a9f5effc4dd9d61b5bffaaa
-
C:\Users\Admin\AppData\Local\Temp\1000042001\b61690162d.exeFilesize
3.0MB
MD58f596cf662d3070c4778030b0ebf1697
SHA1ca4e9791887dfd346392e84670f3606e08b0da70
SHA256beac4e6145269334ebaf3d723fa089c0b336dac94ad12da55574b713c496516a
SHA5126db0f316dacf5ee6191d1574316ecc1ac7c90c21faf3d60795cb4fd2f9c57724bb1162286a37b104741ce64e63366480a1468a49bdd114e28110c8577f4b820c
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exeFilesize
894KB
MD52f8912af892c160c1c24c9f38a60c1ab
SHA1d2deae508e262444a8f15c29ebcc7ebbe08a3fdb
SHA25659ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308
SHA5120395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exeFilesize
1.8MB
MD5da3a4922260236756281fd86faee9f41
SHA1c3e479cd6cf9bbc27a090ac448e02f3baa4ad359
SHA256bfa445e1f0447b0634242f1e3118004f3a04fd23a8db560e67de229f709a6385
SHA512bb844606c9280a8c9c8fa6e7934ec1f711f7aa37c5ad381f2e8318433d05f5c6c09cdb3bb7190d223f9cc037502be138fdd8bce1bf293eb6f75454bdd06f5eba
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exeFilesize
301KB
MD5832eb4dc3ed8ceb9a1735bd0c7acaf1b
SHA1b622a406927fbb8f6cd5081bd4455fb831948fca
SHA2562a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7
SHA5123ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exeFilesize
499KB
MD583d0b41c7a3a0d29a268b49a313c5de5
SHA146f3251c771b67b40b1f3268caef8046174909a5
SHA25609cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9
SHA512705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1001051001\Umr.exeFilesize
296B
MD5f2f4183ae342466a505cb5b8dc850ce2
SHA13f6ddc6152d0190108953e410ec62e8abcdc51d1
SHA256fc56488690aec272d2853fb59f6678391f19fc67707ed0e31688d337d5159b7d
SHA512aa5cfb6e787255918880e1e71703c2280e0012ed08d5eaf5a91f8d43d984a8f30107b852bfc74eb1b6004032e4c91cb985629fea3a0a3579ac64564f8c542c73
-
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exeFilesize
2.8MB
MD51e1152424d7721a51a154a725fe2465e
SHA162bc3d11e915e1dbd3cc3ef5a11afec755c995d9
SHA256674cf1a8997ec6ac5b29b8d7eb6a5fb63ce5aaf4b19ff1ec7749b0225c49906c
SHA512752e7912d30a2f006ef79600b7412db61644630471ec44bab1e5b2565ef62ccb490ea69159420bb7626248cc8113fe07c09fa51f5c630646b179d880e18b7c02
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exeFilesize
464KB
MD5c084d6f6ba40534fbfc5a64b21ef99ab
SHA10b4a17da83c0a8abbc8fab321931d5447b32b720
SHA256afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624
SHA512a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1
-
C:\Users\Admin\AppData\Local\Temp\1001054001\Payload.exeFilesize
2.6MB
MD555e393da1714013720ddf266c7906f43
SHA191a636913604184c010c2d9e0b331a804a2c0ab4
SHA2566f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957
SHA51240a61e1d461717e45eff3be6b22561ac39c2ef1af39b46f7d149fe823d14a06bb99605a78e794d6447ece43ce6b4854192e47ad993ed4a2e78479bc7e155fe8a
-
C:\Users\Admin\AppData\Local\Temp\Tmp32D3.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oldomobk.gzv.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmpBA55.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\tmpBA87.tmpFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\tmpD207.tmpFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\tmpDA8A.tmpFilesize
92KB
MD5202f2ef53f2db2c911585e9fc250d7b8
SHA1eb88b73f2fbeb0994b21c08aa71d467ef12c1546
SHA256c6f58d159d4de36d38a1b6c4ebdc89f68ee371086da8f478478d3f581ccedfee
SHA512ec980b528288e9169862b6a7c058bf7794ec8ac68ef10a262d34aecd63d47c41874b23fed43ea85d21d3dfc707b97a549523afbb6aff1ad36ee74a25bc2a0407
-
C:\Users\Admin\AppData\Local\Temp\tmpDB47.tmpFilesize
20KB
MD5c283c815f21d07fddd70caec166cb25f
SHA1f638638593ef5ab17c717bb2c4a24e4dd1539d10
SHA25663988f369b64e4955962fd4719ca45cebaa44a0ca5a7c46d9e411e3e927be38e
SHA512d0508c5ff15271cfd26744cf233172082641d51022f855f683cc5434d412fc61efd62ba0fae975c22281ac41cf2db43d64efb9ba0cc278a070de473b567d0a9b
-
C:\Users\Admin\AppData\Local\Temp\tmpDCDC.tmpFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\a.exeFilesize
2.5MB
MD56fd62e635b39a02ba8cac6fc124c9475
SHA1e13080b9cc546e44a9f1c419ba86aeb190a14b2d
SHA25678b9d7e485026278b02a1961999ad99cdfa988fbf4403767db5d10d1473e9870
SHA512e77432582e6abcc0fd86ed997c9c4619bd67a044d33a752e1cf3ceb8008cea27c540949183b80f9dee8a41614cff54afe79c5db294efcb72b27685fcf1010cdc
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\b.exeFilesize
95KB
MD5184ac479b3a878e9ac5535770ca34a2b
SHA11f99039911cc2cfd1a62ce348429ddd0f4435a60
SHA2568e28a0090832a76cf71c417cb1bf7990b9af86be258b732117a47f624387083c
SHA512e0f5185ae890b902ea5325066df23959106712e7990e120a1b9752bbd0331cac968af5ddd6092f75a1c576d4c83f4093dfbf53a2c90870d1c02b31a0e8282bb4
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
\??\pipe\LOCAL\crashpad_1088_VAYDMLRWIENOWHEHMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1628-132-0x00000000054F0000-0x00000000054F1000-memory.dmpFilesize
4KB
-
memory/1628-161-0x0000000005550000-0x0000000005551000-memory.dmpFilesize
4KB
-
memory/1628-159-0x0000000005560000-0x0000000005561000-memory.dmpFilesize
4KB
-
memory/1628-141-0x0000000005530000-0x0000000005531000-memory.dmpFilesize
4KB
-
memory/1628-109-0x0000000000B70000-0x0000000001030000-memory.dmpFilesize
4.8MB
-
memory/1628-134-0x00000000054D0000-0x00000000054D1000-memory.dmpFilesize
4KB
-
memory/1628-135-0x00000000054E0000-0x00000000054E1000-memory.dmpFilesize
4KB
-
memory/1628-181-0x0000000000B70000-0x0000000001030000-memory.dmpFilesize
4.8MB
-
memory/1628-125-0x0000000000B70000-0x0000000001030000-memory.dmpFilesize
4.8MB
-
memory/1628-126-0x0000000005500000-0x0000000005501000-memory.dmpFilesize
4KB
-
memory/1628-131-0x0000000005510000-0x0000000005511000-memory.dmpFilesize
4KB
-
memory/1628-133-0x0000000005540000-0x0000000005541000-memory.dmpFilesize
4KB
-
memory/1792-11-0x0000000005590000-0x0000000005591000-memory.dmpFilesize
4KB
-
memory/1792-2-0x00000000005F0000-0x0000000000AB0000-memory.dmpFilesize
4.8MB
-
memory/1792-4-0x0000000005560000-0x0000000005561000-memory.dmpFilesize
4KB
-
memory/1792-5-0x0000000005540000-0x0000000005541000-memory.dmpFilesize
4KB
-
memory/1792-6-0x0000000005580000-0x0000000005581000-memory.dmpFilesize
4KB
-
memory/1792-7-0x0000000005520000-0x0000000005521000-memory.dmpFilesize
4KB
-
memory/1792-3-0x0000000005550000-0x0000000005551000-memory.dmpFilesize
4KB
-
memory/1792-1-0x0000000077C94000-0x0000000077C96000-memory.dmpFilesize
8KB
-
memory/1792-8-0x0000000005530000-0x0000000005531000-memory.dmpFilesize
4KB
-
memory/1792-9-0x0000000005570000-0x0000000005571000-memory.dmpFilesize
4KB
-
memory/1792-0-0x00000000005F0000-0x0000000000AB0000-memory.dmpFilesize
4.8MB
-
memory/1792-23-0x00000000005F0000-0x0000000000AB0000-memory.dmpFilesize
4.8MB
-
memory/1792-10-0x00000000055A0000-0x00000000055A1000-memory.dmpFilesize
4KB
-
memory/3280-582-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3280-778-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3280-53-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3280-55-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3280-384-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3280-219-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3280-262-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3280-734-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3380-27-0x00000000049F0000-0x00000000049F1000-memory.dmpFilesize
4KB
-
memory/3380-25-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-30-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/3380-672-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-845-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-28-0x0000000004A20000-0x0000000004A21000-memory.dmpFilesize
4KB
-
memory/3380-329-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-26-0x00000000049E0000-0x00000000049E1000-memory.dmpFilesize
4KB
-
memory/3380-220-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-29-0x00000000049B0000-0x00000000049B1000-memory.dmpFilesize
4KB
-
memory/3380-121-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-776-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-31-0x00000000049C0000-0x00000000049C1000-memory.dmpFilesize
4KB
-
memory/3380-432-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-142-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-32-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/3380-34-0x0000000004A30000-0x0000000004A31000-memory.dmpFilesize
4KB
-
memory/3380-33-0x0000000004A40000-0x0000000004A41000-memory.dmpFilesize
4KB
-
memory/3380-24-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/4152-273-0x0000000004C00000-0x0000000004C01000-memory.dmpFilesize
4KB
-
memory/4152-274-0x0000000004C40000-0x0000000004C41000-memory.dmpFilesize
4KB
-
memory/4152-837-0x0000000000C90000-0x0000000001150000-memory.dmpFilesize
4.8MB
-
memory/4152-261-0x0000000000C90000-0x0000000001150000-memory.dmpFilesize
4.8MB
-
memory/4152-431-0x0000000000C90000-0x0000000001150000-memory.dmpFilesize
4.8MB
-
memory/4152-781-0x0000000000C90000-0x0000000001150000-memory.dmpFilesize
4.8MB
-
memory/4152-270-0x0000000000C90000-0x0000000001150000-memory.dmpFilesize
4.8MB
-
memory/4152-279-0x0000000004C60000-0x0000000004C61000-memory.dmpFilesize
4KB
-
memory/4152-615-0x0000000000C90000-0x0000000001150000-memory.dmpFilesize
4.8MB
-
memory/4152-278-0x0000000004C70000-0x0000000004C71000-memory.dmpFilesize
4KB
-
memory/4152-271-0x0000000004C10000-0x0000000004C11000-memory.dmpFilesize
4KB
-
memory/4152-277-0x0000000004BF0000-0x0000000004BF1000-memory.dmpFilesize
4KB
-
memory/4152-272-0x0000000004C20000-0x0000000004C21000-memory.dmpFilesize
4KB
-
memory/4152-275-0x0000000004BE0000-0x0000000004BE1000-memory.dmpFilesize
4KB
-
memory/5644-260-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/5644-265-0x0000000004CC0000-0x0000000004CC1000-memory.dmpFilesize
4KB
-
memory/5644-276-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/5644-264-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/5644-269-0x0000000004C90000-0x0000000004C91000-memory.dmpFilesize
4KB
-
memory/5644-268-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/5644-267-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/5644-266-0x0000000004CA0000-0x0000000004CA1000-memory.dmpFilesize
4KB
-
memory/5644-263-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/5724-528-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/5768-738-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/6132-236-0x00000204C9500000-0x00000204C9510000-memory.dmpFilesize
64KB
-
memory/6132-233-0x00007FF930080000-0x00007FF930B41000-memory.dmpFilesize
10.8MB
-
memory/6132-235-0x00000204C9500000-0x00000204C9510000-memory.dmpFilesize
64KB
-
memory/6132-234-0x00000204C9500000-0x00000204C9510000-memory.dmpFilesize
64KB
-
memory/6132-221-0x00000204B0E90000-0x00000204B0EB2000-memory.dmpFilesize
136KB
-
memory/6132-317-0x00000204C9830000-0x00000204C9842000-memory.dmpFilesize
72KB
-
memory/6424-477-0x0000000000580000-0x0000000000A40000-memory.dmpFilesize
4.8MB
-
memory/6712-806-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-850-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-810-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-827-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-829-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-831-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-833-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-836-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-800-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-839-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-841-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-803-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-846-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-825-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-856-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-858-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-862-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-785-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-797-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-793-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6780-863-0x0000000000680000-0x0000000000A1D000-memory.dmpFilesize
3.6MB
-
memory/6780-783-0x0000000000680000-0x0000000000A1D000-memory.dmpFilesize
3.6MB
-
memory/6780-700-0x0000000000680000-0x0000000000A1D000-memory.dmpFilesize
3.6MB
-
memory/6780-331-0x0000000000680000-0x0000000000A1D000-memory.dmpFilesize
3.6MB
-
memory/6780-495-0x0000000000680000-0x0000000000A1D000-memory.dmpFilesize
3.6MB