Analysis
-
max time kernel
39s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-03-2024 00:05
Static task
static1
Behavioral task
behavioral1
Sample
a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe
Resource
win10v2004-20240226-en
General
-
Target
a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe
-
Size
1.8MB
-
MD5
22aeb43ba6ab6f8985f494951dd988d5
-
SHA1
52dbcc33bd585750d8cad31bf2e5d0525cf77440
-
SHA256
a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb
-
SHA512
3432e70efae0c0f2b5dd590e3bf00457c27958905dbf5453ca3a3687509787f8b1fb264ccbe1daccd9bce5dafc2987a8f4a7ab473a9f5effc4dd9d61b5bffaaa
-
SSDEEP
49152:ezFG8VqgsE5WUoefxBNyyHvPAbz0CDCxGXyZGeTPxhe:eADuoKDHnKzpCxRFD
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
@OLEH_PSP
185.172.128.33:8970
Extracted
redline
LiveTraffic
4.185.137.132:1632
Signatures
-
Detect ZGRat V1 23 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe family_zgrat_v1 behavioral1/memory/6712-785-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-793-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-797-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-803-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-806-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-800-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-810-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-825-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-827-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-829-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-831-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-833-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-836-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-839-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-841-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-846-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-850-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-856-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-858-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 behavioral1/memory/6712-862-0x0000000005190000-0x00000000053A6000-memory.dmp family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe family_redline C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe family_redline behavioral1/memory/5768-738-0x0000000000400000-0x0000000000450000-memory.dmp family_redline C:\Users\Admin\AppData\Roaming\b.exe family_redline -
SectopRAT payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\b.exe family_sectoprat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
Processes:
explorha.exerandom.exeamadka.exea86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exeexplorha.exeb61690162d.exeamert.exeexplorgu.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amadka.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b61690162d.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amert.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe -
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exerundll32.exerundll32.exeflow pid process 79 5404 rundll32.exe 98 7024 rundll32.exe 124 6672 rundll32.exe -
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
amert.exerandom.exeamadka.exeexplorha.exeexplorgu.exeb61690162d.exea86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exeexplorha.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b61690162d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b61690162d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exeexplorha.exeexplorgu.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation explorha.exe Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation explorgu.exe -
Executes dropped EXE 11 IoCs
Processes:
explorha.exeb61690162d.exego.exeamert.exeexplorha.exeexplorgu.exerandom.exealex1234.exeamadka.exeredlinepanel.exe32456.exepid process 3380 explorha.exe 3280 b61690162d.exe 4636 go.exe 1628 amert.exe 5644 explorha.exe 4152 explorgu.exe 6780 random.exe 5844 alex1234.exe 6424 amadka.exe 2384 redlinepanel.exe 5400 32456.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explorgu.exeexplorha.exerandom.exeamadka.exea86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exeexplorha.exeb61690162d.exeamert.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine explorgu.exe Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine random.exe Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine amadka.exe Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine b61690162d.exe Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine amert.exe -
Loads dropped DLL 5 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exepid process 5412 rundll32.exe 5404 rundll32.exe 7024 rundll32.exe 6156 rundll32.exe 6672 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
explorha.exeexplorgu.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b61690162d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\b61690162d.exe" explorha.exe Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe" explorha.exe Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" explorgu.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exeexplorha.exeamert.exeexplorha.exeexplorgu.exeamadka.exepid process 1792 a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe 3380 explorha.exe 1628 amert.exe 5644 explorha.exe 4152 explorgu.exe 6424 amadka.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
alex1234.exedescription pid process target process PID 5844 set thread context of 5724 5844 alex1234.exe RegAsm.exe -
Drops file in Windows directory 2 IoCs
Processes:
a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exeamert.exedescription ioc process File created C:\Windows\Tasks\explorha.job a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe File created C:\Windows\Tasks\explorgu.job amert.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 4164 sc.exe 6728 sc.exe 6020 sc.exe 6040 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 45 IoCs
Processes:
a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exeexplorha.exeamert.exemsedge.exemsedge.exemsedge.exemsedge.exerundll32.exepowershell.exeexplorha.exeexplorgu.exeidentity_helper.exeamadka.exerundll32.exepid process 1792 a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe 1792 a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe 3380 explorha.exe 3380 explorha.exe 1628 amert.exe 1628 amert.exe 772 msedge.exe 772 msedge.exe 1392 msedge.exe 1392 msedge.exe 5032 msedge.exe 5032 msedge.exe 5764 msedge.exe 5764 msedge.exe 5404 rundll32.exe 5404 rundll32.exe 5404 rundll32.exe 5404 rundll32.exe 5404 rundll32.exe 5404 rundll32.exe 5404 rundll32.exe 5404 rundll32.exe 5404 rundll32.exe 5404 rundll32.exe 6132 powershell.exe 6132 powershell.exe 6132 powershell.exe 5644 explorha.exe 5644 explorha.exe 4152 explorgu.exe 4152 explorgu.exe 6348 identity_helper.exe 6348 identity_helper.exe 6424 amadka.exe 6424 amadka.exe 6672 rundll32.exe 6672 rundll32.exe 6672 rundll32.exe 6672 rundll32.exe 6672 rundll32.exe 6672 rundll32.exe 6672 rundll32.exe 6672 rundll32.exe 6672 rundll32.exe 6672 rundll32.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
msedge.exepid process 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 6132 powershell.exe -
Suspicious use of FindShellTrayWindow 31 IoCs
Processes:
a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exego.exemsedge.exeamert.exepid process 1792 a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe 4636 go.exe 4636 go.exe 4636 go.exe 4636 go.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 1628 amert.exe -
Suspicious use of SendNotifyMessage 28 IoCs
Processes:
go.exemsedge.exepid process 4636 go.exe 4636 go.exe 4636 go.exe 4636 go.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe 5032 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exeexplorha.exego.exemsedge.exemsedge.exemsedge.exedescription pid process target process PID 1792 wrote to memory of 3380 1792 a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe explorha.exe PID 1792 wrote to memory of 3380 1792 a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe explorha.exe PID 1792 wrote to memory of 3380 1792 a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe explorha.exe PID 3380 wrote to memory of 3280 3380 explorha.exe b61690162d.exe PID 3380 wrote to memory of 3280 3380 explorha.exe b61690162d.exe PID 3380 wrote to memory of 3280 3380 explorha.exe b61690162d.exe PID 3380 wrote to memory of 3300 3380 explorha.exe explorha.exe PID 3380 wrote to memory of 3300 3380 explorha.exe explorha.exe PID 3380 wrote to memory of 3300 3380 explorha.exe explorha.exe PID 3380 wrote to memory of 4636 3380 explorha.exe go.exe PID 3380 wrote to memory of 4636 3380 explorha.exe go.exe PID 3380 wrote to memory of 4636 3380 explorha.exe go.exe PID 4636 wrote to memory of 4904 4636 go.exe msedge.exe PID 4636 wrote to memory of 4904 4636 go.exe msedge.exe PID 4636 wrote to memory of 1088 4636 go.exe msedge.exe PID 4636 wrote to memory of 1088 4636 go.exe msedge.exe PID 1088 wrote to memory of 4500 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 4500 1088 msedge.exe msedge.exe PID 4904 wrote to memory of 2392 4904 msedge.exe msedge.exe PID 4904 wrote to memory of 2392 4904 msedge.exe msedge.exe PID 4636 wrote to memory of 5032 4636 go.exe msedge.exe PID 4636 wrote to memory of 5032 4636 go.exe msedge.exe PID 5032 wrote to memory of 4316 5032 msedge.exe msedge.exe PID 5032 wrote to memory of 4316 5032 msedge.exe msedge.exe PID 3380 wrote to memory of 1628 3380 explorha.exe amert.exe PID 3380 wrote to memory of 1628 3380 explorha.exe amert.exe PID 3380 wrote to memory of 1628 3380 explorha.exe amert.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe PID 1088 wrote to memory of 3900 1088 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe"C:\Users\Admin\AppData\Local\Temp\a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000042001\b61690162d.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\b61690162d.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff934e046f8,0x7ff934e04708,0x7ff934e047185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6380048582328833124,15174660947858335723,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,6380048582328833124,15174660947858335723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff934e046f8,0x7ff934e04708,0x7ff934e047185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,2788986010777725122,7316807720168993048,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,2788986010777725122,7316807720168993048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff934e046f8,0x7ff934e04708,0x7ff934e047185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5480723224062898938,13397559253931680077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\134859772495_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\134859772495_Desktop.zip' -CompressionLevel Optimal4⤵
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
-
C:\Users\Admin\AppData\Local\Temp\1001054001\Payload.exe"C:\Users\Admin\AppData\Local\Temp\1001054001\Payload.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdABpACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAcABhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGkAcwAgAGMAbwBtAHAAdQB0AGUAcgAgAGkAcwAgAG4AbwB0ACAAcwB1AHAAcABvAHIAdABlAGQALAAgAHAAbABlAGEAcwBlACAAdAByAHkAIABhAGcAYQBpAG4AIABvAG4AIABhAG4AbwB0AGgAZQByACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB5AGMAYQAjAD4A"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbABmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAagBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAcAB5ACMAPgA="3⤵
-
C:\Users\Admin\AppData\Roaming\a.exe"C:\Users\Admin\AppData\Roaming\a.exe"3⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "TDFIYZSJ"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "TDFIYZSJ" binpath= "C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe" start= "auto"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "TDFIYZSJ"4⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Roaming\b.exe"C:\Users\Admin\AppData\Roaming\b.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe1⤵
-
C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exeC:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe1⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\system32\conhost.execonhost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57c6136bc98a5aedca2ea3004e9fbe67d
SHA174318d997f4c9c351eef86d040bc9b085ce1ad4f
SHA25650c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2
SHA5122d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55c6aef82e50d05ffc0cf52a6c6d69c91
SHA1c203efe5b45b0630fee7bd364fe7d63b769e2351
SHA256d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32
SHA51277ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD54cfda73723784ba63a8afebe5144dc29
SHA10e40517c70192968ec58bfcd7c83fdb05eef7926
SHA256f19900bcda58b26d80b19a96172bb8e3b8cdae0a0fafce70ef8efa976b22aa10
SHA512b403940a13108fec332e3892910491e7ba64bf4d4091bb3386540065582df47bef5a6d1afe2fcb1e6801d51a8ea80028fa4424b28fbd2bce43063a975a9ad05f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b3b1f470ce6c2b66c7cb2631b1c3601e
SHA13e2cc6cecfe91ce2a83b5e341cc03bb92d72ae7a
SHA25687b96aca6b849ab58689e5bbcba8c328d0fea38d5c46cb93408cee5e26216e0a
SHA512eb08e3aadeefd7afe750557aae9f778d728e45289a2bc291ade4fa4fc41c08198b24c20dab7635e44ebb755374d6d8b7bdd8e0de64ab848b51c6c7bc2f176e27
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD55521edccdea5812be4a9aca4813bf403
SHA1edfc4fe2a570ef00c3a383909d7ae4c321d66419
SHA25606dc0e3c037063807ef76434c3367b16b34b600d8e93fab4c18ec11433f72484
SHA512fe3f992fe86a0a9d43fd763c3be8a588f949e5d693366491b22ede0ebe20e96f757f299fe2c62d9bf5030b6b276700a86d84d5c0e0f2cef5531b4002f347a7e6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
705B
MD577d7364f1df82427a45e5f0193c06041
SHA1f433ce4ea2575044cf7e8b0158764a22084de904
SHA25673083bcfb38e1422b280b553232298258714031475b0f85970c63d46e356d1ed
SHA5120fe58e29dd7c9fb612f4b69bfa956fec66fda200fbb430a959503801ed86f47a18f27012e114d8b982aa3d55d646bb4e4fb64aec9a3e7abd35144c36092f1677
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
703B
MD548dd8a221bbab3ea1dbb6962168a740b
SHA1bdf2b2008405d03741fc769248df861f656c6161
SHA256f2455fd8c275be3a4fffb2c15ccaa2f5c082a760b9aef49383178c9af8975b10
SHA51232a51f3918d2dec5887d2f975abf2724f28a2e4dc66082dc884b67a8fa920bc0f0445da722c5864683fa63bd870ff4dab9db6bab1ea7546dea093e8c762adb09
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5854f1.TMPFilesize
705B
MD5e78d1c3a0f929e93031bafceee3a1bbe
SHA11e6c7c6f407045dd4a2cb8f48c5934a02725fb07
SHA256ab30bbf9116754b71af0bfaf021f4d7446834ef1e6fe2b0aaf68fa084e561e0c
SHA512992ae6f09c7fdd5c31a83f676d23dd41cd53a39da019dbca872f7308490d4ac01e45a357eb3c9de93855801743b96b57d12fa47a5e1045755533fe8e11e6706b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5448b5041d342fb72a71583c57bfccc40
SHA182a97bfd58dc0a43f783a10f07e67f5ebbcddb1f
SHA2568315d246e4451334bf275cb9b950a7b2bfbfd036856980d0d5c27f5da1641ab9
SHA5121468f49957dfa3d75a3ddad2198a789df6c717c11ca1d629beb569d181eb2df84838bc6aec3f126b5cab0dd7b916a471e1c42c5740c755f6ec3e81192ff7faf2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5e8ea50f744986c568b08f6bfbe6dbba8
SHA1b1c6878d4c725764aef1dc4bed52a8359e688e1d
SHA25673b6a7a451d104fa7c27b61a900dc9b5446f8dd185da46bf2283092673b321d1
SHA5128f0d0f3d902a6081e6c62f1957bd51e41fdb50ab77254cbf928ff24f97ceb152c3ce6fa36ad55ed27fb20eb3659a3988a2b1dd9348d0001d1258ff86e6c529a2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD521f412975befaee7f5d192005a2423fe
SHA120c2bf390361b80140511505818b4831d65ab6df
SHA256faaf950c4ae2f928707284fa637e2af768700c2579cc45d32f0a05e885285ce8
SHA5120b9d13faafa069df73a373577a799de998f21c97a2e394fde5540f73ef3f918fe46523ca4740bb81590929b0d9d9116e2663bdff7e3661a5881cbb0debba2964
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5ae834d8c8d0bab534b23707d88f651f9
SHA1f7977a01c9fe4541a00eca82224bdacb992997b0
SHA2563d4e02dec8dba272ac4a6b132d60dd8df81b8fc7d90dfc0e821b2fd73f54c3da
SHA512b5dd3a4abaa4467e3b90640ea63d35896124a7658b6cd9443dd4f0455e61a0204e2ac0e254ce7507e260818f527a1cafe75021d3fd043e2a52d46db2ae5b984e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD52c8e0cff76e03294c4fab8ad6fcdd67d
SHA1f4488affe2e50bec68fde98bab4d2864c5a5ce0c
SHA25673599d7e4570aa74e370cd437b5b042e2571b7f86f78401884d068f971029f43
SHA512467830e8909505bbafc5733d31da89ee77e34c04a74174145de0d624f4a34d99bd8a7448978a737534382c0b50427e932af7cfe11b3022bf8a1439302b612514
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeFilesize
1.8MB
MD522aeb43ba6ab6f8985f494951dd988d5
SHA152dbcc33bd585750d8cad31bf2e5d0525cf77440
SHA256a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb
SHA5123432e70efae0c0f2b5dd590e3bf00457c27958905dbf5453ca3a3687509787f8b1fb264ccbe1daccd9bce5dafc2987a8f4a7ab473a9f5effc4dd9d61b5bffaaa
-
C:\Users\Admin\AppData\Local\Temp\1000042001\b61690162d.exeFilesize
3.0MB
MD58f596cf662d3070c4778030b0ebf1697
SHA1ca4e9791887dfd346392e84670f3606e08b0da70
SHA256beac4e6145269334ebaf3d723fa089c0b336dac94ad12da55574b713c496516a
SHA5126db0f316dacf5ee6191d1574316ecc1ac7c90c21faf3d60795cb4fd2f9c57724bb1162286a37b104741ce64e63366480a1468a49bdd114e28110c8577f4b820c
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exeFilesize
894KB
MD52f8912af892c160c1c24c9f38a60c1ab
SHA1d2deae508e262444a8f15c29ebcc7ebbe08a3fdb
SHA25659ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308
SHA5120395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exeFilesize
1.8MB
MD5da3a4922260236756281fd86faee9f41
SHA1c3e479cd6cf9bbc27a090ac448e02f3baa4ad359
SHA256bfa445e1f0447b0634242f1e3118004f3a04fd23a8db560e67de229f709a6385
SHA512bb844606c9280a8c9c8fa6e7934ec1f711f7aa37c5ad381f2e8318433d05f5c6c09cdb3bb7190d223f9cc037502be138fdd8bce1bf293eb6f75454bdd06f5eba
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exeFilesize
301KB
MD5832eb4dc3ed8ceb9a1735bd0c7acaf1b
SHA1b622a406927fbb8f6cd5081bd4455fb831948fca
SHA2562a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7
SHA5123ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exeFilesize
499KB
MD583d0b41c7a3a0d29a268b49a313c5de5
SHA146f3251c771b67b40b1f3268caef8046174909a5
SHA25609cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9
SHA512705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1001051001\Umr.exeFilesize
296B
MD5f2f4183ae342466a505cb5b8dc850ce2
SHA13f6ddc6152d0190108953e410ec62e8abcdc51d1
SHA256fc56488690aec272d2853fb59f6678391f19fc67707ed0e31688d337d5159b7d
SHA512aa5cfb6e787255918880e1e71703c2280e0012ed08d5eaf5a91f8d43d984a8f30107b852bfc74eb1b6004032e4c91cb985629fea3a0a3579ac64564f8c542c73
-
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exeFilesize
2.8MB
MD51e1152424d7721a51a154a725fe2465e
SHA162bc3d11e915e1dbd3cc3ef5a11afec755c995d9
SHA256674cf1a8997ec6ac5b29b8d7eb6a5fb63ce5aaf4b19ff1ec7749b0225c49906c
SHA512752e7912d30a2f006ef79600b7412db61644630471ec44bab1e5b2565ef62ccb490ea69159420bb7626248cc8113fe07c09fa51f5c630646b179d880e18b7c02
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exeFilesize
464KB
MD5c084d6f6ba40534fbfc5a64b21ef99ab
SHA10b4a17da83c0a8abbc8fab321931d5447b32b720
SHA256afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624
SHA512a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1
-
C:\Users\Admin\AppData\Local\Temp\1001054001\Payload.exeFilesize
2.6MB
MD555e393da1714013720ddf266c7906f43
SHA191a636913604184c010c2d9e0b331a804a2c0ab4
SHA2566f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957
SHA51240a61e1d461717e45eff3be6b22561ac39c2ef1af39b46f7d149fe823d14a06bb99605a78e794d6447ece43ce6b4854192e47ad993ed4a2e78479bc7e155fe8a
-
C:\Users\Admin\AppData\Local\Temp\Tmp32D3.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oldomobk.gzv.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmpBA55.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\tmpBA87.tmpFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\tmpD207.tmpFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\tmpDA8A.tmpFilesize
92KB
MD5202f2ef53f2db2c911585e9fc250d7b8
SHA1eb88b73f2fbeb0994b21c08aa71d467ef12c1546
SHA256c6f58d159d4de36d38a1b6c4ebdc89f68ee371086da8f478478d3f581ccedfee
SHA512ec980b528288e9169862b6a7c058bf7794ec8ac68ef10a262d34aecd63d47c41874b23fed43ea85d21d3dfc707b97a549523afbb6aff1ad36ee74a25bc2a0407
-
C:\Users\Admin\AppData\Local\Temp\tmpDB47.tmpFilesize
20KB
MD5c283c815f21d07fddd70caec166cb25f
SHA1f638638593ef5ab17c717bb2c4a24e4dd1539d10
SHA25663988f369b64e4955962fd4719ca45cebaa44a0ca5a7c46d9e411e3e927be38e
SHA512d0508c5ff15271cfd26744cf233172082641d51022f855f683cc5434d412fc61efd62ba0fae975c22281ac41cf2db43d64efb9ba0cc278a070de473b567d0a9b
-
C:\Users\Admin\AppData\Local\Temp\tmpDCDC.tmpFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\a.exeFilesize
2.5MB
MD56fd62e635b39a02ba8cac6fc124c9475
SHA1e13080b9cc546e44a9f1c419ba86aeb190a14b2d
SHA25678b9d7e485026278b02a1961999ad99cdfa988fbf4403767db5d10d1473e9870
SHA512e77432582e6abcc0fd86ed997c9c4619bd67a044d33a752e1cf3ceb8008cea27c540949183b80f9dee8a41614cff54afe79c5db294efcb72b27685fcf1010cdc
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\b.exeFilesize
95KB
MD5184ac479b3a878e9ac5535770ca34a2b
SHA11f99039911cc2cfd1a62ce348429ddd0f4435a60
SHA2568e28a0090832a76cf71c417cb1bf7990b9af86be258b732117a47f624387083c
SHA512e0f5185ae890b902ea5325066df23959106712e7990e120a1b9752bbd0331cac968af5ddd6092f75a1c576d4c83f4093dfbf53a2c90870d1c02b31a0e8282bb4
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
\??\pipe\LOCAL\crashpad_1088_VAYDMLRWIENOWHEHMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1628-132-0x00000000054F0000-0x00000000054F1000-memory.dmpFilesize
4KB
-
memory/1628-161-0x0000000005550000-0x0000000005551000-memory.dmpFilesize
4KB
-
memory/1628-159-0x0000000005560000-0x0000000005561000-memory.dmpFilesize
4KB
-
memory/1628-141-0x0000000005530000-0x0000000005531000-memory.dmpFilesize
4KB
-
memory/1628-109-0x0000000000B70000-0x0000000001030000-memory.dmpFilesize
4.8MB
-
memory/1628-134-0x00000000054D0000-0x00000000054D1000-memory.dmpFilesize
4KB
-
memory/1628-135-0x00000000054E0000-0x00000000054E1000-memory.dmpFilesize
4KB
-
memory/1628-181-0x0000000000B70000-0x0000000001030000-memory.dmpFilesize
4.8MB
-
memory/1628-125-0x0000000000B70000-0x0000000001030000-memory.dmpFilesize
4.8MB
-
memory/1628-126-0x0000000005500000-0x0000000005501000-memory.dmpFilesize
4KB
-
memory/1628-131-0x0000000005510000-0x0000000005511000-memory.dmpFilesize
4KB
-
memory/1628-133-0x0000000005540000-0x0000000005541000-memory.dmpFilesize
4KB
-
memory/1792-11-0x0000000005590000-0x0000000005591000-memory.dmpFilesize
4KB
-
memory/1792-2-0x00000000005F0000-0x0000000000AB0000-memory.dmpFilesize
4.8MB
-
memory/1792-4-0x0000000005560000-0x0000000005561000-memory.dmpFilesize
4KB
-
memory/1792-5-0x0000000005540000-0x0000000005541000-memory.dmpFilesize
4KB
-
memory/1792-6-0x0000000005580000-0x0000000005581000-memory.dmpFilesize
4KB
-
memory/1792-7-0x0000000005520000-0x0000000005521000-memory.dmpFilesize
4KB
-
memory/1792-3-0x0000000005550000-0x0000000005551000-memory.dmpFilesize
4KB
-
memory/1792-1-0x0000000077C94000-0x0000000077C96000-memory.dmpFilesize
8KB
-
memory/1792-8-0x0000000005530000-0x0000000005531000-memory.dmpFilesize
4KB
-
memory/1792-9-0x0000000005570000-0x0000000005571000-memory.dmpFilesize
4KB
-
memory/1792-0-0x00000000005F0000-0x0000000000AB0000-memory.dmpFilesize
4.8MB
-
memory/1792-23-0x00000000005F0000-0x0000000000AB0000-memory.dmpFilesize
4.8MB
-
memory/1792-10-0x00000000055A0000-0x00000000055A1000-memory.dmpFilesize
4KB
-
memory/3280-582-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3280-778-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3280-53-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3280-55-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3280-384-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3280-219-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3280-262-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3280-734-0x00000000008E0000-0x0000000000C7D000-memory.dmpFilesize
3.6MB
-
memory/3380-27-0x00000000049F0000-0x00000000049F1000-memory.dmpFilesize
4KB
-
memory/3380-25-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-30-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/3380-672-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-845-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-28-0x0000000004A20000-0x0000000004A21000-memory.dmpFilesize
4KB
-
memory/3380-329-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-26-0x00000000049E0000-0x00000000049E1000-memory.dmpFilesize
4KB
-
memory/3380-220-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-29-0x00000000049B0000-0x00000000049B1000-memory.dmpFilesize
4KB
-
memory/3380-121-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-776-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-31-0x00000000049C0000-0x00000000049C1000-memory.dmpFilesize
4KB
-
memory/3380-432-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-142-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/3380-32-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/3380-34-0x0000000004A30000-0x0000000004A31000-memory.dmpFilesize
4KB
-
memory/3380-33-0x0000000004A40000-0x0000000004A41000-memory.dmpFilesize
4KB
-
memory/3380-24-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/4152-273-0x0000000004C00000-0x0000000004C01000-memory.dmpFilesize
4KB
-
memory/4152-274-0x0000000004C40000-0x0000000004C41000-memory.dmpFilesize
4KB
-
memory/4152-837-0x0000000000C90000-0x0000000001150000-memory.dmpFilesize
4.8MB
-
memory/4152-261-0x0000000000C90000-0x0000000001150000-memory.dmpFilesize
4.8MB
-
memory/4152-431-0x0000000000C90000-0x0000000001150000-memory.dmpFilesize
4.8MB
-
memory/4152-781-0x0000000000C90000-0x0000000001150000-memory.dmpFilesize
4.8MB
-
memory/4152-270-0x0000000000C90000-0x0000000001150000-memory.dmpFilesize
4.8MB
-
memory/4152-279-0x0000000004C60000-0x0000000004C61000-memory.dmpFilesize
4KB
-
memory/4152-615-0x0000000000C90000-0x0000000001150000-memory.dmpFilesize
4.8MB
-
memory/4152-278-0x0000000004C70000-0x0000000004C71000-memory.dmpFilesize
4KB
-
memory/4152-271-0x0000000004C10000-0x0000000004C11000-memory.dmpFilesize
4KB
-
memory/4152-277-0x0000000004BF0000-0x0000000004BF1000-memory.dmpFilesize
4KB
-
memory/4152-272-0x0000000004C20000-0x0000000004C21000-memory.dmpFilesize
4KB
-
memory/4152-275-0x0000000004BE0000-0x0000000004BE1000-memory.dmpFilesize
4KB
-
memory/5644-260-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/5644-265-0x0000000004CC0000-0x0000000004CC1000-memory.dmpFilesize
4KB
-
memory/5644-276-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/5644-264-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/5644-269-0x0000000004C90000-0x0000000004C91000-memory.dmpFilesize
4KB
-
memory/5644-268-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/5644-267-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/5644-266-0x0000000004CA0000-0x0000000004CA1000-memory.dmpFilesize
4KB
-
memory/5644-263-0x0000000000010000-0x00000000004D0000-memory.dmpFilesize
4.8MB
-
memory/5724-528-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/5768-738-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/6132-236-0x00000204C9500000-0x00000204C9510000-memory.dmpFilesize
64KB
-
memory/6132-233-0x00007FF930080000-0x00007FF930B41000-memory.dmpFilesize
10.8MB
-
memory/6132-235-0x00000204C9500000-0x00000204C9510000-memory.dmpFilesize
64KB
-
memory/6132-234-0x00000204C9500000-0x00000204C9510000-memory.dmpFilesize
64KB
-
memory/6132-221-0x00000204B0E90000-0x00000204B0EB2000-memory.dmpFilesize
136KB
-
memory/6132-317-0x00000204C9830000-0x00000204C9842000-memory.dmpFilesize
72KB
-
memory/6424-477-0x0000000000580000-0x0000000000A40000-memory.dmpFilesize
4.8MB
-
memory/6712-806-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-850-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-810-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-827-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-829-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-831-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-833-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-836-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-800-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-839-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-841-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-803-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-846-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-825-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-856-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-858-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-862-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-785-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-797-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6712-793-0x0000000005190000-0x00000000053A6000-memory.dmpFilesize
2.1MB
-
memory/6780-863-0x0000000000680000-0x0000000000A1D000-memory.dmpFilesize
3.6MB
-
memory/6780-783-0x0000000000680000-0x0000000000A1D000-memory.dmpFilesize
3.6MB
-
memory/6780-700-0x0000000000680000-0x0000000000A1D000-memory.dmpFilesize
3.6MB
-
memory/6780-331-0x0000000000680000-0x0000000000A1D000-memory.dmpFilesize
3.6MB
-
memory/6780-495-0x0000000000680000-0x0000000000A1D000-memory.dmpFilesize
3.6MB