Analysis

max time kernel: 140s
max time network: 174s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 29-03-2024 01:12

Static task: static1

Behavioral task: behavioral1
Sample: e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
Resource: win10v2004-20240226-en

Behavioral task: behavioral2
Sample: e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
Resource: win11-20240221-en
General

Target: e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
Size: 1.8MB
MD5: c67f86a4d71035df46b89d1b630c3cbb
SHA1: 1c1911efdd9ed8e7289b3a6a444b1c5afd7ab9a6
SHA256: e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5
SHA512: e329c0433eb91d7026cdc7aaf2c2d0d25a997533d6d870c26c298632f8bbf6a3e8ddb9c78282979c9455bb22d816178e93b954c71b826433896fdd68a30fe784
SSDEEP: 49152:bwFA3XkkrXUwmkHadZQVjkRK3VaLHkhG0RWN1MIrO2bJP:USX7DUwHwUjkRKFThG0A15rdbN
Malware Config

Extracted: amadey 4.18
C2: http://193.233.132.56
install_dir: 09fd851a4f
install_file: explorha.exe
strings_key: 443351145ece4966ded809641c77cfa8
url_paths: /Pneh2sXQk0/index.php

Extracted: amadey 4.17
C2: http://185.215.113.32
install_dir: 00c07260dc
install_file: explorgu.exe
strings_key: 461809bd97c251ba0c0c8450c7055f1d
url_paths: /yandex/index.php

Extracted: redline
Botnet: LiveTraffic
C2: 4.185.137.132:1632
Signatures
Detect ZGRat V1 (18 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe | family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe | family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe | family_zgrat_v1
behavioral2/memory/200-<id>-0x0000000005D40000-0x0000000005F56000-memory.dmp | family_zgrat_v1 (15 dumps of PID 200, ids 822, 824, 828, 834, 848, 851, 858, 862, 866, 870, 883, 887, 895, 899, 901)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (6 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe | family_redline
behavioral2/memory/4196-752-0x0000000000400000-0x0000000000450000-memory.dmp | family_redline
C:\Users\Admin\AppData\Roaming\b.exe | family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe | family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe | family_redline

SectopRAT payload (1 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Roaming\b.exe | family_sectoprat
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 9 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 028feab495.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorha.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorgu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorha.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | amert.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorha.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | random.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | amadka.exe

Blocklisted process makes network request (4 IoCs)
flow | pid | process
36 | 4832 | rundll32.exe
40 | 3240 | rundll32.exe
59 | 3272 | rundll32.exe
63 | 3800 | rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 18 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorgu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | amert.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorgu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | random.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | amadka.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | amadka.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | random.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 028feab495.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 028feab495.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | amert.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorha.exe
Executes dropped EXE (17 IoCs)
pid | process
2868 | explorha.exe
3672 | 028feab495.exe
1756 | go.exe
768 | amert.exe
5244 | explorha.exe
3680 | explorgu.exe
3232 | explorha.exe
3248 | random.exe
4888 | alex1234.exe
5864 | redlinepanel.exe
4424 | amadka.exe
1116 | 32456.exe
2016 | NewB.exe
200 | Eljlre.exe
4320 | goldprimeldlldf.exe
3908 | Payload.exe
4980 | file300un.exe
Note: PID 4888 appears here as alex1234.exe and under "Loads dropped DLL" as rundll32.exe; the PID was reused within the run, so correlate these tables on image name and parent rather than on PID alone.
Identifies Wine through registry keys (2 TTPs, 9 IoCs)
Wine is a compatibility layer that runs Windows applications on other operating systems; some sandboxes are built on it, so the presence of its registry key is treated as an analysis-environment tell.
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine | amert.exe
Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine | explorha.exe
Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine | explorgu.exe
Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine | amadka.exe
Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine | explorha.exe
Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine | 028feab495.exe
Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine | random.exe
Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine | e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine | explorha.exe
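The three registry probes recorded above (the VBOX__ ACPI key, the SystemBiosVersion and VideoBiosVersion values, and the Software\Wine key) are what an analysis VM has to hide before this loader and its drops will proceed. The script below is an added example, not code from the report or from the malware: it replays those checks against a registry snapshot so a sandbox image can be audited before detonation. On Windows it reads the live registry; elsewhere it runs on a constructed VirtualBox snapshot. The VM_MARKERS substring list is an assumption, since the report records only which values are read, not what they are compared against.

```python
r"""Replay of the sandbox fingerprint checks this sample's Amadey components
perform (an added example, not code from the report or from the malware).

The report records the loader and its drops opening HKLM\HARDWARE\ACPI\DSDT\VBOX__,
querying SystemBiosVersion and VideoBiosVersion, and opening HKCU\Software\Wine.
The vendor strings the malware compares the BIOS values against are not in the
report; VM_MARKERS is an assumption listing the markers such checks usually use.
"""
import sys

# Locations taken from the report's registry IoCs.
VBOX_ACPI_KEY = r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System"
BIOS_VALUES = ("SystemBiosVersion", "VideoBiosVersion")
WINE_KEY = r"HKCU\Software\Wine"

# ASSUMPTION: substrings a VM-aware loader typically looks for in BIOS strings.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "PARALLELS")


def _as_text(value):
    """REG_MULTI_SZ comes back as a list of strings; flatten to one string."""
    if isinstance(value, (list, tuple)):
        return " ".join(str(v) for v in value)
    return str(value)


def evaluate(snapshot):
    """Return the fingerprint checks that fire on a registry snapshot.

    snapshot maps a key path to None (key absent) or to a dict of value
    name -> value for that key. An empty dict means "key exists, no values".
    """
    fired = []
    if snapshot.get(VBOX_ACPI_KEY) is not None:
        fired.append("acpi_vbox_key_present")
    if snapshot.get(WINE_KEY) is not None:
        fired.append("wine_key_present")
    bios = snapshot.get(BIOS_KEY) or {}
    for name in BIOS_VALUES:
        if name not in bios:
            continue
        text = _as_text(bios[name]).upper()
        marker = next((m for m in VM_MARKERS if m in text), None)
        if marker:
            fired.append(f"{name}_contains_{marker}")
    return fired


def collect_live_snapshot():
    """Read the same three locations from the local registry (Windows only)."""
    import winreg

    def open_key(root, path):
        try:
            return winreg.OpenKey(root, path)
        except OSError:
            return None

    vbox = open_key(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\ACPI\DSDT\VBOX__")
    wine = open_key(winreg.HKEY_CURRENT_USER, r"Software\Wine")
    bios = open_key(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System")
    values = {}
    if bios is not None:
        for name in BIOS_VALUES:
            try:
                values[name] = winreg.QueryValueEx(bios, name)[0]
            except OSError:
                pass  # value not present on this machine
    return {
        VBOX_ACPI_KEY: {} if vbox is not None else None,
        WINE_KEY: {} if wine is not None else None,
        BIOS_KEY: values if bios is not None else None,
    }


# Constructed snapshots (not taken from the report): a stock VirtualBox guest,
# and the same guest after the BIOS strings were patched and the keys removed.
STOCK_VBOX = {
    VBOX_ACPI_KEY: {},
    WINE_KEY: None,
    BIOS_KEY: {"SystemBiosVersion": ["VBOX   - 1"],
               "VideoBiosVersion": ["Oracle VM VirtualBox Version 7.0.14 VGA BIOS"]},
}
HARDENED = {
    VBOX_ACPI_KEY: None,
    WINE_KEY: None,
    BIOS_KEY: {"SystemBiosVersion": ["DELL   - 1072009"],
               "VideoBiosVersion": ["Intel Video BIOS"]},
}

if __name__ == "__main__":
    snap = collect_live_snapshot() if sys.platform == "win32" else STOCK_VBOX
    print(evaluate(snap) or "no sandbox fingerprint found")
```

Run it inside the analysis VM as the user the sample will run as: the Wine check is against HKCU, so the result depends on the logged-on account, and an empty result is what you want to see before detonating a sample from this family.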
Loads dropped DLL (6 IoCs)
pid | process
4888 | rundll32.exe
3240 | rundll32.exe
4832 | rundll32.exe
5284 | rundll32.exe
3272 | rundll32.exe
3800 | rundll32.exe

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\028feab495.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\028feab495.exe" | explorha.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe" | explorha.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" | explorgu.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
pid | process
3356 | e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
2868 | explorha.exe
768 | amert.exe
5244 | explorha.exe
3680 | explorgu.exe
3232 | explorha.exe
4424 | amadka.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | process | target process
set thread context of PID 4196 | 4320 | goldprimeldlldf.exe | RegAsm.exe
set thread context of PID 2820 | 4888 | alex1234.exe | RegAsm.exe

Drops file in Windows directory (2 IoCs)
description | ioc | process
File created | C:\Windows\Tasks\explorha.job | e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
File created | C:\Windows\Tasks\explorgu.job | amert.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Suspicious behavior: EnumeratesProcesses (52 IoCs)
pid | process | hits
3356 | e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe | 2
2868 | explorha.exe | 2
3240 | rundll32.exe | 10
3040 | msedge.exe | 2
2324 | msedge.exe | 2
768 | amert.exe | 2
2172 | msedge.exe | 2
5388 | msedge.exe | 2
5244 | explorha.exe | 2
5436 | powershell.exe | 3
2800 | msedge.exe | 2
4372 | identity_helper.exe | 2
3680 | explorgu.exe | 2
3232 | explorha.exe | 2
4424 | amadka.exe | 2
3272 | rundll32.exe | 10
5492 | powershell.exe | 3

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
pid | process | hits
2172 | msedge.exe | 10

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | process
Token: SeDebugPrivilege | 5436 | powershell.exe
Token: SeDebugPrivilege | 1116 | 32456.exe
Token: SeDebugPrivilege | 5492 | powershell.exe
Token: SeDebugPrivilege | 200 | Eljlre.exe

Suspicious use of FindShellTrayWindow (30 IoCs)
pid | process | hits
3356 | e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe | 1
1756 | go.exe | 4
2172 | msedge.exe | 25

Suspicious use of SendNotifyMessage (16 IoCs)
pid | process | hits
1756 | go.exe | 4
2172 | msedge.exe | 12

Suspicious use of WriteProcessMemory (64 IoCs)
source pid | source process | target pid | target process | hits
3356 | e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe | 2868 | explorha.exe | 3
2868 | explorha.exe | 3672 | 028feab495.exe | 3
2868 | explorha.exe | 2740 | explorha.exe | 3
2868 | explorha.exe | 1756 | go.exe | 3
1756 | go.exe | 3184 | msedge.exe | 2
3184 | msedge.exe | 408 | msedge.exe | 2
1756 | go.exe | 2172 | msedge.exe | 2
2172 | msedge.exe | 1152 | msedge.exe | 2
1756 | go.exe | 4652 | msedge.exe | 2
2868 | explorha.exe | 4888 | rundll32.exe | 3
4652 | msedge.exe | 1056 | msedge.exe | 2
4888 | rundll32.exe | 3240 | rundll32.exe | 2
2868 | explorha.exe | 768 | amert.exe | 3
2172 | msedge.exe | 864 | msedge.exe | 32
Processes

[1] C:\Users\Admin\AppData\Local\Temp\e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\1000042001\028feab495.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\1000042001\028feab495.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys

    [3] C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

    [3] C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff84ba13cb8,0x7ff84ba13cc8,0x7ff84ba13cd8

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1748,8842255078333989568,4742450409896715244,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1748,8842255078333989568,4742450409896715244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84ba13cb8,0x7ff84ba13cc8,0x7ff84ba13cd8

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7148 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,4578466186042288054,16537196899612176272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6460 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff84ba13cb8,0x7ff84ba13cc8,0x7ff84ba13cd8

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,13234737412589391013,11876684398434716876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\852399462405_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\852399462405_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1001054001\Payload.exe"C:\Users\Admin\AppData\Local\Temp\1001054001\Payload.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdABpACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAcABhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGkAcwAgAGMAbwBtAHAAdQB0AGUAcgAgAGkAcwAgAG4AbwB0ACAAcwB1AHAAcABvAHIAdABlAGQALAAgAHAAbABlAGEAcwBlACAAdAByAHkAIABhAGcAYQBpAG4AIABvAG4AIABhAG4AbwB0AGgAZQByACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB5AGMAYQAjAD4A"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbABmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAagBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAcAB5ACMAPgA="3⤵
-
C:\Users\Admin\AppData\Roaming\a.exe"C:\Users\Admin\AppData\Roaming\a.exe"3⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
-
C:\Users\Admin\AppData\Roaming\b.exe"C:\Users\Admin\AppData\Roaming\b.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵
-
C:\Users\Admin\Pictures\8rel7TXKDfMAjwbwzpl8EmnW.exe"C:\Users\Admin\Pictures\8rel7TXKDfMAjwbwzpl8EmnW.exe"4⤵
-
C:\Users\Admin\Pictures\qqdIgrWv9y0DHnRiYidIgdUw.exe"C:\Users\Admin\Pictures\qqdIgrWv9y0DHnRiYidIgdUw.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
C:\Users\Admin\Pictures\Uw0X3o1l8jUbAsPrDULPLjxC.exe"C:\Users\Admin\Pictures\Uw0X3o1l8jUbAsPrDULPLjxC.exe"4⤵
-
C:\Users\Admin\Pictures\vr6dxF57XXSr9QZgUQetXLBq.exe"C:\Users\Admin\Pictures\vr6dxF57XXSr9QZgUQetXLBq.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Credential Access
- Unsecured Credentials (3)
- Credentials In Files (2)
- Credentials in Registry (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 341f6b71eb8fcb1e52a749a673b2819c
SHA1 6c81b6acb3ce5f64180cb58a6aae927b882f4109
SHA256 57934852f04cef38bb4acbe4407f707f137fada0c36bab71b2cdfd58cc030a29
SHA512 57ecaa087bc5626752f89501c635a2da8404dbda89260895910a9cc31203e15095eba2e1ce9eee1481f02a43d0df77b75cb9b0d77a3bc3b894fdd1cf0f6ce6f9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 88e9aaca62aa2aed293699f139d7e7e1
SHA1 09d9ccfbdff9680366291d5d1bc311b0b56a05e9
SHA256 27dcdb1cddab5d56ac53cff93489038de93f61b5504f8595b1eb2d3124bbc12c
SHA512 d90dabe34504dde422f5f6dec87851af8f4849f521759a768dfa0a38f50827b099dfde256d8f8467460c289bdb168358b2678772b8b49418c23b882ba21d4793
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 960B
MD5 992ae8de6277ed25e534b7ee597e32ed
SHA1 f5a8c0ae73d9b5dea7491f004656b1bb8d56d949
SHA256 67fe6a36b3294e6d503dac10518a3ad09b60989c7646a56ac1eb1389fe37fc6f
SHA512 4e6de51910eb812ad9ed7fea098c35e300552a0369ff3c46322b2d3fc158a480c37898015f4c0896c58d9cc4f5ebd2b5b4e1895642e1b19f3ef0af66b4e745bb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize 2KB
MD5 c14581fc8232cbc2953fa335c91d39bb
SHA1 0c73ea077256835d7300cc873cbc26fb8561410b
SHA256 1017ac1d2ae4cb2d8ee8fa2f96b0c58dd0b05a77aa130850004a6ec1b6cbe3a1
SHA512 edcd9b9363bb9fa2a83c1629d05fdbc416809fb8ea502f65a60cc1ce48a6b89460bb769d524bbab632a79d12e7c68b25592f185d62e3e5806f92e87e43de2a79
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 7KB
MD5 8fde125224961115d5e689361146733a
SHA1 2ffcc7b5e3357386b7e6647edc3d33feb0d6f689
SHA256 0b8b616ab100fe4d75ede128d499a44007f0a856dd50f78cafc95f5a12bfa2b5
SHA512 b29819ea6956a9ae9d7b76c87b65b048e58ae7fe99d9268ae93e8aa74d4ba8e50e2380d1ce51d29c82be4d7853275722b695bf6fc8303eb4934f84dceeb0f24c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 5KB
MD5 80e4884f7dc89ab13613e95e4713e6e7
SHA1 b4348df1454315545d0fa0ba6e0f031d54a1e9b5
SHA256 96dd03bd501a28f564d6a92facf5e3c5c5768502c5d40c1e9dcd2677c49ac355
SHA512 a3850b3182afd0bf2504ad59214c33a5877d949e0d0111d070f1d72d327dbdbf73746b42822c13e5318a5f826c328830c7b47ff116e6e00e51ab98bd2b15924f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 7KB
MD5 22998a62bbad141c0a44f2e137275f6d
SHA1 ba3bbd24cd15c8023480b3d03ffd3c7c99e05036
SHA256 c2dd4b17335281cef3efd0dd69e93e2a1ef2bca8e3235d5c0b64aa09c81f371b
SHA512 b72681f3f503432dfab52207ae7d883bf235aeafe63564345ed632a9fc1b720aa7acf101397dcbf6535a67e6bb78d8979b63b1053ce62d789db422f49456d633
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 7KB
MD5 e8f99c2a6edafd3a44c0b301d7f09cd5
SHA1 d5dcf8e4b2e438ffc615b2f7970863166a026394
SHA256 7e1b6243fb1127cd9fde6b4a4d84838b417f9969349253c126f9f1c2cc466cb9
SHA512 afe337b0f5af8b75a170f3e9d5c235fafea74dbf1476da2df7073f19329e0b9fe412ee6bdd4f9610633a68d3c09793dbd4387ef99f26378f918139dd82af203b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 707B
MD5 cd381a9cb4b4e8f9ee496fd1f53c9aa9
SHA1 2a744743155178687b4f085f4e8617c515ff8032
SHA256 39a1f539bddb349fd57db0514adfe1c5d8442c847d7baa6642637927ef3bc02b
SHA512 aded0b004cec489b0403b1f05366f793381a1939d2a0d02080409362f0eb6050a8cbf29318cf65bc3e1ef2aa1926fd8e1fc87c339856ddc4025707149943954f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 707B
MD5 c669d8109df8bfcf3544e852cb5332e4
SHA1 be210d77419e4c3eb5a9c79ed478adec9030f53f
SHA256 fd2874b7ee538213464f06543c2a53af39dd8b8d3e6d52cc28e5cb6fcf7e5326
SHA512 b10c2092dfccb96500b43c525ac7349025ebff8d6ddf0e6c57f9b132741aa9edd3273857faf899033c8151a4713370a4254fbc3a3a404fa3af30dcb621cafac3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 707B
MD5 03be0c84d469d84d200e09f98fc8d367
SHA1 ff4e779104a754d8b57260d60031f588f9fb51c5
SHA256 b39279b03b01713d39dc34e202a75522cf5d34df2214da4698e05c6ada609c69
SHA512 a5b3a7fdc353c1f7490db550fe3eff59052122951a9a193fe18e07653289cb57f014614ed029930c68bcba92bca22fd001df38f66a7bceee1f6b385556852794
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591ee8.TMP
Filesize 707B
MD5 1d0865db66f62a4cf63ddb8c2eef8181
SHA1 fbec32773735372b2e232a905bd3fdcb9d0b99cf
SHA256 40a36e6ae77b962b2da62904ff26a3a0cbd38354391f9fab22d1bb6abd8ac00f
SHA512 c1a3718e47ef5c88090084374e9d53de94af1abbb6a7055c4d20bff429844fe84aaf1dc667e99d623e9b530c8c2cba3d50e582a2c62f42db19cf6b39b088bf57
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 8KB
MD5 fc1230794999ecd35ca425f19eb3e06f
SHA1 644308a2e77d959dd4c127ceec4cd9a49dfaee0e
SHA256 58423a5815261fb5f6c6cd3b5073d69b380ff1c6bf7b1c3beed336c119d2b658
SHA512 5e6d5b2f17a05034bfeb85641ac3513c0c3fe22b32e8f7a5c09c2a82a22cd9d3cbbe89909fb011545cdb073bb8da7d8308c5a923db3647e1e8e93c69f0469fc5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 8KB
MD5 96b228edec4ec97977d1c5fe6409e947
SHA1 1f4907e15ed04a896944940b1c01a3fc79c4d0fe
SHA256 aafd7f48ff2f383033d559768f5264752c138bd9492dd16cb8036f19f4672c22
SHA512 8dfdf3beb0fce989ba1c73e163349829796a94e29038da656e112c961e67da0f3f805672ba4a9807b6cd754c7f5475ed1e3b6f566c1b79fcbfffcc1a42c86ba3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 11KB
MD5 64d22615a3d72608b82f43feffaacdf4
SHA1 df42abda6d43d3e3d895e25a9cd32964e134cf77
SHA256 f79e8de53f8893109fdf48ad0c96ccae61fd99019e9e9879856edc5d78247a6b
SHA512 eb75a96155314c284431ae7d858352c5c8cb4b3ea04ec083211136b6d6023ef13e7059dcc32682c005a5d4de1167076648676991b715246d7b6c6498c12c70e6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 11KB
MD5 969e1525e45a4ae99aed34ab4010b5ef
SHA1 20cb661905b70d7a69864c33ab237f5ac42e2079
SHA256 c33a64c48d057fc3ca8c206d614fdd9d9b3231ad338963c32de08cfaa1c88e7e
SHA512 4cb0229c69d9907685c69316b100e6457bb461ad7b8abd16d6fccad42c6feab1be8bdcd4907f284f8694181c70b1caa759609abf4dee569839b5df8630069464
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Filesize 1.8MB
MD5 c67f86a4d71035df46b89d1b630c3cbb
SHA1 1c1911efdd9ed8e7289b3a6a444b1c5afd7ab9a6
SHA256 e9e81307986d5a8d7fb172032e65e19556f7bd4051b84525a0dbc1a9634023c5
SHA512 e329c0433eb91d7026cdc7aaf2c2d0d25a997533d6d870c26c298632f8bbf6a3e8ddb9c78282979c9455bb22d816178e93b954c71b826433896fdd68a30fe784
-
C:\Users\Admin\AppData\Local\Temp\1000042001\028feab495.exe
Filesize 3.0MB
MD5 8f596cf662d3070c4778030b0ebf1697
SHA1 ca4e9791887dfd346392e84670f3606e08b0da70
SHA256 beac4e6145269334ebaf3d723fa089c0b336dac94ad12da55574b713c496516a
SHA512 6db0f316dacf5ee6191d1574316ecc1ac7c90c21faf3d60795cb4fd2f9c57724bb1162286a37b104741ce64e63366480a1468a49bdd114e28110c8577f4b820c
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
Filesize 894KB
MD5 2f8912af892c160c1c24c9f38a60c1ab
SHA1 d2deae508e262444a8f15c29ebcc7ebbe08a3fdb
SHA256 59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308
SHA512 0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
Filesize 1.8MB
MD5 c24cc500387c37edb2c4ac0f460dd272
SHA1 bebd2b99916372d6f4293c276387e904096b50cd
SHA256 dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3
SHA512 16c07ff0c0feb7f2c64671d11737b683e5f243c63263a46dec5ca765d0d2401dde85e57a2619e87391eefaec4f3b10a5eb2aee786d7b4d456c4bcb5fcd2a8570
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
Filesize 1.7MB
MD5 85a15f080b09acace350ab30460c8996
SHA1 3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA256 3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512 ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
Filesize 301KB
MD5 832eb4dc3ed8ceb9a1735bd0c7acaf1b
SHA1 b622a406927fbb8f6cd5081bd4455fb831948fca
SHA256 2a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7
SHA512 3ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
Filesize 499KB
MD5 83d0b41c7a3a0d29a268b49a313c5de5
SHA1 46f3251c771b67b40b1f3268caef8046174909a5
SHA256 09cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9
SHA512 705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
Filesize 418KB
MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe
Filesize 2.8MB
MD5 1e1152424d7721a51a154a725fe2465e
SHA1 62bc3d11e915e1dbd3cc3ef5a11afec755c995d9
SHA256 674cf1a8997ec6ac5b29b8d7eb6a5fb63ce5aaf4b19ff1ec7749b0225c49906c
SHA512 752e7912d30a2f006ef79600b7412db61644630471ec44bab1e5b2565ef62ccb490ea69159420bb7626248cc8113fe07c09fa51f5c630646b179d880e18b7c02
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
Filesize 464KB
MD5 c084d6f6ba40534fbfc5a64b21ef99ab
SHA1 0b4a17da83c0a8abbc8fab321931d5447b32b720
SHA256 afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624
SHA512 a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1
-
C:\Users\Admin\AppData\Local\Temp\1001054001\Payload.exe
Filesize 2.6MB
MD5 55e393da1714013720ddf266c7906f43
SHA1 91a636913604184c010c2d9e0b331a804a2c0ab4
SHA256 6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957
SHA512 40a61e1d461717e45eff3be6b22561ac39c2ef1af39b46f7d149fe823d14a06bb99605a78e794d6447ece43ce6b4854192e47ad993ed4a2e78479bc7e155fe8a
-
C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
Filesize 386KB
MD5 16f67f1a6e10f044bc15abe8c71b3bd6
SHA1 ce0101205b919899a2a2f577100377c2a6546171
SHA256 41cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89
SHA512 a11db01bf55e3497644918c7dcc6180e0911261f39f062e653f000e1365dc9668fe5bd1d0fee0ae5c740a6477bcea510ba8c5ff6831c3bdb0d7c0590d2487e3c
-
C:\Users\Admin\AppData\Local\Temp\TmpF497.tmp
Filesize 2KB
MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbny4hnv.ejz.ps1
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\y3FeZmEguniNI5AJZFvacA8X.exe
Filesize 4.1MB
MD5 ac5f59828c7112f4d6f37f3daea03a4c
SHA1 780cbc00e9a044da535af3f1da25445c893a8e53
SHA256 6b0109f5a9106f6cfa857fd3380aaed9c3d461bd8303d58a22af7a42b658b1fc
SHA512 7b68ba612901c89af3a50c5241c03001911a7f8b4cb60966a8578b9eb9dfdbd3c917391af1c12e75217d557c1c2367971a8a9edd05a3fb0aafe68774e46db873
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize 109KB
MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize 1.2MB
MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\a.exe
Filesize 2.5MB
MD5 6fd62e635b39a02ba8cac6fc124c9475
SHA1 e13080b9cc546e44a9f1c419ba86aeb190a14b2d
SHA256 78b9d7e485026278b02a1961999ad99cdfa988fbf4403767db5d10d1473e9870
SHA512 e77432582e6abcc0fd86ed997c9c4619bd67a044d33a752e1cf3ceb8008cea27c540949183b80f9dee8a41614cff54afe79c5db294efcb72b27685fcf1010cdc
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize 109KB
MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize 1.2MB
MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\b.exe
Filesize 95KB
MD5 184ac479b3a878e9ac5535770ca34a2b
SHA1 1f99039911cc2cfd1a62ce348429ddd0f4435a60
SHA256 8e28a0090832a76cf71c417cb1bf7990b9af86be258b732117a47f624387083c
SHA512 e0f5185ae890b902ea5325066df23959106712e7990e120a1b9752bbd0331cac968af5ddd6092f75a1c576d4c83f4093dfbf53a2c90870d1c02b31a0e8282bb4
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
Filesize 541KB
MD5 1fc4b9014855e9238a361046cfbf6d66
SHA1 c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256 f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA512 2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
Filesize 304KB
MD5 cc90e3326d7b20a33f8037b9aab238e4
SHA1 236d173a6ac462d85de4e866439634db3b9eeba3
SHA256 bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512 b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
C:\Users\Admin\Pictures\1kjeFopmUlGBvXxodMLhGDht.exe
Filesize 3KB
MD5 1518ca527dd08b68ab98b5a0897c112d
SHA1 f3e828d90c18e4763d4a63f7844f22225d042a15
SHA256 509c2d674d844083927dd3b67971e8d2fa31e6b4905dfa901c3532bcb18922da
SHA512 4d36a93b165a97eb526677f7edc69002443b99e86ea775463475fe7d68f364fb329faf39bdf95b4f8aa98be508e07e0f72493b438cc4f7bd91f09f6eba683676
-
C:\Users\Admin\Pictures\6vE9mpJYvchhS8XVmARvG7R9.exe
Filesize 3KB
MD5 b42cc2ab7659f1530fb15d4c0b1c6245
SHA1 62ecd62d873626d3ca31d2233e3ed14437d18889
SHA256 53c55437ef32f9c0129bb3e02d6e8867b93193cd2fb91d307aedb8f88565431a
SHA512 c44e8a015e02f8e571a727457ed3f5bf5b530720854df5e8dd90c49ee29d981a515189d83c38bbc6c4fa2358a642b0763881d7235b01deef8da980a2489b43c9
-
C:\Users\Admin\Pictures\8rel7TXKDfMAjwbwzpl8EmnW.exe
Filesize 405KB
MD5 04b64be2aee124ca06181ea6b5aceed3
SHA1 9093feccff2d574b2e9f1e35fb6c77f217d1ff7f
SHA256 67c5d6538ebf16eb5cd205230c0b45468228b3ce6b602eaaebec50e230976d00
SHA512 353015bdbd18001c7d04e81facbe78fef0e681de072778723b6d11bb59270ca99638486074886911b66df12d087ce1a6818a8079d5afc6ec5298cf102600d428
-
C:\Users\Admin\Pictures\Vd5xTYUNsTcvlxb4fMzuskII.exe
Filesize 7KB
MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\qqdIgrWv9y0DHnRiYidIgdUw.exe
Filesize 437KB
MD5 7960d8afbbac06f216cceeb1531093bb
SHA1 008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256 f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA512 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147
-
C:\Users\Admin\Pictures\vr6dxF57XXSr9QZgUQetXLBq.exe
Filesize 372KB
MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff
-
\??\pipe\LOCAL\crashpad_2172_UAAXQQAZRHRXYKOC
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/200-862-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/200-851-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/200-895-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/200-899-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/200-901-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/200-870-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/200-848-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/200-887-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/200-883-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/200-828-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/200-866-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/200-858-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/200-834-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/200-822-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/200-824-0x0000000005D40000-0x0000000005F56000-memory.dmp
Filesize 2.1MB
-
memory/768-144-0x0000000004B50000-0x0000000004B51000-memory.dmp
Filesize 4KB
-
memory/768-148-0x0000000004B90000-0x0000000004B91000-memory.dmp
Filesize 4KB
-
memory/768-146-0x0000000004B30000-0x0000000004B31000-memory.dmp
Filesize 4KB
-
memory/768-147-0x0000000004B40000-0x0000000004B41000-memory.dmp
Filesize 4KB
-
memory/768-116-0x0000000000EE0000-0x00000000013A5000-memory.dmp
Filesize 4.8MB
-
memory/768-150-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
Filesize 4KB
-
memory/768-194-0x0000000000EE0000-0x00000000013A5000-memory.dmp
Filesize 4.8MB
-
memory/768-145-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
Filesize 4KB
-
memory/768-149-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
Filesize 4KB
-
memory/768-141-0x0000000000EE0000-0x00000000013A5000-memory.dmp
Filesize 4.8MB
-
memory/768-143-0x0000000004B70000-0x0000000004B71000-memory.dmp
Filesize 4KB
-
memory/768-142-0x0000000004B60000-0x0000000004B61000-memory.dmp
Filesize 4KB
-
memory/2820-753-0x0000000000400000-0x0000000000592000-memory.dmp
Filesize 1.6MB
-
memory/2868-25-0x0000000005510000-0x0000000005511000-memory.dmp
Filesize 4KB
-
memory/2868-596-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/2868-23-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/2868-386-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/2868-364-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/2868-24-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/2868-158-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/2868-26-0x0000000005520000-0x0000000005521000-memory.dmp
Filesize 4KB
-
memory/2868-28-0x0000000005540000-0x0000000005541000-memory.dmp
Filesize 4KB
-
memory/2868-29-0x00000000054E0000-0x00000000054E1000-memory.dmp
Filesize 4KB
-
memory/2868-433-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/2868-678-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/2868-30-0x00000000054F0000-0x00000000054F1000-memory.dmp
Filesize 4KB
-
memory/2868-453-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/2868-27-0x0000000005500000-0x0000000005501000-memory.dmp
Filesize 4KB
-
memory/2868-31-0x0000000005530000-0x0000000005531000-memory.dmp
Filesize 4KB
-
memory/2868-32-0x0000000005560000-0x0000000005561000-memory.dmp
Filesize 4KB
-
memory/2868-479-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/2868-33-0x0000000005550000-0x0000000005551000-memory.dmp
Filesize 4KB
-
memory/2868-52-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/2868-115-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/2868-283-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/2868-140-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/2868-782-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/3232-492-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/3232-502-0x0000000000A70000-0x0000000000F2B000-memory.dmp
Filesize 4.7MB
-
memory/3248-722-0x0000000000260000-0x00000000005FD000-memory.dmp
Filesize 3.6MB
-
memory/3248-630-0x0000000000260000-0x00000000005FD000-memory.dmp
Filesize 3.6MB
-
memory/3248-885-0x0000000000260000-0x00000000005FD000-memory.dmp
Filesize 3.6MB
-
memory/3356-0-0x0000000000F50000-0x000000000140B000-memory.dmp
Filesize 4.7MB
-
memory/3356-8-0x0000000005190000-0x0000000005191000-memory.dmp
Filesize 4KB
-
memory/3356-9-0x0000000005180000-0x0000000005181000-memory.dmp
Filesize 4KB
-
memory/3356-7-0x0000000005110000-0x0000000005111000-memory.dmp
Filesize 4KB
-
memory/3356-11-0x0000000000F50000-0x000000000140B000-memory.dmp
Filesize 4.7MB
-
memory/3356-6-0x0000000005100000-0x0000000005101000-memory.dmp
Filesize 4KB
-
memory/3356-3-0x0000000005130000-0x0000000005131000-memory.dmp
Filesize 4KB
-
memory/3356-5-0x0000000005160000-0x0000000005161000-memory.dmp
Filesize 4KB
-
memory/3356-4-0x0000000005120000-0x0000000005121000-memory.dmp
Filesize 4KB
-
memory/3356-22-0x0000000000F50000-0x000000000140B000-memory.dmp
Filesize 4.7MB
-
memory/3356-2-0x0000000000F50000-0x000000000140B000-memory.dmp
Filesize 4.7MB
-
memory/3356-1-0x0000000077D96000-0x0000000077D98000-memory.dmp
Filesize 8KB
-
memory/3672-434-0x0000000000760000-0x0000000000AFD000-memory.dmp
Filesize 3.6MB
-
memory/3672-801-0x0000000000760000-0x0000000000AFD000-memory.dmp
Filesize 3.6MB
-
memory/3672-248-0x0000000000760000-0x0000000000AFD000-memory.dmp
Filesize 3.6MB
-
memory/3672-284-0x0000000000760000-0x0000000000AFD000-memory.dmp
Filesize 3.6MB
-
memory/3672-369-0x0000000000760000-0x0000000000AFD000-memory.dmp
Filesize 3.6MB
-
memory/3672-597-0x0000000000760000-0x0000000000AFD000-memory.dmp
Filesize 3.6MB
-
memory/3672-166-0x0000000000760000-0x0000000000AFD000-memory.dmp
Filesize 3.6MB
-
memory/3672-410-0x0000000000760000-0x0000000000AFD000-memory.dmp
Filesize 3.6MB
-
memory/3672-463-0x0000000000760000-0x0000000000AFD000-memory.dmp
Filesize 3.6MB
-
memory/3672-483-0x0000000000760000-0x0000000000AFD000-memory.dmp
Filesize 3.6MB
-
memory/3672-53-0x0000000000760000-0x0000000000AFD000-memory.dmp
Filesize 3.6MB
-
memory/3672-679-0x0000000000760000-0x0000000000AFD000-memory.dmp
Filesize 3.6MB
-
memory/3672-55-0x0000000000760000-0x0000000000AFD000-memory.dmp
Filesize 3.6MB
-
memory/3680-488-0x0000000004B90000-0x0000000004B91000-memory.dmp
Filesize 4KB
-
memory/3680-598-0x00000000000A0000-0x0000000000565000-memory.dmp
Filesize 4.8MB
-
memory/3680-802-0x00000000000A0000-0x0000000000565000-memory.dmp
Filesize 4.8MB
-
memory/3680-486-0x0000000004B60000-0x0000000004B61000-memory.dmp
Filesize 4KB
-
memory/3680-485-0x00000000000A0000-0x0000000000565000-memory.dmp
Filesize 4.8MB
-
memory/3680-489-0x0000000004B30000-0x0000000004B31000-memory.dmp
Filesize 4KB
-
memory/3680-490-0x0000000004B40000-0x0000000004B41000-memory.dmp
Filesize 4KB
-
memory/3680-491-0x0000000004B70000-0x0000000004B71000-memory.dmp
Filesize 4KB
-
memory/3680-482-0x00000000000A0000-0x0000000000565000-memory.dmp
Filesize 4.8MB
-
memory/3680-680-0x00000000000A0000-0x0000000000565000-memory.dmp
Filesize 4.8MB
-
memory/3680-487-0x0000000004B50000-0x0000000004B51000-memory.dmp
Filesize 4KB
-
memory/4196-752-0x0000000000400000-0x0000000000450000-memory.dmp
Filesize 320KB
-
memory/4424-624-0x0000000000690000-0x0000000000B4B000-memory.dmp
Filesize 4.7MB
-
memory/5244-172-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
Filesize 4KB
-
memory/5244-170-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
Filesize 4KB
-
memory/5244-169-0x0000000004D00000-0x0000000004D01000-memory.dmp
Filesize
4KB
-
memory/5244-171-0x0000000004D30000-0x0000000004D31000-memory.dmpFilesize
4KB
-
memory/5244-186-0x0000000000A70000-0x0000000000F2B000-memory.dmpFilesize
4.7MB
-
memory/5244-167-0x0000000000A70000-0x0000000000F2B000-memory.dmpFilesize
4.7MB
-
memory/5244-168-0x0000000004CF0000-0x0000000004CF1000-memory.dmpFilesize
4KB
-
memory/5244-165-0x0000000000A70000-0x0000000000F2B000-memory.dmpFilesize
4.7MB
-
memory/5244-174-0x0000000004D20000-0x0000000004D21000-memory.dmpFilesize
4KB
-
memory/5244-173-0x0000000004CD0000-0x0000000004CD1000-memory.dmpFilesize
4KB
-
memory/5436-412-0x000002744BCE0000-0x000002744BCEA000-memory.dmpFilesize
40KB
-
memory/5436-363-0x00007FF8379E0000-0x00007FF8384A2000-memory.dmpFilesize
10.8MB
-
memory/5436-344-0x00000274338B0000-0x00000274338D2000-memory.dmpFilesize
136KB
-
memory/5436-371-0x000002744BAD0000-0x000002744BAE0000-memory.dmpFilesize
64KB
-
memory/5436-373-0x000002744BAD0000-0x000002744BAE0000-memory.dmpFilesize
64KB
-
memory/5436-380-0x000002744BAD0000-0x000002744BAE0000-memory.dmpFilesize
64KB
-
memory/5436-411-0x000002744BD00000-0x000002744BD12000-memory.dmpFilesize
72KB
-
memory/5436-418-0x00007FF8379E0000-0x00007FF8384A2000-memory.dmpFilesize
10.8MB
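Each dump name above encodes the PID, a snapshot sequence number and the dumped address range, so two checks are cheap: the Filesize column can be verified against the range (0x0000000000A70000-0x0000000000F2B000 spans 0x4BB000 bytes, which rounds to 4.7MB), and ranges that recur across snapshots of one PID (the 4.7MB region of PID 3356 appears four times) can be told apart from one-off 4KB pages. The script below is an added example, not part of the sandbox report or its tooling; the name layout is inferred from this listing, the sample lines are copied from it, and the rule that Filesize equals the span rounded to its printed precision is an assumption.

```python
"""Parse sandbox memory-dump names, cross-check Filesize against the
address range, and group recurring regions per PID (added example)."""
import re
from collections import defaultdict

PAGE = 0x1000
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Name layout inferred from the listing: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)
SIZE_RE = re.compile(r"Filesize\s+(?P<num>\d+(?:\.\d+)?)(?P<unit>[KMG]?B)")

# Constructed sample: lines copied from the listing above.
SAMPLE = """\
memory/2868-52-0x0000000000A70000-0x0000000000F2B000-memory.dmp   Filesize 4.7MB
memory/3356-0-0x0000000000F50000-0x000000000140B000-memory.dmp    Filesize 4.7MB
memory/3356-1-0x0000000077D96000-0x0000000077D98000-memory.dmp    Filesize 8KB
memory/3356-2-0x0000000000F50000-0x000000000140B000-memory.dmp    Filesize 4.7MB
memory/3356-8-0x0000000005190000-0x0000000005191000-memory.dmp    Filesize 4KB
memory/3356-11-0x0000000000F50000-0x000000000140B000-memory.dmp   Filesize 4.7MB
memory/3680-485-0x00000000000A0000-0x0000000000565000-memory.dmp  Filesize 4.8MB
memory/4196-752-0x0000000000400000-0x0000000000450000-memory.dmp  Filesize 320KB
memory/5436-363-0x00007FF8379E0000-0x00007FF8384A2000-memory.dmp  Filesize 10.8MB
"""


def parse_entry(line):
    """Return a dict for one listing line, or None if it is not a dump entry."""
    m = NAME_RE.search(line)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    entry = {
        "pid": int(m["pid"]), "seq": int(m["seq"]),
        "start": start, "end": end,
        "span": end - start,   # bytes covered by the address range
        "reported": None,      # bytes implied by the Filesize column
        "tolerance": 0,        # half of the last printed digit, in bytes
    }
    s = SIZE_RE.search(line)
    if s:
        num, unit = s["num"], s["unit"]
        decimals = len(num.split(".")[1]) if "." in num else 0
        entry["reported"] = float(num) * UNITS[unit]
        # Assumption: Filesize is the span rounded to its printed precision.
        entry["tolerance"] = UNITS[unit] * 10 ** (-decimals) / 2
    return entry


def size_consistent(entry):
    """True when the Filesize column matches the address span within rounding."""
    if entry["reported"] is None:
        return False
    return abs(entry["span"] - entry["reported"]) <= entry["tolerance"]


def page_aligned(entry):
    """Dumps are page-granular; unaligned bounds point at a mangled name."""
    return entry["start"] % PAGE == 0 and entry["end"] % PAGE == 0


def parse_listing(text):
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def regions_by_pid(entries):
    """pid -> {(start, end): snapshot count}. A range dumped repeatedly at the
    same address is the process's persistent image; lone 4KB hits are transient."""
    out = defaultdict(lambda: defaultdict(int))
    for e in entries:
        out[e["pid"]][(e["start"], e["end"])] += 1
    return {pid: dict(r) for pid, r in out.items()}


def largest_region(entries, pid):
    """(start, end, span, snapshots) of the biggest range seen for pid, or None."""
    regs = regions_by_pid(entries).get(pid, {})
    if not regs:
        return None
    (start, end), n = max(regs.items(), key=lambda kv: kv[0][1] - kv[0][0])
    return start, end, end - start, n


def mismatches(entries):
    """Entries whose Filesize or alignment disagrees with the dump name."""
    return [e for e in entries if not size_consistent(e) or not page_aligned(e)]


if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    for pid in sorted({e["pid"] for e in entries}):
        start, end, span, n = largest_region(entries, pid)
        print(f"pid {pid}: 0x{start:X}-0x{end:X} {span} bytes, {n} snapshot(s)")
    print("mismatches:", len(mismatches(entries)))
```

Run it over the full listing and a non-empty `mismatches()` result means a dump name was truncated or mislabelled and should not be trusted for carving; `largest_region()` per PID gives the range to pull for static analysis first.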