Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
29-03-2024 06:32
Static task
static1
Behavioral task
behavioral1
Sample
26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe
Resource
win11-20240221-en
General
-
Target
26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe
-
Size
1.8MB
-
MD5
61da1fea2839b0dc934c187439990209
-
SHA1
8426600680955ef9e564c191d326d09eaf1ddde6
-
SHA256
26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f
-
SHA512
4ac34032bd522bf1e0949b6d89a5ccd3169bc5463735aac3b65449f572422f86be8c483aa6abefe03aecfbd1c5e44c65ccbe352f560d168615b8804c66ddb849
-
SSDEEP
24576:ToeUVYJbgphaghAUV7WjSOWToQXFuhjgoP+tfF8IAZWlKoL7tR+d9L+rKnjf:UvhphSUMmTTothjg4ot0WDLH+v3
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
@OLEH_PSP
185.172.128.33:8970
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
redline
Jok123
185.215.113.67:26260
Extracted
redline
LiveTraffic
4.185.137.132:1632
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Detect ZGRat V1 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe family_zgrat_v1 behavioral2/memory/1444-69-0x0000000000C50000-0x0000000000E0C000-memory.dmp family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe family_zgrat_v1 -
Glupteba payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/1616-1049-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral2/memory/5236-1059-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral2/memory/5132-1072-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba -
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
nSZX9fVEo9TfRkLprb5h5d0I.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" nSZX9fVEo9TfRkLprb5h5d0I.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 8 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe family_redline behavioral2/memory/1736-104-0x0000000000EF0000-0x0000000000F42000-memory.dmp family_redline behavioral2/memory/4612-111-0x0000000000C20000-0x0000000000CAC000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe family_redline behavioral2/memory/3104-184-0x0000000000660000-0x00000000006B0000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_redline behavioral2/memory/5056-384-0x0000000000400000-0x0000000000450000-memory.dmp family_redline -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
RegAsm.exedescription pid process target process PID 5776 created 3064 5776 RegAsm.exe sihost.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
Processes:
1325eeeae7.exeamert.exenSZX9fVEo9TfRkLprb5h5d0I.exe26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exeexplorgu.exerandom.exeamadka.exeexplorha.exeexplorha.exeexplorha.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1325eeeae7.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amert.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ nSZX9fVEo9TfRkLprb5h5d0I.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amadka.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe -
Blocklisted process makes network request 5 IoCs
Processes:
rundll32.exerundll32.exerundll32.exeflow pid process 52 2864 rundll32.exe 81 2340 rundll32.exe 96 6812 rundll32.exe 52 2864 rundll32.exe 96 6812 rundll32.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 3 IoCs
Processes:
netsh.exenetsh.exenetsh.exepid process 4476 netsh.exe 6308 netsh.exe 6372 netsh.exe -
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
1325eeeae7.exeamert.exenSZX9fVEo9TfRkLprb5h5d0I.exeexplorha.exerandom.exeamadka.exeexplorha.exeexplorgu.exe26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exeexplorha.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1325eeeae7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion nSZX9fVEo9TfRkLprb5h5d0I.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1325eeeae7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion nSZX9fVEo9TfRkLprb5h5d0I.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe -
Executes dropped EXE 44 IoCs
Processes:
explorgu.exerandom.exealex1234.exeTraffic.exepropro.exeamadka.exeredlinepanel.exeexplorha.exe32456.exe1325eeeae7.exeNewB.exegoldprimeldlldf.exego.exefile300un.exeamert.exeU2USE9Ra2PH86K3J1s8VHSUG.exeEKb0NYH4yPgtjnTIj2qfRL8O.exeEhYXhYGLnLV8VSdbD8cTBq9A.exeooNsLBPf6tZ2Yd1wW52HaYaB.exetW8QawWbYo8OHMYJg4S2hPiU.exeF1CMsOeEo5X1pqEkB18N9JzS.exeu40s.0.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeu40s.1.exenSZX9fVEo9TfRkLprb5h5d0I.exeEKb0NYH4yPgtjnTIj2qfRL8O.exeEhYXhYGLnLV8VSdbD8cTBq9A.exeooNsLBPf6tZ2Yd1wW52HaYaB.exeAssistant_108.0.5067.20_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exeexplorha.exeFIIJJKKFHI.execsrss.exeNewB.exeinjector.exewindefender.exewindefender.exeexplorha.exeNewB.exepid process 424 explorgu.exe 692 random.exe 1444 alex1234.exe 4612 Traffic.exe 1736 propro.exe 3264 amadka.exe 3104 redlinepanel.exe 4980 explorha.exe 2820 32456.exe 1112 1325eeeae7.exe 3988 NewB.exe 4328 goldprimeldlldf.exe 3444 go.exe 1012 file300un.exe 5684 amert.exe 5212 U2USE9Ra2PH86K3J1s8VHSUG.exe 1616 EKb0NYH4yPgtjnTIj2qfRL8O.exe 5236 EhYXhYGLnLV8VSdbD8cTBq9A.exe 5132 ooNsLBPf6tZ2Yd1wW52HaYaB.exe 5988 tW8QawWbYo8OHMYJg4S2hPiU.exe 5748 F1CMsOeEo5X1pqEkB18N9JzS.exe 4132 u40s.0.exe 4280 HYFxJJHfY3Nz6YNWQZKBkpGn.exe 5764 HYFxJJHfY3Nz6YNWQZKBkpGn.exe 1532 HYFxJJHfY3Nz6YNWQZKBkpGn.exe 772 HYFxJJHfY3Nz6YNWQZKBkpGn.exe 6340 HYFxJJHfY3Nz6YNWQZKBkpGn.exe 6520 u40s.1.exe 6272 nSZX9fVEo9TfRkLprb5h5d0I.exe 6172 EKb0NYH4yPgtjnTIj2qfRL8O.exe 5804 EhYXhYGLnLV8VSdbD8cTBq9A.exe 6852 ooNsLBPf6tZ2Yd1wW52HaYaB.exe 6220 Assistant_108.0.5067.20_Setup.exe_sfx.exe 5648 assistant_installer.exe 5576 assistant_installer.exe 3744 explorha.exe 5504 FIIJJKKFHI.exe 6712 csrss.exe 6396 NewB.exe 2868 injector.exe 3652 windefender.exe 880 windefender.exe 5944 explorha.exe 6908 NewB.exe -
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exeamadka.exe1325eeeae7.exeamert.exeexplorha.exeexplorgu.exerandom.exeexplorha.exeexplorha.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine 26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe Key opened \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine amadka.exe Key opened \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine 1325eeeae7.exe Key opened \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine amert.exe Key opened \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine explorgu.exe Key opened \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine random.exe Key opened \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine explorha.exe -
Loads dropped DLL 17 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exerundll32.exeassistant_installer.exeassistant_installer.exeu40s.0.exepid process 5024 rundll32.exe 880 rundll32.exe 2864 rundll32.exe 768 rundll32.exe 2340 rundll32.exe 4280 HYFxJJHfY3Nz6YNWQZKBkpGn.exe 5764 HYFxJJHfY3Nz6YNWQZKBkpGn.exe 1532 HYFxJJHfY3Nz6YNWQZKBkpGn.exe 772 HYFxJJHfY3Nz6YNWQZKBkpGn.exe 6340 HYFxJJHfY3Nz6YNWQZKBkpGn.exe 6812 rundll32.exe 5648 assistant_installer.exe 5648 assistant_installer.exe 5576 assistant_installer.exe 5576 assistant_installer.exe 4132 u40s.0.exe 4132 u40s.0.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\Pictures\nSZX9fVEo9TfRkLprb5h5d0I.exe themida behavioral2/memory/6272-1042-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmp themida behavioral2/memory/6272-1050-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmp themida behavioral2/memory/6272-1047-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmp themida behavioral2/memory/6272-1052-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmp themida behavioral2/memory/6272-1053-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmp themida behavioral2/memory/6272-1057-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmp themida behavioral2/memory/6272-1058-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
explorgu.exeexplorha.exeEKb0NYH4yPgtjnTIj2qfRL8O.exeEhYXhYGLnLV8VSdbD8cTBq9A.exeooNsLBPf6tZ2Yd1wW52HaYaB.execsrss.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" explorgu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\1325eeeae7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\1325eeeae7.exe" explorha.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe" explorha.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" EKb0NYH4yPgtjnTIj2qfRL8O.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" EhYXhYGLnLV8VSdbD8cTBq9A.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" ooNsLBPf6tZ2Yd1wW52HaYaB.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe" explorgu.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
nSZX9fVEo9TfRkLprb5h5d0I.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nSZX9fVEo9TfRkLprb5h5d0I.exe -
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
HYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exedescription ioc process File opened (read-only) \??\D: HYFxJJHfY3Nz6YNWQZKBkpGn.exe File opened (read-only) \??\F: HYFxJJHfY3Nz6YNWQZKBkpGn.exe File opened (read-only) \??\D: HYFxJJHfY3Nz6YNWQZKBkpGn.exe File opened (read-only) \??\F: HYFxJJHfY3Nz6YNWQZKBkpGn.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 97 api.myip.com 99 ipinfo.io 4 api.myip.com 65 ipinfo.io -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
Processes:
csrss.exedescription ioc process File opened for modification \??\WinMonFS csrss.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe autoit_exe -
Drops file in System32 directory 17 IoCs
Processes:
nSZX9fVEo9TfRkLprb5h5d0I.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol nSZX9fVEo9TfRkLprb5h5d0I.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\System32\GroupPolicy nSZX9fVEo9TfRkLprb5h5d0I.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini nSZX9fVEo9TfRkLprb5h5d0I.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI nSZX9fVEo9TfRkLprb5h5d0I.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exeexplorgu.exeamadka.exeexplorha.exeamert.exenSZX9fVEo9TfRkLprb5h5d0I.exeexplorha.exeexplorha.exepid process 4368 26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe 424 explorgu.exe 3264 amadka.exe 4980 explorha.exe 5684 amert.exe 6272 nSZX9fVEo9TfRkLprb5h5d0I.exe 3744 explorha.exe 5944 explorha.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
alex1234.exegoldprimeldlldf.exefile300un.exetW8QawWbYo8OHMYJg4S2hPiU.exedescription pid process target process PID 1444 set thread context of 4216 1444 alex1234.exe RegAsm.exe PID 4328 set thread context of 5056 4328 goldprimeldlldf.exe RegAsm.exe PID 1012 set thread context of 1144 1012 file300un.exe CasPol.exe PID 5988 set thread context of 5776 5988 tW8QawWbYo8OHMYJg4S2hPiU.exe RegAsm.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
ooNsLBPf6tZ2Yd1wW52HaYaB.exeEhYXhYGLnLV8VSdbD8cTBq9A.exeEKb0NYH4yPgtjnTIj2qfRL8O.exedescription ioc process File opened (read-only) \??\VBoxMiniRdrDN ooNsLBPf6tZ2Yd1wW52HaYaB.exe File opened (read-only) \??\VBoxMiniRdrDN EhYXhYGLnLV8VSdbD8cTBq9A.exe File opened (read-only) \??\VBoxMiniRdrDN EKb0NYH4yPgtjnTIj2qfRL8O.exe -
Drops file in Windows directory 10 IoCs
Processes:
EhYXhYGLnLV8VSdbD8cTBq9A.exeooNsLBPf6tZ2Yd1wW52HaYaB.exe26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exeamadka.exeEKb0NYH4yPgtjnTIj2qfRL8O.execsrss.exedescription ioc process File opened for modification C:\Windows\rss EhYXhYGLnLV8VSdbD8cTBq9A.exe File opened for modification C:\Windows\rss ooNsLBPf6tZ2Yd1wW52HaYaB.exe File created C:\Windows\rss\csrss.exe ooNsLBPf6tZ2Yd1wW52HaYaB.exe File created C:\Windows\Tasks\explorgu.job 26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe File created C:\Windows\Tasks\explorha.job amadka.exe File opened for modification C:\Windows\rss EKb0NYH4yPgtjnTIj2qfRL8O.exe File created C:\Windows\rss\csrss.exe EKb0NYH4yPgtjnTIj2qfRL8O.exe File created C:\Windows\rss\csrss.exe EhYXhYGLnLV8VSdbD8cTBq9A.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid process 5840 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 6116 5988 WerFault.exe tW8QawWbYo8OHMYJg4S2hPiU.exe 6420 5776 WerFault.exe RegAsm.exe 6644 5776 WerFault.exe RegAsm.exe 7080 5748 WerFault.exe F1CMsOeEo5X1pqEkB18N9JzS.exe 6512 4132 WerFault.exe u40s.0.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
u40s.1.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u40s.1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u40s.1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u40s.1.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
u40s.0.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 u40s.0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString u40s.0.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid process 6608 schtasks.exe 4424 schtasks.exe 1552 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exeEhYXhYGLnLV8VSdbD8cTBq9A.exeEKb0NYH4yPgtjnTIj2qfRL8O.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" EhYXhYGLnLV8VSdbD8cTBq9A.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" EKb0NYH4yPgtjnTIj2qfRL8O.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" EKb0NYH4yPgtjnTIj2qfRL8O.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" EKb0NYH4yPgtjnTIj2qfRL8O.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" EKb0NYH4yPgtjnTIj2qfRL8O.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" EKb0NYH4yPgtjnTIj2qfRL8O.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" EKb0NYH4yPgtjnTIj2qfRL8O.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" EhYXhYGLnLV8VSdbD8cTBq9A.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" EKb0NYH4yPgtjnTIj2qfRL8O.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" EhYXhYGLnLV8VSdbD8cTBq9A.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" EKb0NYH4yPgtjnTIj2qfRL8O.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" EhYXhYGLnLV8VSdbD8cTBq9A.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" EhYXhYGLnLV8VSdbD8cTBq9A.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" EKb0NYH4yPgtjnTIj2qfRL8O.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe -
Processes:
HYFxJJHfY3Nz6YNWQZKBkpGn.exepropro.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 HYFxJJHfY3Nz6YNWQZKBkpGn.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e HYFxJJHfY3Nz6YNWQZKBkpGn.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e HYFxJJHfY3Nz6YNWQZKBkpGn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 propro.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 propro.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exeexplorgu.exeamadka.exerundll32.exeexplorha.exeTraffic.exepowershell.exepropro.exeredlinepanel.exemsedge.exemsedge.exeamert.exe32456.exeRegAsm.exerundll32.exemsedge.exepid process 4368 26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe 4368 26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe 424 explorgu.exe 424 explorgu.exe 3264 amadka.exe 3264 amadka.exe 880 rundll32.exe 880 rundll32.exe 880 rundll32.exe 880 rundll32.exe 880 rundll32.exe 880 rundll32.exe 4980 explorha.exe 4980 explorha.exe 4612 Traffic.exe 880 rundll32.exe 880 rundll32.exe 880 rundll32.exe 880 rundll32.exe 1656 powershell.exe 1656 powershell.exe 1656 powershell.exe 1736 propro.exe 1736 propro.exe 3104 redlinepanel.exe 3104 redlinepanel.exe 3104 redlinepanel.exe 3104 redlinepanel.exe 880 msedge.exe 880 msedge.exe 1848 msedge.exe 1848 msedge.exe 5684 amert.exe 5684 amert.exe 2820 32456.exe 2820 32456.exe 3104 redlinepanel.exe 3104 redlinepanel.exe 5056 RegAsm.exe 5056 RegAsm.exe 2340 rundll32.exe 2340 rundll32.exe 2340 rundll32.exe 2340 rundll32.exe 2340 rundll32.exe 2340 rundll32.exe 1736 propro.exe 1736 propro.exe 1736 propro.exe 1736 propro.exe 1736 propro.exe 1736 propro.exe 1736 propro.exe 1736 propro.exe 1736 propro.exe 1736 propro.exe 1736 propro.exe 1736 propro.exe 1736 propro.exe 1736 propro.exe 1736 propro.exe 1736 propro.exe 1404 msedge.exe 1404 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
msedge.exepid process 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
Traffic.exe32456.exepowershell.exepropro.exeCasPol.exeredlinepanel.exeRegAsm.exepowershell.exeRegAsm.exepowershell.exepowershell.exepowershell.exeEhYXhYGLnLV8VSdbD8cTBq9A.exeooNsLBPf6tZ2Yd1wW52HaYaB.exeEKb0NYH4yPgtjnTIj2qfRL8O.exepowershell.exepowershell.exepowershell.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exedescription pid process Token: SeDebugPrivilege 4612 Traffic.exe Token: SeBackupPrivilege 4612 Traffic.exe Token: SeSecurityPrivilege 4612 Traffic.exe Token: SeSecurityPrivilege 4612 Traffic.exe Token: SeSecurityPrivilege 4612 Traffic.exe Token: SeSecurityPrivilege 4612 Traffic.exe Token: SeDebugPrivilege 2820 32456.exe Token: SeBackupPrivilege 2820 32456.exe Token: SeSecurityPrivilege 2820 32456.exe Token: SeSecurityPrivilege 2820 32456.exe Token: SeSecurityPrivilege 2820 32456.exe Token: SeSecurityPrivilege 2820 32456.exe Token: SeDebugPrivilege 1656 powershell.exe Token: SeDebugPrivilege 1736 propro.exe Token: SeDebugPrivilege 1144 CasPol.exe Token: SeDebugPrivilege 3104 redlinepanel.exe Token: SeDebugPrivilege 5056 RegAsm.exe Token: SeDebugPrivilege 5728 powershell.exe Token: SeDebugPrivilege 4216 RegAsm.exe Token: SeDebugPrivilege 5124 powershell.exe Token: SeDebugPrivilege 5824 powershell.exe Token: SeDebugPrivilege 3708 powershell.exe Token: SeDebugPrivilege 5236 EhYXhYGLnLV8VSdbD8cTBq9A.exe Token: SeDebugPrivilege 5132 ooNsLBPf6tZ2Yd1wW52HaYaB.exe Token: SeImpersonatePrivilege 5236 EhYXhYGLnLV8VSdbD8cTBq9A.exe Token: SeImpersonatePrivilege 5132 ooNsLBPf6tZ2Yd1wW52HaYaB.exe Token: SeDebugPrivilege 1616 EKb0NYH4yPgtjnTIj2qfRL8O.exe Token: SeImpersonatePrivilege 1616 EKb0NYH4yPgtjnTIj2qfRL8O.exe Token: SeDebugPrivilege 3004 powershell.exe Token: SeDebugPrivilege 5996 powershell.exe Token: SeDebugPrivilege 6968 powershell.exe Token: SeDebugPrivilege 3704 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Token: SeDebugPrivilege 4480 powershell.exe Token: SeDebugPrivilege 6392 powershell.exe Token: SeDebugPrivilege 5460 powershell.exe Token: SeDebugPrivilege 2300 powershell.exe Token: SeDebugPrivilege 6044 powershell.exe Token: SeDebugPrivilege 6196 powershell.exe Token: SeDebugPrivilege 5480 powershell.exe Token: SeDebugPrivilege 5048 powershell.exe Token: SeDebugPrivilege 1192 powershell.exe Token: SeSystemEnvironmentPrivilege 6712 csrss.exe Token: SeSecurityPrivilege 5840 sc.exe Token: SeSecurityPrivilege 5840 sc.exe -
Suspicious use of FindShellTrayWindow 37 IoCs
Processes:
go.exemsedge.exeu40s.1.exepid process 3444 go.exe 3444 go.exe 3444 go.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 3444 go.exe 3444 go.exe 6520 u40s.1.exe 6520 u40s.1.exe 6520 u40s.1.exe 6520 u40s.1.exe 6520 u40s.1.exe 6520 u40s.1.exe 6520 u40s.1.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
go.exemsedge.exeu40s.1.exepid process 3444 go.exe 3444 go.exe 3444 go.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 1848 msedge.exe 3444 go.exe 3444 go.exe 6520 u40s.1.exe 6520 u40s.1.exe 6520 u40s.1.exe 6520 u40s.1.exe 6520 u40s.1.exe 6520 u40s.1.exe 6520 u40s.1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
explorgu.exealex1234.exeRegAsm.exerundll32.exeamadka.exerundll32.exeexplorha.exeNewB.exegoldprimeldlldf.exedescription pid process target process PID 424 wrote to memory of 692 424 explorgu.exe random.exe PID 424 wrote to memory of 692 424 explorgu.exe random.exe PID 424 wrote to memory of 692 424 explorgu.exe random.exe PID 424 wrote to memory of 1444 424 explorgu.exe alex1234.exe PID 424 wrote to memory of 1444 424 explorgu.exe alex1234.exe PID 424 wrote to memory of 1444 424 explorgu.exe alex1234.exe PID 1444 wrote to memory of 4216 1444 alex1234.exe RegAsm.exe PID 1444 wrote to memory of 4216 1444 alex1234.exe RegAsm.exe PID 1444 wrote to memory of 4216 1444 alex1234.exe RegAsm.exe PID 1444 wrote to memory of 4216 1444 alex1234.exe RegAsm.exe PID 1444 wrote to memory of 4216 1444 alex1234.exe RegAsm.exe PID 1444 wrote to memory of 4216 1444 alex1234.exe RegAsm.exe PID 1444 wrote to memory of 4216 1444 alex1234.exe RegAsm.exe PID 1444 wrote to memory of 4216 1444 alex1234.exe RegAsm.exe PID 4216 wrote to memory of 4612 4216 RegAsm.exe Traffic.exe PID 4216 wrote to memory of 4612 4216 RegAsm.exe Traffic.exe PID 4216 wrote to memory of 1736 4216 RegAsm.exe propro.exe PID 4216 wrote to memory of 1736 4216 RegAsm.exe propro.exe PID 4216 wrote to memory of 1736 4216 RegAsm.exe propro.exe PID 424 wrote to memory of 3264 424 explorgu.exe amadka.exe PID 424 wrote to memory of 3264 424 explorgu.exe amadka.exe PID 424 wrote to memory of 3264 424 explorgu.exe amadka.exe PID 424 wrote to memory of 3104 424 explorgu.exe redlinepanel.exe PID 424 wrote to memory of 3104 424 explorgu.exe redlinepanel.exe PID 424 wrote to memory of 3104 424 explorgu.exe redlinepanel.exe PID 424 wrote to memory of 5024 424 explorgu.exe rundll32.exe PID 424 wrote to memory of 5024 424 explorgu.exe rundll32.exe PID 424 wrote to memory of 5024 424 explorgu.exe rundll32.exe PID 5024 wrote to memory of 880 5024 rundll32.exe msedge.exe PID 5024 wrote to memory of 880 5024 rundll32.exe msedge.exe PID 3264 wrote to memory of 4980 3264 amadka.exe explorha.exe PID 3264 wrote to memory of 4980 3264 amadka.exe explorha.exe PID 3264 wrote to memory of 4980 3264 amadka.exe explorha.exe PID 880 wrote to memory of 4892 880 rundll32.exe netsh.exe PID 880 wrote to memory of 4892 880 rundll32.exe netsh.exe PID 424 wrote to memory of 2820 424 explorgu.exe 32456.exe PID 424 wrote to memory of 2820 424 explorgu.exe 32456.exe PID 880 wrote to memory of 1656 880 rundll32.exe powershell.exe PID 880 wrote to memory of 1656 880 rundll32.exe powershell.exe PID 4980 wrote to memory of 1112 4980 explorha.exe 1325eeeae7.exe PID 4980 wrote to memory of 1112 4980 explorha.exe 1325eeeae7.exe PID 4980 wrote to memory of 1112 4980 explorha.exe 1325eeeae7.exe PID 424 wrote to memory of 3988 424 explorgu.exe NewB.exe PID 424 wrote to memory of 3988 424 explorgu.exe NewB.exe PID 424 wrote to memory of 3988 424 explorgu.exe NewB.exe PID 4980 wrote to memory of 1604 4980 explorha.exe explorha.exe PID 4980 wrote to memory of 1604 4980 explorha.exe explorha.exe PID 4980 wrote to memory of 1604 4980 explorha.exe explorha.exe PID 3988 wrote to memory of 1552 3988 NewB.exe schtasks.exe PID 3988 wrote to memory of 1552 3988 NewB.exe schtasks.exe PID 3988 wrote to memory of 1552 3988 NewB.exe schtasks.exe PID 424 wrote to memory of 4328 424 explorgu.exe goldprimeldlldf.exe PID 424 wrote to memory of 4328 424 explorgu.exe goldprimeldlldf.exe PID 424 wrote to memory of 4328 424 explorgu.exe goldprimeldlldf.exe PID 4328 wrote to memory of 5056 4328 goldprimeldlldf.exe RegAsm.exe PID 4328 wrote to memory of 5056 4328 goldprimeldlldf.exe RegAsm.exe PID 4328 wrote to memory of 5056 4328 goldprimeldlldf.exe RegAsm.exe PID 4328 wrote to memory of 5056 4328 goldprimeldlldf.exe RegAsm.exe PID 4328 wrote to memory of 5056 4328 goldprimeldlldf.exe RegAsm.exe PID 4328 wrote to memory of 5056 4328 goldprimeldlldf.exe RegAsm.exe PID 4328 wrote to memory of 5056 4328 goldprimeldlldf.exe RegAsm.exe PID 4328 wrote to memory of 5056 4328 goldprimeldlldf.exe RegAsm.exe PID 4980 wrote to memory of 3444 4980 explorha.exe go.exe PID 4980 wrote to memory of 3444 4980 explorha.exe go.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe"C:\Users\Admin\AppData\Local\Temp\26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000042001\1325eeeae7.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\1325eeeae7.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb3edd3cb8,0x7ffb3edd3cc8,0x7ffb3edd3cd86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:26⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3256 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3116 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb3edd3cb8,0x7ffb3edd3cc8,0x7ffb3edd3cd86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb3edd3cb8,0x7ffb3edd3cc8,0x7ffb3edd3cd86⤵
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\U2USE9Ra2PH86K3J1s8VHSUG.exe"C:\Users\Admin\Pictures\U2USE9Ra2PH86K3J1s8VHSUG.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u40s.0.exe"C:\Users\Admin\AppData\Local\Temp\u40s.0.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe"C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe8⤵
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30009⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 34846⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\u40s.1.exe"C:\Users\Admin\AppData\Local\Temp\u40s.1.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD16⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\EKb0NYH4yPgtjnTIj2qfRL8O.exe"C:\Users\Admin\Pictures\EKb0NYH4yPgtjnTIj2qfRL8O.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\EKb0NYH4yPgtjnTIj2qfRL8O.exe"C:\Users\Admin\Pictures\EKb0NYH4yPgtjnTIj2qfRL8O.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll7⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\EhYXhYGLnLV8VSdbD8cTBq9A.exe"C:\Users\Admin\Pictures\EhYXhYGLnLV8VSdbD8cTBq9A.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\EhYXhYGLnLV8VSdbD8cTBq9A.exe"C:\Users\Admin\Pictures\EhYXhYGLnLV8VSdbD8cTBq9A.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\ooNsLBPf6tZ2Yd1wW52HaYaB.exe"C:\Users\Admin\Pictures\ooNsLBPf6tZ2Yd1wW52HaYaB.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\ooNsLBPf6tZ2Yd1wW52HaYaB.exe"C:\Users\Admin\Pictures\ooNsLBPf6tZ2Yd1wW52HaYaB.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\tW8QawWbYo8OHMYJg4S2hPiU.exe"C:\Users\Admin\Pictures\tW8QawWbYo8OHMYJg4S2hPiU.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 5326⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 5046⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 8805⤵
- Program crash
-
C:\Users\Admin\Pictures\F1CMsOeEo5X1pqEkB18N9JzS.exe"C:\Users\Admin\Pictures\F1CMsOeEo5X1pqEkB18N9JzS.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 12725⤵
- Program crash
-
C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exe"C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exe" --silent --allusers=04⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exeC:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6b8be1d0,0x6b8be1dc,0x6b8be1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\HYFxJJHfY3Nz6YNWQZKBkpGn.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\HYFxJJHfY3Nz6YNWQZKBkpGn.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exe"C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4280 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329063333" --session-guid=7478d726-9f4e-4a97-8440-947e14411507 --server-tracking-blob=ZjdlNjhkZGViZTgyZmNhODQ1M2FkZjk2ZmQwNTk1NGU3MTFjMjgwMzM4MjBhZWQyOGZiYTg1Y2Y4MTFkODllYjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE2OTQwMDcuNjc5MyIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6IjdmYzc1MTI1LWY3ZmUtNGY0NS04YjIxLWU5ODA0Njk1OTExNSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2C040000000000005⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exeC:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6af3e1d0,0x6af3e1dc,0x6af3e1e86⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290633331\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290633331\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290633331\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290633331\assistant\assistant_installer.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290633331\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290633331\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0xf60040,0xf6004c,0xf600586⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\nSZX9fVEo9TfRkLprb5h5d0I.exe"C:\Users\Admin\Pictures\nSZX9fVEo9TfRkLprb5h5d0I.exe"4⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5988 -ip 59881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5776 -ip 57761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5776 -ip 57761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5748 -ip 57481⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4132 -ip 41321⤵
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Virtualization/Sandbox Evasion
2Impair Defenses
1Disable or Modify System Firewall
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
6Credentials In Files
5Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD519a8bcb40a17253313345edd2a0da1e7
SHA186fac74b5bbc59e910248caebd1176a48a46d72e
SHA256b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e
SHA5129f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD596899614360333c9904499393c6e3d75
SHA1bbfa17cf8df01c266323965735f00f0e9e04cd34
SHA256486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c
SHA512974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5400bfedf017dccce64879e2a21799f67
SHA1c30acf0128cf967372fb1c5501c4044e2802d650
SHA256ef5ca20e9aaed667d2980430d0c061dde015bb56367b058576dcff42bd1eaa39
SHA51202e19125f1abf9768d49287c4c993aa399d1cf3f079a33877a243c36f91b7b211efcd43c39f0d507f0aa2677b6bcd37dcbaf62e172166172f2d602905dff04fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD590cc2ae6a59751907b84f9b3600db8cd
SHA10a259947cca9d4c29e80db062e54a5f0bd61e974
SHA256a4970bbfeb22d1da2453f9aee64349dc635ee4409e3db43401fad96258a46d86
SHA5121946a7ebb0b7c62b8f89c408fd021897213d2d1a0f62b830e88be7ff487e341594d41c05cf0c84e3b8b8ff6d117700813009afb8e56c0bd349195591c6d4d515
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5964a222a114384db6d856b5c375b345b
SHA1fc0c924361e674803e44d677ddf4dd1cbcbe579c
SHA256b800fc5b8fe15bb1ada691dd6b69792e13cf2844f78c7129e68d3731dc94411d
SHA5129d96ab324f4deec9973ff7018777921afde551747f7abb30513dc2d9bae3829ff600dca056ff98c592eb1f9841983778a09ce6f5d0833d7b7c8108f925cd3337
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290633331\additional_file0.tmpFilesize
2.5MB
MD520d293b9bf23403179ca48086ba88867
SHA1dedf311108f607a387d486d812514a2defbd1b9e
SHA256fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA5125d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290633331\opera_packageFilesize
103.9MB
MD5401c352990789be2f40fe8f9c5c7a5ac
SHA1d7c1e902487511d3f4e1a57abdee8a94d5483ed4
SHA256f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3
SHA512efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeFilesize
1.8MB
MD561da1fea2839b0dc934c187439990209
SHA18426600680955ef9e564c191d326d09eaf1ddde6
SHA25626121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f
SHA5124ac34032bd522bf1e0949b6d89a5ccd3169bc5463735aac3b65449f572422f86be8c483aa6abefe03aecfbd1c5e44c65ccbe352f560d168615b8804c66ddb849
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exeFilesize
894KB
MD52f8912af892c160c1c24c9f38a60c1ab
SHA1d2deae508e262444a8f15c29ebcc7ebbe08a3fdb
SHA25659ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308
SHA5120395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exeFilesize
3.0MB
MD5e488cfbae46ec2e28a00444eddca301a
SHA12dea08a459a484351e780570078f2d23791435bf
SHA256aaafcf47fe02530c7a146ef3e6993e1ab77813e39e7a966b0338a79ad6083ce9
SHA512c1a6921acb27b961418223e8720079cbedd75c023f9d1fc52c4ca18a1c6414b0fb9059d89285a776335dfc2ca1137ad19c3dcddd4327169f24b5d6ffe1c6c7c2
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exeFilesize
1.8MB
MD5483eaef6d08b7a5d6a720b9f4978aada
SHA183344a04fe22dec608f490fb48f7e887a8cd6a95
SHA256ef9c475eb2ec3660fb623e1ba966c531918f6afd4b610b71fd098a05b892d5d1
SHA5128d0de7782d711712ab5b9dbf63b8666c1071703f18c5f9225ac99ea8a32ce6369cfec74fd67c41b135392b38d312e4b13e35d209f848db995a2e67f92ee6ec1c
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exeFilesize
301KB
MD5832eb4dc3ed8ceb9a1735bd0c7acaf1b
SHA1b622a406927fbb8f6cd5081bd4455fb831948fca
SHA2562a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7
SHA5123ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exeFilesize
499KB
MD583d0b41c7a3a0d29a268b49a313c5de5
SHA146f3251c771b67b40b1f3268caef8046174909a5
SHA25609cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9
SHA512705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5
-
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exeFilesize
464KB
MD5c084d6f6ba40534fbfc5a64b21ef99ab
SHA10b4a17da83c0a8abbc8fab321931d5447b32b720
SHA256afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624
SHA512a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1
-
C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exeFilesize
386KB
MD516f67f1a6e10f044bc15abe8c71b3bd6
SHA1ce0101205b919899a2a2f577100377c2a6546171
SHA25641cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89
SHA512a11db01bf55e3497644918c7dcc6180e0911261f39f062e653f000e1365dc9668fe5bd1d0fee0ae5c740a6477bcea510ba8c5ff6831c3bdb0d7c0590d2487e3c
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403290633337821532.dllFilesize
4.6MB
MD5117176ddeaf70e57d1747704942549e4
SHA175e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b
SHA2563c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af
SHA512ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9
-
C:\Users\Admin\AppData\Local\Temp\TmpA4DB.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t4guqp0m.1qb.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
3KB
MD56cc889a418d9cd679cfb6349aa1a3b5a
SHA1e0cc73454776f3c683bd9e157b546992afcfc9d5
SHA256fd2191550191a82398954b88811705f29bea95c07b320f3a833230ce26a38b30
SHA512d1cdb1735b407863c5687d66843dcba6d91bcf5859b485b1ac028e62ef63e8921a69ca7de8e8c97d9c6632ef568e5d4a761746a9c4665c3b5bd5087a59881756
-
C:\Users\Admin\AppData\Local\Temp\tmpBF6A.tmpFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\tmpC048.tmpFilesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
C:\Users\Admin\AppData\Local\Temp\tmpE35F.tmpFilesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
C:\Users\Admin\AppData\Local\Temp\tmpE401.tmpFilesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
C:\Users\Admin\AppData\Local\Temp\u40s.0.exeFilesize
234KB
MD51075a1d370cf984825e54e157de25e24
SHA1a5c6d208b2d4dc8a579d9c194a32478e553a4edc
SHA2569b758debb6d73ad050d4f30c343cf451b6d24814a40499e9ec4b67def54ee2f1
SHA51239f7eacd5c85bd68626fd070e0d5062e30dd75b851fc8a769a99af4c10a7901d4876fa986a3e0c6fc30a958637a76a0954b0b4cc592861ca93007bc5b69e7055
-
C:\Users\Admin\AppData\Local\Temp\u40s.1.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5f4f7cbdf4f608ea4d38a9973e37999c0
SHA1e18578d13bb78ed3eea2785547b443c5c8744fd6
SHA2562188341c3a18077920e95179ab72c883b2e75e8ad27f78551225eb3e676b646d
SHA51281e9d71a2d0d428bdea7b938436e17b12ba3ac998f569a781c1b4b0fbbfdac9180e109f7e2a59952ec2e8ed061c1de5319dd435434b3af96da0eb02da5c43aba
-
C:\Users\Admin\Pictures\EKb0NYH4yPgtjnTIj2qfRL8O.exeFilesize
4.1MB
MD5b4a29c6846c8a44e1a6734c60b227229
SHA138de05fd5fd68592e32ecb65f5a813225df97643
SHA2566054defae9ecdea5a1c503d24aecd93f1c94ef6db3f83a72e36ddcb5676023b6
SHA51217a6d1d9807e30141c0f87bd25d695338f656b45d5d3eadb9629fa3e195c52d63ca56d1dbb567835de2947e687cd724b1e9e30de97e2250fbafc968dfaae37ff
-
C:\Users\Admin\Pictures\EhYXhYGLnLV8VSdbD8cTBq9A.exeFilesize
4.1MB
MD5618cd883a0a2c571c10b46143d39138e
SHA1a732b4ec8c4cb329c5f8d6dd3b399c3999882201
SHA256df40eeaf731c202b504a5c147013ea345f4ff0f8dca04396e526941f24294980
SHA5125091e58862f431afb49d48aeb30480986a49db4836c60c8da175445600c3299417d7e82bd5cb81c4fef819aae744e0035307110f87e8839f1cebd79c19e58dbd
-
C:\Users\Admin\Pictures\F1CMsOeEo5X1pqEkB18N9JzS.exeFilesize
372KB
MD5e2a6c1f58b137874e490b8d94382fcdb
SHA171529c5d708091b1e1a580227dc52e62a140edd1
SHA2564801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA51224d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff
-
C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exeFilesize
5.1MB
MD55618c881772e18c8b17a199bff98291d
SHA16a8492d9b97e85202469408e906bd70b2ef0b075
SHA2561207c1d2517c4fa76dbe309c1006fd21e92c33d42708f247b9c80b03f3f17b74
SHA512249c907dd0219dd25de31bbcbdb3f486107c79b2d179aa666b53f7cdffee2674932d1a12f5a79bce12861d5f530ccffa837bcf6a462fceb3a5644ccb8e2b9f84
-
C:\Users\Admin\Pictures\JCDj2mN4He9JZFkyUkXiVbO2.exeFilesize
3KB
MD59a1715d86eb80012edd5587130079f44
SHA1c163cc5a3c9889a586318cfe3866671a76754521
SHA2560b98d5b3fdcf57fb1279ab6bfe092e1b4e3368dd121710b541d0b97ebae06e84
SHA512d26c947e642ce4cb719d413dbedc615be06165df5410de1299a09fe5e22eae72ce70bb8c7971347d83429717424758ebf24f2c181069cbc7eaaee547f86e7941
-
C:\Users\Admin\Pictures\TarJcFzSTgeYtcQNlzh2Co9H.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\U2USE9Ra2PH86K3J1s8VHSUG.exeFilesize
378KB
MD5b17c454113b64091df4e2e23048d2c74
SHA1bf6fe6673cea5a2e0b53441f07a02ad4e3158ed2
SHA25614bca415c4977f4c05429fc0ea97bc8f6e5361def1e8543b0937492670892be5
SHA5122e67ebe165c04309d3a1d828dc7196f80af69f11d0e9043ff1b9beb6706737ad916aa8218e230c65036836e2e03e34f9411dbe0a0437c9c51e63cb3ae031b5d3
-
C:\Users\Admin\Pictures\YdUZucGl098lejAlBFAhDOV3.exeFilesize
3KB
MD5d4bc43b7074bc273c27651b90c7997d2
SHA1c909ff4adb0bd8ddb2a58b4cb32daa66499ace3b
SHA256c913190ce6e35f155bf9e8c5fb45e90facc30622368360b6c8c30741bfa19cf6
SHA512bf82e328200468bda3b2242e2202144e3c928e8cc3519e6d8ba569dcc2ca14e07fa37dfe5c7df5fd8df363a5a9c3518dc439ac5987679a8bb814aad6a501e743
-
C:\Users\Admin\Pictures\nSZX9fVEo9TfRkLprb5h5d0I.exeFilesize
4.3MB
MD5858bb0a3b4fa6a54586402e3ee117076
SHA1997c31f043347883ea5ed2323a558b6cc5ea9c8e
SHA256d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35
SHA512e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd
-
C:\Users\Admin\Pictures\tW8QawWbYo8OHMYJg4S2hPiU.exeFilesize
437KB
MD57960d8afbbac06f216cceeb1531093bb
SHA1008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA51235d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD59e2d2705de158beb677518f27bbbdfea
SHA1be0024165b635700a7da3f524462c60d0ee01a01
SHA256b964bdc957f40bb29e05ad7b7bd52ef902aba414698706ea1421045d7ce72311
SHA512a21f79cdaae763ef6762886efe7d0e03eebd4e792a53eb214f39b19232e5d1264fdf6574256aeba55c7f1d3b22571869d8d720f8e2da0fc165f26df093d94a9d
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
\??\pipe\LOCAL\crashpad_1848_TOULMYZMLZYFAKIZMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/424-26-0x00000000050B0000-0x00000000050B1000-memory.dmpFilesize
4KB
-
memory/424-481-0x0000000000450000-0x0000000000901000-memory.dmpFilesize
4.7MB
-
memory/424-840-0x0000000000450000-0x0000000000901000-memory.dmpFilesize
4.7MB
-
memory/424-1116-0x0000000000450000-0x0000000000901000-memory.dmpFilesize
4.7MB
-
memory/424-19-0x0000000000450000-0x0000000000901000-memory.dmpFilesize
4.7MB
-
memory/424-82-0x0000000000450000-0x0000000000901000-memory.dmpFilesize
4.7MB
-
memory/424-20-0x0000000000450000-0x0000000000901000-memory.dmpFilesize
4.7MB
-
memory/424-22-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/424-23-0x00000000050D0000-0x00000000050D1000-memory.dmpFilesize
4KB
-
memory/424-153-0x0000000000450000-0x0000000000901000-memory.dmpFilesize
4.7MB
-
memory/424-21-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/424-24-0x0000000005070000-0x0000000005071000-memory.dmpFilesize
4KB
-
memory/424-25-0x0000000005080000-0x0000000005081000-memory.dmpFilesize
4KB
-
memory/424-28-0x00000000050E0000-0x00000000050E1000-memory.dmpFilesize
4KB
-
memory/424-27-0x00000000050F0000-0x00000000050F1000-memory.dmpFilesize
4KB
-
memory/424-108-0x0000000000450000-0x0000000000901000-memory.dmpFilesize
4.7MB
-
memory/692-962-0x0000000000CE0000-0x000000000108F000-memory.dmpFilesize
3.7MB
-
memory/692-49-0x0000000000CE0000-0x000000000108F000-memory.dmpFilesize
3.7MB
-
memory/692-48-0x0000000000CE0000-0x000000000108F000-memory.dmpFilesize
3.7MB
-
memory/692-1163-0x0000000000CE0000-0x000000000108F000-memory.dmpFilesize
3.7MB
-
memory/692-156-0x0000000000CE0000-0x000000000108F000-memory.dmpFilesize
3.7MB
-
memory/692-305-0x0000000000CE0000-0x000000000108F000-memory.dmpFilesize
3.7MB
-
memory/692-154-0x0000000000CE0000-0x000000000108F000-memory.dmpFilesize
3.7MB
-
memory/692-725-0x0000000000CE0000-0x000000000108F000-memory.dmpFilesize
3.7MB
-
memory/1112-1169-0x0000000000AF0000-0x0000000000E9F000-memory.dmpFilesize
3.7MB
-
memory/1112-994-0x0000000000AF0000-0x0000000000E9F000-memory.dmpFilesize
3.7MB
-
memory/1112-726-0x0000000000AF0000-0x0000000000E9F000-memory.dmpFilesize
3.7MB
-
memory/1144-534-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1444-70-0x0000000073220000-0x00000000739D1000-memory.dmpFilesize
7.7MB
-
memory/1444-80-0x0000000003340000-0x0000000005340000-memory.dmpFilesize
32.0MB
-
memory/1444-79-0x0000000073220000-0x00000000739D1000-memory.dmpFilesize
7.7MB
-
memory/1444-187-0x0000000003340000-0x0000000005340000-memory.dmpFilesize
32.0MB
-
memory/1444-71-0x00000000031B0000-0x00000000031C0000-memory.dmpFilesize
64KB
-
memory/1444-69-0x0000000000C50000-0x0000000000E0C000-memory.dmpFilesize
1.7MB
-
memory/1616-1049-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/1736-104-0x0000000000EF0000-0x0000000000F42000-memory.dmpFilesize
328KB
-
memory/1736-136-0x00000000070C0000-0x000000000710C000-memory.dmpFilesize
304KB
-
memory/1736-103-0x0000000073220000-0x00000000739D1000-memory.dmpFilesize
7.7MB
-
memory/1736-105-0x0000000005DB0000-0x0000000006356000-memory.dmpFilesize
5.6MB
-
memory/1736-106-0x00000000058C0000-0x0000000005952000-memory.dmpFilesize
584KB
-
memory/1736-110-0x0000000005A80000-0x0000000005A90000-memory.dmpFilesize
64KB
-
memory/1736-109-0x0000000005A60000-0x0000000005A6A000-memory.dmpFilesize
40KB
-
memory/1736-127-0x0000000006460000-0x00000000064D6000-memory.dmpFilesize
472KB
-
memory/1736-129-0x0000000006CE0000-0x0000000006CFE000-memory.dmpFilesize
120KB
-
memory/1736-132-0x0000000007460000-0x0000000007A78000-memory.dmpFilesize
6.1MB
-
memory/1736-133-0x0000000006FB0000-0x00000000070BA000-memory.dmpFilesize
1.0MB
-
memory/1736-134-0x0000000006EF0000-0x0000000006F02000-memory.dmpFilesize
72KB
-
memory/1736-135-0x0000000006F50000-0x0000000006F8C000-memory.dmpFilesize
240KB
-
memory/2524-945-0x0000000075BB0000-0x0000000075E02000-memory.dmpFilesize
2.3MB
-
memory/2524-931-0x0000000002C70000-0x0000000003070000-memory.dmpFilesize
4.0MB
-
memory/2524-935-0x00007FFB65D80000-0x00007FFB65F89000-memory.dmpFilesize
2.0MB
-
memory/2524-919-0x0000000000DB0000-0x0000000000DB9000-memory.dmpFilesize
36KB
-
memory/3104-183-0x0000000073220000-0x00000000739D1000-memory.dmpFilesize
7.7MB
-
memory/3104-184-0x0000000000660000-0x00000000006B0000-memory.dmpFilesize
320KB
-
memory/3264-218-0x0000000000F70000-0x0000000001434000-memory.dmpFilesize
4.8MB
-
memory/3264-161-0x00000000059C0000-0x00000000059C1000-memory.dmpFilesize
4KB
-
memory/3264-160-0x0000000005A20000-0x0000000005A21000-memory.dmpFilesize
4KB
-
memory/3264-162-0x00000000059D0000-0x00000000059D1000-memory.dmpFilesize
4KB
-
memory/3264-157-0x00000000059F0000-0x00000000059F1000-memory.dmpFilesize
4KB
-
memory/3264-155-0x0000000000F70000-0x0000000001434000-memory.dmpFilesize
4.8MB
-
memory/3264-163-0x0000000000F70000-0x0000000001434000-memory.dmpFilesize
4.8MB
-
memory/3264-158-0x0000000005A00000-0x0000000005A01000-memory.dmpFilesize
4KB
-
memory/3264-185-0x0000000005A40000-0x0000000005A41000-memory.dmpFilesize
4KB
-
memory/3264-159-0x00000000059E0000-0x00000000059E1000-memory.dmpFilesize
4KB
-
memory/4132-965-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/4132-1119-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/4216-83-0x0000000073220000-0x00000000739D1000-memory.dmpFilesize
7.7MB
-
memory/4216-188-0x0000000004FD0000-0x0000000004FE0000-memory.dmpFilesize
64KB
-
memory/4216-74-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/4216-81-0x0000000004FD0000-0x0000000004FE0000-memory.dmpFilesize
64KB
-
memory/4368-7-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/4368-16-0x0000000000990000-0x0000000000E41000-memory.dmpFilesize
4.7MB
-
memory/4368-8-0x0000000005620000-0x0000000005621000-memory.dmpFilesize
4KB
-
memory/4368-11-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/4368-2-0x0000000000990000-0x0000000000E41000-memory.dmpFilesize
4.7MB
-
memory/4368-0-0x0000000000990000-0x0000000000E41000-memory.dmpFilesize
4.7MB
-
memory/4368-9-0x0000000005640000-0x0000000005641000-memory.dmpFilesize
4KB
-
memory/4368-1-0x0000000077B26000-0x0000000077B28000-memory.dmpFilesize
8KB
-
memory/4368-5-0x0000000005650000-0x0000000005651000-memory.dmpFilesize
4KB
-
memory/4368-6-0x00000000055E0000-0x00000000055E1000-memory.dmpFilesize
4KB
-
memory/4368-3-0x0000000005610000-0x0000000005611000-memory.dmpFilesize
4KB
-
memory/4368-4-0x0000000005600000-0x0000000005601000-memory.dmpFilesize
4KB
-
memory/4368-10-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/4612-126-0x00007FFB44F70000-0x00007FFB45A32000-memory.dmpFilesize
10.8MB
-
memory/4612-128-0x000000001B910000-0x000000001B920000-memory.dmpFilesize
64KB
-
memory/4612-111-0x0000000000C20000-0x0000000000CAC000-memory.dmpFilesize
560KB
-
memory/4980-529-0x0000000000D30000-0x00000000011F4000-memory.dmpFilesize
4.8MB
-
memory/4980-1118-0x0000000000D30000-0x00000000011F4000-memory.dmpFilesize
4.8MB
-
memory/4980-909-0x0000000000D30000-0x00000000011F4000-memory.dmpFilesize
4.8MB
-
memory/5056-384-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/5132-1072-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/5212-951-0x0000000000400000-0x0000000000563000-memory.dmpFilesize
1.4MB
-
memory/5236-1059-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/5684-552-0x0000000000B20000-0x0000000000FD1000-memory.dmpFilesize
4.7MB
-
memory/5748-1022-0x0000000000400000-0x0000000000B06000-memory.dmpFilesize
7.0MB
-
memory/5776-910-0x00007FFB65D80000-0x00007FFB65F89000-memory.dmpFilesize
2.0MB
-
memory/5776-915-0x0000000075BB0000-0x0000000075E02000-memory.dmpFilesize
2.3MB
-
memory/5776-832-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/5776-839-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/5776-902-0x0000000003F30000-0x0000000004330000-memory.dmpFilesize
4.0MB
-
memory/5776-904-0x0000000003F30000-0x0000000004330000-memory.dmpFilesize
4.0MB
-
memory/6272-1052-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmpFilesize
11.0MB
-
memory/6272-1050-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmpFilesize
11.0MB
-
memory/6272-1042-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmpFilesize
11.0MB
-
memory/6272-1047-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmpFilesize
11.0MB
-
memory/6272-1058-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmpFilesize
11.0MB
-
memory/6272-1053-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmpFilesize
11.0MB
-
memory/6272-1057-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmpFilesize
11.0MB
-
memory/6520-1145-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB