Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-03-2024 16:04
Static task
static1
Behavioral task
behavioral1
Sample
e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe
Resource
win10v2004-20240226-en
General
-
Target
e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe
-
Size
1.8MB
-
MD5
4e345d271484c49483a98e3feb8b0c28
-
SHA1
feef7df7a334cb691cc97bf83f6f1c90aef2c904
-
SHA256
e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16
-
SHA512
6772e6ecb169c43de0b5f1ba5807a3188fe68d8eb717db81882dbad8dce656a25dd24a8798095ec8b5ad580a990a78e5b4b768fcf9dd803d800ec609572704e5
-
SSDEEP
49152:0E5B6AWCQKFuH6yyEmsu2ugud3ehaXBFuSdOtB:0KBKKcHlyEBu2awUXZA7
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
LiveTraffic
4.185.137.132:1632
Extracted
vidar
8.6
22d12fb91f01647fe2107fec81f0cc22
https://steamcommunity.com/profiles/76561199658817715
https://t.me/sa9ok
-
profile_id_v2
22d12fb91f01647fe2107fec81f0cc22
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Signatures
-
Detect Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral1/memory/5696-646-0x0000000000400000-0x0000000000644000-memory.dmp family_vidar_v7 behavioral1/memory/5696-649-0x0000000000400000-0x0000000000644000-memory.dmp family_vidar_v7 -
Detect ZGRat V1 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe family_redline C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe family_redline C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe family_redline behavioral1/memory/6052-383-0x0000000000400000-0x0000000000450000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
Processes:
amert.exeexplorha.exeexplorgu.exeamadka.exee09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exeexplorha.exe29102cfda5.exerandom.exeexplorha.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amert.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amadka.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 29102cfda5.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe -
Blocklisted process makes network request 4 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exeflow pid process 126 4100 rundll32.exe 139 5728 rundll32.exe 204 2172 rundll32.exe 216 4992 rundll32.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
amert.exeexplorha.exerandom.exeamadka.exeexplorha.exeexplorha.exe29102cfda5.exee09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exeexplorgu.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 29102cfda5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 29102cfda5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorgu.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exeexplorha.exeexplorgu.exeRegAsm.exeNewB.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation explorha.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation explorgu.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation NewB.exe -
Executes dropped EXE 18 IoCs
Processes:
explorha.exe29102cfda5.exego.exeamert.exeexplorha.exeexplorgu.exerandom.exealex1234.exeamadka.exeredlinepanel.exeTraffic.exepropro.exe32456.exegoldprimeldlldf.exeNewB.exeSecond2.exeexplorha.exeNewB.exepid process 1836 explorha.exe 1360 29102cfda5.exe 2028 go.exe 2732 amert.exe 6112 explorha.exe 6116 explorgu.exe 1700 random.exe 5244 alex1234.exe 4100 amadka.exe 6096 redlinepanel.exe 4172 Traffic.exe 6136 propro.exe 5304 32456.exe 5924 goldprimeldlldf.exe 4016 NewB.exe 5796 Second2.exe 6120 explorha.exe 2264 NewB.exe -
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
29102cfda5.exerandom.exeamadka.exeexplorha.exee09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exeexplorha.exeamert.exeexplorha.exeexplorgu.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine 29102cfda5.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine random.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine amadka.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine amert.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine explorgu.exe -
Loads dropped DLL 7 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exeSecond2.exepid process 4576 rundll32.exe 4100 rundll32.exe 5728 rundll32.exe 5280 rundll32.exe 2172 rundll32.exe 4992 rundll32.exe 5796 Second2.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
explorgu.exeexplorha.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" explorgu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe" explorha.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe" explorgu.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exeexplorha.exeamert.exeexplorha.exeexplorgu.exeamadka.exeexplorha.exepid process 5036 e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe 1836 explorha.exe 2732 amert.exe 6112 explorha.exe 6116 explorgu.exe 4100 amadka.exe 6120 explorha.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
alex1234.exegoldprimeldlldf.exeSecond2.exedescription pid process target process PID 5244 set thread context of 3940 5244 alex1234.exe RegAsm.exe PID 5924 set thread context of 6052 5924 goldprimeldlldf.exe RegAsm.exe PID 5796 set thread context of 5696 5796 Second2.exe MsBuild.exe -
Drops file in Windows directory 2 IoCs
Processes:
amert.exee09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exedescription ioc process File created C:\Windows\Tasks\explorgu.job amert.exe File created C:\Windows\Tasks\explorha.job e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 928 5696 WerFault.exe MsBuild.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Processes:
propro.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 propro.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 propro.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exeexplorha.exerundll32.exeamert.exepowershell.exeexplorha.exeexplorgu.exeamadka.exerundll32.exepowershell.exeredlinepanel.exepropro.exepid process 5036 e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe 5036 e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe 1836 explorha.exe 1836 explorha.exe 4100 rundll32.exe 4100 rundll32.exe 4100 rundll32.exe 4100 rundll32.exe 4100 rundll32.exe 4100 rundll32.exe 2732 amert.exe 2732 amert.exe 4100 rundll32.exe 4100 rundll32.exe 4100 rundll32.exe 4100 rundll32.exe 5468 powershell.exe 5468 powershell.exe 5468 powershell.exe 6112 explorha.exe 6112 explorha.exe 6116 explorgu.exe 6116 explorgu.exe 4100 amadka.exe 4100 amadka.exe 2172 rundll32.exe 2172 rundll32.exe 2172 rundll32.exe 2172 rundll32.exe 2172 rundll32.exe 2172 rundll32.exe 2172 rundll32.exe 2172 rundll32.exe 2172 rundll32.exe 2172 rundll32.exe 5416 powershell.exe 5416 powershell.exe 5416 powershell.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6096 redlinepanel.exe 6136 propro.exe 6136 propro.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
powershell.exeTraffic.exe32456.exepowershell.exeredlinepanel.exepropro.exeRegAsm.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 5468 powershell.exe Token: SeDebugPrivilege 4172 Traffic.exe Token: SeDebugPrivilege 5304 32456.exe Token: SeDebugPrivilege 5416 powershell.exe Token: SeBackupPrivilege 4172 Traffic.exe Token: SeSecurityPrivilege 4172 Traffic.exe Token: SeSecurityPrivilege 4172 Traffic.exe Token: SeSecurityPrivilege 4172 Traffic.exe Token: SeSecurityPrivilege 4172 Traffic.exe Token: SeBackupPrivilege 5304 32456.exe Token: SeSecurityPrivilege 5304 32456.exe Token: SeSecurityPrivilege 5304 32456.exe Token: SeSecurityPrivilege 5304 32456.exe Token: SeSecurityPrivilege 5304 32456.exe Token: SeDebugPrivilege 6096 redlinepanel.exe Token: SeDebugPrivilege 6136 propro.exe Token: SeDebugPrivilege 6052 RegAsm.exe Token: SeDebugPrivilege 3940 RegAsm.exe -
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exego.exepid process 5036 e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe 2028 go.exe 2028 go.exe 2028 go.exe 2028 go.exe 2028 go.exe 2028 go.exe 2028 go.exe -
Suspicious use of SendNotifyMessage 7 IoCs
Processes:
go.exepid process 2028 go.exe 2028 go.exe 2028 go.exe 2028 go.exe 2028 go.exe 2028 go.exe 2028 go.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exeexplorha.exego.exerundll32.exerundll32.exeexplorgu.exealex1234.exeRegAsm.exedescription pid process target process PID 5036 wrote to memory of 1836 5036 e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe explorha.exe PID 5036 wrote to memory of 1836 5036 e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe explorha.exe PID 5036 wrote to memory of 1836 5036 e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe explorha.exe PID 1836 wrote to memory of 1916 1836 explorha.exe explorha.exe PID 1836 wrote to memory of 1916 1836 explorha.exe explorha.exe PID 1836 wrote to memory of 1916 1836 explorha.exe explorha.exe PID 1836 wrote to memory of 1360 1836 explorha.exe 29102cfda5.exe PID 1836 wrote to memory of 1360 1836 explorha.exe 29102cfda5.exe PID 1836 wrote to memory of 1360 1836 explorha.exe 29102cfda5.exe PID 1836 wrote to memory of 2028 1836 explorha.exe go.exe PID 1836 wrote to memory of 2028 1836 explorha.exe go.exe PID 1836 wrote to memory of 2028 1836 explorha.exe go.exe PID 2028 wrote to memory of 4776 2028 go.exe msedge.exe PID 2028 wrote to memory of 4776 2028 go.exe msedge.exe PID 2028 wrote to memory of 3356 2028 go.exe msedge.exe PID 2028 wrote to memory of 3356 2028 go.exe msedge.exe PID 2028 wrote to memory of 1688 2028 go.exe msedge.exe PID 2028 wrote to memory of 1688 2028 go.exe msedge.exe PID 1836 wrote to memory of 4576 1836 explorha.exe rundll32.exe PID 1836 wrote to memory of 4576 1836 explorha.exe rundll32.exe PID 1836 wrote to memory of 4576 1836 explorha.exe rundll32.exe PID 4576 wrote to memory of 4100 4576 rundll32.exe rundll32.exe PID 4576 wrote to memory of 4100 4576 rundll32.exe rundll32.exe PID 4100 wrote to memory of 4524 4100 rundll32.exe netsh.exe PID 4100 wrote to memory of 4524 4100 rundll32.exe netsh.exe PID 1836 wrote to memory of 2732 1836 explorha.exe amert.exe PID 1836 wrote to memory of 2732 1836 explorha.exe amert.exe PID 1836 wrote to memory of 2732 1836 explorha.exe amert.exe PID 4100 wrote to memory of 5468 4100 rundll32.exe powershell.exe PID 4100 wrote to memory of 5468 4100 rundll32.exe powershell.exe PID 1836 wrote to memory of 5728 1836 explorha.exe rundll32.exe PID 1836 wrote to memory of 5728 1836 explorha.exe rundll32.exe PID 1836 wrote to memory of 5728 1836 explorha.exe rundll32.exe PID 6116 wrote to memory of 1700 6116 explorgu.exe random.exe PID 6116 wrote to memory of 1700 6116 explorgu.exe random.exe PID 6116 wrote to memory of 1700 6116 explorgu.exe random.exe PID 6116 wrote to memory of 5244 6116 explorgu.exe alex1234.exe PID 6116 wrote to memory of 5244 6116 explorgu.exe alex1234.exe PID 6116 wrote to memory of 5244 6116 explorgu.exe alex1234.exe PID 6116 wrote to memory of 4100 6116 explorgu.exe amadka.exe PID 6116 wrote to memory of 4100 6116 explorgu.exe amadka.exe PID 6116 wrote to memory of 4100 6116 explorgu.exe amadka.exe PID 5244 wrote to memory of 5884 5244 alex1234.exe RegAsm.exe PID 5244 wrote to memory of 5884 5244 alex1234.exe RegAsm.exe PID 5244 wrote to memory of 5884 5244 alex1234.exe RegAsm.exe PID 5244 wrote to memory of 3940 5244 alex1234.exe RegAsm.exe PID 5244 wrote to memory of 3940 5244 alex1234.exe RegAsm.exe PID 5244 wrote to memory of 3940 5244 alex1234.exe RegAsm.exe PID 5244 wrote to memory of 3940 5244 alex1234.exe RegAsm.exe PID 5244 wrote to memory of 3940 5244 alex1234.exe RegAsm.exe PID 5244 wrote to memory of 3940 5244 alex1234.exe RegAsm.exe PID 5244 wrote to memory of 3940 5244 alex1234.exe RegAsm.exe PID 5244 wrote to memory of 3940 5244 alex1234.exe RegAsm.exe PID 6116 wrote to memory of 6096 6116 explorgu.exe redlinepanel.exe PID 6116 wrote to memory of 6096 6116 explorgu.exe redlinepanel.exe PID 6116 wrote to memory of 6096 6116 explorgu.exe redlinepanel.exe PID 3940 wrote to memory of 4172 3940 RegAsm.exe Traffic.exe PID 3940 wrote to memory of 4172 3940 RegAsm.exe Traffic.exe PID 3940 wrote to memory of 6136 3940 RegAsm.exe propro.exe PID 3940 wrote to memory of 6136 3940 RegAsm.exe propro.exe PID 3940 wrote to memory of 6136 3940 RegAsm.exe propro.exe PID 6116 wrote to memory of 5304 6116 explorgu.exe 32456.exe PID 6116 wrote to memory of 5304 6116 explorgu.exe 32456.exe PID 6116 wrote to memory of 5924 6116 explorgu.exe goldprimeldlldf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe"C:\Users\Admin\AppData\Local\Temp\e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000042001\29102cfda5.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\29102cfda5.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5364 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4960 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4696 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4920 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5760 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5740 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1001061001\Second2.exe"C:\Users\Admin\AppData\Local\Temp\1001061001\Second2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 20124⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6084 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6024 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5696 -ip 56961⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Virtualization/Sandbox Evasion
2Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5fe3aab3ae544a134b68e881b82b70169
SHA1926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA5123fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD528ab7dcce3d62b5c8ccd681d9968b672
SHA1005ccbc3246ff88960a97f557a4067c3aad400e4
SHA256d473a8ce9b47fedbf7413bc6aac2ec10e90512d9441b80d89a778697e29d79ca
SHA5129b0ba427a787c812308ed18b825e23e67185f70de6ff68707a44ea30a1b3847a9d2392c0ac832a9d987c41016253ddb754710cbc0b9ea335f31510272ea99817
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeFilesize
1.8MB
MD54e345d271484c49483a98e3feb8b0c28
SHA1feef7df7a334cb691cc97bf83f6f1c90aef2c904
SHA256e09a4bf1df729f84de4a9bb01a104f0e0f2518666fd89a75d8620b080ad8fd16
SHA5126772e6ecb169c43de0b5f1ba5807a3188fe68d8eb717db81882dbad8dce656a25dd24a8798095ec8b5ad580a990a78e5b4b768fcf9dd803d800ec609572704e5
-
C:\Users\Admin\AppData\Local\Temp\1000042001\29102cfda5.exeFilesize
3.1MB
MD5aa9d67fcde5204824e05b37eea8a4ad2
SHA1d46c3b7cd920df2a09a9bc62ee57f1c156f653fd
SHA25686b62836d0429a68598227ac462ffc28e0194ab49e0ea3bc0913f623fb326181
SHA51224c966d21fb852633ff8c18512f5bb1cc09f11fc9c98e8f32fac4a2134c99fd433b05927a74e65d3656879c13883a3d6f32eff52bca05111fab4fa9038aacf5e
-
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exeFilesize
894KB
MD52f8912af892c160c1c24c9f38a60c1ab
SHA1d2deae508e262444a8f15c29ebcc7ebbe08a3fdb
SHA25659ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308
SHA5120395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb
-
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exeFilesize
1.8MB
MD5505a95d9f55a23d8a9eb74bd4c1dacd4
SHA1538fdc3bb6d7a65530b7d6bf18a92908d3b4fc1f
SHA256b78cedb8b9f43c2e31e431e5e3f24ea2ec6f58678a2c417b8ac5f65b403f15c8
SHA5126afda8e4f84bfe103000f4c52dfb7b5a22e29d32846a08b98f546b5f8d3a9cbf841d82ab9a7c181c2191386a89c57dcd3deece56a6c65f7ca1dc38fa02bfe36e
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exeFilesize
301KB
MD5832eb4dc3ed8ceb9a1735bd0c7acaf1b
SHA1b622a406927fbb8f6cd5081bd4455fb831948fca
SHA2562a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7
SHA5123ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exeFilesize
499KB
MD583d0b41c7a3a0d29a268b49a313c5de5
SHA146f3251c771b67b40b1f3268caef8046174909a5
SHA25609cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9
SHA512705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exeFilesize
464KB
MD5c084d6f6ba40534fbfc5a64b21ef99ab
SHA10b4a17da83c0a8abbc8fab321931d5447b32b720
SHA256afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624
SHA512a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1001061001\Second2.exeFilesize
4.6MB
MD50c2d303852f827c4852bf46550ea2ed8
SHA17bb54cb67135bbb94d8a26356f3d1e170a71a1a7
SHA256194234e48c362f1bf3be6d02c5b380bfc900a2cf7911a1fc658a5a2ec0d0164f
SHA512c2ab4c4a4bcfd4f9f350e946a08a9be3ded6741ac3981a977c52331a403488b4f224c7f0b01d24af3e351e532b3c3cdeedfe356785e5858411c80793fb3ca307
-
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dllFilesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
C:\Users\Admin\AppData\Local\Temp\Tmp2495.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zscti1sz.z04.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp7FBA.tmpFilesize
56KB
MD5d444c807029c83b8a892ac0c4971f955
SHA1fa58ce7588513519dc8fed939b26b05dc25e53b5
SHA2568297a7698f19bb81539a18363db100c55e357fa73f773c2b883d2c4161f6a259
SHA512b7958b843639d4223bef65cdc6c664d7d15b76ac4e0a8b1575201dd47a32899feff32389dcc047314f47944ebe7b774cd59e51d49202f49541bbd70ecbb31a2e
-
C:\Users\Admin\AppData\Local\Temp\tmp7FFC.tmpFilesize
220KB
MD50fa20796bbcb1b9289a09cb3888f45ba
SHA1cfd9d64de8c5cf5de90983c46a59b544265f9b45
SHA256a5c22c6d33d99e568ec486a27687f5ec37f0b825119a6e963f43a29c9c640dc4
SHA512b9200deef273d0fd3fdf72bf70d6e0d839c20862d7b20943b6f248b7f8f5edde24d1ec53cf2b9c9bbfb34ac03cdd0c522b54f319be158ee2897afa99aa7e15c2
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353Filesize
2KB
MD5df94d20b6fae1e8f7b4946822bf24a50
SHA1b0441ada9bdf19339c02a28f519ce016957a51c0
SHA2569cc0884c1d81ba911ded4ecf55a3f188ad9c68c4d2179303662b4643bce9ad3c
SHA512f2d41b6a2326e08e2b7a804596bb64cb2838908d311960d6a643ef8600592eb9aabdcd06d997054d5400647d05194b4d3da792abc806bcd20c27f47c87c5edbf
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD56583c3d7e1adbdbe09099850df718333
SHA14c42f0ef87a79faf41d00c9191bbebe5be7c467a
SHA25628c5e1e74aadc86e4cadb4d61d739e4138d6112e8d084795807a1d46783102a5
SHA5123e86a5a288a0cc32ff774992cf7bbd8c44c9d12acb7b4920ff0ce1ea0264fe28ec3583cdea9d5e5d76a86688e6693c47c6e9df941d8bd539e10e7f8a7815c3d8
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD51aa4c8a8b942fc6bcb48eb0074a8115a
SHA19fd64716658829032a272d64fba6b5b0fcc2faff
SHA256bde42a06c4b56700c437c20f3c8559ebbecb8470eb13f67ea0654e69c62441e4
SHA512d14ff2c99de25c3cf0398892a1a5c34cf97a2a301c6d8391b14925f9d6105c3d0e25e4e19788db336d75a36b7274e6761beeebbda66ec0ada40f060e2d25afa3
-
memory/1360-668-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1360-623-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1360-73-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1360-457-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1360-524-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1360-152-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1360-640-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1360-102-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1360-370-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1360-153-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1360-54-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1360-155-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1360-157-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1360-203-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1360-673-0x00000000006B0000-0x0000000000A72000-memory.dmpFilesize
3.8MB
-
memory/1700-672-0x0000000000CB0000-0x0000000001072000-memory.dmpFilesize
3.8MB
-
memory/1700-669-0x0000000000CB0000-0x0000000001072000-memory.dmpFilesize
3.8MB
-
memory/1700-624-0x0000000000CB0000-0x0000000001072000-memory.dmpFilesize
3.8MB
-
memory/1700-525-0x0000000000CB0000-0x0000000001072000-memory.dmpFilesize
3.8MB
-
memory/1700-636-0x0000000000CB0000-0x0000000001072000-memory.dmpFilesize
3.8MB
-
memory/1700-458-0x0000000000CB0000-0x0000000001072000-memory.dmpFilesize
3.8MB
-
memory/1836-103-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-28-0x0000000005450000-0x0000000005451000-memory.dmpFilesize
4KB
-
memory/1836-674-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-670-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-653-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-622-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-119-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-612-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-25-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-26-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-118-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-224-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-154-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-74-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-156-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-34-0x0000000005490000-0x0000000005491000-memory.dmpFilesize
4KB
-
memory/1836-158-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-27-0x0000000005440000-0x0000000005441000-memory.dmpFilesize
4KB
-
memory/1836-483-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-415-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/1836-29-0x0000000005470000-0x0000000005471000-memory.dmpFilesize
4KB
-
memory/1836-31-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/1836-30-0x0000000005410000-0x0000000005411000-memory.dmpFilesize
4KB
-
memory/1836-32-0x0000000005420000-0x0000000005421000-memory.dmpFilesize
4KB
-
memory/1836-33-0x00000000054A0000-0x00000000054A1000-memory.dmpFilesize
4KB
-
memory/2732-106-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/2732-111-0x0000000004B80000-0x0000000004B81000-memory.dmpFilesize
4KB
-
memory/2732-112-0x0000000004B70000-0x0000000004B71000-memory.dmpFilesize
4KB
-
memory/2732-101-0x0000000000820000-0x0000000000CD2000-memory.dmpFilesize
4.7MB
-
memory/2732-104-0x0000000000820000-0x0000000000CD2000-memory.dmpFilesize
4.7MB
-
memory/2732-109-0x0000000004AF0000-0x0000000004AF1000-memory.dmpFilesize
4KB
-
memory/2732-105-0x0000000004B20000-0x0000000004B21000-memory.dmpFilesize
4KB
-
memory/2732-107-0x0000000004B10000-0x0000000004B11000-memory.dmpFilesize
4KB
-
memory/2732-108-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/2732-117-0x0000000000820000-0x0000000000CD2000-memory.dmpFilesize
4.7MB
-
memory/2732-110-0x0000000004B00000-0x0000000004B01000-memory.dmpFilesize
4KB
-
memory/3940-255-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/4100-359-0x0000000000A50000-0x0000000000F07000-memory.dmpFilesize
4.7MB
-
memory/5036-13-0x00000000002C0000-0x0000000000777000-memory.dmpFilesize
4.7MB
-
memory/5036-24-0x00000000002C0000-0x0000000000777000-memory.dmpFilesize
4.7MB
-
memory/5036-1-0x0000000077724000-0x0000000077726000-memory.dmpFilesize
8KB
-
memory/5036-2-0x00000000002C0000-0x0000000000777000-memory.dmpFilesize
4.7MB
-
memory/5036-3-0x0000000004D10000-0x0000000004D11000-memory.dmpFilesize
4KB
-
memory/5036-4-0x0000000004D20000-0x0000000004D21000-memory.dmpFilesize
4KB
-
memory/5036-5-0x0000000004D00000-0x0000000004D01000-memory.dmpFilesize
4KB
-
memory/5036-6-0x0000000004D50000-0x0000000004D51000-memory.dmpFilesize
4KB
-
memory/5036-8-0x0000000004CF0000-0x0000000004CF1000-memory.dmpFilesize
4KB
-
memory/5036-7-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/5036-0-0x00000000002C0000-0x0000000000777000-memory.dmpFilesize
4.7MB
-
memory/5036-9-0x0000000004D40000-0x0000000004D41000-memory.dmpFilesize
4KB
-
memory/5036-11-0x0000000004D60000-0x0000000004D61000-memory.dmpFilesize
4KB
-
memory/5036-10-0x0000000004D70000-0x0000000004D71000-memory.dmpFilesize
4KB
-
memory/5468-151-0x00007FFE6B2E0000-0x00007FFE6BDA1000-memory.dmpFilesize
10.8MB
-
memory/5468-145-0x000001A3855D0000-0x000001A3855DA000-memory.dmpFilesize
40KB
-
memory/5468-132-0x000001A3855B0000-0x000001A3855C0000-memory.dmpFilesize
64KB
-
memory/5468-130-0x00007FFE6B2E0000-0x00007FFE6BDA1000-memory.dmpFilesize
10.8MB
-
memory/5468-144-0x000001A39DC60000-0x000001A39DC72000-memory.dmpFilesize
72KB
-
memory/5468-133-0x000001A3855B0000-0x000001A3855C0000-memory.dmpFilesize
64KB
-
memory/5468-131-0x000001A3855B0000-0x000001A3855C0000-memory.dmpFilesize
64KB
-
memory/5468-125-0x000001A39D7B0000-0x000001A39D7D2000-memory.dmpFilesize
136KB
-
memory/5696-649-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/5696-646-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/6052-383-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/6112-171-0x0000000004E50000-0x0000000004E51000-memory.dmpFilesize
4KB
-
memory/6112-180-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/6112-161-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/6112-166-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/6112-167-0x0000000004E70000-0x0000000004E71000-memory.dmpFilesize
4KB
-
memory/6112-164-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB
-
memory/6112-165-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/6112-170-0x0000000004E10000-0x0000000004E11000-memory.dmpFilesize
4KB
-
memory/6112-169-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/6112-168-0x0000000004E00000-0x0000000004E01000-memory.dmpFilesize
4KB
-
memory/6116-495-0x0000000000230000-0x00000000006E2000-memory.dmpFilesize
4.7MB
-
memory/6116-655-0x0000000000230000-0x00000000006E2000-memory.dmpFilesize
4.7MB
-
memory/6116-626-0x0000000000230000-0x00000000006E2000-memory.dmpFilesize
4.7MB
-
memory/6116-178-0x00000000049C0000-0x00000000049C1000-memory.dmpFilesize
4KB
-
memory/6116-177-0x00000000049B0000-0x00000000049B1000-memory.dmpFilesize
4KB
-
memory/6116-176-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/6116-173-0x00000000049E0000-0x00000000049E1000-memory.dmpFilesize
4KB
-
memory/6116-614-0x0000000000230000-0x00000000006E2000-memory.dmpFilesize
4.7MB
-
memory/6116-172-0x0000000000230000-0x00000000006E2000-memory.dmpFilesize
4.7MB
-
memory/6116-179-0x0000000004A00000-0x0000000004A01000-memory.dmpFilesize
4KB
-
memory/6116-675-0x0000000000230000-0x00000000006E2000-memory.dmpFilesize
4.7MB
-
memory/6116-175-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/6116-288-0x0000000000230000-0x00000000006E2000-memory.dmpFilesize
4.7MB
-
memory/6116-163-0x0000000000230000-0x00000000006E2000-memory.dmpFilesize
4.7MB
-
memory/6116-671-0x0000000000230000-0x00000000006E2000-memory.dmpFilesize
4.7MB
-
memory/6116-174-0x00000000049F0000-0x00000000049F1000-memory.dmpFilesize
4KB
-
memory/6116-181-0x0000000004A30000-0x0000000004A31000-memory.dmpFilesize
4KB
-
memory/6116-449-0x0000000000230000-0x00000000006E2000-memory.dmpFilesize
4.7MB
-
memory/6120-666-0x0000000000A70000-0x0000000000F27000-memory.dmpFilesize
4.7MB