Analysis Overview
SHA256
c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12
Threat Level: Known bad
The file c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12 was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
RisePro
Amadey
Glupteba
RedLine
Stealc
SectopRAT payload
SectopRAT
ZGRat
Detect ZGRat V1
RedLine payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Downloads MZ/PE file
Blocklisted process makes network request
Checks BIOS information in registry
Reads WinSCP keys stored on the system
Identifies Wine through registry keys
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads local data of messenger clients
Manipulates WinMonFS driver.
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Enumerates system info in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-27 13:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-27 13:30
Reported
2024-04-27 13:33
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Lumma Stealer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealc
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\1000017002\a870a92ff3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\1000017002\a870a92ff3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\1000017002\a870a92ff3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u49s.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000016001\70c5a24a95.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u49s.3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | C:\Users\Admin\1000017002\a870a92ff3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u49s.2\run.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\70c5a24a95.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\70c5a24a95.exe" | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a870a92ff3.exe = "C:\\Users\\Admin\\1000017002\\a870a92ff3.exe" | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\1000017002\a870a92ff3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorta.job | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u49s.3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u49s.3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u49s.3.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u49s.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u49s.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3906287020-2915474608-1755617787-1000\{0ABBB748-FCEC-4ACD-9ACE-15C7FAE262DB} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u49s.2\run.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u49s.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u49s.2\run.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
"C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe"
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"
C:\Users\Admin\AppData\Local\Temp\1000016001\70c5a24a95.exe
"C:\Users\Admin\AppData\Local\Temp\1000016001\70c5a24a95.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a06bab58,0x7ff9a06bab68,0x7ff9a06bab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1900,i,6958620670117304495,3857268294345062821,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1900,i,6958620670117304495,3857268294345062821,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1900,i,6958620670117304495,3857268294345062821,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1900,i,6958620670117304495,3857268294345062821,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1900,i,6958620670117304495,3857268294345062821,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4380 --field-trial-handle=1900,i,6958620670117304495,3857268294345062821,131072 /prefetch:1
C:\Users\Admin\1000017002\a870a92ff3.exe
"C:\Users\Admin\1000017002\a870a92ff3.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4620 --field-trial-handle=1900,i,6958620670117304495,3857268294345062821,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4788 --field-trial-handle=1900,i,6958620670117304495,3857268294345062821,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1900,i,6958620670117304495,3857268294345062821,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4348 --field-trial-handle=1900,i,6958620670117304495,3857268294345062821,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4332 --field-trial-handle=1900,i,6958620670117304495,3857268294345062821,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1900,i,6958620670117304495,3857268294345062821,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 876
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 360
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 368
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
"C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe"
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe
"C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3416 -ip 3416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 352
C:\Users\Admin\AppData\Local\Temp\u49s.0.exe
"C:\Users\Admin\AppData\Local\Temp\u49s.0.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"
C:\Users\Admin\AppData\Local\Temp\u49s.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u49s.2\run.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\u49s.3.exe
"C:\Users\Admin\AppData\Local\Temp\u49s.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5536 -ip 5536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 1540
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\906287020291_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\u49s.0.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3052 -ip 3052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1320
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| RU | 193.233.132.139:80 | 193.233.132.139 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | 167.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 172.217.169.78:443 | www.youtube.com | tcp |
| GB | 172.217.169.78:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 173.194.69.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 216.58.212.202:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 78.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.69.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.youtube.com | udp |
| GB | 172.217.16.238:443 | accounts.youtube.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| GB | 142.250.187.206:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| GB | 142.250.187.206:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 172.217.16.238:443 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | affordcharmcropwo.shop | udp |
| US | 172.67.181.34:443 | affordcharmcropwo.shop | tcp |
| US | 8.8.8.8:53 | cleartotalfisherwo.shop | udp |
| US | 172.67.185.32:443 | cleartotalfisherwo.shop | tcp |
| US | 8.8.8.8:53 | 34.181.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | worryfillvolcawoi.shop | udp |
| US | 104.21.44.125:443 | worryfillvolcawoi.shop | tcp |
| US | 8.8.8.8:53 | enthusiasimtitleow.shop | udp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| US | 8.8.8.8:53 | 32.185.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dismissalcylinderhostw.shop | udp |
| US | 104.21.22.160:443 | dismissalcylinderhostw.shop | tcp |
| US | 8.8.8.8:53 | 233.18.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.22.21.104.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | diskretainvigorousiw.shop | udp |
| US | 172.67.211.165:443 | diskretainvigorousiw.shop | tcp |
| US | 8.8.8.8:53 | productivelookewr.shop | udp |
| US | 104.21.11.250:443 | productivelookewr.shop | tcp |
| US | 8.8.8.8:53 | communicationgenerwo.shop | udp |
| US | 104.21.83.19:443 | communicationgenerwo.shop | tcp |
| DE | 185.172.128.33:8970 | tcp | |
| US | 8.8.8.8:53 | tolerateilusidjukl.shop | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.211.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.11.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.83.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | pillowbrocccolipe.shop | udp |
| US | 104.21.89.202:443 | tolerateilusidjukl.shop | tcp |
| US | 172.67.144.218:443 | pillowbrocccolipe.shop | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | shatterbreathepsw.shop | udp |
| US | 104.21.95.19:443 | shatterbreathepsw.shop | tcp |
| US | 8.8.8.8:53 | shortsvelventysjo.shop | udp |
| US | 172.67.216.69:443 | shortsvelventysjo.shop | tcp |
| US | 8.8.8.8:53 | 202.89.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.95.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | incredibleextedwj.shop | udp |
| US | 104.21.86.106:443 | incredibleextedwj.shop | tcp |
| US | 8.8.8.8:53 | file-host-host0.com | udp |
| RU | 194.87.210.219:80 | file-host-host0.com | tcp |
| US | 8.8.8.8:53 | 69.216.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.86.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alcojoldwograpciw.shop | udp |
| US | 172.67.157.23:443 | alcojoldwograpciw.shop | tcp |
| RU | 185.215.113.67:26260 | tcp | |
| US | 8.8.8.8:53 | liabilitynighstjsko.shop | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 172.67.192.138:443 | liabilitynighstjsko.shop | tcp |
| US | 8.8.8.8:53 | 219.210.87.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.157.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.192.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | demonstationfukewko.shop | udp |
| US | 104.21.33.174:443 | demonstationfukewko.shop | tcp |
| US | 8.8.8.8:53 | parrotflight.com | udp |
| US | 104.21.84.71:443 | parrotflight.com | tcp |
| FR | 52.143.157.84:80 | 52.143.157.84 | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| US | 8.8.8.8:53 | 174.33.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.84.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.157.143.52.in-addr.arpa | udp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | 228.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | note.padd.cn.com | udp |
| US | 8.8.8.8:53 | junglethomas.com | udp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| US | 104.21.92.190:443 | junglethomas.com | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.76.97.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.92.21.104.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 45.87.157.20.in-addr.arpa | udp |
| DE | 185.172.128.76:80 | 185.172.128.76 | tcp |
| US | 8.8.8.8:53 | 76.128.172.185.in-addr.arpa | udp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | palmeventeryjusk.shop | udp |
| US | 172.67.155.93:443 | palmeventeryjusk.shop | tcp |
| US | 8.8.8.8:53 | 93.155.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | entitlementappwo.shop | udp |
| US | 104.21.75.133:443 | entitlementappwo.shop | tcp |
| US | 8.8.8.8:53 | economicscreateojsu.shop | udp |
| US | 172.67.145.57:443 | economicscreateojsu.shop | tcp |
| US | 8.8.8.8:53 | 133.75.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.145.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pushjellysingeywus.shop | udp |
| US | 104.21.70.22:443 | pushjellysingeywus.shop | tcp |
| US | 8.8.8.8:53 | absentconvicsjawun.shop | udp |
| US | 104.21.26.86:443 | absentconvicsjawun.shop | tcp |
| US | 8.8.8.8:53 | 22.70.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | suitcaseacanehalk.shop | udp |
| US | 172.67.214.60:443 | suitcaseacanehalk.shop | tcp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 185.93.2.244:443 | download.iolo.net | tcp |
| US | 8.8.8.8:53 | bordersoarmanusjuw.shop | udp |
| US | 172.67.189.66:443 | bordersoarmanusjuw.shop | tcp |
| US | 8.8.8.8:53 | 86.26.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.214.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 244.2.93.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.189.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mealplayerpreceodsju.shop | udp |
| US | 104.21.22.58:443 | mealplayerpreceodsju.shop | tcp |
| US | 8.8.8.8:53 | 58.22.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wifeplasterbakewis.shop | udp |
| US | 172.67.196.237:443 | wifeplasterbakewis.shop | tcp |
| US | 8.8.8.8:53 | 237.196.67.172.in-addr.arpa | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| RU | 91.215.85.66:15647 | tcp | |
| US | 8.8.8.8:53 | 66.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | 148.155.9.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9f0b95ce-2213-43b2-9b93-80544e7fb925.uuid.databaseupgrade.ru | udp |
| US | 8.8.8.8:53 | server7.databaseupgrade.ru | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun.l.google.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 74.125.250.129:19302 | stun.l.google.com | udp |
| BG | 185.82.216.108:443 | server7.databaseupgrade.ru | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 129.250.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.94.21.104.in-addr.arpa | udp |
| BG | 185.82.216.108:443 | server7.databaseupgrade.ru | tcp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
memory/4936-0-0x00000000004D0000-0x0000000000989000-memory.dmp
memory/4936-1-0x00000000777E4000-0x00000000777E6000-memory.dmp
memory/4936-7-0x00000000053F0000-0x00000000053F1000-memory.dmp
memory/4936-6-0x00000000053E0000-0x00000000053E1000-memory.dmp
memory/4936-5-0x0000000005440000-0x0000000005441000-memory.dmp
memory/4936-4-0x0000000005400000-0x0000000005401000-memory.dmp
memory/4936-2-0x0000000005410000-0x0000000005411000-memory.dmp
memory/4936-3-0x0000000005420000-0x0000000005421000-memory.dmp
memory/4936-10-0x0000000005460000-0x0000000005461000-memory.dmp
memory/4936-9-0x0000000005470000-0x0000000005471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
| MD5 | 00d2b75c4c3e234c8576a67d24849596 |
| SHA1 | d5badbb62b2adbcef7e01b3b5bd342d11c09cdb5 |
| SHA256 | c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12 |
| SHA512 | 0fa5377df174c92130fea3352e60a9571e6724c39fb5397a94d93d84fec3b044ad3935a1ba5ab9243a66d2b5dc02756aeb087118e6a7097b810c01da6813cd7d |
memory/4936-22-0x00000000004D0000-0x0000000000989000-memory.dmp
memory/2260-23-0x0000000000DB0000-0x0000000001269000-memory.dmp
memory/2260-29-0x00000000052E0000-0x00000000052E1000-memory.dmp
memory/2260-28-0x00000000052D0000-0x00000000052D1000-memory.dmp
memory/2260-27-0x0000000005330000-0x0000000005331000-memory.dmp
memory/2260-26-0x00000000052F0000-0x00000000052F1000-memory.dmp
memory/2260-25-0x0000000005310000-0x0000000005311000-memory.dmp
memory/2260-24-0x0000000005300000-0x0000000005301000-memory.dmp
memory/2260-31-0x0000000005350000-0x0000000005351000-memory.dmp
memory/2260-30-0x0000000005360000-0x0000000005361000-memory.dmp
memory/4348-34-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-37-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-38-0x0000000000DB0000-0x0000000001269000-memory.dmp
memory/4348-39-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-40-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-45-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-44-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-46-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-49-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-56-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-52-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-50-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-51-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-62-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-63-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-64-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-67-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-66-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-65-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-61-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-60-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-59-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-58-0x0000000000400000-0x00000000009D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
| MD5 | d054b81052bdd5c8a61c39bde9338619 |
| SHA1 | 972cbd9ea1e5fb927e28fe42d46474df5f5c3da2 |
| SHA256 | 24205fa7d0c1726d1c0992549b2eb365c6dd96c5ff31e70de2585dfe480bb4db |
| SHA512 | 21049967ab5fe517e78022b48c47d978681fae4f6e288aa30c610471626b4355686f064e6062a960a653b7dcb34bf864a7cabc012f6bcd3af5f8935727419e3b |
memory/4348-57-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-55-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-54-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-53-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-48-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-47-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-43-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-41-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/4348-42-0x0000000000400000-0x00000000009D5000-memory.dmp
memory/2260-82-0x0000000000DB0000-0x0000000001269000-memory.dmp
memory/5212-84-0x0000000000410000-0x00000000008BB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000016001\70c5a24a95.exe
| MD5 | 0c8fb935aa45b49414f71c7c47e76a05 |
| SHA1 | e3d771570534484809d5043a2bef9e4c6a3cb059 |
| SHA256 | f15c5afaa7959c82b66d8343072d5f5f2daf6a5a071571f6ab8fa451e0933e4e |
| SHA512 | f02c6c9bb0386423b9180f96084a5a09dc7b7b1d1a63f0afbed652c52126854160ed79a038ac134f0976c8da997d2b2ad1683816757915d1c91ab6b4280c612b |
memory/5212-108-0x0000000000410000-0x00000000008BB000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 3c2ecdf8c5624e342841b5d581cd385d |
| SHA1 | daa312f716da9ff449fd1a74a4758c9911d01e08 |
| SHA256 | 88a38fcbd707e182ed15da4037d3d1170c6daee9e2558ce850e63e5548c04dae |
| SHA512 | c39b0b5e292a4d171dd9ab1f084961d4990b96af3f8c64ec214bfbe67acf5e19d2f3add7f085cac00d1e905ddc65914edf1537af0da91cbd596517a9d5e58de5 |
\??\pipe\crashpad_4172_DLMVVMWOLZKDNUWQ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\1000017002\a870a92ff3.exe
| MD5 | cdb5335600bdde4a55be886d5c3ee2cc |
| SHA1 | 34cad7a1c3c108fa23e479b9d69b78533754a310 |
| SHA256 | c3fffbc1cb95ba91eccbd76c62b3878766e7d7a99d4562d5f8876e6090fcceac |
| SHA512 | 2ea5dfcf21740a309c1eb0604eeaddcdd1502139c09eba79fa79daae699e73a4742a5585a397e8f9c3169a8ffcff045062c5a2629b230b8282c5ac5f6a8a4896 |
memory/2260-173-0x0000000000DB0000-0x0000000001269000-memory.dmp
memory/1124-177-0x00000000004F0000-0x0000000000AED000-memory.dmp
memory/3716-189-0x0000000000DB0000-0x0000000001269000-memory.dmp
memory/4004-190-0x00000000009E0000-0x0000000000E8B000-memory.dmp
memory/2260-188-0x0000000000DB0000-0x0000000001269000-memory.dmp
memory/3716-193-0x0000000000DB0000-0x0000000001269000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
| MD5 | 1c7d0f34bb1d85b5d2c01367cc8f62ef |
| SHA1 | 33aedadb5361f1646cffd68791d72ba5f1424114 |
| SHA256 | e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c |
| SHA512 | 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d |
memory/2756-213-0x0000000000440000-0x0000000000492000-memory.dmp
memory/3740-216-0x0000000000400000-0x000000000044C000-memory.dmp
memory/3740-218-0x0000000000400000-0x000000000044C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5797fe221fb50f36612736784e84f9a0 |
| SHA1 | 9835ffe1a17d2a4493173a6c339ab605d6666073 |
| SHA256 | 9ea7c72a1d01db8bbfa09657b8a2eb59b17eb96f9b40531f21415c3a7ec5d39a |
| SHA512 | 3b9c54af7c873ee5f41fb233c34078e2ca3e9133309a7e970cab68a16e930079a84f0efa9b90868b430050fc1f7ef7c2549b64c2992cd8a16e3c78e5e3a8e3a0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | c248308d91ef2cc7700a2e1b678ed231 |
| SHA1 | f0d85a9c5cfabbb57cdb2310af4508a6f5930e5a |
| SHA256 | 926a2bf2261811f82b7723028920c40102593633bb3c456eb41d8ad975619bde |
| SHA512 | 36d4219a9640e137ce9b963dedfccf3fcb8404b9e2ee400459042b05c9339f92456e419c4656ced4e52b6fe1bca4fb397c3c11d9abbc036de8417763e28a3c23 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 5fe95a5b57d9bee3ab3768e474021765 |
| SHA1 | cdb5b7d9360ef663526a9b6ac5d1bbc3fa169504 |
| SHA256 | aca9181c18ea2eb55ecc6851e4588d98495f28d7a11bf572ffbb575df86393a7 |
| SHA512 | a779e750486e06fc909ec9d5e7457f64a3b1123abcc461ad94af1cb3df63a21d3416f0793ffffbedbc40f4e870d4046dc16d67fd900f88b9f34762376b7e20d2 |
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
| MD5 | 31841361be1f3dc6c2ce7756b490bf0f |
| SHA1 | ff2506641a401ac999f5870769f50b7326f7e4eb |
| SHA256 | 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee |
| SHA512 | 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019 |
memory/5184-254-0x0000000000400000-0x0000000000592000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
| MD5 | 20ae0bb07ba77cb3748aa63b6eb51afb |
| SHA1 | 87c468dc8f3d90a63833d36e4c900fa88d505c6d |
| SHA256 | daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d |
| SHA512 | db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2 |
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
| MD5 | 0c582da789c91878ab2f1b12d7461496 |
| SHA1 | 238bd2408f484dd13113889792d6e46d6b41c5ba |
| SHA256 | a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67 |
| SHA512 | a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a |
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
| MD5 | b22521fb370921bb5d69bf8deecce59e |
| SHA1 | 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea |
| SHA256 | b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158 |
| SHA512 | 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c |
memory/1240-285-0x0000000000F50000-0x0000000000FA2000-memory.dmp
memory/1240-286-0x0000000005D20000-0x00000000062C4000-memory.dmp
memory/1240-287-0x0000000005860000-0x00000000058F2000-memory.dmp
memory/3640-297-0x0000000000400000-0x000000000044E000-memory.dmp
memory/1240-295-0x0000000005A20000-0x0000000005A2A000-memory.dmp
memory/3640-298-0x0000000000400000-0x000000000044E000-memory.dmp
memory/1716-315-0x0000000000730000-0x00000000007F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp9C40.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/1240-316-0x0000000006490000-0x0000000006506000-memory.dmp
memory/1240-317-0x0000000006DB0000-0x0000000006DCE000-memory.dmp
memory/1240-320-0x00000000073F0000-0x0000000007A08000-memory.dmp
memory/1240-322-0x0000000006FC0000-0x0000000006FD2000-memory.dmp
memory/1240-323-0x0000000007020000-0x000000000705C000-memory.dmp
memory/1240-321-0x0000000007080000-0x000000000718A000-memory.dmp
memory/1240-324-0x0000000007190000-0x00000000071DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
memory/1124-339-0x00000000004F0000-0x0000000000AED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
| MD5 | 73f40e4d6b322bf4d7c8b18d120af5c7 |
| SHA1 | 533e7400d1264fe8fb740366e700c035224f83d1 |
| SHA256 | 9317408100896c9251defb1a2f2cfca2627ac72dce9f4d7f0d5c3bfdc736e179 |
| SHA512 | c1e2e2cfa9dc2f829c7bdda1af9dd432a19ff8f3818a1a3ad1b73d6f08f666cbf5cbfb6573e75a7cb0b5288aeccfda6927e5723337a0e822b892fb1d6f280260 |
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
| MD5 | 8510bcf5bc264c70180abe78298e4d5b |
| SHA1 | 2c3a2a85d129b0d750ed146d1d4e4d6274623e28 |
| SHA256 | 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6 |
| SHA512 | 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d |
memory/5544-383-0x0000000000540000-0x0000000000592000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 89ea47124419063323eab03b25f2dee8 |
| SHA1 | 9c672f4fc1989e92feb24e03c31a537cc1f86101 |
| SHA256 | b3cb7811420279d62aeacb797073a32e2f1c8ae54e4796f9f94de6a2a4b00fb6 |
| SHA512 | e4a43357e1851bb270cece92b5557e27e2cbd42b6a171b20e58f8eb0311fcf288942441d6acbe433091da0647c7866ed136f2a45fe27fa57b82bcd51b049c991 |
memory/1716-406-0x000000001D690000-0x000000001D706000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3906287020-2915474608-1755617787-1000\76b53b3ec448f7ccdda2063b15d2bfc3_215f2dba-ef84-4dd1-b127-5f514a0c233b
| MD5 | a79c63256330d86c65a8997c9fc83ba9 |
| SHA1 | 9560587f903472b33df6e512fdb9be162295462f |
| SHA256 | e26fbc08f5091cac6fbc748e2bb0e5452d446d8e11c8015528a8f383627868b2 |
| SHA512 | d019f7bce31fd7526fc9122ae8324fec4e1dcf375bdded5a623b29eb7be46caf460da240a932a5b3b2ff9f87e843eb28c5c90820cdf66b4140cc5097b9f7a951 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 17f7daf782738b3ae09406b9b72445d4 |
| SHA1 | 1220fee4675d60de64b000d30f9a9deafc18d28c |
| SHA256 | cbc0338e8d33243880a10b1be9176ca2521004d6264c8aafb956317ed3c83bc6 |
| SHA512 | bb21e68fa4bdc7e92058cd1b3b34f8b30c2177050978b537fb8e99f5d8055d3fe671388383f6cd2c730252ddfeb526ce01631de9a3a2494432da9e8a483f2c65 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 24b78a2d82b708b851741bb37fc85a46 |
| SHA1 | 58aaa9e4f7e4e4d1393991c1c9bde736a20a619f |
| SHA256 | ed2d095ff3ddfe3846edc26b249d36825ea2dc489f6399de5dd78c5310e8470b |
| SHA512 | 0f92cb7495d538d439d1bec043ac16bd6c347f39505fec76ddf40ce1616881215c8151d0e873d080f40c0e05359f3e888a590fd48ce67042b859c91b5029220e |
memory/1716-423-0x000000001DD10000-0x000000001DD2E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
| MD5 | 586f7fecacd49adab650fae36e2db994 |
| SHA1 | 35d9fb512a8161ce867812633f0a43b042f9a5e6 |
| SHA256 | cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e |
| SHA512 | a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 9aeec98871cd6e4df29a71cd4e08740e |
| SHA1 | db034ecd8ad727065b8180173ff3ff4c0343d607 |
| SHA256 | 409e3f8a9e9cb339b6ab43989fd067e6cae1ba1f6479e14fa8be5912b49d914d |
| SHA512 | 8832d05049546a8227e4a08807e3b243a3eded6366959e77aede75e38b932a2af490a0b33dfd0c659d139bfc5b9aa9fb5d12c7b4e773ae5be306374f9694d315 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 497562c072bbcba60f10168433ab7345 |
| SHA1 | 92fe6469aaa9f4f25916467f86942813c07c713d |
| SHA256 | 164dc769576d976e05163201ea5647ae564233a6dcf69fc2cc1774845f9a9763 |
| SHA512 | 1145f0d46c4445a515c917e9002d9148814ab8afd36041e4eeceb73cc12bda299c2b301ae508b08b949356944d6864ada0e35547aa1625ab31bef5f21dc52f85 |
C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe
| MD5 | 2c8f5e7a9e670c3850b2de0d2f3758b2 |
| SHA1 | 42409c886411ce73c1d6f07bbae47bf8f2db713c |
| SHA256 | bc113ed2bff68b7cf9dd805ec562bffc04fbadcf75a16df1ec6fcfa6b479f5ce |
| SHA512 | 1237d9fbc5cfd97e2377c56143a100daeeff8e71ffa90c4fa7227eab94b3edf841e8ca8b68a8ed8c18d9cc03457a4c246a98147ab317079650bcf88877211454 |
memory/756-473-0x00000000001C0000-0x00000000001EE000-memory.dmp
memory/4720-476-0x0000000000400000-0x000000000063B000-memory.dmp
memory/4720-478-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe
| MD5 | 24dd75b0a7bb9a0e0918ee0dd84a581a |
| SHA1 | de796b237488df3d26a99aa8a78098c010aeb2c9 |
| SHA256 | 878966291372a9633242af15570a8bbe31699b5e0b650e806af4742da1f6b35d |
| SHA512 | 53f951d795fbf760dd593619bb3f96fd604bc15adb4f637457d28fbd78ae3764afd4e9c9a755a6241431ad4664dd30e4a2df84e33fe59954f7c55da0e4038557 |
memory/1240-503-0x00000000072D0000-0x0000000007336000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u49s.0.exe
| MD5 | bb6c0db2692c14003e15f01713c4eb01 |
| SHA1 | be4472720ad193c57404ad1283d91cdf7a537b73 |
| SHA256 | f8555f4f1b9bced019d3838f1406a3073056595108c23c627139d242cfbd4100 |
| SHA512 | 3d862171e78e795bc3f2b992fa39575c61afb333625fc457665ac0292ab445b5d6f3f05e5943c8b4226879c15b28142819ef8135ae3b78c3502ba8077bd11e63 |
memory/4004-538-0x00000000009E0000-0x0000000000E8B000-memory.dmp
memory/2260-537-0x0000000000DB0000-0x0000000001269000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
| MD5 | 82ae6dfb927677dcf61d90caf8abf108 |
| SHA1 | f9ee0bb036730d783e86b125128f5ef16801424a |
| SHA256 | 06e1bff50ff1db950d373b4cb6661a1fc64272b4ba76286490eedb007ad6b92e |
| SHA512 | 057a4b3471595b73e60b1770b39abb0ce4e9b097d71883efe25bba858ec22278190fd8eeb8b86c83d0cf45ebb1264756a7b1355db64c0f3cc6e57975bba02a1c |
memory/4720-519-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
| MD5 | f35b671fda2603ec30ace10946f11a90 |
| SHA1 | 059ad6b06559d4db581b1879e709f32f80850872 |
| SHA256 | 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7 |
| SHA512 | b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705 |
memory/3416-540-0x0000000000400000-0x0000000002AF3000-memory.dmp
memory/1240-581-0x0000000007D60000-0x0000000007DB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe
| MD5 | 6ed714c1a56743f32ed097b0b79e1be2 |
| SHA1 | dc6cd1493016221d853ba8cb84623aee5fc7fde1 |
| SHA256 | 18cbd445ca637b452e9ca89911ab9b30f0adf60a35c2569a42ae13dcd5a44bf9 |
| SHA512 | a1a6a1abda4504859b0a0c21bf2e41485c608a01038f207c6636bf191cc824cbe9ce2fd02e247737e32904e5b89b2b88830af3daf024d8da8d5fbf7521e1005c |
C:\Users\Admin\AppData\Local\Temp\u49s.1.zip
| MD5 | 78d3ca6355c93c72b494bb6a498bf639 |
| SHA1 | 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e |
| SHA256 | a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001 |
| SHA512 | 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea |
C:\Users\Admin\AppData\Local\Temp\u49s.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 7affd30077cfe938e366b3025624ee4a |
| SHA1 | 824db99fe008ffe010b028377e0359ffbc5236f4 |
| SHA256 | 0418fc856ecc392219313f95fd9c8c9bbea62cfa456a66075225ddd803f3765f |
| SHA512 | ae06c3b5c59ec5058a3be627692529667f189770fe839f54154fa1ed0fad5ae539e1e312f767ba720ffd1edb01ab4795ef41236bf5f85c9cca7df786fba1f7c5 |
C:\Users\Admin\AppData\Local\Temp\u49s.2\bunch.dat
| MD5 | 1e8237d3028ab52821d69099e0954f97 |
| SHA1 | 30a6ae353adda0c471c6ed5b7a2458b07185abf2 |
| SHA256 | 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742 |
| SHA512 | a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3 |
C:\Users\Admin\AppData\Local\Temp\u49s.2\whale.dbf
| MD5 | a723bf46048e0bfb15b8d77d7a648c3e |
| SHA1 | 8952d3c34e9341e4425571e10f22b782695bb915 |
| SHA256 | b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422 |
| SHA512 | ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273 |
memory/5612-691-0x000000006BCF0000-0x000000006BE6B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u49s.2\relay.dll
| MD5 | 10d51becd0bbce0fab147ff9658c565e |
| SHA1 | 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a |
| SHA256 | 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed |
| SHA512 | 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29 |
memory/5612-692-0x00007FF9AE950000-0x00007FF9AEB45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u49s.3.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/5536-731-0x0000000000400000-0x0000000002B1F000-memory.dmp
memory/5544-737-0x0000000007F10000-0x000000000843C000-memory.dmp
memory/5544-736-0x0000000007810000-0x00000000079D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gnew2cjo.ole.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4796-747-0x000001E1D83E0000-0x000001E1D8402000-memory.dmp
memory/5612-748-0x000000006BCF0000-0x000000006BE6B000-memory.dmp
memory/2260-750-0x0000000000DB0000-0x0000000001269000-memory.dmp
memory/4348-754-0x0000000000400000-0x00000000009D5000-memory.dmp
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
| MD5 | 154c3f1334dd435f562672f2664fea6b |
| SHA1 | 51dd25e2ba98b8546de163b8f26e2972a90c2c79 |
| SHA256 | 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f |
| SHA512 | 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841 |
memory/4796-767-0x000001E1F09E0000-0x000001E1F09F2000-memory.dmp
memory/4796-768-0x000001E1F09D0000-0x000001E1F09DA000-memory.dmp
memory/3536-774-0x00000000031D0000-0x0000000003206000-memory.dmp
memory/3536-775-0x0000000005A90000-0x00000000060B8000-memory.dmp
memory/3536-777-0x00000000060C0000-0x0000000006126000-memory.dmp
memory/3536-776-0x00000000059F0000-0x0000000005A12000-memory.dmp
memory/3536-778-0x00000000061D0000-0x0000000006524000-memory.dmp
memory/3536-790-0x00000000067C0000-0x00000000067DE000-memory.dmp
memory/3536-793-0x000000006B2B0000-0x000000006B604000-memory.dmp
memory/3536-804-0x0000000007A30000-0x0000000007AD3000-memory.dmp
memory/3536-803-0x00000000077D0000-0x00000000077EE000-memory.dmp
memory/3536-792-0x000000006FD90000-0x000000006FDDC000-memory.dmp
memory/3536-791-0x0000000007790000-0x00000000077C2000-memory.dmp
memory/3536-814-0x0000000008180000-0x00000000087FA000-memory.dmp
memory/3536-815-0x0000000007B30000-0x0000000007B4A000-memory.dmp
memory/3536-816-0x0000000007BB0000-0x0000000007BBA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | cab9f1ba00cd1930ba5b69f6e4718848 |
| SHA1 | e4dd0e5643ece7c7436df9f8d5724b5747db29b6 |
| SHA256 | fd262adad2bf3c3f5d439459c624b1f22e8ec50f0b26957a16cb86f652d8e3fc |
| SHA512 | c43bf017504a1f0fbbbf0f649a3aa2942d961df14464be3626fc3116f3ed5753610000d7f5a4a3ab9eef40c6d20627ec67aaafa57aa526f3fcaf285f842da7cd |
memory/3536-826-0x0000000007DC0000-0x0000000007E56000-memory.dmp
memory/3536-827-0x0000000007D20000-0x0000000007D31000-memory.dmp
memory/3536-828-0x0000000007D50000-0x0000000007D5E000-memory.dmp
memory/3536-829-0x0000000007D60000-0x0000000007D74000-memory.dmp
memory/3536-830-0x0000000007DA0000-0x0000000007DBA000-memory.dmp
memory/3536-831-0x0000000007D90000-0x0000000007D98000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 553c0aa75f45d2c2e633c7f9c17e05d9 |
| SHA1 | 7972a17af8e14060a0c4af0cfa51cf9f564c864c |
| SHA256 | 90b20ff63a29dc1bdb9d171774a8499d1c51b76d5595cb304673e8b433d948fe |
| SHA512 | 767dd4fef89242002a60c17f1f9b2d29d373a993af9c40572643f74d56d89880c794f4edfa987bda676b438f7f5532d383a8c6040ce5f1882ff29b2b154025f1 |
memory/4748-854-0x000002A5358C0000-0x000002A5391B8000-memory.dmp
memory/4748-857-0x000002A53AE40000-0x000002A53AE4C000-memory.dmp
memory/4748-858-0x000002A5397A0000-0x000002A5397B4000-memory.dmp
memory/4748-859-0x000002A53AFD0000-0x000002A53AFF4000-memory.dmp
memory/4748-856-0x000002A539790000-0x000002A5397A0000-memory.dmp
memory/4748-855-0x000002A5549B0000-0x000002A554AC0000-memory.dmp
memory/1124-871-0x00000000004F0000-0x0000000000AED000-memory.dmp
memory/872-873-0x0000000000600000-0x00000000006C6000-memory.dmp
memory/872-874-0x0000000004B70000-0x0000000004B7A000-memory.dmp
memory/4748-876-0x000002A5546A0000-0x000002A554752000-memory.dmp
memory/4748-875-0x000002A5395A0000-0x000002A5395AA000-memory.dmp
memory/4748-877-0x000002A53B000000-0x000002A53B02A000-memory.dmp
memory/4748-879-0x000002A554C80000-0x000002A554CE2000-memory.dmp
memory/4748-878-0x000002A554C00000-0x000002A554C7A000-memory.dmp
memory/4748-880-0x000002A5395B0000-0x000002A5395BA000-memory.dmp
memory/4748-884-0x000002A554DE0000-0x000002A5550E0000-memory.dmp
memory/4748-886-0x000002A554D30000-0x000002A554D38000-memory.dmp
memory/4748-888-0x000002A554D50000-0x000002A554D5E000-memory.dmp
memory/4748-887-0x000002A5590C0000-0x000002A5590F8000-memory.dmp
memory/4748-890-0x000002A559A10000-0x000002A559A32000-memory.dmp
memory/4748-889-0x000002A559130000-0x000002A55913A000-memory.dmp
memory/4748-891-0x000002A559F60000-0x000002A55A488000-memory.dmp
memory/4748-894-0x000002A5597E0000-0x000002A559830000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-27 13:30
Reported
2024-04-27 13:33
Platform
win11-20240419-en
Max time kernel
145s
Max time network
66s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorta.job | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4624 wrote to memory of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe |
| PID 4624 wrote to memory of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe |
| PID 4624 wrote to memory of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
"C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe"
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
Network
| Country | Destination | Domain | Proto |
| RU | 193.233.132.139:80 | tcp | |
| RU | 193.233.132.139:80 | tcp | |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/4624-0-0x0000000000E00000-0x00000000012B9000-memory.dmp
memory/4624-1-0x0000000077696000-0x0000000077698000-memory.dmp
memory/4624-7-0x0000000004F20000-0x0000000004F21000-memory.dmp
memory/4624-2-0x0000000004F10000-0x0000000004F11000-memory.dmp
memory/4624-4-0x0000000004F40000-0x0000000004F41000-memory.dmp
memory/4624-5-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
memory/4624-3-0x0000000004F00000-0x0000000004F01000-memory.dmp
memory/4624-6-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
memory/4624-8-0x0000000004F60000-0x0000000004F61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
| MD5 | 00d2b75c4c3e234c8576a67d24849596 |
| SHA1 | d5badbb62b2adbcef7e01b3b5bd342d11c09cdb5 |
| SHA256 | c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12 |
| SHA512 | 0fa5377df174c92130fea3352e60a9571e6724c39fb5397a94d93d84fec3b044ad3935a1ba5ab9243a66d2b5dc02756aeb087118e6a7097b810c01da6813cd7d |
memory/456-22-0x0000000000190000-0x0000000000649000-memory.dmp
memory/4624-21-0x0000000000E00000-0x00000000012B9000-memory.dmp
memory/456-29-0x0000000005430000-0x0000000005431000-memory.dmp
memory/456-28-0x00000000053E0000-0x00000000053E1000-memory.dmp
memory/456-27-0x00000000053D0000-0x00000000053D1000-memory.dmp
memory/456-26-0x0000000005440000-0x0000000005441000-memory.dmp
memory/456-25-0x00000000053F0000-0x00000000053F1000-memory.dmp
memory/456-24-0x0000000005410000-0x0000000005411000-memory.dmp
memory/456-23-0x0000000005400000-0x0000000005401000-memory.dmp
memory/456-31-0x0000000005450000-0x0000000005451000-memory.dmp
memory/456-30-0x0000000005460000-0x0000000005461000-memory.dmp
memory/456-32-0x0000000000190000-0x0000000000649000-memory.dmp
memory/456-33-0x0000000000190000-0x0000000000649000-memory.dmp
memory/456-34-0x0000000000190000-0x0000000000649000-memory.dmp
memory/992-36-0x0000000000190000-0x0000000000649000-memory.dmp
memory/992-40-0x0000000005130000-0x0000000005131000-memory.dmp
memory/992-42-0x0000000005170000-0x0000000005171000-memory.dmp
memory/992-41-0x0000000005140000-0x0000000005141000-memory.dmp
memory/992-39-0x0000000005190000-0x0000000005191000-memory.dmp
memory/992-38-0x0000000005150000-0x0000000005151000-memory.dmp
memory/992-37-0x0000000005160000-0x0000000005161000-memory.dmp
memory/992-43-0x0000000000190000-0x0000000000649000-memory.dmp
memory/456-44-0x0000000000190000-0x0000000000649000-memory.dmp
memory/456-45-0x0000000000190000-0x0000000000649000-memory.dmp
memory/456-46-0x0000000000190000-0x0000000000649000-memory.dmp
memory/456-47-0x0000000000190000-0x0000000000649000-memory.dmp
memory/456-48-0x0000000000190000-0x0000000000649000-memory.dmp
memory/456-50-0x0000000000190000-0x0000000000649000-memory.dmp
memory/4564-51-0x0000000000190000-0x0000000000649000-memory.dmp
memory/4564-52-0x0000000000190000-0x0000000000649000-memory.dmp
memory/456-53-0x0000000000190000-0x0000000000649000-memory.dmp
memory/456-54-0x0000000000190000-0x0000000000649000-memory.dmp
memory/456-55-0x0000000000190000-0x0000000000649000-memory.dmp
memory/456-56-0x0000000000190000-0x0000000000649000-memory.dmp
memory/456-57-0x0000000000190000-0x0000000000649000-memory.dmp
memory/456-58-0x0000000000190000-0x0000000000649000-memory.dmp
memory/4660-60-0x0000000000190000-0x0000000000649000-memory.dmp
memory/4660-61-0x0000000000190000-0x0000000000649000-memory.dmp