Analysis
-
max time kernel
144s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
26-11-2022 02:16
Static task
static1
Behavioral task
behavioral1
Sample
product.scr
Resource
win7-20221111-en
General
-
Target
product.scr
-
Size
624KB
-
MD5
fff4955ffce3b5e5260408e7fef6872d
-
SHA1
78b85c6cb35cb007882ecce9602b60cd6c5bae97
-
SHA256
a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f
-
SHA512
e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75
-
SSDEEP
12288:mcER/WFqpOCIYqv2/eso4QDiWVpDiKiS9BYM1efta7iXS6GnEv0CNisXoNBW9x:mcER/WFqpOCIYqv2/eso4QDiW3DiKiSM
Malware Config
Extracted
pony
http://190.14.37.80/akpos/Panel/Panelz/gate.php
Signatures
-
Executes dropped EXE 5 IoCs
Processes:
mamade.exeScan002.scrmamade.exemamade.exeScan002.scrpid process 1176 mamade.exe 876 Scan002.scr 1380 mamade.exe 1828 mamade.exe 936 Scan002.scr -
Processes:
resource yara_rule behavioral1/memory/1828-93-0x0000000000400000-0x0000000001400000-memory.dmp upx behavioral1/memory/1828-97-0x0000000000400000-0x0000000001400000-memory.dmp upx behavioral1/memory/1828-99-0x0000000000400000-0x0000000001400000-memory.dmp upx behavioral1/memory/936-111-0x0000000000400000-0x0000000001400000-memory.dmp upx behavioral1/memory/1828-113-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/936-114-0x0000000000400000-0x0000000001400000-memory.dmp upx behavioral1/memory/936-116-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1828-117-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1828-118-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/936-121-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1828-122-0x0000000000400000-0x000000000041C000-memory.dmp upx -
Drops startup file 3 IoCs
Processes:
product.scrmamade.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe product.scr File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe product.scr File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe mamade.exe -
Loads dropped DLL 5 IoCs
Processes:
product.scrcmd.exeScan002.scrpid process 1208 product.scr 1208 product.scr 672 cmd.exe 672 cmd.exe 876 Scan002.scr -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
Processes:
Scan002.scrmamade.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Scan002.scr Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts mamade.exe -
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
Processes:
Scan002.scrmamade.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Scan002.scr Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook mamade.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
mamade.exemamade.exeScan002.scrdescription pid process target process PID 1176 set thread context of 1380 1176 mamade.exe mamade.exe PID 1380 set thread context of 1828 1380 mamade.exe mamade.exe PID 876 set thread context of 936 876 Scan002.scr Scan002.scr -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
mamade.exeScan002.scrpid process 1380 mamade.exe 876 Scan002.scr -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
mamade.exeScan002.scrdescription pid process Token: SeImpersonatePrivilege 1828 mamade.exe Token: SeTcbPrivilege 1828 mamade.exe Token: SeChangeNotifyPrivilege 1828 mamade.exe Token: SeCreateTokenPrivilege 1828 mamade.exe Token: SeBackupPrivilege 1828 mamade.exe Token: SeRestorePrivilege 1828 mamade.exe Token: SeIncreaseQuotaPrivilege 1828 mamade.exe Token: SeAssignPrimaryTokenPrivilege 1828 mamade.exe Token: SeImpersonatePrivilege 936 Scan002.scr Token: SeTcbPrivilege 936 Scan002.scr Token: SeChangeNotifyPrivilege 936 Scan002.scr Token: SeCreateTokenPrivilege 936 Scan002.scr Token: SeBackupPrivilege 936 Scan002.scr Token: SeRestorePrivilege 936 Scan002.scr Token: SeIncreaseQuotaPrivilege 936 Scan002.scr Token: SeAssignPrimaryTokenPrivilege 936 Scan002.scr Token: SeImpersonatePrivilege 1828 mamade.exe Token: SeImpersonatePrivilege 936 Scan002.scr Token: SeTcbPrivilege 1828 mamade.exe Token: SeChangeNotifyPrivilege 1828 mamade.exe Token: SeCreateTokenPrivilege 1828 mamade.exe Token: SeTcbPrivilege 936 Scan002.scr Token: SeBackupPrivilege 1828 mamade.exe Token: SeChangeNotifyPrivilege 936 Scan002.scr Token: SeRestorePrivilege 1828 mamade.exe Token: SeCreateTokenPrivilege 936 Scan002.scr Token: SeBackupPrivilege 936 Scan002.scr Token: SeIncreaseQuotaPrivilege 1828 mamade.exe Token: SeAssignPrimaryTokenPrivilege 1828 mamade.exe Token: SeRestorePrivilege 936 Scan002.scr Token: SeIncreaseQuotaPrivilege 936 Scan002.scr Token: SeAssignPrimaryTokenPrivilege 936 Scan002.scr Token: SeImpersonatePrivilege 1828 mamade.exe Token: SeTcbPrivilege 1828 mamade.exe Token: SeChangeNotifyPrivilege 1828 mamade.exe Token: SeCreateTokenPrivilege 1828 mamade.exe Token: SeBackupPrivilege 1828 mamade.exe Token: SeRestorePrivilege 1828 mamade.exe Token: SeIncreaseQuotaPrivilege 1828 mamade.exe Token: SeAssignPrimaryTokenPrivilege 1828 mamade.exe Token: SeImpersonatePrivilege 936 Scan002.scr Token: SeTcbPrivilege 936 Scan002.scr Token: SeChangeNotifyPrivilege 936 Scan002.scr Token: SeCreateTokenPrivilege 936 Scan002.scr Token: SeBackupPrivilege 936 Scan002.scr Token: SeRestorePrivilege 936 Scan002.scr Token: SeIncreaseQuotaPrivilege 936 Scan002.scr Token: SeAssignPrimaryTokenPrivilege 936 Scan002.scr Token: SeImpersonatePrivilege 1828 mamade.exe Token: SeTcbPrivilege 1828 mamade.exe Token: SeChangeNotifyPrivilege 1828 mamade.exe Token: SeCreateTokenPrivilege 1828 mamade.exe Token: SeBackupPrivilege 1828 mamade.exe Token: SeRestorePrivilege 1828 mamade.exe Token: SeIncreaseQuotaPrivilege 1828 mamade.exe Token: SeAssignPrimaryTokenPrivilege 1828 mamade.exe Token: SeImpersonatePrivilege 936 Scan002.scr Token: SeTcbPrivilege 936 Scan002.scr Token: SeChangeNotifyPrivilege 936 Scan002.scr Token: SeCreateTokenPrivilege 936 Scan002.scr Token: SeBackupPrivilege 936 Scan002.scr Token: SeRestorePrivilege 936 Scan002.scr Token: SeIncreaseQuotaPrivilege 936 Scan002.scr Token: SeAssignPrimaryTokenPrivilege 936 Scan002.scr -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
product.scrmamade.exemamade.exeScan002.scrpid process 1208 product.scr 1176 mamade.exe 1380 mamade.exe 876 Scan002.scr 1380 mamade.exe 876 Scan002.scr -
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
product.scrcmd.exemamade.exemamade.exeScan002.scrScan002.scrmamade.exedescription pid process target process PID 1208 wrote to memory of 672 1208 product.scr cmd.exe PID 1208 wrote to memory of 672 1208 product.scr cmd.exe PID 1208 wrote to memory of 672 1208 product.scr cmd.exe PID 1208 wrote to memory of 672 1208 product.scr cmd.exe PID 1208 wrote to memory of 1176 1208 product.scr mamade.exe PID 1208 wrote to memory of 1176 1208 product.scr mamade.exe PID 1208 wrote to memory of 1176 1208 product.scr mamade.exe PID 1208 wrote to memory of 1176 1208 product.scr mamade.exe PID 672 wrote to memory of 876 672 cmd.exe Scan002.scr PID 672 wrote to memory of 876 672 cmd.exe Scan002.scr PID 672 wrote to memory of 876 672 cmd.exe Scan002.scr PID 672 wrote to memory of 876 672 cmd.exe Scan002.scr PID 1176 wrote to memory of 1380 1176 mamade.exe mamade.exe PID 1176 wrote to memory of 1380 1176 mamade.exe mamade.exe PID 1176 wrote to memory of 1380 1176 mamade.exe mamade.exe PID 1176 wrote to memory of 1380 1176 mamade.exe mamade.exe PID 1176 wrote to memory of 1380 1176 mamade.exe mamade.exe PID 1176 wrote to memory of 1380 1176 mamade.exe mamade.exe PID 1176 wrote to memory of 1380 1176 mamade.exe mamade.exe PID 1176 wrote to memory of 1380 1176 mamade.exe mamade.exe PID 1176 wrote to memory of 1380 1176 mamade.exe mamade.exe PID 1176 wrote to memory of 1380 1176 mamade.exe mamade.exe PID 1176 wrote to memory of 1380 1176 mamade.exe mamade.exe PID 1176 wrote to memory of 1380 1176 mamade.exe mamade.exe PID 1380 wrote to memory of 1828 1380 mamade.exe mamade.exe PID 1380 wrote to memory of 1828 1380 mamade.exe mamade.exe PID 1380 wrote to memory of 1828 1380 mamade.exe mamade.exe PID 1380 wrote to memory of 1828 1380 mamade.exe mamade.exe PID 876 wrote to memory of 936 876 Scan002.scr Scan002.scr PID 876 wrote to memory of 936 876 Scan002.scr Scan002.scr PID 876 wrote to memory of 936 876 Scan002.scr Scan002.scr PID 876 wrote to memory of 936 876 Scan002.scr Scan002.scr PID 1380 wrote to memory of 1828 1380 mamade.exe mamade.exe PID 876 wrote to memory of 936 876 Scan002.scr Scan002.scr PID 1380 wrote to memory of 1828 1380 mamade.exe mamade.exe PID 876 wrote to memory of 936 876 Scan002.scr Scan002.scr PID 1380 wrote to memory of 1828 1380 mamade.exe mamade.exe PID 1380 wrote to memory of 1828 1380 mamade.exe mamade.exe PID 876 wrote to memory of 936 876 Scan002.scr Scan002.scr PID 876 wrote to memory of 936 876 Scan002.scr Scan002.scr PID 936 wrote to memory of 1248 936 Scan002.scr cmd.exe PID 936 wrote to memory of 1248 936 Scan002.scr cmd.exe PID 936 wrote to memory of 1248 936 Scan002.scr cmd.exe PID 936 wrote to memory of 1248 936 Scan002.scr cmd.exe PID 1828 wrote to memory of 2036 1828 mamade.exe cmd.exe PID 1828 wrote to memory of 2036 1828 mamade.exe cmd.exe PID 1828 wrote to memory of 2036 1828 mamade.exe cmd.exe PID 1828 wrote to memory of 2036 1828 mamade.exe cmd.exe -
outlook_win_path 1 IoCs
Processes:
mamade.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook mamade.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\product.scr"C:\Users\Admin\AppData\Local\Temp\product.scr" /S1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\Scan002.scr2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Scan002.scrC:\Users\Admin\AppData\Local\Temp\Scan002.scr3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Scan002.scrC:\Users\Admin\AppData\Local\Temp\Scan002.scr4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7220209.bat" "C:\Users\Admin\AppData\Local\Temp\Scan002.scr" "5⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7220194.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe" "5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7220194.batFilesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\7220209.batFilesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\Scan002.scrFilesize
200KB
MD5261f3314b3cafb38d5b2611e3ae97bd5
SHA1de94aa12402a0a16fd36e3b2103f38fe549478b8
SHA25674ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036
SHA5121c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026
-
C:\Users\Admin\AppData\Local\Temp\Scan002.scrFilesize
200KB
MD5261f3314b3cafb38d5b2611e3ae97bd5
SHA1de94aa12402a0a16fd36e3b2103f38fe549478b8
SHA25674ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036
SHA5121c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026
-
C:\Users\Admin\AppData\Local\Temp\Scan002.scrFilesize
200KB
MD5261f3314b3cafb38d5b2611e3ae97bd5
SHA1de94aa12402a0a16fd36e3b2103f38fe549478b8
SHA25674ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036
SHA5121c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exeFilesize
624KB
MD5fff4955ffce3b5e5260408e7fef6872d
SHA178b85c6cb35cb007882ecce9602b60cd6c5bae97
SHA256a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f
SHA512e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exeFilesize
624KB
MD5fff4955ffce3b5e5260408e7fef6872d
SHA178b85c6cb35cb007882ecce9602b60cd6c5bae97
SHA256a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f
SHA512e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exeFilesize
624KB
MD5fff4955ffce3b5e5260408e7fef6872d
SHA178b85c6cb35cb007882ecce9602b60cd6c5bae97
SHA256a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f
SHA512e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exeFilesize
624KB
MD5fff4955ffce3b5e5260408e7fef6872d
SHA178b85c6cb35cb007882ecce9602b60cd6c5bae97
SHA256a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f
SHA512e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75
-
\Users\Admin\AppData\Local\Temp\Scan002.scrFilesize
200KB
MD5261f3314b3cafb38d5b2611e3ae97bd5
SHA1de94aa12402a0a16fd36e3b2103f38fe549478b8
SHA25674ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036
SHA5121c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026
-
\Users\Admin\AppData\Local\Temp\Scan002.scrFilesize
200KB
MD5261f3314b3cafb38d5b2611e3ae97bd5
SHA1de94aa12402a0a16fd36e3b2103f38fe549478b8
SHA25674ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036
SHA5121c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026
-
\Users\Admin\AppData\Local\Temp\Scan002.scrFilesize
200KB
MD5261f3314b3cafb38d5b2611e3ae97bd5
SHA1de94aa12402a0a16fd36e3b2103f38fe549478b8
SHA25674ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036
SHA5121c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exeFilesize
624KB
MD5fff4955ffce3b5e5260408e7fef6872d
SHA178b85c6cb35cb007882ecce9602b60cd6c5bae97
SHA256a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f
SHA512e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exeFilesize
624KB
MD5fff4955ffce3b5e5260408e7fef6872d
SHA178b85c6cb35cb007882ecce9602b60cd6c5bae97
SHA256a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f
SHA512e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75
-
memory/672-57-0x0000000000000000-mapping.dmp
-
memory/876-67-0x0000000000000000-mapping.dmp
-
memory/876-101-0x0000000000380000-0x0000000000384000-memory.dmpFilesize
16KB
-
memory/936-114-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/936-111-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/936-116-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/936-121-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/936-103-0x000000000041A110-mapping.dmp
-
memory/1176-60-0x0000000000000000-mapping.dmp
-
memory/1208-56-0x00000000759C1000-0x00000000759C3000-memory.dmpFilesize
8KB
-
memory/1248-119-0x0000000000000000-mapping.dmp
-
memory/1380-86-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1380-77-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1380-71-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1380-72-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1380-87-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1380-83-0x0000000000407EFE-mapping.dmp
-
memory/1380-82-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1380-104-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1380-74-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1380-78-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1380-80-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1380-76-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1828-113-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1828-99-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/1828-117-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1828-118-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1828-93-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/1828-102-0x000000000041A110-mapping.dmp
-
memory/1828-122-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1828-90-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/1828-97-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/2036-120-0x0000000000000000-mapping.dmp