amadey | 630bc7e23cc99472759d6c778c0ff57f07f5b5e0af4806c0e4fced953166eb60

Analysis

max time kernel
403s
max time network
453s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2023 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura-Digital.7z
Size

7.1MB
MD5

551db99ee591cc96a7eb9cb2d90ce3e5
SHA1

625b7ed0d937fc5fc4a03433104ed326facc7074
SHA256

630bc7e23cc99472759d6c778c0ff57f07f5b5e0af4806c0e4fced953166eb60
SHA512

f1afe7c69e5344b60339556f9d4062494828125cc7a1e5b87cb6df6f9cf779ab2df59c5d3f9214a8321a7c953376e42b458a3b2b652a0e93943d2f1a1982a3f6
SSDEEP

196608:Ny6qg/nmMEduyQPanOZamIkVDlKQt9ajUYhen8:HjgduyyaWF1YGBae8

Score

10^/10

amadey persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.68

213.226.123.14/jd93d22Cb1/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oneetx.exeoneetx.exefootsimvov.exefootsimvov.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	footsimvov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	footsimvov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

Processes:

Factura-Electronica.exefootsimvov.exefootsimvov.exeoneetx.exeoneetx.exelogiteched.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
1800	Factura-Electronica.exe
848	footsimvov.exe
2180	footsimvov.exe
2456	oneetx.exe
3372	oneetx.exe
3944	logiteched.exe
4624	oneetx.exe
4240	oneetx.exe
5052	oneetx.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

2396 rundll32.exe
4192 rundll32.exe
1868 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2396	rundll32.exe
4192	rundll32.exe
1868	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Factura-Electronica.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Factura-Electronica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Factura-Electronica.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

footsimvov.exeoneetx.exeoneetx.exe

description	pid	process	target process
PID 848 set thread context of 2180	848	footsimvov.exe	footsimvov.exe
PID 2456 set thread context of 3372	2456	oneetx.exe	oneetx.exe
PID 4624 set thread context of 4240	4624	oneetx.exe	oneetx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1340 4192 WerFault.exe rundll32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1700 schtasks.exe

pid	pid_target	process	target process
1340	4192	WerFault.exe	rundll32.exe

pid	process
1700	schtasks.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1760 powershell.exe
1760 powershell.exe
2120 powershell.exe
2120 powershell.exe
1852 powershell.exe
1852 powershell.exe

pid	process
1760	powershell.exe
1760	powershell.exe
2120	powershell.exe
2120	powershell.exe
1852	powershell.exe
1852	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

7zG.exepowershell.exefootsimvov.exepowershell.exeoneetx.exepowershell.exelogiteched.exeoneetx.exe

description	pid	process
Token: SeRestorePrivilege	1848	7zG.exe
Token: 35	1848	7zG.exe
Token: SeSecurityPrivilege	1848	7zG.exe
Token: SeSecurityPrivilege	1848	7zG.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	848	footsimvov.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2456	oneetx.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	3944	logiteched.exe
Token: SeDebugPrivilege	4624	oneetx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

1848 7zG.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

OpenWith.exeFactura-Electronica.exefootsimvov.exeoneetx.exe

pid process

2676 OpenWith.exe
1800 Factura-Electronica.exe
2180 footsimvov.exe
3372 oneetx.exe

pid	process
1848	7zG.exe

pid	process
2676	OpenWith.exe
1800	Factura-Electronica.exe
2180	footsimvov.exe
3372	oneetx.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Factura-Electronica.exefootsimvov.exefootsimvov.exeoneetx.exeoneetx.execmd.exeoneetx.exe

description	pid	process	target process
PID 1800 wrote to memory of 848	1800	Factura-Electronica.exe	footsimvov.exe
PID 1800 wrote to memory of 848	1800	Factura-Electronica.exe	footsimvov.exe
PID 1800 wrote to memory of 848	1800	Factura-Electronica.exe	footsimvov.exe
PID 848 wrote to memory of 1760	848	footsimvov.exe	powershell.exe
PID 848 wrote to memory of 1760	848	footsimvov.exe	powershell.exe
PID 848 wrote to memory of 1760	848	footsimvov.exe	powershell.exe
PID 848 wrote to memory of 2180	848	footsimvov.exe	footsimvov.exe
PID 848 wrote to memory of 2180	848	footsimvov.exe	footsimvov.exe
PID 848 wrote to memory of 2180	848	footsimvov.exe	footsimvov.exe
PID 848 wrote to memory of 2180	848	footsimvov.exe	footsimvov.exe
PID 848 wrote to memory of 2180	848	footsimvov.exe	footsimvov.exe
PID 848 wrote to memory of 2180	848	footsimvov.exe	footsimvov.exe
PID 848 wrote to memory of 2180	848	footsimvov.exe	footsimvov.exe
PID 848 wrote to memory of 2180	848	footsimvov.exe	footsimvov.exe
PID 848 wrote to memory of 2180	848	footsimvov.exe	footsimvov.exe
PID 848 wrote to memory of 2180	848	footsimvov.exe	footsimvov.exe
PID 2180 wrote to memory of 2456	2180	footsimvov.exe	oneetx.exe
PID 2180 wrote to memory of 2456	2180	footsimvov.exe	oneetx.exe
PID 2180 wrote to memory of 2456	2180	footsimvov.exe	oneetx.exe
PID 2456 wrote to memory of 2120	2456	oneetx.exe	powershell.exe
PID 2456 wrote to memory of 2120	2456	oneetx.exe	powershell.exe
PID 2456 wrote to memory of 2120	2456	oneetx.exe	powershell.exe
PID 2456 wrote to memory of 3372	2456	oneetx.exe	oneetx.exe
PID 2456 wrote to memory of 3372	2456	oneetx.exe	oneetx.exe
PID 2456 wrote to memory of 3372	2456	oneetx.exe	oneetx.exe
PID 2456 wrote to memory of 3372	2456	oneetx.exe	oneetx.exe
PID 2456 wrote to memory of 3372	2456	oneetx.exe	oneetx.exe
PID 2456 wrote to memory of 3372	2456	oneetx.exe	oneetx.exe
PID 2456 wrote to memory of 3372	2456	oneetx.exe	oneetx.exe
PID 2456 wrote to memory of 3372	2456	oneetx.exe	oneetx.exe
PID 2456 wrote to memory of 3372	2456	oneetx.exe	oneetx.exe
PID 2456 wrote to memory of 3372	2456	oneetx.exe	oneetx.exe
PID 3372 wrote to memory of 1700	3372	oneetx.exe	schtasks.exe
PID 3372 wrote to memory of 1700	3372	oneetx.exe	schtasks.exe
PID 3372 wrote to memory of 1700	3372	oneetx.exe	schtasks.exe
PID 3372 wrote to memory of 4120	3372	oneetx.exe	cmd.exe
PID 3372 wrote to memory of 4120	3372	oneetx.exe	cmd.exe
PID 3372 wrote to memory of 4120	3372	oneetx.exe	cmd.exe
PID 4120 wrote to memory of 180	4120	cmd.exe	cmd.exe
PID 4120 wrote to memory of 180	4120	cmd.exe	cmd.exe
PID 4120 wrote to memory of 180	4120	cmd.exe	cmd.exe
PID 4120 wrote to memory of 316	4120	cmd.exe	cacls.exe
PID 4120 wrote to memory of 316	4120	cmd.exe	cacls.exe
PID 4120 wrote to memory of 316	4120	cmd.exe	cacls.exe
PID 4120 wrote to memory of 4692	4120	cmd.exe	cacls.exe
PID 4120 wrote to memory of 4692	4120	cmd.exe	cacls.exe
PID 4120 wrote to memory of 4692	4120	cmd.exe	cacls.exe
PID 4120 wrote to memory of 4824	4120	cmd.exe	cmd.exe
PID 4120 wrote to memory of 4824	4120	cmd.exe	cmd.exe
PID 4120 wrote to memory of 4824	4120	cmd.exe	cmd.exe
PID 4120 wrote to memory of 2568	4120	cmd.exe	cacls.exe
PID 4120 wrote to memory of 2568	4120	cmd.exe	cacls.exe
PID 4120 wrote to memory of 2568	4120	cmd.exe	cacls.exe
PID 4120 wrote to memory of 3340	4120	cmd.exe	cacls.exe
PID 4120 wrote to memory of 3340	4120	cmd.exe	cacls.exe
PID 4120 wrote to memory of 3340	4120	cmd.exe	cacls.exe
PID 3372 wrote to memory of 3944	3372	oneetx.exe	logiteched.exe
PID 3372 wrote to memory of 3944	3372	oneetx.exe	logiteched.exe
PID 3372 wrote to memory of 3944	3372	oneetx.exe	logiteched.exe
PID 4624 wrote to memory of 1852	4624	oneetx.exe	powershell.exe
PID 4624 wrote to memory of 1852	4624	oneetx.exe	powershell.exe
PID 4624 wrote to memory of 1852	4624	oneetx.exe	powershell.exe
PID 4624 wrote to memory of 4240	4624	oneetx.exe	oneetx.exe
PID 4624 wrote to memory of 4240	4624	oneetx.exe	oneetx.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Factura-Digital.7z
1⤵
- Modifies registry class
PID:684

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4292

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Factura-Digital\" -spe -an -ai#7zMap886:86:7zEvent9482
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1848

C:\Users\Admin\Desktop\Factura-Digital\Factura-Electronica.exe
"C:\Users\Admin\Desktop\Factura-Digital\Factura-Electronica.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\footsimvov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\footsimvov.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\footsimvov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\footsimvov.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe" /F
6⤵
- Creates scheduled task(s)
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fc24331a33" /P "Admin:N"&&CACLS "..\fc24331a33" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:180

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
7⤵
PID:316

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
7⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4824

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fc24331a33" /P "Admin:N"
7⤵
PID:2568

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fc24331a33" /P "Admin:R" /E
7⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\1000003001\logiteched.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\logiteched.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\cred64.dll, Main
6⤵
- Loads dropped DLL
PID:2396

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\cred64.dll, Main
7⤵
- Loads dropped DLL
PID:4192

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4192 -s 644
8⤵
- Program crash
PID:1340

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:1868

C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
2⤵
- Executes dropped EXE
PID:4240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 4192 -ip 4192
1⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
1⤵
- Executes dropped EXE
PID:5052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
2⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
2⤵
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oneetx.exe.log
Filesize
1KB

MD5
7e88081fcf716d85992bb3af3d9b6454

SHA1
2153780fbc71061b0102a7a7b665349e1013e250

SHA256
5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

SHA512
ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
3773f7ed44d5de3131d6fff72c609128

SHA1
ed17f77fdf3c1543aa39cde016a7c33d9c1fcbf4

SHA256
405a3be0e26f55be9d565f0c3d2699bde72b869041e13eeab4971c5ee15a98c8

SHA512
ca4fb6016f682b29a3de58c56aa9aa092a52bc4114721d3744e01b61757fcdd46dd7a270a85fdefd011ee07f34116fdd6fbd4ef9435d0a0cd54300b1fcde55c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
c62c2d7eecb3800ad1c740a406a27e88

SHA1
782aafd5f518e464c073cf65382562f5a9af61f2

SHA256
1b38d31ff792ef2d99483e8445164a8184ae608e147cf035b6d2422c36ff9863

SHA512
b5ad42353fc92a47e871fa5cffc6406ade619395fd50f4470ced1a6942091dcbaa17d93429ed6edbc7b013fe5d708f57afb427a8857fc756202553813d463771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
e3e86b59a93d17532a043bc8793696a1

SHA1
5d7749eaa91af36b6590cdd254898181252098d0

SHA256
0dad9eb60408ebbd49e4cadc599bc3946555f30bc11bf6d3f7973e5267279284

SHA512
084907139331b09846fa99a2c3044672fa41ef30597672576b755674e331b60e98fded18730f8867b3882c40dfb742f8d1bb1bed446dc2dd6e305d20dc70971a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\logiteched.exe
Filesize
1023KB

MD5
04e76f69997961082c793267bcc14788

SHA1
bccaf73a94430a71520832fd6c32a0454ed9cef0

SHA256
236caf6eff6062b5ab65172a05150d9cc3648e83b40cd7cba5895192aba70490

SHA512
f845a1df45207c8b68a5bb5d7ab3051a869065fb548ed63cc5c7bf4f88a17935c865a4a0621f2bebd805bf5610eb63a45d7964ad1cce538d2ba7a6259bef826b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\logiteched.exe
Filesize
1023KB

MD5
04e76f69997961082c793267bcc14788

SHA1
bccaf73a94430a71520832fd6c32a0454ed9cef0

SHA256
236caf6eff6062b5ab65172a05150d9cc3648e83b40cd7cba5895192aba70490

SHA512
f845a1df45207c8b68a5bb5d7ab3051a869065fb548ed63cc5c7bf4f88a17935c865a4a0621f2bebd805bf5610eb63a45d7964ad1cce538d2ba7a6259bef826b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\logiteched.exe
Filesize
1023KB

MD5
04e76f69997961082c793267bcc14788

SHA1
bccaf73a94430a71520832fd6c32a0454ed9cef0

SHA256
236caf6eff6062b5ab65172a05150d9cc3648e83b40cd7cba5895192aba70490

SHA512
f845a1df45207c8b68a5bb5d7ab3051a869065fb548ed63cc5c7bf4f88a17935c865a4a0621f2bebd805bf5610eb63a45d7964ad1cce538d2ba7a6259bef826b

Download Submit
C:\Users\Admin\AppData\Local\Temp\675742406747
Filesize
108KB

MD5
67181baf769b8c98833a294c1d59d9f1

SHA1
46d96402d8854a7ced94df30507a07994cd1c9cb

SHA256
e2c64fc0f961180af5a87202461ed8c02d48d8ea43b4031a8ae4bf8652856bcf

SHA512
af3b816f5ce0da34bf2ab85c8b9b664077d9c511b12621ade97e1f5e9e4c8e9e958b7b9cfd2b3d3f3bca60a73589a98e89f000d2df29712fe385c59748c41986

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\footsimvov.exe
Filesize
364.4MB

MD5
fa71acaec278347ef0b2cb81072ecc4f

SHA1
15d5ffdda9d60a7b1a7689f733ddd24e0a501e53

SHA256
2d75aa11f7c7fbb024985d06b3a849be3e2731a0466c05bb81dd234aff3fd87a

SHA512
ee79c6d2ece3666ec7d7fe15db1fc90b68613481d70158e20ee4a1ae0fac9d9b033bff012b800cb5d8263709606da4d9ce1ea396c1994fbb2a67af23305f2211

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\footsimvov.exe
Filesize
364.4MB

MD5
fa71acaec278347ef0b2cb81072ecc4f

SHA1
15d5ffdda9d60a7b1a7689f733ddd24e0a501e53

SHA256
2d75aa11f7c7fbb024985d06b3a849be3e2731a0466c05bb81dd234aff3fd87a

SHA512
ee79c6d2ece3666ec7d7fe15db1fc90b68613481d70158e20ee4a1ae0fac9d9b033bff012b800cb5d8263709606da4d9ce1ea396c1994fbb2a67af23305f2211

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\footsimvov.exe
Filesize
364.4MB

MD5
fa71acaec278347ef0b2cb81072ecc4f

SHA1
15d5ffdda9d60a7b1a7689f733ddd24e0a501e53

SHA256
2d75aa11f7c7fbb024985d06b3a849be3e2731a0466c05bb81dd234aff3fd87a

SHA512
ee79c6d2ece3666ec7d7fe15db1fc90b68613481d70158e20ee4a1ae0fac9d9b033bff012b800cb5d8263709606da4d9ce1ea396c1994fbb2a67af23305f2211

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sags3pxa.wt0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
Filesize
364.4MB

MD5
fa71acaec278347ef0b2cb81072ecc4f

SHA1
15d5ffdda9d60a7b1a7689f733ddd24e0a501e53

SHA256
2d75aa11f7c7fbb024985d06b3a849be3e2731a0466c05bb81dd234aff3fd87a

SHA512
ee79c6d2ece3666ec7d7fe15db1fc90b68613481d70158e20ee4a1ae0fac9d9b033bff012b800cb5d8263709606da4d9ce1ea396c1994fbb2a67af23305f2211

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
Filesize
364.4MB

MD5
fa71acaec278347ef0b2cb81072ecc4f

SHA1
15d5ffdda9d60a7b1a7689f733ddd24e0a501e53

SHA256
2d75aa11f7c7fbb024985d06b3a849be3e2731a0466c05bb81dd234aff3fd87a

SHA512
ee79c6d2ece3666ec7d7fe15db1fc90b68613481d70158e20ee4a1ae0fac9d9b033bff012b800cb5d8263709606da4d9ce1ea396c1994fbb2a67af23305f2211

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
Filesize
364.4MB

MD5
fa71acaec278347ef0b2cb81072ecc4f

SHA1
15d5ffdda9d60a7b1a7689f733ddd24e0a501e53

SHA256
2d75aa11f7c7fbb024985d06b3a849be3e2731a0466c05bb81dd234aff3fd87a

SHA512
ee79c6d2ece3666ec7d7fe15db1fc90b68613481d70158e20ee4a1ae0fac9d9b033bff012b800cb5d8263709606da4d9ce1ea396c1994fbb2a67af23305f2211

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
Filesize
364.4MB

MD5
fa71acaec278347ef0b2cb81072ecc4f

SHA1
15d5ffdda9d60a7b1a7689f733ddd24e0a501e53

SHA256
2d75aa11f7c7fbb024985d06b3a849be3e2731a0466c05bb81dd234aff3fd87a

SHA512
ee79c6d2ece3666ec7d7fe15db1fc90b68613481d70158e20ee4a1ae0fac9d9b033bff012b800cb5d8263709606da4d9ce1ea396c1994fbb2a67af23305f2211

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
Filesize
364.4MB

MD5
fa71acaec278347ef0b2cb81072ecc4f

SHA1
15d5ffdda9d60a7b1a7689f733ddd24e0a501e53

SHA256
2d75aa11f7c7fbb024985d06b3a849be3e2731a0466c05bb81dd234aff3fd87a

SHA512
ee79c6d2ece3666ec7d7fe15db1fc90b68613481d70158e20ee4a1ae0fac9d9b033bff012b800cb5d8263709606da4d9ce1ea396c1994fbb2a67af23305f2211

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
Filesize
364.4MB

MD5
fa71acaec278347ef0b2cb81072ecc4f

SHA1
15d5ffdda9d60a7b1a7689f733ddd24e0a501e53

SHA256
2d75aa11f7c7fbb024985d06b3a849be3e2731a0466c05bb81dd234aff3fd87a

SHA512
ee79c6d2ece3666ec7d7fe15db1fc90b68613481d70158e20ee4a1ae0fac9d9b033bff012b800cb5d8263709606da4d9ce1ea396c1994fbb2a67af23305f2211

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
Filesize
364.4MB

MD5
fa71acaec278347ef0b2cb81072ecc4f

SHA1
15d5ffdda9d60a7b1a7689f733ddd24e0a501e53

SHA256
2d75aa11f7c7fbb024985d06b3a849be3e2731a0466c05bb81dd234aff3fd87a

SHA512
ee79c6d2ece3666ec7d7fe15db1fc90b68613481d70158e20ee4a1ae0fac9d9b033bff012b800cb5d8263709606da4d9ce1ea396c1994fbb2a67af23305f2211

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc24331a33\oneetx.exe
Filesize
196.5MB

MD5
3276c7dc7110f8bd73cd1756701d22fa

SHA1
d7c3b0d4b1f4530f8db47a47b8729be8488cc28b

SHA256
0dbc299e536aeb00254f31d153943996ca8b4b2deb26053f828fe579bb9b1555

SHA512
fe0c0873b4aa3670a1b0990021e3076abb9c63862241e01d98966fbc553d5d50ed28a20e2a0beb1556a2654c513060571edd54d537e5513d8f42914788606145

Download Submit
C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\clip64.dll
Filesize
89KB

MD5
ebf7b1325b78fbebb72c302b8cadc3c4

SHA1
b08b5920bdf8d1a2d2adbb8fada1cf3d445ace3e

SHA256
9a9ec3cdfa95d4ef90a6d3aac7bc7a95ec109b23e2dc42834abfcc15d6e70048

SHA512
861637a89c4879ffbb2f2061fcffbcc76d5af3c27ba2ce547646d2db83f48b716951b0007170cdead9ca83ec5cdaa78cb737ecc8a03aba00ebe080bf4c4b5769

Download Submit
C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\clip64.dll
Filesize
89KB

MD5
ebf7b1325b78fbebb72c302b8cadc3c4

SHA1
b08b5920bdf8d1a2d2adbb8fada1cf3d445ace3e

SHA256
9a9ec3cdfa95d4ef90a6d3aac7bc7a95ec109b23e2dc42834abfcc15d6e70048

SHA512
861637a89c4879ffbb2f2061fcffbcc76d5af3c27ba2ce547646d2db83f48b716951b0007170cdead9ca83ec5cdaa78cb737ecc8a03aba00ebe080bf4c4b5769

Download Submit
C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\clip64.dll
Filesize
89KB

MD5
ebf7b1325b78fbebb72c302b8cadc3c4

SHA1
b08b5920bdf8d1a2d2adbb8fada1cf3d445ace3e

SHA256
9a9ec3cdfa95d4ef90a6d3aac7bc7a95ec109b23e2dc42834abfcc15d6e70048

SHA512
861637a89c4879ffbb2f2061fcffbcc76d5af3c27ba2ce547646d2db83f48b716951b0007170cdead9ca83ec5cdaa78cb737ecc8a03aba00ebe080bf4c4b5769

Download Submit
C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\cred64.dll
Filesize
1.0MB

MD5
b04fd7ff8af18c6abe932ed89a018ccb

SHA1
2cbfdfa4a1a5344c8176e541754cb6d3476b58a9

SHA256
69e400d424fb0e7a0427d20ee82ebb2869a4a662970ed5492f74da60303f12c8

SHA512
0319c5b55feeef47c0468c2e595b6017e56f8abb2bebe757ee8c636fd377afa8ff6b13871ff54fa7ca1d33c4d1efa08583deee54ecf4833d0c5e21837aabee06

Download Submit
C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\cred64.dll
Filesize
1.0MB

MD5
b04fd7ff8af18c6abe932ed89a018ccb

SHA1
2cbfdfa4a1a5344c8176e541754cb6d3476b58a9

SHA256
69e400d424fb0e7a0427d20ee82ebb2869a4a662970ed5492f74da60303f12c8

SHA512
0319c5b55feeef47c0468c2e595b6017e56f8abb2bebe757ee8c636fd377afa8ff6b13871ff54fa7ca1d33c4d1efa08583deee54ecf4833d0c5e21837aabee06

Download Submit
C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\cred64.dll
Filesize
1.0MB

MD5
b04fd7ff8af18c6abe932ed89a018ccb

SHA1
2cbfdfa4a1a5344c8176e541754cb6d3476b58a9

SHA256
69e400d424fb0e7a0427d20ee82ebb2869a4a662970ed5492f74da60303f12c8

SHA512
0319c5b55feeef47c0468c2e595b6017e56f8abb2bebe757ee8c636fd377afa8ff6b13871ff54fa7ca1d33c4d1efa08583deee54ecf4833d0c5e21837aabee06

Download Submit
C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\cred64.dll
Filesize
1.0MB

MD5
b04fd7ff8af18c6abe932ed89a018ccb

SHA1
2cbfdfa4a1a5344c8176e541754cb6d3476b58a9

SHA256
69e400d424fb0e7a0427d20ee82ebb2869a4a662970ed5492f74da60303f12c8

SHA512
0319c5b55feeef47c0468c2e595b6017e56f8abb2bebe757ee8c636fd377afa8ff6b13871ff54fa7ca1d33c4d1efa08583deee54ecf4833d0c5e21837aabee06

Download Submit
C:\Users\Admin\Desktop\Factura-Digital\Factura-Electronica.exe
Filesize
716.6MB

MD5
3daf140992c56155e40c0a88fc42c33c

SHA1
3d5446a56603289bc452f81a135154b03f04275a

SHA256
d69dae1ff14cd89ee4fe97f8c24f95ab2ef88b7f7bda8c87026618958b6b6e56

SHA512
92f3dcaa8345b40c3b386e88b0c41abd95908be93ae869d832e557e3f64fffe2c2f4d1719f3606e79cf9ce85bafb3b8ffc8e7351cb4518f42802d401054fc5b9

Download Submit
C:\Users\Admin\Desktop\Factura-Digital\Factura-Electronica.exe
Filesize
716.6MB

MD5
3daf140992c56155e40c0a88fc42c33c

SHA1
3d5446a56603289bc452f81a135154b03f04275a

SHA256
d69dae1ff14cd89ee4fe97f8c24f95ab2ef88b7f7bda8c87026618958b6b6e56

SHA512
92f3dcaa8345b40c3b386e88b0c41abd95908be93ae869d832e557e3f64fffe2c2f4d1719f3606e79cf9ce85bafb3b8ffc8e7351cb4518f42802d401054fc5b9

Download Submit
memory/668-368-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/668-365-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/848-200-0x0000000005C00000-0x0000000005C10000-memory.dmp

Filesize
64KB

Download
memory/848-180-0x0000000000F10000-0x0000000001118000-memory.dmp

Filesize
2.0MB

Download
memory/848-181-0x0000000005E30000-0x0000000005E52000-memory.dmp

Filesize
136KB

Download
memory/848-182-0x0000000005C00000-0x0000000005C10000-memory.dmp

Filesize
64KB

Download
memory/1760-198-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

Filesize
120KB

Download
memory/1760-201-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/1760-199-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/1760-202-0x0000000006180000-0x000000000619A000-memory.dmp

Filesize
104KB

Download
memory/1760-197-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/1760-196-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/1760-191-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/1760-190-0x0000000004D80000-0x0000000004DE6000-memory.dmp

Filesize
408KB

Download
memory/1760-184-0x0000000004E40000-0x0000000005468000-memory.dmp

Filesize
6.2MB

Download
memory/1760-183-0x00000000026D0000-0x0000000002706000-memory.dmp

Filesize
216KB

Download
memory/1760-209-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/1760-210-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/1760-211-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/1852-320-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/1852-315-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/1852-318-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/1852-314-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/2068-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2068-373-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2068-372-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2120-237-0x0000000003500000-0x0000000003510000-memory.dmp

Filesize
64KB

Download
memory/2120-249-0x0000000003500000-0x0000000003510000-memory.dmp

Filesize
64KB

Download
memory/2120-250-0x0000000003500000-0x0000000003510000-memory.dmp

Filesize
64KB

Download
memory/2180-219-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2180-214-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2180-218-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2180-217-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2180-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2180-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-234-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/2456-236-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/3372-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3372-295-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3372-254-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3372-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3372-257-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3372-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3372-258-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3944-316-0x0000000005020000-0x000000000502A000-memory.dmp

Filesize
40KB

Download
memory/3944-300-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/3944-366-0x0000000007160000-0x0000000007182000-memory.dmp

Filesize
136KB

Download
memory/3944-351-0x0000000007FD0000-0x0000000008192000-memory.dmp

Filesize
1.8MB

Download
memory/3944-352-0x00000000086D0000-0x0000000008BFC000-memory.dmp

Filesize
5.2MB

Download
memory/3944-298-0x00000000056E0000-0x0000000005C84000-memory.dmp

Filesize
5.6MB

Download
memory/3944-297-0x00000000009A0000-0x0000000000AA6000-memory.dmp

Filesize
1.0MB

Download
memory/3944-312-0x0000000005130000-0x00000000051CC000-memory.dmp

Filesize
624KB

Download
memory/3944-317-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/4240-325-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4240-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4240-324-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4624-313-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/4624-319-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/5052-367-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/5052-364-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download