amadey | 48987d9c89542a8cb4f8d34eb34902a4762cc8643c0e491deb6115907db4887b

Analysis

max time kernel
579s
max time network
585s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2023 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_File.exe
Size

28.1MB
MD5

9ddc92ae27b3c01abcc9361f5f10dbeb
SHA1

4ae7273d55275c53ebd66fd8d55d54d5257ad21d
SHA256

48987d9c89542a8cb4f8d34eb34902a4762cc8643c0e491deb6115907db4887b
SHA512

20f81c7cf228b92ef488fc24d1a3ed288f77036903bfcb1a650a7505a9f618c2fafa09e4b7c5e539a5627d6436f7011f1ed0ecf027609524006c07716447e68b
SSDEEP

786432:z6FQ28LUo3oaouyd+sP6qSwbJ+IViZRR/5PwUA1:zAQPLUcoMA+sP6q3pV255rI

Score

10^/10

amadey lumma vidar https://t.me/dastantim spyware stealer trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

3.85

45.9.74.166/b7djSDcPcZ/index.php

45.9.74.141/b7djSDcPcZ/index.php

Extracted

Family

vidar

Version

4.9

Botnet

https://t.me/dastantim

https://steamcommunity.com/profiles/76561199529242058

Attributes

profile_id_v2
https://t.me/dastantim
user_agent
Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup_File.exeusjhlmmdmsqjfbox.exebstyoops.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	Setup_File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	usjhlmmdmsqjfbox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	bstyoops.exe

Executes dropped EXE 11 IoCs

Processes:

usjhlmmdmsqjfbox.exebstyoops.exebstyoops.exebstyoops.exePvpzeuozra.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exe

pid	process
3176	usjhlmmdmsqjfbox.exe
5044	bstyoops.exe
4344	bstyoops.exe
3568	bstyoops.exe
4844	Pvpzeuozra.exe
4772	bstyoops.exe
184	bstyoops.exe
740	bstyoops.exe
3932	bstyoops.exe
4532	bstyoops.exe
2788	bstyoops.exe

Loads dropped DLL 2 IoCs

Processes:

csc.exe

pid process

3444 csc.exe
3444 csc.exe

pid	process
3444	csc.exe
3444	csc.exe

VMProtect packed file 22 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\usjhlmmdmsqjfbox.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\usjhlmmdmsqjfbox.exe	vmprotect
behavioral2/memory/3176-219-0x00000000007F0000-0x0000000001486000-memory.dmp	vmprotect
behavioral2/memory/3176-224-0x00000000007F0000-0x0000000001486000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/5044-240-0x0000000000460000-0x00000000010F6000-memory.dmp	vmprotect
behavioral2/memory/5044-245-0x0000000000460000-0x00000000010F6000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Pvpzeuozra.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Pvpzeuozra.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Pvpzeuozra.exe	vmprotect
behavioral2/memory/4844-414-0x0000000000C70000-0x0000000001670000-memory.dmp	vmprotect
behavioral2/memory/4844-419-0x0000000000C70000-0x0000000001670000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Setup_File.exe

description ioc process

File opened (read-only) \??\F: Setup_File.exe

description	ioc	process
File opened (read-only)	\??\F:	Setup_File.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Setup_File.exe

description	pid	process	target process
PID 3004 set thread context of 540	3004	Setup_File.exe	csc.exe
PID 3004 set thread context of 3444	3004	Setup_File.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

796 3444 WerFault.exe csc.exe

pid	pid_target	process	target process
796	3444	WerFault.exe	csc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

csc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	csc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	csc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4692 schtasks.exe

pid	process
4692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

Setup_File.exepowershell.exepowershell.exepowershell.execsc.exepowershell.exepowershell.execsc.exePvpzeuozra.exe

pid	process
3004	Setup_File.exe
3004	Setup_File.exe
3004	Setup_File.exe
3004	Setup_File.exe
3004	Setup_File.exe
3004	Setup_File.exe
3004	Setup_File.exe
3004	Setup_File.exe
3004	Setup_File.exe
3004	Setup_File.exe
3004	Setup_File.exe
3004	Setup_File.exe
2068	powershell.exe
2068	powershell.exe
4584	powershell.exe
4584	powershell.exe
2912	powershell.exe
2912	powershell.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
540	csc.exe
2036	powershell.exe
2036	powershell.exe
1164	powershell.exe
1164	powershell.exe
3444	csc.exe
3444	csc.exe
3444	csc.exe
3444	csc.exe
3444	csc.exe
3444	csc.exe
4844	Pvpzeuozra.exe
4844	Pvpzeuozra.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

usjhlmmdmsqjfbox.exe

pid process

3176 usjhlmmdmsqjfbox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup_File.execsc.exeusjhlmmdmsqjfbox.exebstyoops.execmd.exe

description	pid	process	target process
PID 3004 wrote to memory of 2068	3004	Setup_File.exe	powershell.exe
PID 3004 wrote to memory of 2068	3004	Setup_File.exe	powershell.exe
PID 3004 wrote to memory of 540	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 540	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 540	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 4584	3004	Setup_File.exe	powershell.exe
PID 3004 wrote to memory of 4584	3004	Setup_File.exe	powershell.exe
PID 3004 wrote to memory of 540	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 540	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 540	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 540	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 540	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 540	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 2912	3004	Setup_File.exe	powershell.exe
PID 3004 wrote to memory of 2912	3004	Setup_File.exe	powershell.exe
PID 540 wrote to memory of 3176	540	csc.exe	usjhlmmdmsqjfbox.exe
PID 540 wrote to memory of 3176	540	csc.exe	usjhlmmdmsqjfbox.exe
PID 540 wrote to memory of 3176	540	csc.exe	usjhlmmdmsqjfbox.exe
PID 3176 wrote to memory of 5044	3176	usjhlmmdmsqjfbox.exe	bstyoops.exe
PID 3176 wrote to memory of 5044	3176	usjhlmmdmsqjfbox.exe	bstyoops.exe
PID 3176 wrote to memory of 5044	3176	usjhlmmdmsqjfbox.exe	bstyoops.exe
PID 5044 wrote to memory of 4692	5044	bstyoops.exe	schtasks.exe
PID 5044 wrote to memory of 4692	5044	bstyoops.exe	schtasks.exe
PID 5044 wrote to memory of 4692	5044	bstyoops.exe	schtasks.exe
PID 5044 wrote to memory of 4436	5044	bstyoops.exe	cmd.exe
PID 5044 wrote to memory of 4436	5044	bstyoops.exe	cmd.exe
PID 5044 wrote to memory of 4436	5044	bstyoops.exe	cmd.exe
PID 4436 wrote to memory of 1596	4436	cmd.exe	cmd.exe
PID 4436 wrote to memory of 1596	4436	cmd.exe	cmd.exe
PID 4436 wrote to memory of 1596	4436	cmd.exe	cmd.exe
PID 4436 wrote to memory of 1648	4436	cmd.exe	cacls.exe
PID 4436 wrote to memory of 1648	4436	cmd.exe	cacls.exe
PID 4436 wrote to memory of 1648	4436	cmd.exe	cacls.exe
PID 4436 wrote to memory of 3640	4436	cmd.exe	cacls.exe
PID 4436 wrote to memory of 3640	4436	cmd.exe	cacls.exe
PID 4436 wrote to memory of 3640	4436	cmd.exe	cacls.exe
PID 4436 wrote to memory of 5068	4436	cmd.exe	cmd.exe
PID 4436 wrote to memory of 5068	4436	cmd.exe	cmd.exe
PID 4436 wrote to memory of 5068	4436	cmd.exe	cmd.exe
PID 4436 wrote to memory of 1144	4436	cmd.exe	cacls.exe
PID 4436 wrote to memory of 1144	4436	cmd.exe	cacls.exe
PID 4436 wrote to memory of 1144	4436	cmd.exe	cacls.exe
PID 4436 wrote to memory of 3456	4436	cmd.exe	cacls.exe
PID 4436 wrote to memory of 3456	4436	cmd.exe	cacls.exe
PID 4436 wrote to memory of 3456	4436	cmd.exe	cacls.exe
PID 3004 wrote to memory of 3352	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 3352	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 3352	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 3444	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 3444	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 3444	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 2036	3004	Setup_File.exe	powershell.exe
PID 3004 wrote to memory of 2036	3004	Setup_File.exe	powershell.exe
PID 3004 wrote to memory of 3444	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 3444	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 3444	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 3444	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 3444	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 3444	3004	Setup_File.exe	csc.exe
PID 3004 wrote to memory of 1164	3004	Setup_File.exe	powershell.exe
PID 3004 wrote to memory of 1164	3004	Setup_File.exe	powershell.exe
PID 3004 wrote to memory of 4844	3004	Setup_File.exe	Pvpzeuozra.exe
PID 3004 wrote to memory of 4844	3004	Setup_File.exe	Pvpzeuozra.exe
PID 3004 wrote to memory of 4844	3004	Setup_File.exe	Pvpzeuozra.exe

C:\Users\Admin\AppData\Local\Temp\Setup_File.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_File.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\usjhlmmdmsqjfbox.exe
"C:\Users\Admin\AppData\Local\Temp\usjhlmmdmsqjfbox.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
"C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
5⤵
- Creates scheduled task(s)
PID:4692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "Admin:N"&&CACLS "bstyoops.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c2868ed41c" /P "Admin:N"&&CACLS "..\c2868ed41c" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1596

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:N"
6⤵
PID:1648

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:R" /E
6⤵
PID:3640

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:N"
6⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:5068

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:R" /E
6⤵
PID:3456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:3352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 1836
3⤵
- Program crash
PID:796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAxAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAyADAA
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Users\Admin\AppData\Local\Temp\Pvpzeuozra.exe
"C:\Users\Admin\AppData\Local\Temp\Pvpzeuozra.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3444 -ip 3444
1⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:184

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:740

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1bad2704664b4c1a190586ec492be65f

SHA1
1c98e6645c66774152c184d23f7a3178ce522e7b

SHA256
5950586396814b38bfdbb86757839fc8c7ce3eb73577775473c29ce6be81fe3e

SHA512
668553c12f1e5560baba826d5c8b139d7c7e323b6aa4e3723aaca479850f898c147d63cb77d305d715044db1e75cf501d6502ca214c7ed05ded424b230893bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f8f07e4909219df138f5d1ffe8f0e7df

SHA1
b3941ec05de3b887e2814adc97eb4acf1cddee3e

SHA256
27fda329cd5e773ace7f57401da07e88e0a011571333d7a9b3a86211749ac4f9

SHA512
6616a031dfe2c2fecb3674cd05bdbb6ca8d9476c6fa54b3b46873db21886fc05334b63c25ed934b604c36ed6d4f366fd7146393a654db3cc87c47031c0e1e228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
96844f94dbe25aaf30a623e2f94bb8c5

SHA1
a578d1e42e41198a7869758c0b22a9dc945f1ef5

SHA256
c408ae287135c4062d438ad44e7688eeadb17fba797bd8580edd53cc4ef312bd

SHA512
ad125c301b8c747f40ee4cb6c9ac384eb31cc90a5c71cc933a5972838b35235eff449c3992aabc4dbeadbe59eb0b6e5db44ff8d0a6c95511bf604507d32db9a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e936ffde1732f536cc835ed3e6c83842

SHA1
05a7c09e599c32003ea21329932a032ace4f592c

SHA256
da9997a3db22d4c3b7900392af3d4a88d09de0df6c4a75d89ea1b271edbb2552

SHA512
35d49450a82c671843080c2ff2ff0d33aa5640234958b7e417a9c2f9e20e24b752a4793a99662253e7ad892dcd70904f6524d5e71c0d80333d7d01741c115870

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pvpzeuozra.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pvpzeuozra.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pvpzeuozra.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zddewayd.v0x.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.9MB

MD5
57794b001e1e8c4917aaa864268fec36

SHA1
825e7a4c79f47d61df14a140398c2770ab22fb65

SHA256
5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862

SHA512
5854c92417a8ca5fb9423483000bf26bb6bba7c89c414512efc5189f416f6f074d965d20ef279488033d06ba09a31d253b8de80f198ccaa81e792c463d3bd0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.9MB

MD5
57794b001e1e8c4917aaa864268fec36

SHA1
825e7a4c79f47d61df14a140398c2770ab22fb65

SHA256
5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862

SHA512
5854c92417a8ca5fb9423483000bf26bb6bba7c89c414512efc5189f416f6f074d965d20ef279488033d06ba09a31d253b8de80f198ccaa81e792c463d3bd0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.9MB

MD5
57794b001e1e8c4917aaa864268fec36

SHA1
825e7a4c79f47d61df14a140398c2770ab22fb65

SHA256
5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862

SHA512
5854c92417a8ca5fb9423483000bf26bb6bba7c89c414512efc5189f416f6f074d965d20ef279488033d06ba09a31d253b8de80f198ccaa81e792c463d3bd0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.9MB

MD5
57794b001e1e8c4917aaa864268fec36

SHA1
825e7a4c79f47d61df14a140398c2770ab22fb65

SHA256
5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862

SHA512
5854c92417a8ca5fb9423483000bf26bb6bba7c89c414512efc5189f416f6f074d965d20ef279488033d06ba09a31d253b8de80f198ccaa81e792c463d3bd0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.9MB

MD5
57794b001e1e8c4917aaa864268fec36

SHA1
825e7a4c79f47d61df14a140398c2770ab22fb65

SHA256
5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862

SHA512
5854c92417a8ca5fb9423483000bf26bb6bba7c89c414512efc5189f416f6f074d965d20ef279488033d06ba09a31d253b8de80f198ccaa81e792c463d3bd0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.9MB

MD5
57794b001e1e8c4917aaa864268fec36

SHA1
825e7a4c79f47d61df14a140398c2770ab22fb65

SHA256
5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862

SHA512
5854c92417a8ca5fb9423483000bf26bb6bba7c89c414512efc5189f416f6f074d965d20ef279488033d06ba09a31d253b8de80f198ccaa81e792c463d3bd0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.9MB

MD5
57794b001e1e8c4917aaa864268fec36

SHA1
825e7a4c79f47d61df14a140398c2770ab22fb65

SHA256
5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862

SHA512
5854c92417a8ca5fb9423483000bf26bb6bba7c89c414512efc5189f416f6f074d965d20ef279488033d06ba09a31d253b8de80f198ccaa81e792c463d3bd0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.9MB

MD5
57794b001e1e8c4917aaa864268fec36

SHA1
825e7a4c79f47d61df14a140398c2770ab22fb65

SHA256
5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862

SHA512
5854c92417a8ca5fb9423483000bf26bb6bba7c89c414512efc5189f416f6f074d965d20ef279488033d06ba09a31d253b8de80f198ccaa81e792c463d3bd0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.9MB

MD5
57794b001e1e8c4917aaa864268fec36

SHA1
825e7a4c79f47d61df14a140398c2770ab22fb65

SHA256
5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862

SHA512
5854c92417a8ca5fb9423483000bf26bb6bba7c89c414512efc5189f416f6f074d965d20ef279488033d06ba09a31d253b8de80f198ccaa81e792c463d3bd0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.9MB

MD5
57794b001e1e8c4917aaa864268fec36

SHA1
825e7a4c79f47d61df14a140398c2770ab22fb65

SHA256
5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862

SHA512
5854c92417a8ca5fb9423483000bf26bb6bba7c89c414512efc5189f416f6f074d965d20ef279488033d06ba09a31d253b8de80f198ccaa81e792c463d3bd0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.9MB

MD5
57794b001e1e8c4917aaa864268fec36

SHA1
825e7a4c79f47d61df14a140398c2770ab22fb65

SHA256
5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862

SHA512
5854c92417a8ca5fb9423483000bf26bb6bba7c89c414512efc5189f416f6f074d965d20ef279488033d06ba09a31d253b8de80f198ccaa81e792c463d3bd0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\usjhlmmdmsqjfbox.exe
Filesize
6.9MB

MD5
57794b001e1e8c4917aaa864268fec36

SHA1
825e7a4c79f47d61df14a140398c2770ab22fb65

SHA256
5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862

SHA512
5854c92417a8ca5fb9423483000bf26bb6bba7c89c414512efc5189f416f6f074d965d20ef279488033d06ba09a31d253b8de80f198ccaa81e792c463d3bd0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\usjhlmmdmsqjfbox.exe
Filesize
6.9MB

MD5
57794b001e1e8c4917aaa864268fec36

SHA1
825e7a4c79f47d61df14a140398c2770ab22fb65

SHA256
5514e5a91e4b192cae4f78fc9d4d10641704c3778d0fd418f305b081ba5b9862

SHA512
5854c92417a8ca5fb9423483000bf26bb6bba7c89c414512efc5189f416f6f074d965d20ef279488033d06ba09a31d253b8de80f198ccaa81e792c463d3bd0a2

Download Submit
memory/540-192-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/540-194-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1164-366-0x000001E4BA9D0000-0x000001E4BA9E0000-memory.dmp

Filesize
64KB

Download
memory/1164-399-0x00007FF978410000-0x00007FF978ED1000-memory.dmp

Filesize
10.8MB

Download
memory/1164-274-0x00007FF978410000-0x00007FF978ED1000-memory.dmp

Filesize
10.8MB

Download
memory/1164-369-0x000001E4BA9D0000-0x000001E4BA9E0000-memory.dmp

Filesize
64KB

Download
memory/1164-349-0x00007FF978410000-0x00007FF978ED1000-memory.dmp

Filesize
10.8MB

Download
memory/1164-286-0x000001E4BA9D0000-0x000001E4BA9E0000-memory.dmp

Filesize
64KB

Download
memory/1164-368-0x000001E4BA9D0000-0x000001E4BA9E0000-memory.dmp

Filesize
64KB

Download
memory/1164-275-0x000001E4BA9D0000-0x000001E4BA9E0000-memory.dmp

Filesize
64KB

Download
memory/2036-264-0x000001F4C5F90000-0x000001F4C5FA0000-memory.dmp

Filesize
64KB

Download
memory/2036-265-0x00007FF9780E0000-0x00007FF978BA1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-267-0x000001F4C5F90000-0x000001F4C5FA0000-memory.dmp

Filesize
64KB

Download
memory/2036-263-0x000001F4C5F90000-0x000001F4C5FA0000-memory.dmp

Filesize
64KB

Download
memory/2036-268-0x000001F4C5F90000-0x000001F4C5FA0000-memory.dmp

Filesize
64KB

Download
memory/2036-262-0x00007FF9780E0000-0x00007FF978BA1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-270-0x00007FF9780E0000-0x00007FF978BA1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-164-0x0000020B9A670000-0x0000020B9A680000-memory.dmp

Filesize
64KB

Download
memory/2068-169-0x00007FF978410000-0x00007FF978ED1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-149-0x0000020BB4D80000-0x0000020BB4DA2000-memory.dmp

Filesize
136KB

Download
memory/2068-159-0x00007FF978410000-0x00007FF978ED1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-160-0x0000020B9A670000-0x0000020B9A680000-memory.dmp

Filesize
64KB

Download
memory/2068-161-0x0000020B9A670000-0x0000020B9A680000-memory.dmp

Filesize
64KB

Download
memory/2068-163-0x00007FF978410000-0x00007FF978ED1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-165-0x0000020B9A670000-0x0000020B9A680000-memory.dmp

Filesize
64KB

Download
memory/2068-166-0x0000020B9A670000-0x0000020B9A680000-memory.dmp

Filesize
64KB

Download
memory/2912-196-0x000002C089B90000-0x000002C089BA0000-memory.dmp

Filesize
64KB

Download
memory/2912-211-0x000002C089B90000-0x000002C089BA0000-memory.dmp

Filesize
64KB

Download
memory/2912-250-0x00007FF978410000-0x00007FF978ED1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-195-0x00007FF978410000-0x00007FF978ED1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-213-0x000002C089B90000-0x000002C089BA0000-memory.dmp

Filesize
64KB

Download
memory/2912-197-0x000002C089B90000-0x000002C089BA0000-memory.dmp

Filesize
64KB

Download
memory/2912-208-0x000002C089B90000-0x000002C089BA0000-memory.dmp

Filesize
64KB

Download
memory/2912-210-0x00007FF978410000-0x00007FF978ED1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-212-0x000002C089B90000-0x000002C089BA0000-memory.dmp

Filesize
64KB

Download
memory/3004-148-0x000001983B900000-0x000001983B94E000-memory.dmp

Filesize
312KB

Download
memory/3004-133-0x00007FF9973F0000-0x00007FF9973F2000-memory.dmp

Filesize
8KB

Download
memory/3004-412-0x00007FF7AC7D0000-0x00007FF7AF609000-memory.dmp

Filesize
46.2MB

Download
memory/3004-147-0x00007FF7AC7D0000-0x00007FF7AF609000-memory.dmp

Filesize
46.2MB

Download
memory/3004-141-0x00007FF7AC7D0000-0x00007FF7AF609000-memory.dmp

Filesize
46.2MB

Download
memory/3004-140-0x00007FF994FC0000-0x00007FF994FC2000-memory.dmp

Filesize
8KB

Download
memory/3004-139-0x00007FF994FB0000-0x00007FF994FB2000-memory.dmp

Filesize
8KB

Download
memory/3004-138-0x00007FF996170000-0x00007FF996172000-memory.dmp

Filesize
8KB

Download
memory/3004-137-0x00007FF7AC7D0000-0x00007FF7AF609000-memory.dmp

Filesize
46.2MB

Download
memory/3004-136-0x00007FF996160000-0x00007FF996162000-memory.dmp

Filesize
8KB

Download
memory/3004-135-0x00007FF997410000-0x00007FF997412000-memory.dmp

Filesize
8KB

Download
memory/3004-134-0x00007FF997400000-0x00007FF997402000-memory.dmp

Filesize
8KB

Download
memory/3176-219-0x00000000007F0000-0x0000000001486000-memory.dmp

Filesize
12.6MB

Download
memory/3176-224-0x00000000007F0000-0x0000000001486000-memory.dmp

Filesize
12.6MB

Download
memory/3444-296-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3444-273-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3444-370-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3444-271-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3444-367-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4584-186-0x00007FF978410000-0x00007FF978ED1000-memory.dmp

Filesize
10.8MB

Download
memory/4584-184-0x000001EDA5D80000-0x000001EDA5D90000-memory.dmp

Filesize
64KB

Download
memory/4584-191-0x00007FF978410000-0x00007FF978ED1000-memory.dmp

Filesize
10.8MB

Download
memory/4584-189-0x000001EDA5D80000-0x000001EDA5D90000-memory.dmp

Filesize
64KB

Download
memory/4584-188-0x000001EDA5D80000-0x000001EDA5D90000-memory.dmp

Filesize
64KB

Download
memory/4584-177-0x00007FF978410000-0x00007FF978ED1000-memory.dmp

Filesize
10.8MB

Download
memory/4584-183-0x000001EDA5D80000-0x000001EDA5D90000-memory.dmp

Filesize
64KB

Download
memory/4584-182-0x000001EDA5D80000-0x000001EDA5D90000-memory.dmp

Filesize
64KB

Download
memory/4584-187-0x000001EDA5D80000-0x000001EDA5D90000-memory.dmp

Filesize
64KB

Download
memory/4844-419-0x0000000000C70000-0x0000000001670000-memory.dmp

Filesize
10.0MB

Download
memory/4844-416-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/4844-414-0x0000000000C70000-0x0000000001670000-memory.dmp

Filesize
10.0MB

Download
memory/5044-245-0x0000000000460000-0x00000000010F6000-memory.dmp

Filesize
12.6MB

Download
memory/5044-240-0x0000000000460000-0x00000000010F6000-memory.dmp

Filesize
12.6MB

Download