amadey | 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
Size

1.8MB
MD5

fd99bc3307c9d14045736fd8dbcc06df
SHA1

556af12bac58f37ed315a8567f9b0b3d181571cf
SHA256

7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f
SHA512

d19154f5fa63bc8bf5fa2f3b24ada0a1fa1be890b5972fe984a8dcf1735020baf6c831aae0739a55855078bc7ab2017623107cb297d361abd760a2f84696258e
SSDEEP

49152:XNfmZUvuyENu82GjpFezMtr46xkif1KwIjiNB:dfgUvutu2jpYzMq6x31KwJN

Score

10^/10

amadey lumma redline rhadamanthys zgrat @rlreborn cloud (tg: @fatherofcarders)new discovery evasion infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

new

185.215.113.67:26260

Extracted

Family

redline

Botnet

@RLREBORN Cloud (TG: @FATHEROFCARDERS)

45.15.156.209:40481

Extracted

Family

lumma

https://triangleseasonbenchwj.shop/api

https://gemcreedarticulateod.shop/api

https://secretionsuitcasenioise.shop/api

https://claimconcessionrebe.shop/api

https://liabilityarrangemenyit.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe	family_zgrat_v1
behavioral2/memory/4616-84-0x0000000000E60000-0x00000000013F2000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000279001\new.exe	family_redline
behavioral2/memory/2900-110-0x0000000000840000-0x0000000000894000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000280001\RDX1.exe	family_redline
behavioral2/memory/2120-140-0x0000000000F30000-0x0000000000F84000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

MsBuild.exe

description pid process target process

PID 2860 created 2508 2860 MsBuild.exe sihost.exe
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

description	pid	process	target process
PID 2860 created 2508	2860	MsBuild.exe	sihost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

45 3676 rundll32.exe
61 2236 rundll32.exe
Downloads MZ/PE file

flow	pid	process
45	3676	rundll32.exe
61	2236	rundll32.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorgu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	explorgu.exe

Executes dropped EXE 6 IoCs

Processes:

explorgu.exeNational.exenew.exeRDX1.exelumma123142124.exeFile300un.exe

pid process

1376 explorgu.exe
4616 National.exe
2900 new.exe
2120 RDX1.exe
3308 lumma123142124.exe
1696 File300un.exe

pid	process
1376	explorgu.exe
4616	National.exe
2900	new.exe
2120	RDX1.exe
3308	lumma123142124.exe
1696	File300un.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Wine	7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Wine	explorgu.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exeNational.exe

pid process

4384 rundll32.exe
3676 rundll32.exe
2236 rundll32.exe
4616 National.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exeexplorgu.exe

pid process

3740 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
1376 explorgu.exe

pid	process
4384	rundll32.exe
3676	rundll32.exe
2236	rundll32.exe
4616	National.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

lumma123142124.exeNational.exe

description	pid	process	target process
PID 3308 set thread context of 3064	3308	lumma123142124.exe	RegAsm.exe
PID 4616 set thread context of 2860	4616	National.exe	MsBuild.exe

Drops file in Windows directory 1 IoCs

Processes:

7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3084	3064	WerFault.exe	RegAsm.exe
1688	4616	WerFault.exe	National.exe
988	2860	WerFault.exe	MsBuild.exe
2876	2860	WerFault.exe	MsBuild.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exeexplorgu.exerundll32.exepowershell.exenew.exeMsBuild.exedialer.exeRDX1.exe

pid	process
3740	7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
3740	7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
1376	explorgu.exe
1376	explorgu.exe
3676	rundll32.exe
3676	rundll32.exe
3676	rundll32.exe
3676	rundll32.exe
3676	rundll32.exe
3676	rundll32.exe
3676	rundll32.exe
3676	rundll32.exe
3676	rundll32.exe
3676	rundll32.exe
3792	powershell.exe
3792	powershell.exe
2900	new.exe
2900	new.exe
2900	new.exe
2900	new.exe
2900	new.exe
2860	MsBuild.exe
2860	MsBuild.exe
1460	dialer.exe
1460	dialer.exe
1460	dialer.exe
1460	dialer.exe
2120	RDX1.exe
2120	RDX1.exe
2120	RDX1.exe
2120	RDX1.exe
2120	RDX1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exenew.exeRDX1.exe

description pid process

Token: SeDebugPrivilege 3792 powershell.exe
Token: SeDebugPrivilege 2900 new.exe
Token: SeDebugPrivilege 2120 RDX1.exe

description	pid	process
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	2900	new.exe
Token: SeDebugPrivilege	2120	RDX1.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

explorgu.exerundll32.exerundll32.exelumma123142124.exeNational.exeMsBuild.exe

description	pid	process	target process
PID 1376 wrote to memory of 4384	1376	explorgu.exe	rundll32.exe
PID 1376 wrote to memory of 4384	1376	explorgu.exe	rundll32.exe
PID 1376 wrote to memory of 4384	1376	explorgu.exe	rundll32.exe
PID 4384 wrote to memory of 3676	4384	rundll32.exe	rundll32.exe
PID 4384 wrote to memory of 3676	4384	rundll32.exe	rundll32.exe
PID 3676 wrote to memory of 2936	3676	rundll32.exe	netsh.exe
PID 3676 wrote to memory of 2936	3676	rundll32.exe	netsh.exe
PID 3676 wrote to memory of 3792	3676	rundll32.exe	powershell.exe
PID 3676 wrote to memory of 3792	3676	rundll32.exe	powershell.exe
PID 1376 wrote to memory of 4616	1376	explorgu.exe	National.exe
PID 1376 wrote to memory of 4616	1376	explorgu.exe	National.exe
PID 1376 wrote to memory of 4616	1376	explorgu.exe	National.exe
PID 1376 wrote to memory of 2900	1376	explorgu.exe	new.exe
PID 1376 wrote to memory of 2900	1376	explorgu.exe	new.exe
PID 1376 wrote to memory of 2900	1376	explorgu.exe	new.exe
PID 1376 wrote to memory of 2120	1376	explorgu.exe	RDX1.exe
PID 1376 wrote to memory of 2120	1376	explorgu.exe	RDX1.exe
PID 1376 wrote to memory of 2120	1376	explorgu.exe	RDX1.exe
PID 1376 wrote to memory of 3308	1376	explorgu.exe	lumma123142124.exe
PID 1376 wrote to memory of 3308	1376	explorgu.exe	lumma123142124.exe
PID 1376 wrote to memory of 3308	1376	explorgu.exe	lumma123142124.exe
PID 3308 wrote to memory of 3064	3308	lumma123142124.exe	RegAsm.exe
PID 3308 wrote to memory of 3064	3308	lumma123142124.exe	RegAsm.exe
PID 3308 wrote to memory of 3064	3308	lumma123142124.exe	RegAsm.exe
PID 3308 wrote to memory of 3064	3308	lumma123142124.exe	RegAsm.exe
PID 3308 wrote to memory of 3064	3308	lumma123142124.exe	RegAsm.exe
PID 3308 wrote to memory of 3064	3308	lumma123142124.exe	RegAsm.exe
PID 3308 wrote to memory of 3064	3308	lumma123142124.exe	RegAsm.exe
PID 3308 wrote to memory of 3064	3308	lumma123142124.exe	RegAsm.exe
PID 3308 wrote to memory of 3064	3308	lumma123142124.exe	RegAsm.exe
PID 1376 wrote to memory of 1696	1376	explorgu.exe	File300un.exe
PID 1376 wrote to memory of 1696	1376	explorgu.exe	File300un.exe
PID 1376 wrote to memory of 1696	1376	explorgu.exe	File300un.exe
PID 1376 wrote to memory of 2236	1376	explorgu.exe	rundll32.exe
PID 1376 wrote to memory of 2236	1376	explorgu.exe	rundll32.exe
PID 1376 wrote to memory of 2236	1376	explorgu.exe	rundll32.exe
PID 4616 wrote to memory of 2860	4616	National.exe	MsBuild.exe
PID 4616 wrote to memory of 2860	4616	National.exe	MsBuild.exe
PID 4616 wrote to memory of 2860	4616	National.exe	MsBuild.exe
PID 4616 wrote to memory of 2860	4616	National.exe	MsBuild.exe
PID 4616 wrote to memory of 2860	4616	National.exe	MsBuild.exe
PID 4616 wrote to memory of 2860	4616	National.exe	MsBuild.exe
PID 4616 wrote to memory of 2860	4616	National.exe	MsBuild.exe
PID 4616 wrote to memory of 2860	4616	National.exe	MsBuild.exe
PID 4616 wrote to memory of 2860	4616	National.exe	MsBuild.exe
PID 4616 wrote to memory of 2860	4616	National.exe	MsBuild.exe
PID 4616 wrote to memory of 2860	4616	National.exe	MsBuild.exe
PID 2860 wrote to memory of 1460	2860	MsBuild.exe	dialer.exe
PID 2860 wrote to memory of 1460	2860	MsBuild.exe	dialer.exe
PID 2860 wrote to memory of 1460	2860	MsBuild.exe	dialer.exe
PID 2860 wrote to memory of 1460	2860	MsBuild.exe	dialer.exe
PID 2860 wrote to memory of 1460	2860	MsBuild.exe	dialer.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2508

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1460

C:\Users\Admin\AppData\Local\Temp\7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
"C:\Users\Admin\AppData\Local\Temp\7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3740

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:2936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\168293393341_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe
"C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 424
4⤵
- Program crash
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 408
4⤵
- Program crash
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 992
3⤵
- Program crash
PID:1688

C:\Users\Admin\AppData\Local\Temp\1000279001\new.exe
"C:\Users\Admin\AppData\Local\Temp\1000279001\new.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Users\Admin\AppData\Local\Temp\1000280001\RDX1.exe
"C:\Users\Admin\AppData\Local\Temp\1000280001\RDX1.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Users\Admin\AppData\Local\Temp\1000281001\lumma123142124.exe
"C:\Users\Admin\AppData\Local\Temp\1000281001\lumma123142124.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1200
4⤵
- Program crash
PID:3084

C:\Users\Admin\AppData\Local\Temp\1000282001\File300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000282001\File300un.exe"
2⤵
- Executes dropped EXE
PID:1696

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3064 -ip 3064
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4616 -ip 4616
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2860 -ip 2860
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2860 -ip 2860
1⤵
PID:220

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
Filesize
1.8MB

MD5
fd99bc3307c9d14045736fd8dbcc06df

SHA1
556af12bac58f37ed315a8567f9b0b3d181571cf

SHA256
7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f

SHA512
d19154f5fa63bc8bf5fa2f3b24ada0a1fa1be890b5972fe984a8dcf1735020baf6c831aae0739a55855078bc7ab2017623107cb297d361abd760a2f84696258e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe
Filesize
1.1MB

MD5
330bb5701f1592f7ab49085c2549f04c

SHA1
6f25c5cf1fb3ff8d6c338ccab9e40ec5c2f590e3

SHA256
5bfebcc84ef47cf922eac7cf5b48a11019a03e8057f8e319ac052f107232ef32

SHA512
08e43920a1313fc5bff0c5f6af037387978a0d3c235e7ec020f0203bc9639432b5738d4e6b8425d6b7bd7aa921786302ae97093924bf5347c8b138ccf49907d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe
Filesize
627KB

MD5
44d3b2e8ed2906f2ce2c5c35bdecfd5c

SHA1
d46337dce56efe3c1a005a69693bee10502fbf7b

SHA256
28eb60cd926363d7b86c9abd9e6e7c0c54c76fff7f7d8e4882d71e0e2efc765a

SHA512
3b1c4a03e052c47d969fce3d881d9a354b842ba94f1126f1c6952bd6e150842e043b4f0aefe03a6b1a3a82f1aca42d940a2341fc6f80c17be3eefb61d8cb835e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe
Filesize
584KB

MD5
ee3ca7b94ffe9995a83adaf1cdae6c41

SHA1
454ed3b52d6a799571edeb34d244069770358cf9

SHA256
f14a8a6c87d91a9d90e90d7df5b206bd33a056dae2a269ff2cd36f7729177ce1

SHA512
7c8906189a65550206c7baf79841d68ec7b770d53ab12f98fccf985ed8dafde49edc55be5cc4681639a5f255db2516f8313755f76438b723f74c7dcede73c574

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000279001\new.exe
Filesize
313KB

MD5
f7df4f6867414bb68132b8815f010e4a

SHA1
ff3b43447568de645671afb2214b26901ad7a4fc

SHA256
2c9490406c7ea631dddcd60f862445faef37c036651636e4bf5e6fe0837c4b42

SHA512
0ad9b1544c25ae7814fe1ecdb1cfd466fd14603a6d55749e63ce6b90926ad239f134aef1bcaa0910b79235b8a3873ad11698e17dbd0cfee92fb909f4daf0412e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000280001\RDX1.exe
Filesize
313KB

MD5
a98147219e118138a69583d2bf4b4a4f

SHA1
0933d682bc3d11a1468fbca7c863a5c1619b06ed

SHA256
aea02ed572705a2cb522550f31ec39cf0781b90d5ea6f58686f60bd7c91e52c2

SHA512
719e73b5341d7c358439efdcf9d479c68bd7d0a67a77fc190e187a1dc293f4791357e509e08b94156b71b9bcc02c4ab5576f4f67a25da7ea4d5a026ae4f86266

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000281001\lumma123142124.exe
Filesize
600KB

MD5
cad41f50c144c92747eee506f5c69a05

SHA1
f08fd5ec92fd22ba613776199182b3b1edb4f7b2

SHA256
1ac5eed2f7fc98b3d247240faa30f221f5692b15ea5b5c1eba3390709cb025c6

SHA512
64b89f3a3b667cd81f33985db9c76ffd0bb716ce8ed93f97c24d3c20e7236d91d02af9371a26d41f55b564702bd1f6fd7489055868fcd1610c04beb79ae8c045

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000282001\File300un.exe
Filesize
57KB

MD5
055231d52a308768e6f648954fd9a3af

SHA1
eb07ae002f10dd7a0940499b1b65ad4726bd9576

SHA256
1da862e5ed37d1aca728940d0f58601c2932a86289bcd8aee627d4b8f3abb3c3

SHA512
9b4807e91b195c776dff98087298cd465083d57aac425d149e733b1b9e37cfd0bca73182dbf93f4ce75c74730656778a3b2e6f52f8dd054efa9c5040f38b80c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
94KB

MD5
d19d241b132d7fdaabc2b7c11c0ce2f7

SHA1
6606c52a2837ca33bfaa73b06e4f8299e5fce138

SHA256
24d269b4c0b58d2073fa6c1513f835ebcfc89fd4b4a09356e72eb17f7d49e365

SHA512
abb7794ba6da10c1469af5b1530a4e0c0345173ed343a5fc6ed54b43e74f024b06cbff409054fb2c8160b3891d6c079646fa34304b46a0e3a234b529cda870b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tl0lbi0k.f4m.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
294KB

MD5
fab1aa84f44010c7e504ae47452ddc92

SHA1
c1f15113aad143af1adbf1f39b649ab48c871359

SHA256
d927a2c1fd15d067eabd8f2d9b133317d5d1bdc8df2de54573b4b2a290ba1f0e

SHA512
ac1cb2eee4de0e79fb85b782486bc76cd3b6cd29010580ac4145b89bd63f5bdf4a53d67d7da44197052b6878637ab7974df4d38b097b05cb5a6a37d95fb47f8a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
memory/1376-55-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1376-89-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1376-21-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1376-26-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1376-25-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/1376-24-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/1376-23-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1376-22-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1376-20-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1376-27-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1376-28-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1376-29-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1376-276-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1376-275-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1376-162-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1376-274-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1376-273-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1376-221-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1376-272-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1376-19-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1376-18-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1376-267-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1376-266-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1376-225-0x0000000000820000-0x0000000000CE0000-memory.dmp

Filesize
4.8MB

Download
memory/1460-263-0x0000000076950000-0x0000000076B65000-memory.dmp

Filesize
2.1MB

Download
memory/1460-259-0x0000000002930000-0x0000000002D30000-memory.dmp

Filesize
4.0MB

Download
memory/1460-260-0x00007FFDE0D50000-0x00007FFDE0F45000-memory.dmp

Filesize
2.0MB

Download
memory/1460-256-0x0000000000CB0000-0x0000000000CB9000-memory.dmp

Filesize
36KB

Download
memory/1696-200-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/1696-198-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/2120-140-0x0000000000F30000-0x0000000000F84000-memory.dmp

Filesize
336KB

Download
memory/2120-142-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/2120-141-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/2860-252-0x00007FFDE0D50000-0x00007FFDE0F45000-memory.dmp

Filesize
2.0MB

Download
memory/2860-251-0x0000000003DF0000-0x00000000041F0000-memory.dmp

Filesize
4.0MB

Download
memory/2860-255-0x0000000076950000-0x0000000076B65000-memory.dmp

Filesize
2.1MB

Download
memory/2860-242-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2860-246-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2860-249-0x0000000003DF0000-0x00000000041F0000-memory.dmp

Filesize
4.0MB

Download
memory/2900-113-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/2900-110-0x0000000000840000-0x0000000000894000-memory.dmp

Filesize
336KB

Download
memory/2900-116-0x00000000063E0000-0x00000000069F8000-memory.dmp

Filesize
6.1MB

Download
memory/2900-118-0x00000000052E0000-0x00000000052F2000-memory.dmp

Filesize
72KB

Download
memory/2900-119-0x0000000005350000-0x000000000538C000-memory.dmp

Filesize
240KB

Download
memory/2900-117-0x00000000055C0000-0x00000000056CA000-memory.dmp

Filesize
1.0MB

Download
memory/2900-120-0x00000000054B0000-0x00000000054FC000-memory.dmp

Filesize
304KB

Download
memory/2900-114-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/2900-111-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/2900-115-0x0000000005160000-0x000000000516A000-memory.dmp

Filesize
40KB

Download
memory/2900-112-0x0000000005810000-0x0000000005DB4000-memory.dmp

Filesize
5.6MB

Download
memory/3064-178-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3064-168-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3064-171-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3064-175-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3064-176-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3064-177-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3308-173-0x0000000002B50000-0x0000000004B50000-memory.dmp

Filesize
32.0MB

Download
memory/3308-163-0x00000000006F0000-0x000000000078C000-memory.dmp

Filesize
624KB

Download
memory/3308-164-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/3308-165-0x00000000011F0000-0x0000000001200000-memory.dmp

Filesize
64KB

Download
memory/3308-174-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/3740-0-0x0000000000960000-0x0000000000E20000-memory.dmp

Filesize
4.8MB

Download
memory/3740-1-0x0000000077274000-0x0000000077276000-memory.dmp

Filesize
8KB

Download
memory/3740-2-0x0000000000960000-0x0000000000E20000-memory.dmp

Filesize
4.8MB

Download
memory/3740-3-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3740-4-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3740-5-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3740-6-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/3740-7-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3740-8-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3740-9-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/3740-10-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/3740-15-0x0000000000960000-0x0000000000E20000-memory.dmp

Filesize
4.8MB

Download
memory/3792-48-0x000002C655680000-0x000002C6556A2000-memory.dmp

Filesize
136KB

Download
memory/3792-53-0x000002C6556C0000-0x000002C6556D0000-memory.dmp

Filesize
64KB

Download
memory/3792-52-0x00007FFDC1B20000-0x00007FFDC25E1000-memory.dmp

Filesize
10.8MB

Download
memory/3792-54-0x000002C6556C0000-0x000002C6556D0000-memory.dmp

Filesize
64KB

Download
memory/3792-56-0x000002C6556C0000-0x000002C6556D0000-memory.dmp

Filesize
64KB

Download
memory/3792-57-0x000002C66E5C0000-0x000002C66E5D2000-memory.dmp

Filesize
72KB

Download
memory/3792-58-0x000002C66E5A0000-0x000002C66E5AA000-memory.dmp

Filesize
40KB

Download
memory/3792-64-0x00007FFDC1B20000-0x00007FFDC25E1000-memory.dmp

Filesize
10.8MB

Download
memory/4616-84-0x0000000000E60000-0x00000000013F2000-memory.dmp

Filesize
5.6MB

Download
memory/4616-85-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/4616-86-0x0000000005E30000-0x0000000005ECC000-memory.dmp

Filesize
624KB

Download
memory/4616-199-0x0000000072E80000-0x0000000073630000-memory.dmp

Filesize
7.7MB

Download
memory/4616-87-0x0000000005D40000-0x0000000005D5A000-memory.dmp

Filesize
104KB

Download
memory/4616-88-0x0000000005D60000-0x0000000005D68000-memory.dmp

Filesize
32KB

Download
memory/4616-90-0x0000000005D80000-0x0000000005D90000-memory.dmp

Filesize
64KB

Download