amadey | 6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2

Analysis

max time kernel
144s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25-03-2024 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe
Size

1.8MB
MD5

0f1f137ec50935756eb506a1e7a24796
SHA1

163426991cd993b8590e3739cbaa500ddb258806
SHA256

6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2
SHA512

c88e472e4c6942665a11f15e4f2e3a2ff00492eeee443a8c392a48b3b1c175ae87d1b8e0c29b63a669d23b522a2cc17bbff74bdd6767a56cfe9b75ab3e74865d
SSDEEP

49152:w2tV3gsVLMtxQveLGtpnpw4I6H/P1wLu2:TV3wtxQv0Gnpw4ICP1wL

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exeexplorha.exeexplorha.exec444e63db0.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c444e63db0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

5 3996 rundll32.exe
6 3768 rundll32.exe
13 4240 rundll32.exe
14 4852 rundll32.exe
Downloads MZ/PE file

flow	pid	process
5	3996	rundll32.exe
6	3768	rundll32.exe
13	4240	rundll32.exe
14	4852	rundll32.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exeexplorha.exec444e63db0.exeexplorha.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c444e63db0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c444e63db0.exe

Executes dropped EXE 7 IoCs

Processes:

explorha.exeexplorha.exec444e63db0.exelumma21.exechrosha.exeexplorha.exeboom8.exe

pid process

400 explorha.exe
740 explorha.exe
4044 c444e63db0.exe
3300 lumma21.exe
4232 chrosha.exe
5012 explorha.exe
4756 boom8.exe

pid	process
400	explorha.exe
740	explorha.exe
4044	c444e63db0.exe
3300	lumma21.exe
4232	chrosha.exe
5012	explorha.exe
4756	boom8.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exeexplorha.exeexplorha.exec444e63db0.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	c444e63db0.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

4848 rundll32.exe
3996 rundll32.exe
3768 rundll32.exe
2324 rundll32.exe
4240 rundll32.exe
4852 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4848	rundll32.exe
3996	rundll32.exe
3768	rundll32.exe
2324	rundll32.exe
4240	rundll32.exe
4852	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\c444e63db0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000022001\\c444e63db0.exe"	explorha.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exeexplorha.exeexplorha.exeexplorha.exe

pid process

4084 6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe
400 explorha.exe
740 explorha.exe
5012 explorha.exe

Drops file in Windows directory 2 IoCs

Processes:

6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exelumma21.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe
File created	C:\Windows\Tasks\chrosha.job	lumma21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4592 schtasks.exe

pid	process
4592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exeexplorha.exerundll32.exepowershell.exeexplorha.exeexplorha.exerundll32.exepowershell.exe

pid	process
4084	6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe
4084	6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe
400	explorha.exe
400	explorha.exe
3996	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe
4852	powershell.exe
4852	powershell.exe
740	explorha.exe
740	explorha.exe
5012	explorha.exe
5012	explorha.exe
4240	rundll32.exe
4240	rundll32.exe
4240	rundll32.exe
4240	rundll32.exe
4240	rundll32.exe
4240	rundll32.exe
4240	rundll32.exe
4240	rundll32.exe
4240	rundll32.exe
4240	rundll32.exe
2464	powershell.exe
2464	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4852 powershell.exe
Token: SeDebugPrivilege 2464 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe

pid process

4084 6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe

description	pid	process
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exeexplorha.exerundll32.exerundll32.exechrosha.exerundll32.exerundll32.exeboom8.exe

description	pid	process	target process
PID 4084 wrote to memory of 400	4084	6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe	explorha.exe
PID 4084 wrote to memory of 400	4084	6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe	explorha.exe
PID 4084 wrote to memory of 400	4084	6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe	explorha.exe
PID 400 wrote to memory of 4848	400	explorha.exe	rundll32.exe
PID 400 wrote to memory of 4848	400	explorha.exe	rundll32.exe
PID 400 wrote to memory of 4848	400	explorha.exe	rundll32.exe
PID 4848 wrote to memory of 3996	4848	rundll32.exe	rundll32.exe
PID 4848 wrote to memory of 3996	4848	rundll32.exe	rundll32.exe
PID 3996 wrote to memory of 3592	3996	rundll32.exe	netsh.exe
PID 3996 wrote to memory of 3592	3996	rundll32.exe	netsh.exe
PID 3996 wrote to memory of 4852	3996	rundll32.exe	powershell.exe
PID 3996 wrote to memory of 4852	3996	rundll32.exe	powershell.exe
PID 400 wrote to memory of 3768	400	explorha.exe	rundll32.exe
PID 400 wrote to memory of 3768	400	explorha.exe	rundll32.exe
PID 400 wrote to memory of 3768	400	explorha.exe	rundll32.exe
PID 400 wrote to memory of 4044	400	explorha.exe	c444e63db0.exe
PID 400 wrote to memory of 4044	400	explorha.exe	c444e63db0.exe
PID 400 wrote to memory of 4044	400	explorha.exe	c444e63db0.exe
PID 400 wrote to memory of 2272	400	explorha.exe	explorha.exe
PID 400 wrote to memory of 2272	400	explorha.exe	explorha.exe
PID 400 wrote to memory of 2272	400	explorha.exe	explorha.exe
PID 400 wrote to memory of 3300	400	explorha.exe	lumma21.exe
PID 400 wrote to memory of 3300	400	explorha.exe	lumma21.exe
PID 400 wrote to memory of 3300	400	explorha.exe	lumma21.exe
PID 4232 wrote to memory of 2324	4232	chrosha.exe	rundll32.exe
PID 4232 wrote to memory of 2324	4232	chrosha.exe	rundll32.exe
PID 4232 wrote to memory of 2324	4232	chrosha.exe	rundll32.exe
PID 2324 wrote to memory of 4240	2324	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 4240	2324	rundll32.exe	rundll32.exe
PID 4240 wrote to memory of 4700	4240	rundll32.exe	netsh.exe
PID 4240 wrote to memory of 4700	4240	rundll32.exe	netsh.exe
PID 4240 wrote to memory of 2464	4240	rundll32.exe	powershell.exe
PID 4240 wrote to memory of 2464	4240	rundll32.exe	powershell.exe
PID 4232 wrote to memory of 4852	4232	chrosha.exe	rundll32.exe
PID 4232 wrote to memory of 4852	4232	chrosha.exe	rundll32.exe
PID 4232 wrote to memory of 4852	4232	chrosha.exe	rundll32.exe
PID 4232 wrote to memory of 4756	4232	chrosha.exe	boom8.exe
PID 4232 wrote to memory of 4756	4232	chrosha.exe	boom8.exe
PID 4232 wrote to memory of 4756	4232	chrosha.exe	boom8.exe
PID 4756 wrote to memory of 4592	4756	boom8.exe	schtasks.exe
PID 4756 wrote to memory of 4592	4756	boom8.exe	schtasks.exe
PID 4756 wrote to memory of 4592	4756	boom8.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe
"C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:3592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:3768
- - C:\Users\Admin\AppData\Local\Temp\1000022001\c444e63db0.exe
    "C:\Users\Admin\AppData\Local\Temp\1000022001\c444e63db0.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:4044
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:2272
- - C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
    "C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3300

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:740

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:4700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2464
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
  "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN boom8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4592

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ca0032e53df57864eca5c293d705d0d

SHA1
faf09dad6654035c51e5f0e373cb280cf97fde34

SHA256
661aeb3b5959e598699b8d83e3f8b962ad2783c4d1ed7cd9ed8355b26e013b17

SHA512
a5e92e427a6ffc7d177819d63e86adc50c34b20abb5304335933de388b46c2ffad7d993d6a478edbcdd203cca2b98d96db6f50ab917b6e21825327e164e7b437

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.5MB

MD5
676d5c99f20607e8b75abc4942526f49

SHA1
ddeeb0cafec738304f5393a4a689ec53b9888822

SHA256
15d5fa66fc5ecc0a2ad7bf9dfe27eeb7fd09b9a37ca0f0d4bf507e99aa4d62c0

SHA512
12d35c5f7932540555194e5d7426b1cc6ea1be04754e55ff2c1c0eb6175978ba03f3033d646c7ab457970f6b55b2c3d3f4633b5558b97198c5debd73311c1478

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
927KB

MD5
03cae7ddd989b541ba318aed351e436b

SHA1
7952ffbb37a205eb7011e611a4c685a7751efba2

SHA256
b341ecc45521633ac70103dc4f72020dffa7fee9f84b862cc42a67532c755a37

SHA512
6aa0090aa5a054cfe3401d7f49a140d649fc14f9a4b3ba9e587d8e78b2490448ff575881b74533c6d980f68bba0a9547ff755f74189449d697200b9daee9d9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
336KB

MD5
5395adfe1ee032fcfebc136ab9447554

SHA1
1f58e9f60d9799057b1a83513ee62fec7e51cdba

SHA256
9b6fa2e775ef0c417352db72904e7b2fc8a4f3ed3a8c22ac4a06741153afa0f5

SHA512
8cdd4e27061e5308d5395200b09c0f113b37f40fca57a6358bd8d996c5b9e5521e9144cf8d60dd2f7295aa7b3e116b7790d11815ff7c123e9520b3de2e53e6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.8MB

MD5
0f1f137ec50935756eb506a1e7a24796

SHA1
163426991cd993b8590e3739cbaa500ddb258806

SHA256
6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2

SHA512
c88e472e4c6942665a11f15e4f2e3a2ff00492eeee443a8c392a48b3b1c175ae87d1b8e0c29b63a669d23b522a2cc17bbff74bdd6767a56cfe9b75ab3e74865d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000022001\c444e63db0.exe

Filesize
3.0MB

MD5
4351cfdb828068ca48e7507af790d5c4

SHA1
a9c7efaf95dbf3a0d135aa2d83ac37d22dc84764

SHA256
d68cd82842221eb6f9b591e17bd782084a7db96ef1ded5c8e04710bc2916198b

SHA512
66a8c11f287dd1eb1e26f0ff518aab764ce0ee079534b9f40b001936f7e4b016daa26009f0b0f06968ccabbf21b593e774b48cf9e39a48f096c24037137156ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe

Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uslkb5pa.3rn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
5KB

MD5
6625945aa4e9522e645323cb22182715

SHA1
cb1b774ecc95796ad1fdf34a05c62664d9db6318

SHA256
48d51dbd21e5b3750177bc9f48a8b1197860ea7d0bafeaa2f42f7ddb8cb422fc

SHA512
72ffdb5a46283f0f0406ec071acc79c6aa92745de5f8dfa3ed0d39bf8ce707796a4ae56e11abfe3a48e74d4e26b196e3f96e814d3d3b63eae5c7cda65943c88a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
memory/400-32-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/400-142-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-27-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/400-31-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/400-30-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/400-29-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/400-26-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/400-25-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-33-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/400-187-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-34-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-35-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-36-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-137-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-153-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-200-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-135-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-128-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-218-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-58-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-109-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-28-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/400-23-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-88-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/400-164-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/740-73-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/740-72-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/740-76-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/740-75-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/740-74-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/740-70-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/740-77-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/740-62-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/2464-170-0x00007FFD53620000-0x00007FFD540E2000-memory.dmp

Filesize
10.8MB

Download
memory/2464-186-0x00007FFD53620000-0x00007FFD540E2000-memory.dmp

Filesize
10.8MB

Download
memory/2464-172-0x0000016166770000-0x0000016166780000-memory.dmp

Filesize
64KB

Download
memory/2464-171-0x0000016166770000-0x0000016166780000-memory.dmp

Filesize
64KB

Download
memory/4044-165-0x0000000000A60000-0x0000000000E05000-memory.dmp

Filesize
3.6MB

Download
memory/4044-143-0x0000000000A60000-0x0000000000E05000-memory.dmp

Filesize
3.6MB

Download
memory/4044-219-0x0000000000A60000-0x0000000000E05000-memory.dmp

Filesize
3.6MB

Download
memory/4044-110-0x0000000000A60000-0x0000000000E05000-memory.dmp

Filesize
3.6MB

Download
memory/4044-154-0x0000000000A60000-0x0000000000E05000-memory.dmp

Filesize
3.6MB

Download
memory/4044-107-0x0000000000A60000-0x0000000000E05000-memory.dmp

Filesize
3.6MB

Download
memory/4044-133-0x0000000000A60000-0x0000000000E05000-memory.dmp

Filesize
3.6MB

Download
memory/4044-134-0x0000000000A60000-0x0000000000E05000-memory.dmp

Filesize
3.6MB

Download
memory/4044-108-0x0000000000A60000-0x0000000000E05000-memory.dmp

Filesize
3.6MB

Download
memory/4044-136-0x0000000000A60000-0x0000000000E05000-memory.dmp

Filesize
3.6MB

Download
memory/4044-188-0x0000000000A60000-0x0000000000E05000-memory.dmp

Filesize
3.6MB

Download
memory/4044-138-0x0000000000A60000-0x0000000000E05000-memory.dmp

Filesize
3.6MB

Download
memory/4044-201-0x0000000000A60000-0x0000000000E05000-memory.dmp

Filesize
3.6MB

Download
memory/4084-7-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/4084-11-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4084-2-0x0000000000F40000-0x00000000013F4000-memory.dmp

Filesize
4.7MB

Download
memory/4084-5-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4084-10-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/4084-3-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4084-4-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/4084-24-0x0000000000F40000-0x00000000013F4000-memory.dmp

Filesize
4.7MB

Download
memory/4084-1-0x0000000077486000-0x0000000077488000-memory.dmp

Filesize
8KB

Download
memory/4084-6-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/4084-9-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/4084-0-0x0000000000F40000-0x00000000013F4000-memory.dmp

Filesize
4.7MB

Download
memory/4084-8-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/4852-63-0x000001D7B2B60000-0x000001D7B2B72000-memory.dmp

Filesize
72KB

Download
memory/4852-64-0x000001D7B2B50000-0x000001D7B2B5A000-memory.dmp

Filesize
40KB

Download
memory/4852-59-0x000001D7B2910000-0x000001D7B2920000-memory.dmp

Filesize
64KB

Download
memory/4852-57-0x00007FFD53620000-0x00007FFD540E2000-memory.dmp

Filesize
10.8MB

Download
memory/4852-60-0x000001D7B2910000-0x000001D7B2920000-memory.dmp

Filesize
64KB

Download
memory/4852-56-0x000001D7B2AE0000-0x000001D7B2B02000-memory.dmp

Filesize
136KB

Download
memory/4852-71-0x00007FFD53620000-0x00007FFD540E2000-memory.dmp

Filesize
10.8MB

Download
memory/5012-150-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/5012-146-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/5012-148-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/5012-147-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/5012-145-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/5012-144-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download
memory/5012-149-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/5012-151-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/5012-152-0x0000000000250000-0x0000000000704000-memory.dmp

Filesize
4.7MB

Download