Malware Analysis Report

2025-08-11 01:12

Sample ID 240325-b4vzhsce79
Target 6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2
SHA256 6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2
Tags
amadey evasion spyware stealer trojan risepro persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2

Threat Level: Known bad

The file 6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2 was found to be: Known bad.

Malicious Activity Summary

amadey evasion spyware stealer trojan risepro persistence

Amadey

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Blocklisted process makes network request

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Reads local data of messenger clients

Reads WinSCP keys stored on the system

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 01:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 01:42

Reported

2024-03-25 01:45

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorha.job C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3288 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 3288 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 3288 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 1456 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4000 wrote to memory of 2344 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4000 wrote to memory of 2344 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2344 wrote to memory of 4672 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 2344 wrote to memory of 4672 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 2344 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe

"C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\098131212907_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 56.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 33.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 199.232.210.172:80 tcp
PL 93.184.221.240:80 tcp

Files

memory/3288-0-0x0000000000F30000-0x00000000013E4000-memory.dmp

memory/3288-1-0x0000000076FA4000-0x0000000076FA6000-memory.dmp

memory/3288-2-0x0000000000F30000-0x00000000013E4000-memory.dmp

memory/3288-3-0x0000000005580000-0x0000000005581000-memory.dmp

memory/3288-4-0x0000000005590000-0x0000000005591000-memory.dmp

memory/3288-5-0x0000000005570000-0x0000000005571000-memory.dmp

memory/3288-6-0x00000000055B0000-0x00000000055B1000-memory.dmp

memory/3288-7-0x0000000005550000-0x0000000005551000-memory.dmp

memory/3288-8-0x0000000005560000-0x0000000005561000-memory.dmp

memory/3288-9-0x00000000055D0000-0x00000000055D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 0f1f137ec50935756eb506a1e7a24796
SHA1 163426991cd993b8590e3739cbaa500ddb258806
SHA256 6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2
SHA512 c88e472e4c6942665a11f15e4f2e3a2ff00492eeee443a8c392a48b3b1c175ae87d1b8e0c29b63a669d23b522a2cc17bbff74bdd6767a56cfe9b75ab3e74865d

memory/1456-22-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/3288-20-0x0000000000F30000-0x00000000013E4000-memory.dmp

memory/1456-24-0x00000000054C0000-0x00000000054C1000-memory.dmp

memory/1456-23-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/1456-25-0x00000000054D0000-0x00000000054D1000-memory.dmp

memory/1456-26-0x00000000054B0000-0x00000000054B1000-memory.dmp

memory/1456-28-0x0000000005490000-0x0000000005491000-memory.dmp

memory/1456-29-0x00000000054A0000-0x00000000054A1000-memory.dmp

memory/1456-30-0x00000000054F0000-0x00000000054F1000-memory.dmp

memory/1456-27-0x0000000005500000-0x0000000005501000-memory.dmp

memory/1456-31-0x0000000005520000-0x0000000005521000-memory.dmp

memory/1456-32-0x0000000005510000-0x0000000005511000-memory.dmp

memory/1456-33-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/1456-34-0x0000000000AC0000-0x0000000000F74000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

memory/1456-46-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/2036-48-0x000002649FA60000-0x000002649FA82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a0gqrceh.ra5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2036-57-0x00007FFC21200000-0x00007FFC21CC1000-memory.dmp

memory/2036-58-0x00000264871E0000-0x00000264871F0000-memory.dmp

memory/2036-59-0x00000264871E0000-0x00000264871F0000-memory.dmp

memory/2036-60-0x000002649FE20000-0x000002649FE32000-memory.dmp

memory/2036-61-0x000002649FAB0000-0x000002649FABA000-memory.dmp

memory/2036-67-0x00007FFC21200000-0x00007FFC21CC1000-memory.dmp

memory/4436-69-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/4436-70-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/4436-71-0x0000000005450000-0x0000000005451000-memory.dmp

memory/4436-72-0x0000000005460000-0x0000000005461000-memory.dmp

memory/4436-73-0x0000000005440000-0x0000000005441000-memory.dmp

memory/4436-75-0x0000000005420000-0x0000000005421000-memory.dmp

memory/4436-74-0x0000000005490000-0x0000000005491000-memory.dmp

memory/4436-76-0x0000000005430000-0x0000000005431000-memory.dmp

memory/4436-77-0x0000000005480000-0x0000000005481000-memory.dmp

memory/4436-78-0x0000000000AC0000-0x0000000000F74000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

memory/1456-89-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/1456-90-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/1456-91-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/1456-92-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/1456-93-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/1456-94-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/3796-96-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/3796-97-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/3796-98-0x0000000005490000-0x0000000005491000-memory.dmp

memory/3796-99-0x00000000054A0000-0x00000000054A1000-memory.dmp

memory/3796-100-0x0000000005480000-0x0000000005481000-memory.dmp

memory/3796-101-0x00000000054D0000-0x00000000054D1000-memory.dmp

memory/3796-102-0x0000000005460000-0x0000000005461000-memory.dmp

memory/3796-103-0x0000000005470000-0x0000000005471000-memory.dmp

memory/3796-104-0x00000000054C0000-0x00000000054C1000-memory.dmp

memory/3796-105-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/1456-106-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/1456-107-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/1456-108-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/1456-109-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/1456-110-0x0000000000AC0000-0x0000000000F74000-memory.dmp

memory/1456-111-0x0000000000AC0000-0x0000000000F74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 596defa2bb76277303bee05495e4d1b6
SHA1 66d03ad914bf2be41847091fff73978f0f76f2fc
SHA256 30816c572ad5441e1bdfe6952400f0a291a004b3493651cc520a56a955cd1b4a
SHA512 4c823a70e73e3cd7c19b9475eaebcd0881add1a8e12782cece917c7e17b2d278ee07cfaee9245444ad057639f50643fa3ae9f594cc451e3bab516bb498bad619

memory/3604-113-0x0000000000AC0000-0x0000000000F74000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 01:42

Reported

2024-03-25 01:44

Platform

win11-20240221-en

Max time kernel

144s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000022001\c444e63db0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000022001\c444e63db0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000022001\c444e63db0.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000022001\c444e63db0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\c444e63db0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000022001\\c444e63db0.exe" C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorha.job C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4084 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 4084 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 4084 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 400 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 400 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 400 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4848 wrote to memory of 3996 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4848 wrote to memory of 3996 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3996 wrote to memory of 3592 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 3996 wrote to memory of 3592 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 3996 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 400 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 400 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 400 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000022001\c444e63db0.exe
PID 400 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000022001\c444e63db0.exe
PID 400 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000022001\c444e63db0.exe
PID 400 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 400 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 400 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 400 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
PID 400 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
PID 400 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
PID 4232 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4232 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4232 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2324 wrote to memory of 4240 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2324 wrote to memory of 4240 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4240 wrote to memory of 4700 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 4240 wrote to memory of 4700 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 4240 wrote to memory of 2464 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 2464 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4232 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4232 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4232 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4232 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
PID 4232 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
PID 4232 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
PID 4756 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe C:\Windows\SysWOW64\schtasks.exe
PID 4756 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe C:\Windows\SysWOW64\schtasks.exe
PID 4756 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe

"C:\Users\Admin\AppData\Local\Temp\6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000022001\c444e63db0.exe

"C:\Users\Admin\AppData\Local\Temp\1000022001\c444e63db0.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe

"C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe

"C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN boom8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe" /F

Network

Country Destination Domain Proto
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 56.132.233.193.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
DE 185.172.128.19:80 185.172.128.19 tcp

Files

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 676d5c99f20607e8b75abc4942526f49
SHA1 ddeeb0cafec738304f5393a4a689ec53b9888822
SHA256 15d5fa66fc5ecc0a2ad7bf9dfe27eeb7fd09b9a37ca0f0d4bf507e99aa4d62c0
SHA512 12d35c5f7932540555194e5d7426b1cc6ea1be04754e55ff2c1c0eb6175978ba03f3033d646c7ab457970f6b55b2c3d3f4633b5558b97198c5debd73311c1478

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 03cae7ddd989b541ba318aed351e436b
SHA1 7952ffbb37a205eb7011e611a4c685a7751efba2
SHA256 b341ecc45521633ac70103dc4f72020dffa7fee9f84b862cc42a67532c755a37
SHA512 6aa0090aa5a054cfe3401d7f49a140d649fc14f9a4b3ba9e587d8e78b2490448ff575881b74533c6d980f68bba0a9547ff755f74189449d697200b9daee9d9c5

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 5395adfe1ee032fcfebc136ab9447554
SHA1 1f58e9f60d9799057b1a83513ee62fec7e51cdba
SHA256 9b6fa2e775ef0c417352db72904e7b2fc8a4f3ed3a8c22ac4a06741153afa0f5
SHA512 8cdd4e27061e5308d5395200b09c0f113b37f40fca57a6358bd8d996c5b9e5521e9144cf8d60dd2f7295aa7b3e116b7790d11815ff7c123e9520b3de2e53e6b2

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 6625945aa4e9522e645323cb22182715
SHA1 cb1b774ecc95796ad1fdf34a05c62664d9db6318
SHA256 48d51dbd21e5b3750177bc9f48a8b1197860ea7d0bafeaa2f42f7ddb8cb422fc
SHA512 72ffdb5a46283f0f0406ec071acc79c6aa92745de5f8dfa3ed0d39bf8ce707796a4ae56e11abfe3a48e74d4e26b196e3f96e814d3d3b63eae5c7cda65943c88a

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uslkb5pa.3rn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 0f1f137ec50935756eb506a1e7a24796
SHA1 163426991cd993b8590e3739cbaa500ddb258806
SHA256 6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2
SHA512 c88e472e4c6942665a11f15e4f2e3a2ff00492eeee443a8c392a48b3b1c175ae87d1b8e0c29b63a669d23b522a2cc17bbff74bdd6767a56cfe9b75ab3e74865d

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

C:\Users\Admin\AppData\Local\Temp\1000022001\c444e63db0.exe

MD5 4351cfdb828068ca48e7507af790d5c4
SHA1 a9c7efaf95dbf3a0d135aa2d83ac37d22dc84764
SHA256 d68cd82842221eb6f9b591e17bd782084a7db96ef1ded5c8e04710bc2916198b
SHA512 66a8c11f287dd1eb1e26f0ff518aab764ce0ee079534b9f40b001936f7e4b016daa26009f0b0f06968ccabbf21b593e774b48cf9e39a48f096c24037137156ab

C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe

MD5 d467222c3bd563cb72fa49302f80b079
SHA1 9335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256 fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512 484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ae626d9a72417b14570daa8fcd5d34a4
SHA1 c103ebaf4d760df722d620df87e6f07c0486439f
SHA256 52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a
SHA512 a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1ca0032e53df57864eca5c293d705d0d
SHA1 faf09dad6654035c51e5f0e373cb280cf97fde34
SHA256 661aeb3b5959e598699b8d83e3f8b962ad2783c4d1ed7cd9ed8355b26e013b17
SHA512 a5e92e427a6ffc7d177819d63e86adc50c34b20abb5304335933de388b46c2ffad7d993d6a478edbcdd203cca2b98d96db6f50ab917b6e21825327e164e7b437

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
