Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
21-04-2024 10:23
General
-
Target
a778286dbc6850ab8f6de20dcf4230f354b2d40ee1a2b0f9cdf442f2fe08c835.exe
-
Size
3.1MB
-
MD5
6ff2e1d32337832c29ac583e130c85b0
-
SHA1
f80322c0c6487f2a477de9472cfd99646ec4350e
-
SHA256
a778286dbc6850ab8f6de20dcf4230f354b2d40ee1a2b0f9cdf442f2fe08c835
-
SHA512
59d6390e755790d85ce5c72fa959827ec2b637354325f8613468c72c0eed70c9f8996a9b2bb58b5c10341b37ce74697cac6bab1f51e1d5c8a22acefc3182cba8
-
SSDEEP
98304:e/sf/0D3kyAYY9BH+E2NBWkNBRJH9IauNvGXL:e/nvNAYtHe+
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
lumma
https://affordcharmcropwo.shop/api
https://cleartotalfisherwo.shop/api
https://worryfillvolcawoi.shop/api
https://enthusiasimtitleow.shop/api
https://dismissalcylinderhostw.shop/api
https://diskretainvigorousiw.shop/api
https://communicationgenerwo.shop/api
https://pillowbrocccolipe.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 6 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a778286dbc6850ab8f6de20dcf4230f354b2d40ee1a2b0f9cdf442f2fe08c835.exe"C:\Users\Admin\AppData\Local\Temp\a778286dbc6850ab8f6de20dcf4230f354b2d40ee1a2b0f9cdf442f2fe08c835.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000055001\9eb620aebc.exe"C:\Users\Admin\AppData\Local\Temp\1000055001\9eb620aebc.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe99efab58,0x7ffe99efab68,0x7ffe99efab785⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1860,i,5117596655793278308,1904519566882361481,131072 /prefetch:25⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1860,i,5117596655793278308,1904519566882361481,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2296 --field-trial-handle=1860,i,5117596655793278308,1904519566882361481,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1860,i,5117596655793278308,1904519566882361481,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1860,i,5117596655793278308,1904519566882361481,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3904 --field-trial-handle=1860,i,5117596655793278308,1904519566882361481,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3456 --field-trial-handle=1860,i,5117596655793278308,1904519566882361481,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4572 --field-trial-handle=1860,i,5117596655793278308,1904519566882361481,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3164 --field-trial-handle=1860,i,5117596655793278308,1904519566882361481,131072 /prefetch:85⤵
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1860,i,5117596655793278308,1904519566882361481,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1860,i,5117596655793278308,1904519566882361481,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 --field-trial-handle=1860,i,5117596655793278308,1904519566882361481,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1860,i,5117596655793278308,1904519566882361481,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\177723727746_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000056001\c00ed31b5c.exe"C:\Users\Admin\AppData\Local\Temp\1000056001\c00ed31b5c.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 8883⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\177723727746_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5204 -ip 52041⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
360B
MD590e1b72538eb4a33e3422b68beeb854d
SHA16a39a0ac1a5a8ff10a3fa2467c3f41736196aee3
SHA256cc2d244f3352e584ebad97f1c8102677ef854e516d71ac321b158944ad784b3d
SHA512a45e06102b6085d598edcdd669286008c8cf5d634e29aae9c8aa70d127ba1b5efae723f89afc8eee28ddc52a790e4ada5fc384b5aa888f08fc1e142c712e631d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
3KB
MD5b342a77227b7e13bda36adf28664c4e5
SHA1c2d6204c934021608e0a6c7b0b0a207d24ef685a
SHA256ad1006c964c2a695d54c06e326174d1a8a101473d45336d5a6971ce1791de633
SHA512c385a68b0ee1e3fc1a95d0ac86af4a927207af9edeca9db4d17d5eee108b83aca68d6d0ca4cd7c00065b44ea0733dfbbbba578893b7163f87fca295d539c1b9d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD511e0b8cd2f42f846b84734a441669474
SHA1df0ab4b56248eeedfbfa1f0e7934f123a842408a
SHA256998401979da937ed8439d933ca1fbf5696d2e776db0849fc41d744bf322ea2c7
SHA5127dd5f49005d17f7632fe0b4d25d48cb6dcde34d7d17442207dcf79aa93bd67ecc81e17ef2cd4abdd2ec5e912dd1db5223551ecd43e9c1c88bea70ff8e0ec7e39
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD55571757ebdd9e9d98d350f1bf6deda01
SHA169b043eb3b5eba13b51ce98ba3b42eb8e845093b
SHA25688ac697e4d77a39aa7efd5b1693ce4b183a277c202494924784e7eebe60c0b55
SHA5121361d10cbfcb2d2b068038939adebb5fe8219cd9fbacb7f551be9e3baca6f9b32f16b3401607ced0a12550299a3e7a794972e0b360da16bd32eed81e4946abae
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD592beed41b69f599338991c4f45889efb
SHA1433078a20f7817f8da2bf22d44d4d43e6945d220
SHA256be0a093229efc736e49b20e890f2ff80fcfd88b87d49993ad7bfa62783cd9075
SHA512f4bd47c14b0111d24c9aa2d04212304978eac302dd7b7621f52f77e51e1234ce9c5b662ba5e185ae09c63cb7383107e09dc4092491c39ad057c2d37058ec86d7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD52683cf62a792c067da953e56f05fd039
SHA15ded112935f1cd7a0cf23defcbe20c92e4a3f24b
SHA256344ac84ff23ec703d9dba89d21590f9aa15651cf4603bf5bc5eb20ecab5c5878
SHA5129ff7947a0a91a407a1b0e718b2a9e5d38eaa8f507d7fa1b3a4d33ac81aa850044fdbca5b161074dcf4331b8812289506e72162023b4bcea0ab1514beadb3b333
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5675888417d1836a37f97a9297403cada
SHA1553df4c3129285f4957708f51f525fc6950c6756
SHA25611f75078fdc72e163fc6f3feada324b5ebcd0b101233fdefa47207e30970fe19
SHA512de5726c7301ed8cb0afd2be88dab1111dc610daf5c4a6fb5011c381db07ee40dce47597b645455bcf6282818ed186f28a6c27602c2716b9cc929c6d936098a4f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD5de0d4fdbb2529486920ac590b9dcf169
SHA16364467f8b4e58ba6a3b030936884e91667807bf
SHA256083c4cfec8861e121e649ae3bd691498d4827596cfdf4d5ff03009c11e58f240
SHA512c1d2d802be913c2926211709007ff4d5eb61bcf1ce6f310bf1309b6f0974015783a34815d3503174cda52ac230a3caad588bc74eed3b784052238fc25794ff27
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
252KB
MD5e91b23eb4bdf19b27d27490567be5250
SHA1a25bc1c6442e4f07db03f738198669baf2440764
SHA2566ab3c23037f35f37fd9f49832d3cf1f2cf3f203e06464e5c74209142af43c872
SHA5123ab2ca1e38ef835075aad5a749a40952d802f6889e52cc80b1997e495260b4966c28cf33114a286e4f7d8822eaac42093823f137b7094e207ede131eac3b5b8a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5fe3aab3ae544a134b68e881b82b70169
SHA1926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA5123fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD574cd4674166ac8f1bea0a81b6bb8eabc
SHA10e7e9faee65e22e86a0f47664f3489c12e710d90
SHA256430d083ba64e6ecf668e892360b5a4a3423ff492e84f01f14aa69957de2e1e44
SHA512ce07207402aefa1503da21c5cc29e55f777abd5a04b2b41061c6d6a37da7ec3a2df0388c7481bf0c71e4f656cb703ca19c6ecde9cbe5ae21d2948321ee7d7391
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeFilesize
3.1MB
MD56ff2e1d32337832c29ac583e130c85b0
SHA1f80322c0c6487f2a477de9472cfd99646ec4350e
SHA256a778286dbc6850ab8f6de20dcf4230f354b2d40ee1a2b0f9cdf442f2fe08c835
SHA51259d6390e755790d85ce5c72fa959827ec2b637354325f8613468c72c0eed70c9f8996a9b2bb58b5c10341b37ce74697cac6bab1f51e1d5c8a22acefc3182cba8
-
C:\Users\Admin\AppData\Local\Temp\1000055001\9eb620aebc.exeFilesize
1.1MB
MD56a00297c63da77f1c00b15844a18eccd
SHA1c18b0e775a3ba7a1941d86d8b9b2c160f3cc770f
SHA256432beea9fbe995a73df585ea6c33e41d91016ac2a032f46400acb19b50d3b800
SHA5126cb45c741e6469176c2f7b031da85b02019d432de1aee9bee035340452e3329f76327e67b414fc91428c065212c98599c14f95cd6ef26fdbbdae7fa5a7b4af8b
-
C:\Users\Admin\AppData\Local\Temp\1000056001\c00ed31b5c.exeFilesize
2.3MB
MD5ad99a9dcbd30c339c8ce2b1963da2b86
SHA1f88527b444b7a654a3207f82ecbbdce241e22e80
SHA2560f57e0e6ea74bf53d468256ec921e8423743536fb1884f276262428e2106aebf
SHA512f26c508b7c175108c3a6e622bddb8a3a07831da4adf35473479e4f55c5a882f75a9b455b78528c952c4e699fd603c9e70e83d7415f7a6fba94fe5c28fc7de7bf
-
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exeFilesize
1.8MB
MD584b7326a9a654cf5fa260ebfbedfc7b3
SHA1b21187c2a1bf98f2307c597e3b65eff1bff22dd0
SHA256d6aa888cf7e9878abccef7a9a7d9b1983f683acee8fed12d5c1a2cb488255e81
SHA5129b4dfb1e69be4396046ae197b804956b7ea7f40a4d59584336a32bbf06b00b8589a9d969ae2627de0ff2c4dd0bb96fb078d431426c06ee508298db7606d740c2
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exeFilesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c35lcjof.2v4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
\??\pipe\crashpad_2284_XXHEQOLLSJJJAZXWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/916-360-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/916-357-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2192-422-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-333-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-32-0x0000000004E80000-0x0000000004E81000-memory.dmpFilesize
4KB
-
memory/2192-452-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-119-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-229-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-31-0x0000000004E10000-0x0000000004E11000-memory.dmpFilesize
4KB
-
memory/2192-29-0x0000000004E60000-0x0000000004E61000-memory.dmpFilesize
4KB
-
memory/2192-198-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-430-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-220-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-419-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-30-0x0000000004E00000-0x0000000004E01000-memory.dmpFilesize
4KB
-
memory/2192-405-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-145-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-27-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/2192-28-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/2192-26-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/2192-25-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-269-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-23-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-280-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-283-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-97-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2192-321-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/2268-5-0x00000000050E0000-0x00000000050E1000-memory.dmpFilesize
4KB
-
memory/2268-8-0x00000000050D0000-0x00000000050D1000-memory.dmpFilesize
4KB
-
memory/2268-10-0x0000000005150000-0x0000000005151000-memory.dmpFilesize
4KB
-
memory/2268-11-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB
-
memory/2268-7-0x00000000050C0000-0x00000000050C1000-memory.dmpFilesize
4KB
-
memory/2268-24-0x0000000000FC0000-0x00000000012E9000-memory.dmpFilesize
3.2MB
-
memory/2268-3-0x00000000050F0000-0x00000000050F1000-memory.dmpFilesize
4KB
-
memory/2268-6-0x0000000005130000-0x0000000005131000-memory.dmpFilesize
4KB
-
memory/2268-1-0x00000000773C4000-0x00000000773C6000-memory.dmpFilesize
8KB
-
memory/2268-4-0x0000000005100000-0x0000000005101000-memory.dmpFilesize
4KB
-
memory/2268-9-0x0000000005120000-0x0000000005121000-memory.dmpFilesize
4KB
-
memory/2268-0-0x0000000000FC0000-0x00000000012E9000-memory.dmpFilesize
3.2MB
-
memory/2268-2-0x0000000000FC0000-0x00000000012E9000-memory.dmpFilesize
3.2MB
-
memory/5464-189-0x0000024CC4F80000-0x0000024CC4F90000-memory.dmpFilesize
64KB
-
memory/5464-190-0x0000024CC54D0000-0x0000024CC54E2000-memory.dmpFilesize
72KB
-
memory/5464-197-0x00007FFE8ABB0000-0x00007FFE8B671000-memory.dmpFilesize
10.8MB
-
memory/5464-191-0x0000024CC5120000-0x0000024CC512A000-memory.dmpFilesize
40KB
-
memory/5464-187-0x00007FFE8ABB0000-0x00007FFE8B671000-memory.dmpFilesize
10.8MB
-
memory/5464-188-0x0000024CC4F80000-0x0000024CC4F90000-memory.dmpFilesize
64KB
-
memory/5464-177-0x0000024CC4FF0000-0x0000024CC5012000-memory.dmpFilesize
136KB
-
memory/5672-441-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/5716-128-0x0000000004F20000-0x0000000004F21000-memory.dmpFilesize
4KB
-
memory/5716-142-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/5716-116-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/5716-129-0x0000000004F30000-0x0000000004F31000-memory.dmpFilesize
4KB
-
memory/5716-170-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/5716-130-0x0000000004F10000-0x0000000004F11000-memory.dmpFilesize
4KB
-
memory/5716-131-0x0000000004F60000-0x0000000004F61000-memory.dmpFilesize
4KB
-
memory/5716-133-0x0000000004F00000-0x0000000004F01000-memory.dmpFilesize
4KB
-
memory/5716-132-0x0000000004EF0000-0x0000000004EF1000-memory.dmpFilesize
4KB
-
memory/5716-134-0x0000000004F50000-0x0000000004F51000-memory.dmpFilesize
4KB
-
memory/5828-258-0x0000000000E60000-0x000000000130C000-memory.dmpFilesize
4.7MB
-
memory/5828-252-0x0000000005530000-0x0000000005531000-memory.dmpFilesize
4KB
-
memory/5828-253-0x00000000055A0000-0x00000000055A1000-memory.dmpFilesize
4KB
-
memory/5828-244-0x0000000000E60000-0x000000000130C000-memory.dmpFilesize
4.7MB
-
memory/5828-251-0x0000000005540000-0x0000000005541000-memory.dmpFilesize
4KB
-
memory/5828-246-0x0000000000E60000-0x000000000130C000-memory.dmpFilesize
4.7MB
-
memory/5828-247-0x0000000005550000-0x0000000005551000-memory.dmpFilesize
4KB
-
memory/5828-249-0x0000000005580000-0x0000000005581000-memory.dmpFilesize
4KB
-
memory/5828-248-0x0000000005560000-0x0000000005561000-memory.dmpFilesize
4KB
-
memory/5828-250-0x0000000005520000-0x0000000005521000-memory.dmpFilesize
4KB
-
memory/5960-286-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/5960-318-0x0000000000600000-0x0000000000929000-memory.dmpFilesize
3.2MB
-
memory/5980-421-0x0000000000E20000-0x00000000012CC000-memory.dmpFilesize
4.7MB
-
memory/5980-406-0x0000000000E20000-0x00000000012CC000-memory.dmpFilesize
4.7MB
-
memory/5980-332-0x0000000000E20000-0x00000000012CC000-memory.dmpFilesize
4.7MB
-
memory/5980-429-0x0000000000E20000-0x00000000012CC000-memory.dmpFilesize
4.7MB
-
memory/5980-383-0x0000000000E20000-0x00000000012CC000-memory.dmpFilesize
4.7MB
-
memory/5980-432-0x0000000000E20000-0x00000000012CC000-memory.dmpFilesize
4.7MB
-
memory/5992-161-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/5992-167-0x0000000004C90000-0x0000000004C91000-memory.dmpFilesize
4KB
-
memory/5992-160-0x0000000004C60000-0x0000000004C61000-memory.dmpFilesize
4KB
-
memory/5992-163-0x0000000004CC0000-0x0000000004CC1000-memory.dmpFilesize
4KB
-
memory/5992-162-0x0000000004C50000-0x0000000004C51000-memory.dmpFilesize
4KB
-
memory/5992-165-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/5992-159-0x0000000004C70000-0x0000000004C71000-memory.dmpFilesize
4KB
-
memory/5992-382-0x00000000007D0000-0x0000000000DAB000-memory.dmpFilesize
5.9MB
-
memory/5992-164-0x0000000004CD0000-0x0000000004CD1000-memory.dmpFilesize
4KB
-
memory/5992-158-0x0000000004CA0000-0x0000000004CA1000-memory.dmpFilesize
4KB
-
memory/5992-147-0x00000000007D0000-0x0000000000DAB000-memory.dmpFilesize
5.9MB
-
memory/5992-166-0x0000000004D00000-0x0000000004D01000-memory.dmpFilesize
4KB
-
memory/5992-292-0x00000000007D0000-0x0000000000DAB000-memory.dmpFilesize
5.9MB
-
memory/5992-331-0x00000000007D0000-0x0000000000DAB000-memory.dmpFilesize
5.9MB
-
memory/5992-418-0x00000000007D0000-0x0000000000DAB000-memory.dmpFilesize
5.9MB
-
memory/5992-282-0x00000000007D0000-0x0000000000DAB000-memory.dmpFilesize
5.9MB
-
memory/5992-420-0x00000000007D0000-0x0000000000DAB000-memory.dmpFilesize
5.9MB
-
memory/5992-168-0x0000000004CF0000-0x0000000004CF1000-memory.dmpFilesize
4KB
-
memory/5992-171-0x0000000004D20000-0x0000000004D22000-memory.dmpFilesize
8KB
-
memory/5992-428-0x00000000007D0000-0x0000000000DAB000-memory.dmpFilesize
5.9MB
-
memory/5992-270-0x00000000007D0000-0x0000000000DAB000-memory.dmpFilesize
5.9MB
-
memory/5992-169-0x0000000004C40000-0x0000000004C41000-memory.dmpFilesize
4KB
-
memory/5992-268-0x00000000007D0000-0x0000000000DAB000-memory.dmpFilesize
5.9MB
-
memory/5992-219-0x00000000007D0000-0x0000000000DAB000-memory.dmpFilesize
5.9MB
-
memory/5992-442-0x00000000007D0000-0x0000000000DAB000-memory.dmpFilesize
5.9MB
-
memory/5992-218-0x00000000007D0000-0x0000000000DAB000-memory.dmpFilesize
5.9MB
-
memory/5992-228-0x00000000007D0000-0x0000000000DAB000-memory.dmpFilesize
5.9MB