Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
21-04-2024 10:23
General
-
Target
a778286dbc6850ab8f6de20dcf4230f354b2d40ee1a2b0f9cdf442f2fe08c835.exe
-
Size
3.1MB
-
MD5
6ff2e1d32337832c29ac583e130c85b0
-
SHA1
f80322c0c6487f2a477de9472cfd99646ec4350e
-
SHA256
a778286dbc6850ab8f6de20dcf4230f354b2d40ee1a2b0f9cdf442f2fe08c835
-
SHA512
59d6390e755790d85ce5c72fa959827ec2b637354325f8613468c72c0eed70c9f8996a9b2bb58b5c10341b37ce74697cac6bab1f51e1d5c8a22acefc3182cba8
-
SSDEEP
98304:e/sf/0D3kyAYY9BH+E2NBWkNBRJH9IauNvGXL:e/nvNAYtHe+
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 8 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 6 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a778286dbc6850ab8f6de20dcf4230f354b2d40ee1a2b0f9cdf442f2fe08c835.exe"C:\Users\Admin\AppData\Local\Temp\a778286dbc6850ab8f6de20dcf4230f354b2d40ee1a2b0f9cdf442f2fe08c835.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000055001\c582c38544.exe"C:\Users\Admin\AppData\Local\Temp\1000055001\c582c38544.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xe8,0x10c,0x7ffe8ccdab58,0x7ffe8ccdab68,0x7ffe8ccdab785⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1836,i,8036804426893780684,7261249890616462216,131072 /prefetch:25⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1836,i,8036804426893780684,7261249890616462216,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2140 --field-trial-handle=1836,i,8036804426893780684,7261249890616462216,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1836,i,8036804426893780684,7261249890616462216,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1836,i,8036804426893780684,7261249890616462216,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3968 --field-trial-handle=1836,i,8036804426893780684,7261249890616462216,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4232 --field-trial-handle=1836,i,8036804426893780684,7261249890616462216,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3228 --field-trial-handle=1836,i,8036804426893780684,7261249890616462216,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3308 --field-trial-handle=1836,i,8036804426893780684,7261249890616462216,131072 /prefetch:85⤵
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1836,i,8036804426893780684,7261249890616462216,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=1836,i,8036804426893780684,7261249890616462216,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1836,i,8036804426893780684,7261249890616462216,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1836,i,8036804426893780684,7261249890616462216,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\017659663955_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000056001\cdadc326b6.exe"C:\Users\Admin\AppData\Local\Temp\1000056001\cdadc326b6.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\017659663955_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\285e0bd3-f4bd-46ee-939e-84cead82a09e.tmpFilesize
252KB
MD5524bd3a9b9badcecd6de70964aeed18c
SHA1695dfb1e1aca9f8725b757b25d01dc2337d7245f
SHA256911283d7e7be02ab7dac4f78eaa309877e7fb023a7158559da3ecba426c65bab
SHA512153794d950a5b77b47d51be74f16ac848ed0c0cf0f55eb4c81de33320fd619af865980bb6dbc437e7da416fb6e237d18de09ce905fd7a0647a1ad41a1c055afe
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
360B
MD5514e1635a1a32f957ccada37ca3ba2d4
SHA1d2feae50077978143af7013aae78aa5f5a7dda5f
SHA25693d2c73f058ce45d5cf45ea8cf88404b7e263b187d781f3f13ae8326dd794d92
SHA512341152a21f8faedf20a9fcce90b43ed8673bbe0d2616164e8886d57d2fe28143d059cdc52c6f296eb8839455e0e8f0a919d956297897b347592d019372d16ec3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
3KB
MD5880682126f8fcc56d816ec7c01c5f39b
SHA1d9577fd066dcdefcb13601cb1c6df3b762ba8824
SHA256fbefe152b165a92232e3ab841d0957829d88cd107b05f4b891f903f97d367775
SHA512991a34819ac2f78eafdd17d6df6585bf83e360399e59fbcbbfa9374e380954ab3c1e67f2f07c8a851f7df5e223ac2e2aca01a7fc0feb200dcffac91c7b01ca65
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD58a91a5ed27226e917050129bb7408f44
SHA13dc0a45835c4fbbb90db1977b1a264cc362a5da5
SHA2566a862b2cad6c48e6a8e78705f554a687f07b11d3d206d3897502ae3b7908986c
SHA512007c9594c611cde5b1c0c1336b6839433c6f5df03d1002c414329d7258d3d4f311b80363063d4b0b6e16022dd54cbebcc9acda1b0e9a9bac316766617a1c248a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD520ef0fca2d13a23008ea5b4e602ce4a0
SHA12b995ed854dda82e98f96f5fb8d431b6a584b12d
SHA256515a377c607d5e9274dd8a5dc4db0026fb07116d468816bb4d7f5ac4cc6d5b74
SHA512d23e60f307d26789f6b16f634574b4468346703855dd02b642bd30cc228b1a7e10174ace16167e4ab3f7490b639d4ec0371fe0a758d5e70b7b265c331bb07e91
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD5ab1b6d2827b5cbf5ac3b95af0accccfa
SHA14596b6624f69a1891eb4bd4c23c721a64a5461ff
SHA2563a44347786b68fd0113b1a3909acae8c7a90828f0222ec1cb3e794ce919c6e08
SHA512f481704f31b4530fb4a6e4cd74477c61a39a71a9a7de3fed6f4fcf3e60a314ecf7e6d620b7c9effc56296acd0442768651336cdcbf1cd90939ec4617c49f66f7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5a2ffcc0e17eb022329a19b02dc766846
SHA1c957842ba0aff131ac885e8a8761ee332597534f
SHA2563d11bc13d27cd8e394366009d4c0c6be3a6aafe942659a243791abd37a7c198a
SHA51291aa629660466af2191023cf518acf1c9e900c6f35097cc16dd81d75b9d17509b18ad005c411b7da168169de2756445c60b90d6234dc8b4c26c79c49d05b1043
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD5c734f6dcdcc9d64d68979e266ce50fc9
SHA11f5285f2cd7e83fdf06568190abdaf7dd3915d43
SHA256c44e2f8f88a5492096b4652e444d79ef757a149d2b5a20679ba7293434f4da56
SHA512ebe697ede8c3fc7d79afdaf0bed542bafadd1d3df84226098345a6c69a3785485f99ae6ed7d36011095df9eb46f947f0a8c72009ce6c9e5ebd59a0484c2ab79a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ae626d9a72417b14570daa8fcd5d34a4
SHA1c103ebaf4d760df722d620df87e6f07c0486439f
SHA25652cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a
SHA512a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD51ca0032e53df57864eca5c293d705d0d
SHA1faf09dad6654035c51e5f0e373cb280cf97fde34
SHA256661aeb3b5959e598699b8d83e3f8b962ad2783c4d1ed7cd9ed8355b26e013b17
SHA512a5e92e427a6ffc7d177819d63e86adc50c34b20abb5304335933de388b46c2ffad7d993d6a478edbcdd203cca2b98d96db6f50ab917b6e21825327e164e7b437
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeFilesize
3.1MB
MD56ff2e1d32337832c29ac583e130c85b0
SHA1f80322c0c6487f2a477de9472cfd99646ec4350e
SHA256a778286dbc6850ab8f6de20dcf4230f354b2d40ee1a2b0f9cdf442f2fe08c835
SHA51259d6390e755790d85ce5c72fa959827ec2b637354325f8613468c72c0eed70c9f8996a9b2bb58b5c10341b37ce74697cac6bab1f51e1d5c8a22acefc3182cba8
-
C:\Users\Admin\AppData\Local\Temp\1000055001\c582c38544.exeFilesize
1.1MB
MD56a00297c63da77f1c00b15844a18eccd
SHA1c18b0e775a3ba7a1941d86d8b9b2c160f3cc770f
SHA256432beea9fbe995a73df585ea6c33e41d91016ac2a032f46400acb19b50d3b800
SHA5126cb45c741e6469176c2f7b031da85b02019d432de1aee9bee035340452e3329f76327e67b414fc91428c065212c98599c14f95cd6ef26fdbbdae7fa5a7b4af8b
-
C:\Users\Admin\AppData\Local\Temp\1000056001\cdadc326b6.exeFilesize
2.3MB
MD5ad99a9dcbd30c339c8ce2b1963da2b86
SHA1f88527b444b7a654a3207f82ecbbdce241e22e80
SHA2560f57e0e6ea74bf53d468256ec921e8423743536fb1884f276262428e2106aebf
SHA512f26c508b7c175108c3a6e622bddb8a3a07831da4adf35473479e4f55c5a882f75a9b455b78528c952c4e699fd603c9e70e83d7415f7a6fba94fe5c28fc7de7bf
-
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exeFilesize
1.8MB
MD584b7326a9a654cf5fa260ebfbedfc7b3
SHA1b21187c2a1bf98f2307c597e3b65eff1bff22dd0
SHA256d6aa888cf7e9878abccef7a9a7d9b1983f683acee8fed12d5c1a2cb488255e81
SHA5129b4dfb1e69be4396046ae197b804956b7ea7f40a4d59584336a32bbf06b00b8589a9d969ae2627de0ff2c4dd0bb96fb078d431426c06ee508298db7606d740c2
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aysyj41u.inh.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
\??\pipe\crashpad_3136_TNFOBBQAIHPHBMBMMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1176-292-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/1444-260-0x0000000004EC0000-0x0000000004EC1000-memory.dmpFilesize
4KB
-
memory/1444-259-0x0000000004E90000-0x0000000004E91000-memory.dmpFilesize
4KB
-
memory/1444-262-0x0000000004F10000-0x0000000004F11000-memory.dmpFilesize
4KB
-
memory/1444-263-0x0000000004F00000-0x0000000004F01000-memory.dmpFilesize
4KB
-
memory/1444-258-0x0000000004E80000-0x0000000004E81000-memory.dmpFilesize
4KB
-
memory/1444-255-0x0000000004EB0000-0x0000000004EB1000-memory.dmpFilesize
4KB
-
memory/1444-257-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/1444-256-0x0000000004EA0000-0x0000000004EA1000-memory.dmpFilesize
4KB
-
memory/1444-254-0x00000000008B0000-0x0000000000D5C000-memory.dmpFilesize
4.7MB
-
memory/1444-253-0x00000000008B0000-0x0000000000D5C000-memory.dmpFilesize
4.7MB
-
memory/1444-267-0x00000000008B0000-0x0000000000D5C000-memory.dmpFilesize
4.7MB
-
memory/1736-184-0x0000000005610000-0x0000000005611000-memory.dmpFilesize
4KB
-
memory/1736-189-0x0000000005680000-0x0000000005681000-memory.dmpFilesize
4KB
-
memory/1736-270-0x0000000000B90000-0x000000000116B000-memory.dmpFilesize
5.9MB
-
memory/1736-224-0x0000000000B90000-0x000000000116B000-memory.dmpFilesize
5.9MB
-
memory/1736-214-0x0000000000B90000-0x000000000116B000-memory.dmpFilesize
5.9MB
-
memory/1736-392-0x0000000000B90000-0x000000000116B000-memory.dmpFilesize
5.9MB
-
memory/1736-381-0x0000000000B90000-0x000000000116B000-memory.dmpFilesize
5.9MB
-
memory/1736-373-0x0000000000B90000-0x000000000116B000-memory.dmpFilesize
5.9MB
-
memory/1736-193-0x00000000056C0000-0x00000000056C2000-memory.dmpFilesize
8KB
-
memory/1736-192-0x00000000055E0000-0x00000000055E1000-memory.dmpFilesize
4KB
-
memory/1736-191-0x0000000005630000-0x0000000005631000-memory.dmpFilesize
4KB
-
memory/1736-190-0x0000000005690000-0x0000000005691000-memory.dmpFilesize
4KB
-
memory/1736-235-0x0000000000B90000-0x000000000116B000-memory.dmpFilesize
5.9MB
-
memory/1736-308-0x0000000000B90000-0x000000000116B000-memory.dmpFilesize
5.9MB
-
memory/1736-335-0x0000000000B90000-0x000000000116B000-memory.dmpFilesize
5.9MB
-
memory/1736-367-0x0000000000B90000-0x000000000116B000-memory.dmpFilesize
5.9MB
-
memory/1736-370-0x0000000000B90000-0x000000000116B000-memory.dmpFilesize
5.9MB
-
memory/1736-222-0x0000000000B90000-0x000000000116B000-memory.dmpFilesize
5.9MB
-
memory/1736-182-0x0000000000B90000-0x000000000116B000-memory.dmpFilesize
5.9MB
-
memory/1736-183-0x0000000005640000-0x0000000005641000-memory.dmpFilesize
4KB
-
memory/1736-186-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/1736-185-0x0000000005600000-0x0000000005601000-memory.dmpFilesize
4KB
-
memory/1736-237-0x0000000000B90000-0x000000000116B000-memory.dmpFilesize
5.9MB
-
memory/1736-187-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/1736-188-0x0000000005650000-0x0000000005651000-memory.dmpFilesize
4KB
-
memory/2016-145-0x00007FFE77F50000-0x00007FFE78A12000-memory.dmpFilesize
10.8MB
-
memory/2016-139-0x00000204F6220000-0x00000204F622A000-memory.dmpFilesize
40KB
-
memory/2016-138-0x00000204F63C0000-0x00000204F63D2000-memory.dmpFilesize
72KB
-
memory/2016-136-0x00000204F5F40000-0x00000204F5F50000-memory.dmpFilesize
64KB
-
memory/2016-137-0x00000204F5F40000-0x00000204F5F50000-memory.dmpFilesize
64KB
-
memory/2016-135-0x00000204F5F40000-0x00000204F5F50000-memory.dmpFilesize
64KB
-
memory/2016-134-0x00007FFE77F50000-0x00007FFE78A12000-memory.dmpFilesize
10.8MB
-
memory/2016-133-0x00000204F6230000-0x00000204F6252000-memory.dmpFilesize
136KB
-
memory/3084-274-0x0000000000F90000-0x000000000143C000-memory.dmpFilesize
4.7MB
-
memory/3084-374-0x0000000000F90000-0x000000000143C000-memory.dmpFilesize
4.7MB
-
memory/3084-275-0x0000000005280000-0x0000000005281000-memory.dmpFilesize
4KB
-
memory/3084-276-0x0000000005270000-0x0000000005271000-memory.dmpFilesize
4KB
-
memory/3084-310-0x0000000000F90000-0x000000000143C000-memory.dmpFilesize
4.7MB
-
memory/3084-273-0x0000000000F90000-0x000000000143C000-memory.dmpFilesize
4.7MB
-
memory/3084-402-0x0000000000F90000-0x000000000143C000-memory.dmpFilesize
4.7MB
-
memory/3084-382-0x0000000000F90000-0x000000000143C000-memory.dmpFilesize
4.7MB
-
memory/3084-354-0x0000000000F90000-0x000000000143C000-memory.dmpFilesize
4.7MB
-
memory/3084-368-0x0000000000F90000-0x000000000143C000-memory.dmpFilesize
4.7MB
-
memory/3084-371-0x0000000000F90000-0x000000000143C000-memory.dmpFilesize
4.7MB
-
memory/3620-105-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/3620-101-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3620-102-0x0000000005060000-0x0000000005061000-memory.dmpFilesize
4KB
-
memory/3620-103-0x0000000005070000-0x0000000005071000-memory.dmpFilesize
4KB
-
memory/3620-106-0x0000000005030000-0x0000000005031000-memory.dmpFilesize
4KB
-
memory/3620-124-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3620-104-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/3620-107-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/3856-307-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-100-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-269-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-27-0x0000000004DC0000-0x0000000004DC1000-memory.dmpFilesize
4KB
-
memory/3856-29-0x0000000004DA0000-0x0000000004DA1000-memory.dmpFilesize
4KB
-
memory/3856-213-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-30-0x0000000004DB0000-0x0000000004DB1000-memory.dmpFilesize
4KB
-
memory/3856-31-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/3856-26-0x0000000004DE0000-0x0000000004DE1000-memory.dmpFilesize
4KB
-
memory/3856-25-0x0000000004DD0000-0x0000000004DD1000-memory.dmpFilesize
4KB
-
memory/3856-32-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/3856-24-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-75-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-23-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-391-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-181-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-334-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-380-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-223-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-28-0x0000000004E00000-0x0000000004E01000-memory.dmpFilesize
4KB
-
memory/3856-372-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-366-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-234-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-236-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/3856-369-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB
-
memory/4228-4-0x0000000004F40000-0x0000000004F41000-memory.dmpFilesize
4KB
-
memory/4228-9-0x0000000004F60000-0x0000000004F61000-memory.dmpFilesize
4KB
-
memory/4228-8-0x0000000004F10000-0x0000000004F11000-memory.dmpFilesize
4KB
-
memory/4228-5-0x0000000004F20000-0x0000000004F21000-memory.dmpFilesize
4KB
-
memory/4228-7-0x0000000004F00000-0x0000000004F01000-memory.dmpFilesize
4KB
-
memory/4228-6-0x0000000004F70000-0x0000000004F71000-memory.dmpFilesize
4KB
-
memory/4228-3-0x0000000004F30000-0x0000000004F31000-memory.dmpFilesize
4KB
-
memory/4228-10-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/4228-21-0x00000000009B0000-0x0000000000CD9000-memory.dmpFilesize
3.2MB
-
memory/4228-2-0x00000000009B0000-0x0000000000CD9000-memory.dmpFilesize
3.2MB
-
memory/4228-1-0x0000000077386000-0x0000000077388000-memory.dmpFilesize
8KB
-
memory/4228-0-0x00000000009B0000-0x0000000000CD9000-memory.dmpFilesize
3.2MB
-
memory/4552-390-0x0000000000930000-0x0000000000C59000-memory.dmpFilesize
3.2MB