Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
22-04-2024 12:44
General
-
Target
4f08c3aa2560c97cc24fa3943a2d8a11095620c32c7209d23dcae03603668a68.exe
-
Size
3.1MB
-
MD5
3b69ce65e1b7235f333906eb776e68ca
-
SHA1
666588ba21b5751422e0b3c27a6ab53b9ba93dbd
-
SHA256
4f08c3aa2560c97cc24fa3943a2d8a11095620c32c7209d23dcae03603668a68
-
SHA512
56a626f645031724dfa27ad1dd876de58ac5e9f44ce57f4a8dc360b0d76fa31a5c26aa2b2835edd299ec7492a57ea2ede43ed94bbd9e4af9262cf036667d86e6
-
SSDEEP
49152:nOej1M0rQw14aqx8g4L6M5DyiWuVwKgrmBKC2O3ddQuuI:Sw15qxHs6M5Dtj7jN3d
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
lumma
https://affordcharmcropwo.shop/api
https://cleartotalfisherwo.shop/api
https://worryfillvolcawoi.shop/api
https://enthusiasimtitleow.shop/api
https://dismissalcylinderhostw.shop/api
https://diskretainvigorousiw.shop/api
https://communicationgenerwo.shop/api
https://pillowbrocccolipe.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1 1 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 5 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f08c3aa2560c97cc24fa3943a2d8a11095620c32c7209d23dcae03603668a68.exe"C:\Users\Admin\AppData\Local\Temp\4f08c3aa2560c97cc24fa3943a2d8a11095620c32c7209d23dcae03603668a68.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000055001\4346eceb72.exe"C:\Users\Admin\AppData\Local\Temp\1000055001\4346eceb72.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3182ab58,0x7ffd3182ab68,0x7ffd3182ab785⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1900,i,303496700279344284,11263947164710068887,131072 /prefetch:25⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1900,i,303496700279344284,11263947164710068887,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1900,i,303496700279344284,11263947164710068887,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1900,i,303496700279344284,11263947164710068887,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1900,i,303496700279344284,11263947164710068887,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4056 --field-trial-handle=1900,i,303496700279344284,11263947164710068887,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3296 --field-trial-handle=1900,i,303496700279344284,11263947164710068887,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4412 --field-trial-handle=1900,i,303496700279344284,11263947164710068887,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1900,i,303496700279344284,11263947164710068887,131072 /prefetch:85⤵
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1900,i,303496700279344284,11263947164710068887,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1900,i,303496700279344284,11263947164710068887,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1900,i,303496700279344284,11263947164710068887,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1900,i,303496700279344284,11263947164710068887,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\132431369515_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1000056001\47ba2eef2a.exe"C:\Users\Admin\AppData\Local\Temp\1000056001\47ba2eef2a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 8683⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\132431369515_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5288 -ip 52881⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Virtualization/Sandbox Evasion
2Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
360B
MD551f1187b8b7783e0ad188be2b2fde054
SHA1c5e7756bfcc9c615afa84e45249446dd0c7766d6
SHA2561971c184baa86c0b7082c318689aaee3af358ca9f8fc3fb611fecabd586ea4eb
SHA5126c8967f12147cfdf6bae38159fbd8743f450a6689dc8ade5c1cf939a7407439765dfecd271845f198a327f810b5f8775f75afa12deea287556ce475a7cd90e1e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD5a2c6f9a8c8b81ed1b65852ee3365910c
SHA1b2f969704371a41e104f36d57fdbbca9f21ba0a6
SHA256f572b087dd34675093eeb704393fda83ac2d1c82ea4550efad5ab159248f93a2
SHA512f3804b1e8fb021f1a6601664cfa3f1f2e2a2d7320955dadbc1a32206109a52303b07c44ca1cd3578bef1eb8a27015b6a31c74b40987b9a7d73290792f9cd1221
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
3KB
MD57980d4e70ed2ed084fdfbbf6ce0d275c
SHA1ed50d652a61d08526ca81dbb9d72d4ab741e685a
SHA2569e7e7e7d6ee5ca7ac007cf61cea85044b697e5e08689f50d25b39e6bc5d2ce4a
SHA51258183f6c753f8656e9daee960d9104fa27f3a9a17e85c9f2f4ea76cfa76ae37673db487ecb1888e8e79f0ef1f3d4f5c2ef526d6e08a0fd73e9713b68386c42a3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD5454498eb719113253a796237b285dc7c
SHA138ed16b489add009ec139f4706233355628ddb97
SHA2568ee3030436335ba1f1bcbfeb36708eb595955f40862fad8bdd55029b1fc71786
SHA512e8cd3ee62549ce179eaef0f6a4067bc8a656a5cd0bb9741fd28fccd935606667be260d2bff720d5a08b2a90783302850cb85614bd31ab4d0a227e6725ab3ddff
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD5f2606557f60ac889e54a0e062655995d
SHA12f5cbdbaccc178f0647c40a6d67fe1ea7658746d
SHA256e2e6003ba82f56fd6685b4263843e601424b85af64d0cb8680b5fdc19df09a78
SHA5129e88eb7592b601760ae1d417893cc3c3709e6d649523e0043c27c117f274a697adc10f8331e80be0f7cf7534eb210e39ae10f42d01a26837580a197c92c8b926
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD52284cbe07a568d542dba96f5bac05f2a
SHA18680d5c6b7a18d3b1ff4c64b42022e9e95b0c0ab
SHA256645d2a907a95ec1b0cce9a039bec1752811b7951005836192aa203379dacccfd
SHA512fa7ca43e34e819c3b9caf66a8df54926a6ef8dc07015302ab6ecc0a4d7ca36a88b089cb5654fc7bc3feae8e05f0f6be5621dfdba6fa9a8b39817e583747e6d91
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD5d4051c56f36e70f8e25df1d64620c597
SHA10300aab17acca3ee626c78a855f282279ff8c1fe
SHA256fe5bbe93552903266055d10b1c25f0e53bc64848d2856ae5aca249bbd0288073
SHA51218bff0929850ba20ceb2d551e34c09a64c9e83a9532bcdc062bdc97807ecbd0fc8027de58b362247504be721179fd177963d53c53b5fa79a151cc5cad79d248a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
252KB
MD5b7b147541c2744253c9c66888a1ebf8d
SHA11982923a98e32029c7241ff046166664a41099f9
SHA256de0b1f414ad306abefcab7308ac53f9438cb5b7ca8a7873cb7f59c5a9ba3ac68
SHA512d09115024ee413ded9197a9033703bf9f53e5c49e1429f3c711d729837671fb220be5cf5039f392f6def77a6d13ebf8242ed672136cf869daee6f06242c6cf69
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5fe3aab3ae544a134b68e881b82b70169
SHA1926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA5123fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5baa7aea69f1fc6de5c6744a3de244d9c
SHA17ac32cd8e4afa29cbb6c04bb8727735c29ebadc5
SHA256adb474e336b151cf28ead952e8248f9ec8daf30aadc78e716822d9c27f6dde69
SHA5124927c72a9d778a8343f812714356150069349e39937f2e32c62f19ffee226b94eada91756f07f96e22472252f20185177038b3e1e1dd7b8920d676e4e2198f0c
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeFilesize
3.1MB
MD53b69ce65e1b7235f333906eb776e68ca
SHA1666588ba21b5751422e0b3c27a6ab53b9ba93dbd
SHA2564f08c3aa2560c97cc24fa3943a2d8a11095620c32c7209d23dcae03603668a68
SHA51256a626f645031724dfa27ad1dd876de58ac5e9f44ce57f4a8dc360b0d76fa31a5c26aa2b2835edd299ec7492a57ea2ede43ed94bbd9e4af9262cf036667d86e6
-
C:\Users\Admin\AppData\Local\Temp\1000055001\4346eceb72.exeFilesize
1.1MB
MD57d2528cbd7a1de4a0da710bdd9f50e5d
SHA1924f6a5fa107d405420c5ac20a1f9b72384a90df
SHA25643311c09c7a9c1bc0bb2d090b4da3fb5d2fca694080052384b084f369993df62
SHA512eceafa276533873883d0d1247946a4181d37cd999486354999698581d42bf2c553a4cf2a56d262f304704c0b12391da35825c7f56a0dc1c57ee88dab58574774
-
C:\Users\Admin\AppData\Local\Temp\1000056001\47ba2eef2a.exeFilesize
2.3MB
MD56c41dcf3e3f1cd2532e572b9fb65228e
SHA1652a4a2b268099b2ba67201dfcba10c0d1e9d1b2
SHA256b24f6c6e0a83f73c3434fc5bf3a48eaed2facdf397740c984d9c74ab9413c389
SHA5127c474f984f59cd0ec591438162264c824e5bdf7c2e820a709e8b67220dc3ae6d0be31f11b596a81f29eadb67c54f317cf48f2b64681e9a29dc2cabc3df16c63f
-
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exeFilesize
1.8MB
MD5283177eb03a118928caa2120942b3160
SHA1e47e736ad3ff15108036901476a1ad6859368b5d
SHA256280ffcc06cb568629c5146aea0e412f1add9e0e16f3d462e5e50eea586455e60
SHA512e58199608b54e76bece47f0694dd3b19a34fd42914fbd436ed3a44c318f386c16e136d210617413ce13fac2d085b96c6e93ca5258e6d097bc5c7117039cbc96b
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exeFilesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\Tmp6AE5.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wcdvsx1y.tgb.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dllFilesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
\??\pipe\crashpad_2416_CISMSDYXIRMLZQTOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1788-242-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/1788-245-0x0000000004980000-0x0000000004981000-memory.dmpFilesize
4KB
-
memory/1788-249-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/1788-248-0x0000000004970000-0x0000000004971000-memory.dmpFilesize
4KB
-
memory/1788-247-0x0000000004960000-0x0000000004961000-memory.dmpFilesize
4KB
-
memory/1788-246-0x00000000049C0000-0x00000000049C1000-memory.dmpFilesize
4KB
-
memory/1788-244-0x00000000049A0000-0x00000000049A1000-memory.dmpFilesize
4KB
-
memory/1788-243-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/1788-250-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/1804-442-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/2880-435-0x0000000000C20000-0x00000000010DA000-memory.dmpFilesize
4.7MB
-
memory/2880-382-0x0000000000C20000-0x00000000010DA000-memory.dmpFilesize
4.7MB
-
memory/3640-44-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/3640-37-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/3640-38-0x0000000004850000-0x0000000004851000-memory.dmpFilesize
4KB
-
memory/3640-39-0x0000000004860000-0x0000000004861000-memory.dmpFilesize
4KB
-
memory/3640-40-0x0000000004840000-0x0000000004841000-memory.dmpFilesize
4KB
-
memory/3640-41-0x0000000004880000-0x0000000004881000-memory.dmpFilesize
4KB
-
memory/3640-43-0x0000000004830000-0x0000000004831000-memory.dmpFilesize
4KB
-
memory/3640-42-0x0000000004820000-0x0000000004821000-memory.dmpFilesize
4KB
-
memory/3640-36-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4268-342-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-34-0x0000000004A20000-0x0000000004A21000-memory.dmpFilesize
4KB
-
memory/4564-25-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-287-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-153-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-312-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-314-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-113-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-254-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-316-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-188-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-241-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-318-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-46-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-45-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-33-0x0000000004A30000-0x0000000004A31000-memory.dmpFilesize
4KB
-
memory/4564-228-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-27-0x00000000049E0000-0x00000000049E1000-memory.dmpFilesize
4KB
-
memory/4564-30-0x00000000049A0000-0x00000000049A1000-memory.dmpFilesize
4KB
-
memory/4564-31-0x00000000049B0000-0x00000000049B1000-memory.dmpFilesize
4KB
-
memory/4564-32-0x0000000004A00000-0x0000000004A01000-memory.dmpFilesize
4KB
-
memory/4564-397-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-28-0x00000000049C0000-0x00000000049C1000-memory.dmpFilesize
4KB
-
memory/4564-29-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/4564-24-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-375-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4564-26-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/4564-226-0x0000000000D30000-0x0000000001043000-memory.dmpFilesize
3.1MB
-
memory/4608-11-0x0000000005510000-0x0000000005511000-memory.dmpFilesize
4KB
-
memory/4608-0-0x00000000000C0000-0x00000000003D3000-memory.dmpFilesize
3.1MB
-
memory/4608-23-0x00000000000C0000-0x00000000003D3000-memory.dmpFilesize
3.1MB
-
memory/4608-1-0x0000000077B54000-0x0000000077B56000-memory.dmpFilesize
8KB
-
memory/4608-10-0x0000000005520000-0x0000000005521000-memory.dmpFilesize
4KB
-
memory/4608-2-0x00000000000C0000-0x00000000003D3000-memory.dmpFilesize
3.1MB
-
memory/4608-3-0x00000000054C0000-0x00000000054C1000-memory.dmpFilesize
4KB
-
memory/4608-6-0x0000000005500000-0x0000000005501000-memory.dmpFilesize
4KB
-
memory/4608-7-0x0000000005490000-0x0000000005491000-memory.dmpFilesize
4KB
-
memory/4608-8-0x00000000054A0000-0x00000000054A1000-memory.dmpFilesize
4KB
-
memory/4608-9-0x00000000054F0000-0x00000000054F1000-memory.dmpFilesize
4KB
-
memory/4608-5-0x00000000054B0000-0x00000000054B1000-memory.dmpFilesize
4KB
-
memory/4608-4-0x00000000054D0000-0x00000000054D1000-memory.dmpFilesize
4KB
-
memory/5352-110-0x00007FFD2E6B0000-0x00007FFD2F171000-memory.dmpFilesize
10.8MB
-
memory/5352-111-0x000001A250F00000-0x000001A250F10000-memory.dmpFilesize
64KB
-
memory/5352-112-0x000001A250F00000-0x000001A250F10000-memory.dmpFilesize
64KB
-
memory/5352-114-0x000001A250F00000-0x000001A250F10000-memory.dmpFilesize
64KB
-
memory/5352-116-0x000001A269630000-0x000001A26963A000-memory.dmpFilesize
40KB
-
memory/5352-115-0x000001A269650000-0x000001A269662000-memory.dmpFilesize
72KB
-
memory/5352-122-0x00007FFD2E6B0000-0x00007FFD2F171000-memory.dmpFilesize
10.8MB
-
memory/5352-106-0x000001A251490000-0x000001A2514B2000-memory.dmpFilesize
136KB
-
memory/5372-211-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/5372-381-0x0000000000B10000-0x00000000010E7000-memory.dmpFilesize
5.8MB
-
memory/5372-207-0x0000000000B10000-0x00000000010E7000-memory.dmpFilesize
5.8MB
-
memory/5372-313-0x0000000000B10000-0x00000000010E7000-memory.dmpFilesize
5.8MB
-
memory/5372-256-0x0000000000B10000-0x00000000010E7000-memory.dmpFilesize
5.8MB
-
memory/5372-315-0x0000000000B10000-0x00000000010E7000-memory.dmpFilesize
5.8MB
-
memory/5372-251-0x0000000000B10000-0x00000000010E7000-memory.dmpFilesize
5.8MB
-
memory/5372-317-0x0000000000B10000-0x00000000010E7000-memory.dmpFilesize
5.8MB
-
memory/5372-239-0x0000000000B10000-0x00000000010E7000-memory.dmpFilesize
5.8MB
-
memory/5372-339-0x0000000000B10000-0x00000000010E7000-memory.dmpFilesize
5.8MB
-
memory/5372-229-0x0000000000B10000-0x00000000010E7000-memory.dmpFilesize
5.8MB
-
memory/5372-227-0x0000000000B10000-0x00000000010E7000-memory.dmpFilesize
5.8MB
-
memory/5372-213-0x00000000050F0000-0x00000000050F1000-memory.dmpFilesize
4KB
-
memory/5372-212-0x0000000005080000-0x0000000005081000-memory.dmpFilesize
4KB
-
memory/5372-220-0x0000000005150000-0x0000000005152000-memory.dmpFilesize
8KB
-
memory/5372-297-0x0000000000B10000-0x00000000010E7000-memory.dmpFilesize
5.8MB
-
memory/5372-208-0x00000000050D0000-0x00000000050D1000-memory.dmpFilesize
4KB
-
memory/5372-209-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/5372-215-0x00000000050E0000-0x00000000050E1000-memory.dmpFilesize
4KB
-
memory/5372-216-0x0000000005130000-0x0000000005131000-memory.dmpFilesize
4KB
-
memory/5372-217-0x00000000050C0000-0x00000000050C1000-memory.dmpFilesize
4KB
-
memory/5372-218-0x0000000005120000-0x0000000005121000-memory.dmpFilesize
4KB
-
memory/5372-219-0x0000000005070000-0x0000000005071000-memory.dmpFilesize
4KB
-
memory/5372-438-0x0000000000B10000-0x00000000010E7000-memory.dmpFilesize
5.8MB
-
memory/5372-210-0x0000000005100000-0x0000000005101000-memory.dmpFilesize
4KB
-
memory/5372-214-0x0000000005110000-0x0000000005111000-memory.dmpFilesize
4KB
-
memory/5536-369-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/5536-366-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/5892-286-0x0000000000830000-0x0000000000CEA000-memory.dmpFilesize
4.7MB