Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
22-04-2024 15:32
General
-
Target
1bebb04cd216a1e16df87f944e655ec75593f03bad7c46d2bd078dd805e20811.exe
-
Size
1.8MB
-
MD5
f8b5857ea950c83cd3bcb2d58986a489
-
SHA1
8f3a0a3783755c414abdbff3900823783e996436
-
SHA256
1bebb04cd216a1e16df87f944e655ec75593f03bad7c46d2bd078dd805e20811
-
SHA512
4372fb69677ee3d07b93d8e9e8bc642d150a6ced9a94734f1555a0f2989255fd9dd46fa6d0852793d9194b696b210f995065e60ab26c2ec59b9d88bd692141b1
-
SSDEEP
49152:L3/bnTZGQ+uriNIzU6inU33NdzOzNCV6PZg6SSD:LjnTZGDuriNEU6ifNCwPZg6TD
Malware Config
Extracted
amadey
4.20
http://193.233.132.139
-
install_dir
5454e6f062
-
install_file
explorta.exe
-
strings_key
c7a869c5ba1d72480093ec207994e2bf
-
url_paths
/sev56rkm/index.php
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
lumma
https://democraticseekysiwo.shop/api
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1bebb04cd216a1e16df87f944e655ec75593f03bad7c46d2bd078dd805e20811.exe"C:\Users\Admin\AppData\Local\Temp\1bebb04cd216a1e16df87f944e655ec75593f03bad7c46d2bd078dd805e20811.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000008001\2e9698eebd.exe"C:\Users\Admin\AppData\Local\Temp\1000008001\2e9698eebd.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb61a5ab58,0x7ffb61a5ab68,0x7ffb61a5ab785⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1892,i,14785899060401190498,15086472369075279198,131072 /prefetch:25⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1892,i,14785899060401190498,15086472369075279198,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1892,i,14785899060401190498,15086472369075279198,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1892,i,14785899060401190498,15086472369075279198,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1892,i,14785899060401190498,15086472369075279198,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1892,i,14785899060401190498,15086472369075279198,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 --field-trial-handle=1892,i,14785899060401190498,15086472369075279198,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1892,i,14785899060401190498,15086472369075279198,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4812 --field-trial-handle=1892,i,14785899060401190498,15086472369075279198,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4932 --field-trial-handle=1892,i,14785899060401190498,15086472369075279198,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4604 --field-trial-handle=1892,i,14785899060401190498,15086472369075279198,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1892,i,14785899060401190498,15086472369075279198,131072 /prefetch:85⤵
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1892,i,14785899060401190498,15086472369075279198,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000009001\d8379bad67.exe"C:\Users\Admin\AppData\Local\Temp\1000009001\d8379bad67.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000204001\mix123.exe"C:\Users\Admin\AppData\Local\Temp\1000204001\mix123.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 3643⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\084619521222_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 972 -ip 9721⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
360B
MD5950dca77fe90664b0227ae67ed0f7af7
SHA11b6e87e7189624c9afe1b7cb0ca5e999ecd43bda
SHA2568836c1202ca49da0a040aa9655f42686e17e92673623b677ccde6dc4a0535144
SHA512f9afc55205ecdbe3bb6fcfaa1695ea4454f1248b509c7b63696ac74da6539c97a4167f6535229e482b2f6b5f828cad67ff2e56ffea08b67a358d5a97bd14c5f8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD5857ad69a11d8e2e75ba5cdb598c5b805
SHA18d60d79c73701f32ca04809e8a4125b24b7b0e2b
SHA2566b9c9bfee4ba06ca756de8982aa3271a5a4ac27788c30cde99f1377f51b58cb9
SHA5125be5dadc3d1b9cf7f56dc426878f324657c0c8838dfc41ff5b5599374a12f23d6a8e6165efab88b022fc2b55b0c9ba4ed64fa34baaeae645dcafd7b39eaca740
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
3KB
MD55b596674d3d7e05df8c94ebe0ea87e97
SHA110966ef621274ed578909b876af3f66c74225ef4
SHA25640e50c870039b8189ec229b1f129aacc6a09bca3104046316d35c8a0d89fa731
SHA51258c61697391c4ddc3a75b264a9fe61e0eaf2f8e3126cd06b676afac0440d5c7d1f716b4a4f708f2ec7279dd2419abc72b947a795ebd2cca9d579321b5d7d483e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD54761bfd3aeda6a7882d83af464dc356a
SHA1bcceba93893db32923f0c619dc172b2ea4aaeb88
SHA2569c125c34c8924489d58ccedb7565d5648022c1f7b4bdfa9f15ab209c1c3e86d9
SHA5126f5c5accccec6131fa407a6967f32c4dea9aea3938053581dc8675214751c9db9d27fb1035959c03f535df4d8a97ae0652be5f3e1e0baf6ebb9935260d115af7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD54e35b029bc1ed680776958e28a51b840
SHA19cb80fcfc9a2c89f945ad7da8cb22bccb2e884a6
SHA2561d41433954001db47572312e8994d2d2328692708a0cec9f0e61f95edab1e15c
SHA512371b238b9892361626df8d904082706cd7539cebb83f9293fc024e2639c8eef9694338684b690628226aadc02dd3491e4d3ea539ed3344d9e157343e600eea22
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5cdb6368242ea1a0ccd55cf762789a12f
SHA1af65b84d59aadc939af6f87cc22d095a612c375d
SHA256bff613d5293531cfe06b54c0de6ff3c116f98e7e059fe5ab974763bc56ff1702
SHA512b6431cff9bfe47f27fea36c584cb2735e617b47272611d690b32d3909bde87efbaa0c23b7c0defc6850e1299a0b06d25e43d49bdedea14a397f2fb57796edafb
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD5fb01f7088493ef7758d36a32ec1466c5
SHA1ed51914d6c025ba0d5be6c4e3773bafef29fdacd
SHA25611d4b0c583366842649bdfe1ad2296242bc0ec7b37d001f9ab011a73e45df184
SHA512c3706ca41fad68554e7822479f00c37c97ef7e99810cc7c7b54eb7b53b90a53e23190cea1ee45c2cd5867832d74add411699915608f35e5087eaedd1c9706bdb
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
252KB
MD5f06535ac20be98e6fb9c0930b26a6584
SHA11c8bd6a784789073ad429fb15226d6d463096c94
SHA256695841cd3515ba9e18e93799a19d10ddbe8608180bf89fab86495c76abfe5eaf
SHA5123e05484c5a5a44acdfe6472966bb5439a3a5f2ec1e717d2e21df4d1952f7862ba7e091247ba1d90bfc704a555616ffb026d919b468165097678c2102960505cd
-
C:\Users\Admin\AppData\Local\Temp\1000008001\2e9698eebd.exeFilesize
1.1MB
MD5857b7975dd9a0f76ad6fe9e3dc8be9af
SHA136a05855893916cc30c58dd4ddd6c768e4ba0c4c
SHA2569a67ddcda5312fec555fcdb4bbd1b07ccf9216edce67666a137fe9976344f047
SHA512d760afb7d491e82be1642a558e15107fb862b8aa3909c1612f7cddeab6a3e64fc705171ea767a02689f92f43d60b5cfa7ebf43552ad061bb7d1c1992ad377719
-
C:\Users\Admin\AppData\Local\Temp\1000009001\d8379bad67.exeFilesize
2.3MB
MD5eb0fef05fee1b8fa16139cd98d4fdba5
SHA1c9017f9d7ae7c561e600ba65831ecfe4e187d729
SHA256d6d06a32bf675c9b3077110afe5c4a4b2ad7c75c3ef7301cf3a498d5991684ad
SHA512b66a38929dd191901d4cc5ac1530501612eef12c9c121c1d44cc9e20747c1649255c76b7c5853783aaac800d3c2b3acdaa2b2df328bceee2bfb6c585f66f0f3b
-
C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exeFilesize
1.8MB
MD56f7acbf1b71aa4d9e4b12eda9fafad28
SHA1659ddf3dcdf0fedaa9eb5bbd533f2d28ad9ab821
SHA25613eda7140f4c70a33b6ad32b127a9c9765981cc02642fe032e910d99479a0bfc
SHA51288f76cd5cbdd821a330bc801b89bddc0de329ea2a4763cbebcfcf3b9f6fd33d24446cc0c8ad0224e0ada2b58dc84c58b501249bd5b229d40bc88e74bb2422029
-
C:\Users\Admin\AppData\Local\Temp\1000204001\mix123.exeFilesize
460KB
MD5b0ad062d7a3c30ea28fc19a17342864b
SHA12f564ec9aa1b0d62ecd60f098742635dd69e01b2
SHA256b3e69d9ba38efb593238787f599ddf2c5d76207906126a7a3422c53a7d898d5a
SHA512c30dad0a60d6000473d9d8a64397898d3d710dab8c3bb336c27096b9f9dc2672022480d19c7b351ac2014508ac415fecf97182b88ff747a15dfeb805943e825a
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeFilesize
1.8MB
MD5f8b5857ea950c83cd3bcb2d58986a489
SHA18f3a0a3783755c414abdbff3900823783e996436
SHA2561bebb04cd216a1e16df87f944e655ec75593f03bad7c46d2bd078dd805e20811
SHA5124372fb69677ee3d07b93d8e9e8bc642d150a6ced9a94734f1555a0f2989255fd9dd46fa6d0852793d9194b696b210f995065e60ab26c2ec59b9d88bd692141b1
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kpk4avai.qct.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
\??\pipe\crashpad_1012_UZOFKZSMAEFXNSDRMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1184-9-0x0000000004C10000-0x0000000004C11000-memory.dmpFilesize
4KB
-
memory/1184-4-0x0000000004BB0000-0x0000000004BB1000-memory.dmpFilesize
4KB
-
memory/1184-2-0x0000000004BC0000-0x0000000004BC1000-memory.dmpFilesize
4KB
-
memory/1184-3-0x0000000004BD0000-0x0000000004BD1000-memory.dmpFilesize
4KB
-
memory/1184-5-0x0000000004BF0000-0x0000000004BF1000-memory.dmpFilesize
4KB
-
memory/1184-6-0x0000000004B90000-0x0000000004B91000-memory.dmpFilesize
4KB
-
memory/1184-7-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/1184-1-0x0000000076EF4000-0x0000000076EF6000-memory.dmpFilesize
8KB
-
memory/1184-8-0x0000000004C20000-0x0000000004C21000-memory.dmpFilesize
4KB
-
memory/1184-0-0x0000000000260000-0x0000000000708000-memory.dmpFilesize
4.7MB
-
memory/1184-22-0x0000000000260000-0x0000000000708000-memory.dmpFilesize
4.7MB
-
memory/1796-292-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/1796-276-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-142-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-84-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-27-0x0000000005130000-0x0000000005131000-memory.dmpFilesize
4KB
-
memory/2032-323-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-148-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-111-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-354-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-28-0x0000000005180000-0x0000000005181000-memory.dmpFilesize
4KB
-
memory/2032-125-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-29-0x0000000005110000-0x0000000005111000-memory.dmpFilesize
4KB
-
memory/2032-30-0x0000000005120000-0x0000000005121000-memory.dmpFilesize
4KB
-
memory/2032-40-0x0000000005190000-0x0000000005191000-memory.dmpFilesize
4KB
-
memory/2032-273-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-39-0x00000000051A0000-0x00000000051A1000-memory.dmpFilesize
4KB
-
memory/2032-31-0x0000000005170000-0x0000000005171000-memory.dmpFilesize
4KB
-
memory/2032-269-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-267-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-265-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-25-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB
-
memory/2032-26-0x0000000005150000-0x0000000005151000-memory.dmpFilesize
4KB
-
memory/2032-249-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-232-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-21-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-195-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2032-189-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/2128-178-0x0000000004AA0000-0x0000000004AA1000-memory.dmpFilesize
4KB
-
memory/2128-173-0x0000000004B10000-0x0000000004B11000-memory.dmpFilesize
4KB
-
memory/2128-179-0x0000000004B60000-0x0000000004B62000-memory.dmpFilesize
8KB
-
memory/2128-177-0x0000000004B40000-0x0000000004B41000-memory.dmpFilesize
4KB
-
memory/2128-190-0x00000000000F0000-0x00000000006E0000-memory.dmpFilesize
5.9MB
-
memory/2128-193-0x00000000000F0000-0x00000000006E0000-memory.dmpFilesize
5.9MB
-
memory/2128-174-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/2128-266-0x00000000000F0000-0x00000000006E0000-memory.dmpFilesize
5.9MB
-
memory/2128-168-0x0000000004AF0000-0x0000000004AF1000-memory.dmpFilesize
4KB
-
memory/2128-264-0x00000000000F0000-0x00000000006E0000-memory.dmpFilesize
5.9MB
-
memory/2128-169-0x0000000004AD0000-0x0000000004AD1000-memory.dmpFilesize
4KB
-
memory/2128-171-0x0000000004AC0000-0x0000000004AC1000-memory.dmpFilesize
4KB
-
memory/2128-170-0x0000000004B20000-0x0000000004B21000-memory.dmpFilesize
4KB
-
memory/2128-270-0x00000000000F0000-0x00000000006E0000-memory.dmpFilesize
5.9MB
-
memory/2128-239-0x00000000000F0000-0x00000000006E0000-memory.dmpFilesize
5.9MB
-
memory/2128-268-0x00000000000F0000-0x00000000006E0000-memory.dmpFilesize
5.9MB
-
memory/2128-205-0x00000000000F0000-0x00000000006E0000-memory.dmpFilesize
5.9MB
-
memory/2128-175-0x0000000004B00000-0x0000000004B01000-memory.dmpFilesize
4KB
-
memory/2128-365-0x00000000000F0000-0x00000000006E0000-memory.dmpFilesize
5.9MB
-
memory/2128-176-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/2128-326-0x00000000000F0000-0x00000000006E0000-memory.dmpFilesize
5.9MB
-
memory/2128-167-0x00000000000F0000-0x00000000006E0000-memory.dmpFilesize
5.9MB
-
memory/2128-172-0x0000000004AB0000-0x0000000004AB1000-memory.dmpFilesize
4KB
-
memory/2128-311-0x00000000000F0000-0x00000000006E0000-memory.dmpFilesize
5.9MB
-
memory/3448-313-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/3448-315-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/3736-199-0x0000000005130000-0x0000000005131000-memory.dmpFilesize
4KB
-
memory/3736-204-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/3736-203-0x0000000005170000-0x0000000005171000-memory.dmpFilesize
4KB
-
memory/3736-202-0x0000000005120000-0x0000000005121000-memory.dmpFilesize
4KB
-
memory/3736-201-0x0000000005110000-0x0000000005111000-memory.dmpFilesize
4KB
-
memory/3736-200-0x0000000005180000-0x0000000005181000-memory.dmpFilesize
4KB
-
memory/3736-197-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB
-
memory/3736-198-0x0000000005150000-0x0000000005151000-memory.dmpFilesize
4KB
-
memory/3736-196-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/3852-274-0x0000000000D00000-0x00000000011BC000-memory.dmpFilesize
4.7MB
-
memory/3852-324-0x0000000000D00000-0x00000000011BC000-memory.dmpFilesize
4.7MB
-
memory/3852-364-0x0000000000D00000-0x00000000011BC000-memory.dmpFilesize
4.7MB
-
memory/4796-234-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB
-
memory/4796-224-0x0000000005100000-0x0000000005101000-memory.dmpFilesize
4KB
-
memory/4796-233-0x0000000005150000-0x0000000005151000-memory.dmpFilesize
4KB
-
memory/4796-230-0x0000000005120000-0x0000000005121000-memory.dmpFilesize
4KB
-
memory/4796-221-0x0000000000FC0000-0x000000000147C000-memory.dmpFilesize
4.7MB
-
memory/4796-229-0x00000000050E0000-0x00000000050E1000-memory.dmpFilesize
4KB
-
memory/4796-238-0x0000000000FC0000-0x000000000147C000-memory.dmpFilesize
4.7MB
-
memory/4796-223-0x0000000000FC0000-0x000000000147C000-memory.dmpFilesize
4.7MB
-
memory/4796-225-0x0000000005110000-0x0000000005111000-memory.dmpFilesize
4KB
-
memory/4796-228-0x00000000050D0000-0x00000000050D1000-memory.dmpFilesize
4KB
-
memory/4796-227-0x0000000005130000-0x0000000005131000-memory.dmpFilesize
4KB
-
memory/4796-226-0x00000000050F0000-0x00000000050F1000-memory.dmpFilesize
4KB
-
memory/4988-38-0x0000000005170000-0x0000000005171000-memory.dmpFilesize
4KB
-
memory/4988-35-0x0000000005180000-0x0000000005181000-memory.dmpFilesize
4KB
-
memory/4988-36-0x0000000005110000-0x0000000005111000-memory.dmpFilesize
4KB
-
memory/4988-34-0x0000000005130000-0x0000000005131000-memory.dmpFilesize
4KB
-
memory/4988-33-0x0000000005150000-0x0000000005151000-memory.dmpFilesize
4KB
-
memory/4988-32-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB
-
memory/4988-37-0x0000000005120000-0x0000000005121000-memory.dmpFilesize
4KB
-
memory/4988-41-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB
-
memory/4988-24-0x00000000007C0000-0x0000000000C68000-memory.dmpFilesize
4.7MB