Analysis
-
max time kernel
152s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
16-05-2024 18:52
General
-
Target
147d8700213e21009163c6e6199abe10_NeikiAnalytics.exe
-
Size
1.9MB
-
MD5
147d8700213e21009163c6e6199abe10
-
SHA1
87fef2f5afb529c3e447282dded91facead60977
-
SHA256
b2922bac18a922160af9e991c92041bdd226e5d4f0e7841735f2e9b2048f5d5c
-
SHA512
1f3a6ec33c4136dfde9b2a8ed20fc48b771c661d926b90b37d4b810149e3875eb7c32c3614f3fdf7ac5c6ea2b986cba4e5b80537c513e0a8b97fd358d31eef6c
-
SSDEEP
49152:24v+pFoJ+N/CbApngPjG5kzjypLox1kHSvf:Epqg1GigPK5kzepLCTf
Malware Config
Extracted
amadey
4.20
c767c0
http://5.42.96.7
-
install_dir
7af68cdb52
-
install_file
axplons.exe
-
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
-
url_paths
/zamo7h/index.php
Extracted
stealc
zzvv
http://23.88.106.134
-
url_path
/c73eed764cc59dcb.php
Extracted
redline
1
185.215.113.67:26260
Extracted
redline
@CLOUDYTTEAM
185.172.128.33:8970
Extracted
lumma
https://headraisepresidensu.shop/api
https://sofaprivateawarderysj.shop/api
https://lineagelasserytailsd.shop/api
https://tendencyportionjsuk.shop/api
https://appetitesallooonsj.shop/api
https://minorittyeffeoos.shop/api
https://prideconstituiiosjk.shop/api
https://smallelementyjdui.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
XMRig Miner payload 4 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 24 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\147d8700213e21009163c6e6199abe10_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\147d8700213e21009163c6e6199abe10_NeikiAnalytics.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"5⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 3604⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"3⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameStabilityService\installm.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLinks5⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameStabilityService\GameService.exeGameService remove GameSyncLinks confirm5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameStabilityService\GameService.exeGameService install GameStabilityService "C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameStabilityService\GameService.exeGameService start GameStabilityService5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"3⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\8xwDw4wNDhEaPoKB0g4tAt0z.exe"C:\Users\Admin\Pictures\8xwDw4wNDhEaPoKB0g4tAt0z.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 4526⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 5126⤵
- Program crash
-
C:\Users\Admin\Pictures\hYLtaeWNjWHzQUNhpfkidzn2.exe"C:\Users\Admin\Pictures\hYLtaeWNjWHzQUNhpfkidzn2.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\umCGOVEeUYtigv9fiQSVcgDp.exe"C:\Users\Admin\Pictures\umCGOVEeUYtigv9fiQSVcgDp.exe" /s5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\rH8YOIVHHvd2BWV5YeHSh62E.exe"C:\Users\Admin\Pictures\rH8YOIVHHvd2BWV5YeHSh62E.exe"5⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2708 -ip 27081⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\GameStabilityService\GameService.exe"C:\Program Files (x86)\GameStabilityService\GameService.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\269446.exe"C:\Windows\Temp\269446.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 86Adxfq6AnkKUZNQwBuLMF9HYKxy399q4GoNvX86ddj4DNkHhKaPCWagERDeBPVYSw76hQwZATyV8GAWhX5g2ujETX6AWcp --coin XMR -t 1 --no-color -p x3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3528 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:31⤵
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2384 -ip 23841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2384 -ip 23841⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1System Services
1Service Execution
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify Tools
3Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\GameStabilityService\GameService.exeFilesize
288KB
MD5d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA5121b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4
-
C:\Program Files (x86)\GameStabilityService\GameStabilityService.exeFilesize
6.2MB
MD5c4f2b643c3ff9bb7ae4fd625c9d98154
SHA1bd7c7190e45cbda09be256bee7622bb74f75f00c
SHA25676b585b4eac7b0584f28d66d6bf37ad29b1ab73354cbd3c5bb1c819787208f0b
SHA5122efeaf9473ac1a8f42fd5870154faa37b06e4f331768cd7934fd4aa685eb6da4e28eaa7357807c4bf37dd79fc4a5eaf70ab4324ed0100dcdb4abaf4d9b0a7dcb
-
C:\Program Files (x86)\GameStabilityService\installm.batFilesize
247B
MD5192ae14b572f1bdd164ee67855d5a83a
SHA19cf0757c807a8b834470d216ccd85be9a6b60aa0
SHA2562f6be6b40cf7c1802b6540dbf0b90eac67fd6a94067a06090e1f71bee164188d
SHA51218fc80eb3d450359863d61cf9123a08cdfe8c52d5f59e97f5b42816584d474d8a080bb75e7fe92480d2961481d59584a3987b2e7a15e611b58885b4441085e3c
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch DictionariesFilesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exeFilesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exeFilesize
474KB
MD5e967f019b01357086d92181e6ee28e0b
SHA17f26480ea5ca0ee9481dfc0bea12194bd6f10283
SHA256c69c17f4c6b2206437e7954c02424b80605d40e98c0adcad6839e170c94b1c82
SHA512dd2abe993397cf9f117753fd71ed9f98c4952616ee30f10479fbc3dad93a88dcfbfd6b80083541c7a796936dd37667a0f178156bdf5c35abf76dd8b23015d88a
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exeFilesize
304KB
MD59faf597de46ed64912a01491fe550d33
SHA149203277926355afd49393782ae4e01802ad48af
SHA2560854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715
SHA512ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e
-
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exeFilesize
2.0MB
MD51d814be25e80fa6739f6f1eec2018102
SHA144353b52a72e3f5c46b3d6078aab1211ce33b4fd
SHA25601862602fb4853d90796a1a669b4ec4ab5e8cc6a774bf94e707171d5e16594fc
SHA51215732577c4fd4a0d2303df2f2d623e165c94f5b8dcd92724681d41ac35ecefbe8c04052329ec6938a594086bf8a19a54253be9f33cc8b3a298261467cddf5578
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exeFilesize
778KB
MD505b11e7b711b4aaa512029ffcb529b5a
SHA1a8074cf8a13f21617632951e008cdfdace73bb83
SHA2562aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exeFilesize
1.2MB
MD556e7d98642cfc9ec438b59022c2d58d7
SHA126526f702e584d8c8b629b2db5d282c2125665d7
SHA256a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383
SHA5120be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exeFilesize
379KB
MD5009669d63111ff8efad651efac7333af
SHA1d0ebf3a228e2d44e094aa3b1b056176bc05c8f40
SHA2564736228698b5bb9b7dc86f4dbfe539e54fe5f5153be6c4aec7b8269e34c7a84b
SHA512dbf32ce7ba68fa88f508bced74b898baa73679216374d885e279eaf848c8f197294f66a0131491050f70f93413d973cc1fe7245e8128758a6103a453e7aed808
-
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmdFilesize
208B
MD52dbc71afdfa819995cded3cc0b9e2e2e
SHA160e1703c3fd4fe0fba9f1e65e10a61e0e72d9faf
SHA2565a0070457636d37c11deb3148f6914583148fe45a66f44d7852f007ed5aad0ac
SHA5120c59fa999ed912e6e747017c4e4c73f37ed7a72654f95eaea3db899308468e8756621db6e4edfd79e456ec69ce2e3e880817410b6aab1d01414f6300240d8b52
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeFilesize
1.9MB
MD5147d8700213e21009163c6e6199abe10
SHA187fef2f5afb529c3e447282dded91facead60977
SHA256b2922bac18a922160af9e991c92041bdd226e5d4f0e7841735f2e9b2048f5d5c
SHA5121f3a6ec33c4136dfde9b2a8ed20fc48b771c661d926b90b37d4b810149e3875eb7c32c3614f3fdf7ac5c6ea2b986cba4e5b80537c513e0a8b97fd358d31eef6c
-
C:\Users\Admin\AppData\Local\Temp\Tmp3687.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_13v2w1sb.sjy.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353Filesize
2KB
MD5e5f579b1ac69e9b9e254db7cc6fc0df9
SHA191f7e3cf9c934833bf97aa7f8586003e2bdaf31f
SHA256bafb68ce48dc7b068fb9ccd35b3a80a7680452fafdd6a7bf3e70bc2c6f0b103c
SHA512af2644415225c018d869015bcea7a0bef0dcceb3de52ccfbdf5ee883c6ee134f97a023b36a02af2149d27580d24e2266cf3a2c0ceea353766dcb55bdb3840165
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exeFilesize
304KB
MD50c582da789c91878ab2f1b12d7461496
SHA1238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exeFilesize
750KB
MD520ae0bb07ba77cb3748aa63b6eb51afb
SHA187c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5f8655ead162a0f200c9ed1cb0aa3491d
SHA1cbe931d6a03a9f8b6d643e0764409882b84c5c49
SHA2564d544c4b8dfab46950eff46aae27e50a020bb11fd1959a87dc008a3ab3d9fc31
SHA512e89aca62ada806e154551a31f54fded42bc792d05444ffd64e0a7dbfd8bc185375b346847638a55e48352a7eb94a0b896648ff5958ab9c897030bdfcae050ffa
-
C:\Users\Admin\Pictures\8xwDw4wNDhEaPoKB0g4tAt0z.exeFilesize
280KB
MD56c5a2c1438f4f104f3fa1558ecba4628
SHA1f6724c8104b9e1543cfae13fff957dd430e51353
SHA2568323be0d9da32e6a724ab5f04e7145d10967bf9a7318dd18af1f18251da8d8f5
SHA512ec92c93bef118d7601b6159b60624eea9ae28d6b40d7d6d2c02c65b3f048a77eb7488184c68984ccd2be02045292bec8d664aafca609bd9307995575b57c0dc3
-
C:\Users\Admin\Pictures\fsXWqvQMrrpvjifkNEgIutRC.exeFilesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Users\Admin\Pictures\hYLtaeWNjWHzQUNhpfkidzn2.exeFilesize
4.1MB
MD5fdb5dc85a26d2aa74f762634d86b7b8f
SHA1c9c40ab974982eff6a39e3fa13b6ffb0722a51d7
SHA2562ec3cfc658a9fa63eefc16824587749dc8bc4a3ccae1b881a6fe3f9114c67cf7
SHA5128fcd96eee55e9fc646f95e1eb74da88b729c0f75eabf9b83712de041aee1f11ee41bb74f013387cf9ba1b34790f90109a318ede811b7eb5b5b3cb50e79205d0a
-
C:\Users\Admin\Pictures\umCGOVEeUYtigv9fiQSVcgDp.exeFilesize
1.5MB
MD5cd4acedefa9ab5c7dccac667f91cef13
SHA1bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA51206fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1
-
C:\Windows\Temp\269446.exeFilesize
6.0MB
MD55cdb390aaba8caad929f5891f86cf8d7
SHA1324a43fa56dffe541c0414f253faf2bf34ad9fa4
SHA2561dfe2dd5f1bd757e852a271e0dc34f96aa9418983e9c8aded545302d2d69de44
SHA5129e8dab07b840d9b0949a539e70cfa155ad08b34c73ae7f2810909f4bf5e1ddcee79f9630a9422083d244322d1afd9d91ade9fc4d75324bc4e45ee67a4900bbe9
-
memory/396-233-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-305-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-357-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-125-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-369-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-127-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-107-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-344-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-343-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-162-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-98-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-307-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-87-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-76-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-376-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-20-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-21-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-445-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-22-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/396-23-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/1344-342-0x00000166E6220000-0x00000166E627C000-memory.dmpFilesize
368KB
-
memory/1344-276-0x00000166E4680000-0x00000166E468A000-memory.dmpFilesize
40KB
-
memory/1508-370-0x000001E528740000-0x000001E52888E000-memory.dmpFilesize
1.3MB
-
memory/1508-347-0x000001E5285D0000-0x000001E5285F2000-memory.dmpFilesize
136KB
-
memory/1508-446-0x000001E528740000-0x000001E52888E000-memory.dmpFilesize
1.3MB
-
memory/1848-256-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1848-258-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1856-120-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/1856-134-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/1856-122-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/2220-39-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/2336-263-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/2336-242-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/2464-304-0x0000000000D60000-0x0000000000E20000-memory.dmpFilesize
768KB
-
memory/2708-40-0x00000000000B0000-0x0000000000368000-memory.dmpFilesize
2.7MB
-
memory/2756-372-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/2756-373-0x00000000001B0000-0x000000000067C000-memory.dmpFilesize
4.8MB
-
memory/3104-257-0x0000000000450000-0x0000000000451000-memory.dmpFilesize
4KB
-
memory/3192-191-0x00000293ECE20000-0x00000293ECE40000-memory.dmpFilesize
128KB
-
memory/3248-346-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/4108-378-0x0000000006190000-0x00000000061DC000-memory.dmpFilesize
304KB
-
memory/4108-341-0x0000000005A90000-0x0000000005B06000-memory.dmpFilesize
472KB
-
memory/4108-131-0x0000000000190000-0x00000000001E2000-memory.dmpFilesize
328KB
-
memory/4108-175-0x00000000051E0000-0x0000000005784000-memory.dmpFilesize
5.6MB
-
memory/4108-306-0x0000000005020000-0x000000000502A000-memory.dmpFilesize
40KB
-
memory/4108-363-0x0000000006770000-0x0000000006D88000-memory.dmpFilesize
6.1MB
-
memory/4108-228-0x0000000004C30000-0x0000000004CC2000-memory.dmpFilesize
584KB
-
memory/4216-57-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/4252-56-0x00000000009E0000-0x00000000009E1000-memory.dmpFilesize
4KB
-
memory/4252-55-0x00000000009E0000-0x00000000009E1000-memory.dmpFilesize
4KB
-
memory/4524-302-0x0000000000E50000-0x0000000000EA2000-memory.dmpFilesize
328KB
-
memory/4524-375-0x0000000006E10000-0x0000000006E4C000-memory.dmpFilesize
240KB
-
memory/4524-371-0x0000000005A80000-0x0000000005A92000-memory.dmpFilesize
72KB
-
memory/4524-345-0x0000000006CF0000-0x0000000006D0E000-memory.dmpFilesize
120KB
-
memory/4524-367-0x0000000006F20000-0x000000000702A000-memory.dmpFilesize
1.0MB
-
memory/4700-121-0x0000000000BA0000-0x0000000000BA1000-memory.dmpFilesize
4KB
-
memory/4948-0-0x0000000000380000-0x000000000084C000-memory.dmpFilesize
4.8MB
-
memory/4948-5-0x0000000000380000-0x000000000084C000-memory.dmpFilesize
4.8MB
-
memory/4948-7-0x0000000000380000-0x000000000084C000-memory.dmpFilesize
4.8MB
-
memory/4948-4-0x0000000000380000-0x000000000084C000-memory.dmpFilesize
4.8MB
-
memory/4948-3-0x0000000000381000-0x00000000003AF000-memory.dmpFilesize
184KB
-
memory/4948-2-0x0000000000380000-0x000000000084C000-memory.dmpFilesize
4.8MB
-
memory/4948-1-0x0000000077A44000-0x0000000077A46000-memory.dmpFilesize
8KB
-
memory/4948-19-0x0000000000380000-0x000000000084C000-memory.dmpFilesize
4.8MB
-
memory/4948-8-0x0000000000380000-0x000000000084C000-memory.dmpFilesize
4.8MB