Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    296s
  • max time network
    298s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08/08/2024, 22:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5327be09c22f6dfa4189c652bc3fad5795a96f6b68c1ed709ca23ef6a1cc1372.exe

  • Size

    1.8MB

  • MD5

    e205f70aca7807877b7f704a0b8a2f18

  • SHA1

    fabe7bbc7ec955a1ae243936739c59ba4d2bd9dc

  • SHA256

    5327be09c22f6dfa4189c652bc3fad5795a96f6b68c1ed709ca23ef6a1cc1372

  • SHA512

    c61b235b3f862afbcf9623f0d061c22915538c0be73c5e1b47db78dd52eff06fd096dd33d22d2d7d59a1b202484b6b4ade5c8671d91a0c1a9b0e96714fb6d9d1

  • SSDEEP

    49152:ZZmfDMeVl6fhF+uM8Sk+SO8ZpK+DmLzq:3DeVIFZNZfZpK+SLO

Score
10/10
amadeyredlinestealcbuy tg @fatherofcardersdefaultfed3aalivetrafficcredential_accessdiscoveryevasionexecutioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

20.52.165.210:39030

Extracted

Family

redline

C2

185.215.113.67:21405

Extracted

Family

stealc

Botnet

default

C2

http://185.215.113.17

Attributes
  • url_path

    /2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

BUY TG @FATHEROFCARDERS

C2

45.66.231.214:9932

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 23 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\5327be09c22f6dfa4189c652bc3fad5795a96f6b68c1ed709ca23ef6a1cc1372.exe
    "C:\Users\Admin\AppData\Local\Temp\5327be09c22f6dfa4189c652bc3fad5795a96f6b68c1ed709ca23ef6a1cc1372.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
        "C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1600
      • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
        "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4848
          • C:\Users\Admin\AppData\Roaming\I9PqMOqqKD.exe
            "C:\Users\Admin\AppData\Roaming\I9PqMOqqKD.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:912
          • C:\Users\Admin\AppData\Roaming\vWYKaC3kjN.exe
            "C:\Users\Admin\AppData\Roaming\vWYKaC3kjN.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:832
      • C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe
        "C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:416
        • C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
          "C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3132
      • C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe
        "C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1500
        • C:\Users\Admin\AppData\Local\Temp\5555.exe
          "C:\Users\Admin\AppData\Local\Temp\5555.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          PID:2636
      • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
        "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4328
      • C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe
        "C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4504
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe" -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4592
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
          4⤵
            PID:3972
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            4⤵
            • Drops startup file
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2280
            • C:\Users\Admin\Pictures\owqNP8vO3JVev9V3IdqFYQz2.exe
              "C:\Users\Admin\Pictures\owqNP8vO3JVev9V3IdqFYQz2.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              PID:4864
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            4⤵
              PID:228
          • C:\Users\Admin\AppData\Local\Temp\1000090001\MYNEWRDX.exe
            "C:\Users\Admin\AppData\Local\Temp\1000090001\MYNEWRDX.exe"
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4428
      • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
        C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:2156
      • C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
        C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
        1⤵
        • Executes dropped EXE
        PID:3012
      • C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
        C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
        1⤵
        • Executes dropped EXE
        PID:2156
      • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
        C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4328
      • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
        C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4472
      • C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
        C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
        1⤵
        • Executes dropped EXE
        PID:2580
      • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
        C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4800
      • C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
        C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
        1⤵
        • Executes dropped EXE
        PID:2704
      • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
        C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4832
      • C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
        C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
        1⤵
        • Executes dropped EXE
        PID:2512

      Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Command and Scripting Interpreter

            1
            T1059

            PowerShell

            1
            T1059.001

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Impair Defenses

            1
            T1562

            Disable or Modify Tools

            1
            T1562.001

            Modify Registry

            3
            T1112

            Virtualization/Sandbox Evasion

            2
            T1497

            Credential Access

            Credentials from Password Stores

            1
            T1555

            Credentials from Web Browsers

            1
            T1555.003

            Unsecured Credentials

            4
            T1552

            Credentials In Files

            4
            T1552.001

            Discovery

            Query Registry

            6
            T1012

            System Information Discovery

            5
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            Virtualization/Sandbox Evasion

            2
            T1497

            Lateral Movement

            Collection

            Data from Local System

            3
            T1005

            Command and Control

            Web Service

            1
            T1102

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
              Filesize

              328B

              MD5

              6d17c0e3cfba49903eb6deee60caca28

              SHA1

              e1ee524df65d628e36d8eea31b1f8787ea797278

              SHA256

              1c30010f7852590bbfe814487b8382a6a139b717d7446d5d0ae63d0892f130a3

              SHA512

              0dd3325f61c8b210c617d66537562060b40d0b4f10a02a756cabbde96424afdeff23731d00746af821e63df04192e3c9b6d518c123fcdb81d4a3d39c8785bf53

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
              Filesize

              954KB

              MD5

              e71c0c5d72455dde6510ba23552d7d2f

              SHA1

              4dff851c07a9f9ebc9e71b7f675cc20b06a2439c

              SHA256

              de1d7fe86a0b70a7a268d2960109833f4d126d5d9e3acb36697e8ff59c56017f

              SHA512

              c6f4b1eb353a554ca49bab5e894a4d7c46e2674d32f2f0d5a9231400d14a9ea5604c079193cd0bed9fea409bb71b5779c0c03671e104cb0740fe8ade3e530ca6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
              Filesize

              1.4MB

              MD5

              04e90b2cf273efb3f6895cfcef1e59ba

              SHA1

              79afcc39db33426ee8b97ad7bfb48f3f2e4c3449

              SHA256

              e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e

              SHA512

              72aa08242507f6dd39822a34c68d6185927f6772a3fc03a0850d7c8542b21a43e176f29e5fbb3a4e54bc02fa68c807a01091158ef68c5a2f425cc432c95ea555

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe
              Filesize

              416KB

              MD5

              6093bb59e7707afe20ca2d9b80327b49

              SHA1

              fd599fa9d5ef5c980a445fc6c19efd1fcb80f2bc

              SHA256

              3acc0b21db1f774d15a1f1d8080aff0b8f83eefb70c5c673f1c6ed7b676cd6d3

              SHA512

              d28808686f73bcc13b8ad57c84585b9d55d1b6445807023897be45f229bcab89971fb320223772fa500a692ad0b6106eaa0b4cf35e807038a6050994106d18e1

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe
              Filesize

              304KB

              MD5

              0d76d08b0f0a404604e7de4d28010abc

              SHA1

              ef4270c06b84b0d43372c5827c807641a41f2374

              SHA256

              6dcda2619b61b0cafbfdebb7fbb82c8c2c0b3f9855a4306782874625d6ff067e

              SHA512

              979e0d3ec0dad1cc2acd5ec8b0a84a5161e46ee7a30f99d9a3ff3b7ce4eec7f5fa1f11fbe2a84267a7263e04434f4fc7fabc7858ef4c0b7667aeb6dcd3aa7165

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
              Filesize

              187KB

              MD5

              e78239a5b0223499bed12a752b893cad

              SHA1

              a429b46db791f433180ae4993ebb656d2f9393a4

              SHA256

              80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89

              SHA512

              cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe
              Filesize

              3.2MB

              MD5

              03fe60596aa8f9b633ac360fd9ec42d8

              SHA1

              1e7bc8d80c7a2a315639b09d332a549dc7ddcb4b

              SHA256

              e731f79ee3512fefe48e53b4424145efc6a1b2585220b9c6025038d5f1263055

              SHA512

              d6f080881874112c2876ed691a6c725ce0cc87196934fd8fa9ff488619c84e6e4a9c244c0840999b6a6cce95b4b7375648cf3011d79927e90a0c786895c0cfdf

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1000090001\MYNEWRDX.exe
              Filesize

              304KB

              MD5

              0f02da56dab4bc19fca05d6d93e74dcf

              SHA1

              a809c7e9c3136b8030727f128004aa2c31edc7a9

              SHA256

              e1d0fe3bada7fdec17d7279e6294731e2684399905f05e5a3449ba14542b1379

              SHA512

              522ec9042680a94a73cefa56e7902bacb166e23484f041c9e06dce033d3d16d13f7508f4d1e160c81198f61aa8c9a5aecfa62068150705ecf4803733f7e01ded

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
              Filesize

              1.8MB

              MD5

              e205f70aca7807877b7f704a0b8a2f18

              SHA1

              fabe7bbc7ec955a1ae243936739c59ba4d2bd9dc

              SHA256

              5327be09c22f6dfa4189c652bc3fad5795a96f6b68c1ed709ca23ef6a1cc1372

              SHA512

              c61b235b3f862afbcf9623f0d061c22915538c0be73c5e1b47db78dd52eff06fd096dd33d22d2d7d59a1b202484b6b4ade5c8671d91a0c1a9b0e96714fb6d9d1

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\5555.exe
              Filesize

              547KB

              MD5

              8ecad7a38a26ac1fc2c7804afd0599fa

              SHA1

              587475e77012d412fd96213f048b2fb2d5d405e9

              SHA256

              83f6f8c068cd5b4448b2525ee799f58aa5ad0ce40f901881eda105f6d6ed4661

              SHA512

              a5a2499fb2c5a7751f09c50032c2fcba1c2c87ad4c35910decf00d24d4d90e233fa383319d7ddd3537f3891a0db49240a9c2c81451192308280687015c8898d5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djpzmwmr.mi5.ps1
              Filesize

              1B

              MD5

              c4ca4238a0b923820dcc509a6f75849b

              SHA1

              356a192b7913b04c54574d18c28d46e6395428ab

              SHA256

              6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

              SHA512

              4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

              Download Submit

            • C:\Users\Admin\AppData\Roaming\I9PqMOqqKD.exe
              Filesize

              510KB

              MD5

              74e358f24a40f37c8ffd7fa40d98683a

              SHA1

              7a330075e6ea3d871eaeefcecdeb1d2feb2fc202

              SHA256

              0928c96b35cd4cc5887fb205731aa91eb68886b816bcc5ec151aeee81ce4f9a6

              SHA512

              1525e07712c35111b56664e1589b1db37965995cc8e6d9b6f931fa38b0aa8e8347fc08b870d03573d10f0d597a2cd9db2598845c82b6c085f0df04f2a3b46eaf

              Download Submit

            • C:\Users\Admin\AppData\Roaming\vWYKaC3kjN.exe
              Filesize

              503KB

              MD5

              2c2be38fb507206d36dddb3d03096518

              SHA1

              a16edb81610a080096376d998e5ddc3e4b54bbd6

              SHA256

              0c7173daaa5ad8dabe7a2cde6dbd0eee1ca790071443aa13b01a1e731053491e

              SHA512

              e436954d7d5b77feb32f200cc48cb01f94b449887443a1e75ebef2f6fa2139d989d65f5ea7a71f8562c3aae2fea4117efc87e8aae905e1ba466fbc8bb328b316

              Download Submit

            • C:\Users\Admin\Pictures\l6i5xzJYuIy4auze4qDQYJuP.exe
              Filesize

              7KB

              MD5

              77f762f953163d7639dff697104e1470

              SHA1

              ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

              SHA256

              d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

              SHA512

              d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

              Download Submit

            • C:\Users\Admin\Pictures\owqNP8vO3JVev9V3IdqFYQz2.exe
              Filesize

              2.9MB

              MD5

              bc3e076ec6527a8bf74e9293be24630e

              SHA1

              2a58c06f16d1ba29e7f6945fd08896caa55df709

              SHA256

              37b97e07cc1d88c49e382de22ce61ad6d684901114d475b96e2bc9645797903b

              SHA512

              0dbf419d0652d143a36d4185d9b7ec2f35224b2467395826f55d53f538ef5539326bca03afa43676961c316de70b830f176a0056105d64f1205bf03fa84c4cf1

              Download Submit

            • \ProgramData\mozglue.dll
              Filesize

              593KB

              MD5

              c8fd9be83bc728cc04beffafc2907fe9

              SHA1

              95ab9f701e0024cedfbd312bcfe4e726744c4f2e

              SHA256

              ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

              SHA512

              fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

              Download Submit

            • \ProgramData\nss3.dll
              Filesize

              2.0MB

              MD5

              1cc453cdf74f31e4d913ff9c10acdde2

              SHA1

              6e85eae544d6e965f15fa5c39700fa7202f3aafe

              SHA256

              ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

              SHA512

              dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

              Download Submit

            • memory/832-207-0x0000000009150000-0x00000000091C6000-memory.dmp

              Filesize

              472KB

              Download

            • memory/832-208-0x00000000090F0000-0x000000000910E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/832-142-0x0000000000760000-0x00000000007E4000-memory.dmp

              Filesize

              528KB

              Download

            • memory/912-141-0x0000000000D40000-0x0000000000DC6000-memory.dmp

              Filesize

              536KB

              Download

            • memory/1408-322-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-342-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-296-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-295-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-308-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-310-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-312-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-99-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-350-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-17-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-18-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-340-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-338-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-20-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-19-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-336-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-334-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-318-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-230-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-229-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-320-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-305-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-324-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-326-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-344-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-16-0x0000000000231000-0x000000000025F000-memory.dmp

              Filesize

              184KB

              Download

            • memory/1408-14-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1408-328-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1500-86-0x0000000000340000-0x0000000000392000-memory.dmp

              Filesize

              328KB

              Download

            • memory/1600-51-0x0000000006860000-0x0000000006872000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1600-50-0x0000000008120000-0x000000000822A000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/1600-168-0x0000000008C20000-0x0000000008C70000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1600-33-0x0000000000400000-0x0000000000452000-memory.dmp

              Filesize

              328KB

              Download

            • memory/1600-167-0x0000000009400000-0x000000000992C000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/1600-36-0x0000000002EF0000-0x0000000002EFA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1600-166-0x0000000008D00000-0x0000000008EC2000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/1600-159-0x0000000006440000-0x00000000064A6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1600-53-0x0000000008050000-0x000000000809B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1600-35-0x0000000005470000-0x0000000005502000-memory.dmp

              Filesize

              584KB

              Download

            • memory/1600-52-0x0000000008010000-0x000000000804E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1600-49-0x00000000068C0000-0x0000000006EC6000-memory.dmp

              Filesize

              6.0MB

              Download

            • memory/1600-34-0x0000000005AB0000-0x0000000005FAE000-memory.dmp

              Filesize

              5.0MB

              Download

            • memory/1724-5-0x0000000000840000-0x0000000000CF9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1724-3-0x0000000000840000-0x0000000000CF9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1724-2-0x0000000000841000-0x000000000086F000-memory.dmp

              Filesize

              184KB

              Download

            • memory/1724-0-0x0000000000840000-0x0000000000CF9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1724-15-0x0000000000840000-0x0000000000CF9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/1724-1-0x0000000077DF4000-0x0000000077DF5000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2156-226-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2156-211-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/2280-254-0x0000000000400000-0x0000000000408000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2636-306-0x00007FF692170000-0x00007FF6921FE000-memory.dmp

              Filesize

              568KB

              Download

            • memory/4328-316-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4328-100-0x00000000012A0000-0x00000000014E3000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/4328-124-0x0000000061E00000-0x0000000061EF3000-memory.dmp

              Filesize

              972KB

              Download

            • memory/4328-317-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4328-227-0x00000000012A0000-0x00000000014E3000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/4428-224-0x0000000000F50000-0x0000000000FA2000-memory.dmp

              Filesize

              328KB

              Download

            • memory/4472-333-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4472-332-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4504-228-0x000001EFB29A0000-0x000001EFB29A6000-memory.dmp

              Filesize

              24KB

              Download

            • memory/4504-206-0x000001EFB2480000-0x000001EFB248A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4504-231-0x000001EFCC820000-0x000001EFCC87A000-memory.dmp

              Filesize

              360KB

              Download

            • memory/4592-241-0x000001AF98190000-0x000001AF98206000-memory.dmp

              Filesize

              472KB

              Download

            • memory/4592-237-0x000001AFFF290000-0x000001AFFF2B2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4800-348-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4800-349-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4832-365-0x0000000000230000-0x00000000006E9000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/4848-105-0x0000000000400000-0x0000000000536000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4848-103-0x0000000000400000-0x0000000000536000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4848-101-0x0000000000400000-0x0000000000536000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4848-104-0x0000000000400000-0x0000000000536000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4848-118-0x0000000000400000-0x0000000000536000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4864-307-0x0000000000400000-0x0000000000C97000-memory.dmp

              Filesize

              8.6MB

              Download

            • memory/4864-304-0x0000000000400000-0x0000000000C97000-memory.dmp

              Filesize

              8.6MB

              Download