Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    295s
  • max time network
    299s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08/08/2024, 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    454f65d0741e515c03e0196b9b8fdfb11fb12c1c39717bd277d856d94dcf7db3.exe

  • Size

    1.8MB

  • MD5

    876a6feeffb71e95f7217eaa05c585eb

  • SHA1

    2e5a5e4709482cdbf42bc8173bef6ec25feac600

  • SHA256

    454f65d0741e515c03e0196b9b8fdfb11fb12c1c39717bd277d856d94dcf7db3

  • SHA512

    bbaeef6123efe1361ccac311790c2eec3958f145b1818bc280b9f0fda27f9fa87b5ee74db1e9d6bc0e7aaf75d852729fe8f1afcad70fe527764daaab432d6ab8

  • SSDEEP

    24576:Rez4TNxWuU/dZlLTOGiyl1Iz1sGVbRKCN1jT0DUh+dIF9J52dzrf5vtO5Hn/W/9l:K4xJK5O218VNKCqI2dfOxQ91aCm

Score
10/10
amadeyredlinestealcbuy tg @fatherofcardersdefaultfed3aalivetrafficcredential_accessdiscoveryevasionexecutioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

20.52.165.210:39030

Extracted

Family

redline

C2

185.215.113.67:21405

Extracted

Family

stealc

Botnet

default

C2

http://185.215.113.17

Attributes
  • url_path

    /2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

BUY TG @FATHEROFCARDERS

C2

45.66.231.214:9932

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 23 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\454f65d0741e515c03e0196b9b8fdfb11fb12c1c39717bd277d856d94dcf7db3.exe
    "C:\Users\Admin\AppData\Local\Temp\454f65d0741e515c03e0196b9b8fdfb11fb12c1c39717bd277d856d94dcf7db3.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:204
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:508
      • C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
        "C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:588
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
            PID:2068
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2144
        • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
          "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3008
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3696
            • C:\Users\Admin\AppData\Roaming\TBWNoH8Ixj.exe
              "C:\Users\Admin\AppData\Roaming\TBWNoH8Ixj.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4764
            • C:\Users\Admin\AppData\Roaming\ANnPtpr69I.exe
              "C:\Users\Admin\AppData\Roaming\ANnPtpr69I.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2520
        • C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe
          "C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4336
          • C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
            "C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1256
        • C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe
          "C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3400
          • C:\Users\Admin\AppData\Local\Temp\5555.exe
            "C:\Users\Admin\AppData\Local\Temp\5555.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            PID:4688
        • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
          "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:4452
        • C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe
          "C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4208
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe" -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1728
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
            4⤵
            • Drops startup file
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4624
            • C:\Users\Admin\Pictures\HBp7JQplVAnzdzDK11rS07tc.exe
              "C:\Users\Admin\Pictures\HBp7JQplVAnzdzDK11rS07tc.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              PID:1668
        • C:\Users\Admin\AppData\Local\Temp\1000090001\MYNEWRDX.exe
          "C:\Users\Admin\AppData\Local\Temp\1000090001\MYNEWRDX.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3944
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4360
    • C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
      C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
      1⤵
      • Executes dropped EXE
      PID:4356
    • C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
      C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
      1⤵
      • Executes dropped EXE
      PID:3068
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4828
    • C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
      C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
      1⤵
      • Executes dropped EXE
      PID:356
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2524
    • C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
      C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
      1⤵
      • Executes dropped EXE
      PID:200
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2772
    • C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
      C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
      1⤵
      • Executes dropped EXE
      PID:4584
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3404

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    3
    T1112

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    4
    T1552

    Credentials In Files

    4
    T1552.001

    Discovery

    Query Registry

    6
    T1012

    System Information Discovery

    5
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Virtualization/Sandbox Evasion

    2
    T1497

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
      Filesize

      328B

      MD5

      e7b4859f9ffe286b522475dd54d7850d

      SHA1

      9c6a2afd0ced97f51e8d60b800d9be5baf4204f5

      SHA256

      e657e7f219ecec0818c88b4548ec8f9f7d0294b6b6941ca7a472bbf081b9f460

      SHA512

      e1127a62488b358e0b8bf9b19166c0216810867f10b01f3228a3eb063ef7775159b1bcbf61b0de55d0d26130a310960047220d4c351dca1d1fa74546339f7e50

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
      Filesize

      954KB

      MD5

      e71c0c5d72455dde6510ba23552d7d2f

      SHA1

      4dff851c07a9f9ebc9e71b7f675cc20b06a2439c

      SHA256

      de1d7fe86a0b70a7a268d2960109833f4d126d5d9e3acb36697e8ff59c56017f

      SHA512

      c6f4b1eb353a554ca49bab5e894a4d7c46e2674d32f2f0d5a9231400d14a9ea5604c079193cd0bed9fea409bb71b5779c0c03671e104cb0740fe8ade3e530ca6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
      Filesize

      1.4MB

      MD5

      04e90b2cf273efb3f6895cfcef1e59ba

      SHA1

      79afcc39db33426ee8b97ad7bfb48f3f2e4c3449

      SHA256

      e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e

      SHA512

      72aa08242507f6dd39822a34c68d6185927f6772a3fc03a0850d7c8542b21a43e176f29e5fbb3a4e54bc02fa68c807a01091158ef68c5a2f425cc432c95ea555

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe
      Filesize

      416KB

      MD5

      6093bb59e7707afe20ca2d9b80327b49

      SHA1

      fd599fa9d5ef5c980a445fc6c19efd1fcb80f2bc

      SHA256

      3acc0b21db1f774d15a1f1d8080aff0b8f83eefb70c5c673f1c6ed7b676cd6d3

      SHA512

      d28808686f73bcc13b8ad57c84585b9d55d1b6445807023897be45f229bcab89971fb320223772fa500a692ad0b6106eaa0b4cf35e807038a6050994106d18e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe
      Filesize

      304KB

      MD5

      0d76d08b0f0a404604e7de4d28010abc

      SHA1

      ef4270c06b84b0d43372c5827c807641a41f2374

      SHA256

      6dcda2619b61b0cafbfdebb7fbb82c8c2c0b3f9855a4306782874625d6ff067e

      SHA512

      979e0d3ec0dad1cc2acd5ec8b0a84a5161e46ee7a30f99d9a3ff3b7ce4eec7f5fa1f11fbe2a84267a7263e04434f4fc7fabc7858ef4c0b7667aeb6dcd3aa7165

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
      Filesize

      187KB

      MD5

      e78239a5b0223499bed12a752b893cad

      SHA1

      a429b46db791f433180ae4993ebb656d2f9393a4

      SHA256

      80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89

      SHA512

      cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe
      Filesize

      3.2MB

      MD5

      03fe60596aa8f9b633ac360fd9ec42d8

      SHA1

      1e7bc8d80c7a2a315639b09d332a549dc7ddcb4b

      SHA256

      e731f79ee3512fefe48e53b4424145efc6a1b2585220b9c6025038d5f1263055

      SHA512

      d6f080881874112c2876ed691a6c725ce0cc87196934fd8fa9ff488619c84e6e4a9c244c0840999b6a6cce95b4b7375648cf3011d79927e90a0c786895c0cfdf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000090001\MYNEWRDX.exe
      Filesize

      304KB

      MD5

      0f02da56dab4bc19fca05d6d93e74dcf

      SHA1

      a809c7e9c3136b8030727f128004aa2c31edc7a9

      SHA256

      e1d0fe3bada7fdec17d7279e6294731e2684399905f05e5a3449ba14542b1379

      SHA512

      522ec9042680a94a73cefa56e7902bacb166e23484f041c9e06dce033d3d16d13f7508f4d1e160c81198f61aa8c9a5aecfa62068150705ecf4803733f7e01ded

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      Filesize

      1.8MB

      MD5

      876a6feeffb71e95f7217eaa05c585eb

      SHA1

      2e5a5e4709482cdbf42bc8173bef6ec25feac600

      SHA256

      454f65d0741e515c03e0196b9b8fdfb11fb12c1c39717bd277d856d94dcf7db3

      SHA512

      bbaeef6123efe1361ccac311790c2eec3958f145b1818bc280b9f0fda27f9fa87b5ee74db1e9d6bc0e7aaf75d852729fe8f1afcad70fe527764daaab432d6ab8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\5555.exe
      Filesize

      547KB

      MD5

      8ecad7a38a26ac1fc2c7804afd0599fa

      SHA1

      587475e77012d412fd96213f048b2fb2d5d405e9

      SHA256

      83f6f8c068cd5b4448b2525ee799f58aa5ad0ce40f901881eda105f6d6ed4661

      SHA512

      a5a2499fb2c5a7751f09c50032c2fcba1c2c87ad4c35910decf00d24d4d90e233fa383319d7ddd3537f3891a0db49240a9c2c81451192308280687015c8898d5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_epxvegji.vzx.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ANnPtpr69I.exe
      Filesize

      503KB

      MD5

      2c2be38fb507206d36dddb3d03096518

      SHA1

      a16edb81610a080096376d998e5ddc3e4b54bbd6

      SHA256

      0c7173daaa5ad8dabe7a2cde6dbd0eee1ca790071443aa13b01a1e731053491e

      SHA512

      e436954d7d5b77feb32f200cc48cb01f94b449887443a1e75ebef2f6fa2139d989d65f5ea7a71f8562c3aae2fea4117efc87e8aae905e1ba466fbc8bb328b316

      Download Submit

    • C:\Users\Admin\AppData\Roaming\TBWNoH8Ixj.exe
      Filesize

      510KB

      MD5

      74e358f24a40f37c8ffd7fa40d98683a

      SHA1

      7a330075e6ea3d871eaeefcecdeb1d2feb2fc202

      SHA256

      0928c96b35cd4cc5887fb205731aa91eb68886b816bcc5ec151aeee81ce4f9a6

      SHA512

      1525e07712c35111b56664e1589b1db37965995cc8e6d9b6f931fa38b0aa8e8347fc08b870d03573d10f0d597a2cd9db2598845c82b6c085f0df04f2a3b46eaf

      Download Submit

    • C:\Users\Admin\Pictures\AqX1vDOyZ5AE2GpB6E1KGAyf.exe
      Filesize

      7KB

      MD5

      77f762f953163d7639dff697104e1470

      SHA1

      ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

      SHA256

      d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

      SHA512

      d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

      Download Submit

    • C:\Users\Admin\Pictures\HBp7JQplVAnzdzDK11rS07tc.exe
      Filesize

      2.9MB

      MD5

      bc3e076ec6527a8bf74e9293be24630e

      SHA1

      2a58c06f16d1ba29e7f6945fd08896caa55df709

      SHA256

      37b97e07cc1d88c49e382de22ce61ad6d684901114d475b96e2bc9645797903b

      SHA512

      0dbf419d0652d143a36d4185d9b7ec2f35224b2467395826f55d53f538ef5539326bca03afa43676961c316de70b830f176a0056105d64f1205bf03fa84c4cf1

      Download Submit

    • \ProgramData\mozglue.dll
      Filesize

      593KB

      MD5

      c8fd9be83bc728cc04beffafc2907fe9

      SHA1

      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

      SHA256

      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

      SHA512

      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

      Download Submit

    • \ProgramData\nss3.dll
      Filesize

      2.0MB

      MD5

      1cc453cdf74f31e4d913ff9c10acdde2

      SHA1

      6e85eae544d6e965f15fa5c39700fa7202f3aafe

      SHA256

      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

      SHA512

      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

      Download Submit

    • memory/204-0-0x0000000000800000-0x0000000000CBF000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/204-12-0x0000000000800000-0x0000000000CBF000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/204-5-0x0000000000800000-0x0000000000CBF000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/204-3-0x0000000000800000-0x0000000000CBF000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/204-2-0x0000000000801000-0x000000000082F000-memory.dmp

      Filesize

      184KB

      Download

    • memory/204-1-0x0000000077BF4000-0x0000000077BF5000-memory.dmp

      Filesize

      4KB

      Download

    • memory/508-314-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-17-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-328-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-14-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-297-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-326-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-324-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-347-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-15-0x0000000000D81000-0x0000000000DAF000-memory.dmp

      Filesize

      184KB

      Download

    • memory/508-306-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-281-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-308-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-103-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-282-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-345-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-310-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-312-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-330-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-226-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-343-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-322-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-318-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-299-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-341-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-16-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-339-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/508-334-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1668-305-0x0000000000400000-0x0000000000C97000-memory.dmp

      Filesize

      8.6MB

      Download

    • memory/1668-300-0x0000000000400000-0x0000000000C97000-memory.dmp

      Filesize

      8.6MB

      Download

    • memory/1728-233-0x0000020069690000-0x00000200696B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1728-236-0x0000020069840000-0x00000200698B6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2144-38-0x0000000008470000-0x00000000084BB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2144-30-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

      Download

    • memory/2144-31-0x0000000005DB0000-0x00000000062AE000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/2144-32-0x00000000058B0000-0x0000000005942000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2144-33-0x0000000005860000-0x000000000586A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2144-34-0x0000000006C80000-0x0000000007286000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2144-112-0x00000000091B0000-0x0000000009200000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2144-102-0x00000000066E0000-0x0000000006746000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2144-35-0x00000000084E0000-0x00000000085EA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2144-36-0x00000000083D0000-0x00000000083E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2144-37-0x0000000008430000-0x000000000846E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2520-135-0x00000000095B0000-0x0000000009626000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2520-88-0x0000000000820000-0x00000000008A4000-memory.dmp

      Filesize

      528KB

      Download

    • memory/2520-136-0x0000000009570000-0x000000000958E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2520-163-0x0000000009D00000-0x0000000009EC2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2520-164-0x000000000A400000-0x000000000A92C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2524-335-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/2524-337-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/2772-354-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/2772-352-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3400-101-0x0000000000E70000-0x0000000000EC2000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3404-369-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3404-371-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3696-75-0x0000000000400000-0x0000000000536000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3696-68-0x0000000000400000-0x0000000000536000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3696-74-0x0000000000400000-0x0000000000536000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3696-71-0x0000000000400000-0x0000000000536000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3696-83-0x0000000000400000-0x0000000000536000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3944-202-0x0000000000860000-0x00000000008B2000-memory.dmp

      Filesize

      328KB

      Download

    • memory/4208-206-0x0000023777370000-0x0000023777376000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4208-180-0x0000023775830000-0x000002377583A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4208-227-0x0000023777C30000-0x0000023777C8A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4360-301-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4360-303-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4452-280-0x0000000000EF0000-0x0000000001133000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/4452-140-0x0000000061E00000-0x0000000061EF3000-memory.dmp

      Filesize

      972KB

      Download

    • memory/4452-117-0x0000000000EF0000-0x0000000001133000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/4624-232-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4688-304-0x00007FF7CB320000-0x00007FF7CB3AE000-memory.dmp

      Filesize

      568KB

      Download

    • memory/4764-87-0x0000000000ED0000-0x0000000000F56000-memory.dmp

      Filesize

      536KB

      Download

    • memory/4828-320-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4828-319-0x0000000000D80000-0x000000000123F000-memory.dmp

      Filesize

      4.7MB

      Download