amadey | 72404ecb9dff0bbdb1296b7be79515ebf9323101374385476c282812517c43d9

Analysis

max time kernel
591s
max time network
579s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
23-10-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Requirements.scr
Size

45.2MB
MD5

3984a66e5b78113a55d22f9c2f3af1bc
SHA1

16895f9541767e859eb7784b70804623eaa48b2c
SHA256

72404ecb9dff0bbdb1296b7be79515ebf9323101374385476c282812517c43d9
SHA512

b44cc041f9df8eaf28fee92a701dfc9d45b458b3310a248d1ca466c313bb26466ea098f15bee119999c4e8f08c8bc63f50e783da98b72863180440fd4373547c
SSDEEP

786432:+1prb/zUF2kVcAQDv8vK6BneoexUqOLb55j0JJ3gTsGN3pxNy:ypLUAk+NqBsxUqcpxsMXc

Score

10^/10

amadey lumma rhadamanthys 76a1c5 discovery execution stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

76a1c5

http://185.208.158.96

Attributes

install_dir
9b94b7e626
install_file
Gxtuum.exe
strings_key
7ec67893d851db775fae22819287705c
url_paths
/mzmtrpwoe113ee/index.php

rc4.plain

Extracted

Family

rhadamanthys

https://185.196.11.237:9697/f002171ab05c7/hip4946p.881o6

Extracted

Family

lumma

https://drawwyobstacw.sbs

https://condifendteu.sbs

https://ehticsprocw.sbs

https://vennurviot.sbs

https://resinedyw.sbs

https://enlargkiw.sbs

https://allocatinow.sbs

https://mathcucom.sbs

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4584 created 1088	4584	explorer.exe	49
PID 4460 created 1088	4460	explorer.exe	49

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
240	WinRar64.exe
4548	vlc.exe
3420	VBoxTestOGL.exe

Loads dropped DLL 14 IoCs

pid	Process
240	WinRar64.exe
240	WinRar64.exe
240	WinRar64.exe
4548	vlc.exe
4548	vlc.exe
3420	VBoxTestOGL.exe
3420	VBoxTestOGL.exe
3420	VBoxTestOGL.exe
3420	VBoxTestOGL.exe
3420	VBoxTestOGL.exe
3420	VBoxTestOGL.exe
3420	VBoxTestOGL.exe
3420	VBoxTestOGL.exe
3420	VBoxTestOGL.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 240 set thread context of 4648	240	WinRar64.exe	91
PID 2732 set thread context of 4584	2732	explorer.exe	102
PID 4548 set thread context of 1592	4548	vlc.exe	112
PID 3420 set thread context of 3856	3420	VBoxTestOGL.exe	119

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3764	powershell.exe
768	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2512	4584	WerFault.exe	102
652	4584	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinRar64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	Requirements.scr

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
240	WinRar64.exe
240	WinRar64.exe
4648	cmd.exe
4648	cmd.exe
4584	explorer.exe
4584	explorer.exe
2364	openwith.exe
2364	openwith.exe
2364	openwith.exe
2364	openwith.exe
3764	powershell.exe
3764	powershell.exe
4548	vlc.exe
4548	vlc.exe
1592	cmd.exe
1592	cmd.exe
4460	explorer.exe
4460	explorer.exe
4248	openwith.exe
4248	openwith.exe
4248	openwith.exe
4248	openwith.exe
768	powershell.exe
768	powershell.exe
3420	VBoxTestOGL.exe
3420	VBoxTestOGL.exe
3856	cmd.exe
3856	cmd.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
240	WinRar64.exe
4648	cmd.exe
4548	vlc.exe
1592	cmd.exe
3420	VBoxTestOGL.exe
3856	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2936	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2936	AcroRd32.exe
2936	AcroRd32.exe
2936	AcroRd32.exe
2936	AcroRd32.exe
2936	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 240	2832	Requirements.scr	89
PID 2832 wrote to memory of 240	2832	Requirements.scr	89
PID 2832 wrote to memory of 240	2832	Requirements.scr	89
PID 2832 wrote to memory of 2936	2832	Requirements.scr	90
PID 2832 wrote to memory of 2936	2832	Requirements.scr	90
PID 2832 wrote to memory of 2936	2832	Requirements.scr	90
PID 240 wrote to memory of 4648	240	WinRar64.exe	91
PID 240 wrote to memory of 4648	240	WinRar64.exe	91
PID 240 wrote to memory of 4648	240	WinRar64.exe	91
PID 2936 wrote to memory of 1820	2936	AcroRd32.exe	93
PID 2936 wrote to memory of 1820	2936	AcroRd32.exe	93
PID 2936 wrote to memory of 1820	2936	AcroRd32.exe	93
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 3140	1820	RdrCEF.exe	94
PID 1820 wrote to memory of 236	1820	RdrCEF.exe	95
PID 1820 wrote to memory of 236	1820	RdrCEF.exe	95
PID 1820 wrote to memory of 236	1820	RdrCEF.exe	95
PID 1820 wrote to memory of 236	1820	RdrCEF.exe	95
PID 1820 wrote to memory of 236	1820	RdrCEF.exe	95
PID 1820 wrote to memory of 236	1820	RdrCEF.exe	95
PID 1820 wrote to memory of 236	1820	RdrCEF.exe	95
PID 1820 wrote to memory of 236	1820	RdrCEF.exe	95
PID 1820 wrote to memory of 236	1820	RdrCEF.exe	95
PID 1820 wrote to memory of 236	1820	RdrCEF.exe	95
PID 1820 wrote to memory of 236	1820	RdrCEF.exe	95

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1088
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4248

C:\Users\Admin\AppData\Local\Temp\Requirements.scr
"C:\Users\Admin\AppData\Local\Temp\Requirements.scr" /S
1⤵
PID:4820

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\Requirements.scr
"C:\Users\Admin\AppData\Local\Temp\Requirements.scr" /S
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe
  "C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4648
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe" /S
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2732
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4584
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 456
        6⤵
        Program crash
        
        PID:2512
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 452
        6⤵
        Program crash
        
        PID:652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
    - - C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1592
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe" /S
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3856
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe" /S
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Requirements.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6E056330C8D9E71F750796BEA01EF4EB --mojo-platform-channel-handle=1792 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3140
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=81700D0C8B53F6656E60BE73FD1B8D2B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=81700D0C8B53F6656E60BE73FD1B8D2B --renderer-client-id=2 --mojo-platform-channel-handle=1800 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:236
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7ED7C0F9210873451B199414A8FCC9EF --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4616
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=01E2EC2CF6ED0D58DA7B1952FE24CDFF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=01E2EC2CF6ED0D58DA7B1952FE24CDFF --renderer-client-id=5 --mojo-platform-channel-handle=1904 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:5116
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=06BD84C10AB835DD0468A3733EA03572 --mojo-platform-channel-handle=2696 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:856
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2DB0B463CDBDCBDC3DE4FDBAE4BEB6D8 --mojo-platform-channel-handle=2812 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4584 -ip 4584
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4584 -ip 4584
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b58e6de9cf9aa1c43c15c4e5bacebd1

SHA1
706600fc3b8d7551ff18452f1025e8a0480b3e6d

SHA256
e04e22e7bcc9ddb67fb534f1eb10e4af31d9f07d0c6f2b54d133dd5996ba0be9

SHA512
dbef32d4a09bb46e999a7bee2aec0e54431dec644f54aa9a1e9833a1b0ee340589ee76cd32e2b5fddb6fc64e641777c96e43cc93d2e805f8443d58ef5a4095fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\a6f494e1-181f-43ae-8081-58780b6f2a46.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Programs\WinRAR\MSNCore.dll

Filesize
991KB

MD5
deaa38a71c85d2f9d4ba71343d1603da

SHA1
bdbb492512cee480794e761d1bea718db14013ec

SHA256
1dc120f34b294e964eee949c4d1ebd9c271715d46b38ae082fec2f1d505e8d65

SHA512
87b152b642a020e07ad46e9ed5b4a462c12cf0918f82025c230f662eddb3bf4b2d3aa15ca770970beae5988dd5d5d9b7bcaf7a77c6d2f3acf6d12826f3a9ead7

Download Submit
C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe

Filesize
5.5MB

MD5
537915708fe4e81e18e99d5104b353ed

SHA1
128ddb7096e5b748c72dc13f55b593d8d20aa3fb

SHA256
6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74

SHA512
9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2

Download Submit
C:\Users\Admin\AppData\Local\Programs\WinRAR\bqbr

Filesize
1016KB

MD5
d1dd94b6d3c47bf394de95221842cbed

SHA1
42717a7086e0b3f9539948ea2c80e57739c5879a

SHA256
ea0f82414408da76de7706b137551a76b0adb4a7282d45a82c0d61b6c88f4706

SHA512
0c3fc772cda18b3a41eb152a45c32ef83b148914ec5d042242bb4fe66baf7612ea58389fae05258fab4ee9c0e4bfd041c959f57dc24781b72e0b4e7501f112b5

Download Submit
C:\Users\Admin\AppData\Local\Programs\WinRAR\contactsUX.dll

Filesize
331KB

MD5
54ee6a204238313dc6aca21c7e036c17

SHA1
531fd1c18e2e4984c72334eb56af78a1048da6c7

SHA256
0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd

SHA512
19a2e371712aab54b75059d39a9aea6e7de2eb69b3ffc0332e60df617ebb9de61571b2ca722cddb75c9cbc79f8200d03f73539f21f69366eae3c7641731c7820

Download Submit
C:\Users\Admin\AppData\Local\Programs\WinRAR\gld

Filesize
88KB

MD5
06a62106f0d01ed3a971415b57366a8b

SHA1
9d905a38a4f53961a3828b2f759062b428dd25a9

SHA256
6c5fb0f5e586cac39cf4e06e918dad243053cb103a82afeed32d92732834cc93

SHA512
4565dfe2e72a4a08d2a66722cb3ab736a2fa45f0c0ad368805d778f57f3bade2c82b2f8eab3006e4258cf5be84e96a46233e68be4d14fec50382cd94c13a4d74

Download Submit
C:\Users\Admin\AppData\Local\Programs\WinRAR\msidcrl40.dll

Filesize
784KB

MD5
f1f8d156bbdd5945a4f933ac7fa7cc41

SHA1
e581235e9f1a3a8a63b8a470eaed882bc93b9085

SHA256
344ac8e5debb1a496c3648f941801cdc6ffdfcc7eef8ed38e62270a2e20b1c3a

SHA512
86d799af3be251edecf6a552f473b94a0ba2d738b7b5f4a84c31bb34db4ea458f5e50090370bdf82f945e684dd5d66b88ebe3c902305bb0a435aca1331cb4ad9

Download Submit
C:\Users\Admin\AppData\Local\Programs\WinRAR\msvcr80.dll

Filesize
612KB

MD5
43143abb001d4211fab627c136124a44

SHA1
edb99760ae04bfe68aaacf34eb0287a3c10ec885

SHA256
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

SHA512
ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip

Filesize
2.8MB

MD5
f169e93956f90c9b4fee4800e4fb655f

SHA1
fb0005f2d2213f1e486c3d1c2992cf35b8450591

SHA256
61205f3d3b64a36565e557eb3f16f1a0cd031852ce7c1dd13e879cca611d2da1

SHA512
ee86a4447bf986ebaeebdf47b332973b25071b5f4e16067e44064d82ad5827b38c89faf4eda12a92ad7cfabee78f1ae01b3acfff9650c37b34f63e651ab28c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\dqhq

Filesize
57KB

MD5
b23152452b6c798ee1b57352cc5ebce1

SHA1
219a30751cda0df049fecc8247daf34fe57d1f4a

SHA256
c513a651c736cdb3acbc7fad1612c544bf14b658dd4db62ea7eb434d8393f83a

SHA512
c951a6e46c4f7d86553dfb2d796e68fd6cb197114155c61e8898e6d792ec87cc18a326097cf140874473e6e33cced35d6a87aea93894a59e3da35f27862e177d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\hcsjm

Filesize
896KB

MD5
d272096a4ad0ba0c3001c21804b11835

SHA1
3b3933a81cf97301e1e1a4f3c37df2dbb32d3679

SHA256
975412a4da13058af093ad1c18dc985428bebd0f2fc730e6195948e69154d65f

SHA512
6c837d5638fdeed4ce2e579019c8ee85a2f751393530a286396dce30cfc7db4c336515f4fd94fd1b7cf0ee93a1366bcfa7acc6e62e459382f3553bf2d55c2c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlc.dll

Filesize
186KB

MD5
4b262612db64f26ea1168ca569811110

SHA1
8e59964d1302a3109513cd4fd22c1f313e79654c

SHA256
a9340c99206f3388153d85df4ca94d33b28c60879406cc10ff1fd10eae16523f

SHA512
9902e64eb1e5ed4c67f4b7e523b41bde4535148c6be20db5f386a1da74533ca575383f1b3154f5985e379df9e1e164b6bda25a66504edcfaa57d40b04fc658c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlccore.dll

Filesize
2.7MB

MD5
c39b26fd913f74e1b80df54a3c58cfb7

SHA1
d81a62a78fbe5294c9298721e588ed9b38aafd9e

SHA256
eafae6c93e6e49310d13f80b76de3286ad6027624416543fbd65f8f0b0541e68

SHA512
4fbd067c88405b5541da6ddb1fa6c7d09a327d008c5494674124bf8fe3641d328e6ac0ee95b84b6368be796e249d633842a4ef5f0db71ce5cbb449089175fd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe

Filesize
966KB

MD5
e634616d3b445fc1cd55ee79cf5326ea

SHA1
ca27a368d87bc776884322ca996f3b24e20645f4

SHA256
1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937

SHA512
7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg.zip

Filesize
4KB

MD5
cb106cb03334fff181d51a71637a2a6c

SHA1
0cea6bb69e925f00c7d334cf58b46b9d4cb6cb37

SHA256
db462a4becbd5ce94f72d91b9f0bd0e1b2dbc9220094d710747b4ca39e3a72f7

SHA512
9f66fb7db9fc5a3274c1a88c4c4d7152aa7aec8e0ed6abbd6fe88bd9444eed57055df8b2e7254c222848b00a6643b94e12c610f94b6fc68a566ce18322d27661

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip

Filesize
8.5MB

MD5
e0a6c369447034f1b7f2749620c420cc

SHA1
15b88a23dca33d84bdb2c256e67aee6705a4f122

SHA256
3e13e72c418b133c27a1c5aa85cf76f803ab2642b22b473d27de4a1449890603

SHA512
374e851b931cee58aa31b6ab215dc94d85a9251e1e60d43e6c21edbf657983bb37148681b20d2d518c4001624caebbd588d3bfa59506900e11a8003765cb379a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\QtCoreVBox4.dll

Filesize
2.8MB

MD5
96123f5c43b67b168840b1c548e8bcce

SHA1
e3e17aa08ea61e3bc7312c37da766db1f166fb83

SHA256
2473eaee17b4d730f2d9be74c3c2ab491f62cbbd68be43cf10a9ca04efcaef5b

SHA512
df974aeceeac2e72424e775674ffbc5a7ced9cf3b90135e3d6decd3fffa0d56b24a175cde6c2aa59a98f93cfa957c790b2b95303bccd4a37aa53a4deccc5ba92

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\QtGuiVBox4.dll

Filesize
9.4MB

MD5
e74d017961a50822825aa733c6196efc

SHA1
4db6e896e19d43927377209b14e4abd928264671

SHA256
b13e868e0da8d43519b8694074bf70a8b90f9f1c27a89f168766f2fd435721be

SHA512
5750ff404c2835fb9df0512e1551b20b8f191280d8436fc196605931a40d8ca124a0e5686d9fe3a7b3dbd6cd9d81e13353a4d28d9669f859322ab66fe28cf8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\QtOpenGLVBox4.dll

Filesize
865KB

MD5
4fc7c92babfa0c6c8341a57b63660058

SHA1
d5aad499f6abcb94bfec8509790fb81375ebefb2

SHA256
909481124b55b069b2ac196148514522853c849a80d4cbc7136e498dc77f34a1

SHA512
6602af365d6c7642409d95878e07c2f7054eab76794f51ff10a88388d1e292779cd3cbddea280d43eaa5bdc71661325e2da07020a2b481c32ba330d41e387b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxOGLhostcrutil.dll

Filesize
161KB

MD5
d01bfdcb832e310af8b74b9613741144

SHA1
88dcf21940f852e60026f3994b7cd6d4f2246e45

SHA256
943187c2fb090849721985a6119b3440180f7274bc752326a56f3c7862322bef

SHA512
ac3b9fb49967736fb1daa4bc9de62a7d4707a7f6c7b20ac20fadcb4a3e6f7e5e0542ad68f766c604f123f2400487043a1c531352846db2e08f808bae31ea9ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxRT.dll

Filesize
4.1MB

MD5
31e7657643d832681fee0e303e25ee52

SHA1
0756c911a602cfe2f094104d1c10a2d014c52e59

SHA256
7328aeb5cec65215e5462c1ea4d69a6383fb77605ccb84c60fdb90d6d0b3c0f4

SHA512
542ecead0a1d54de9300220799b1bbaf5e304fafa95c4ce130f0003a5c693adcf1c3140d67e6721c1cbc576989597bff7353727cec95ac289f563e1aee1ec9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe

Filesize
145KB

MD5
ba99b11a84a19051eca441320af22f4e

SHA1
bb3a700fa2676d0223444a81796c7b21aa191ca8

SHA256
e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f

SHA512
e6e0541c121dc3260d4c48d1d788eff122a947c6ea8cd7da538edf6fd5f46cd37ee96f2c431575e31338ef93a5e21c81c51057734e29eec3814d4cd5100038e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\msvcp100.dll

Filesize
593KB

MD5
4f096d96285e06cd51aef7d2d3de04da

SHA1
c90ef0eb5b1a0b1b85ad6792291747fb6307dcdb

SHA256
5bb420fbe28315f2117376052bb8488ce84a3398dda65005b8ae1f792017e9a8

SHA512
80f558c50a71ad9c4930b3838b481e4fb453c38d57c91f7f70c1f86e4043b9a4fbcec27d7c025285504cbf3bde7c50b4770f18121d7818ac58e2ee9c2071f97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\msvcr100.dll

Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\oivfk

Filesize
43KB

MD5
6f40f246a78ef46dd8df58d64e8fb51a

SHA1
6878766db27f7810cba58ad3e1c0e862dbf6fcca

SHA256
24bc3325b3cbddb6f69f34845d9e7c2bbf6ecff9f631d5d8642b15419846b07b

SHA512
20a11fcf8f19f4eb4b5114e6fe4f3d468f22147c2114d23b180c0294da5206e189ce57a5bfed332f5c5b0484dd6cb4dea6b9d528be7d5a0f51d4ee3a5f3ccc14

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\qkyv

Filesize
816KB

MD5
757b60d1b085d26b2d312a04dea9a84f

SHA1
1e1eda4a0e13ad16c2251bb4d95d615e979db944

SHA256
292f1ef0342e06ae83fec5da98b1e58d1737c8f1614bb71eb3395c5a150ec701

SHA512
a8e706e74b1edf6599e75dff7d43a143f87d0c31e3733394ffe2437af7ec323c92c34b8298f8ed91ff795ea581c10a2902e4cde90511cdc340023c9b5da05e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\565375082730

Filesize
115KB

MD5
fbc92c076d7805c946c1210ce0d34060

SHA1
4556aec1443769a358e43971b0f34224c4e4f761

SHA256
05ed6ec7282fe3593fe09a98bd608b7c74b65b041241a3b482bb86988d5c045b

SHA512
02f5d0d2c66311b5e4492b2a3b8f29672a379cbf514dfa45ea62e18fa317b37b4ac4d80ce80a1ec53eef3ee37006382f63f96fb9215834e28df4ff07d63dcc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\914c3ea5

Filesize
1.0MB

MD5
d662c681221bb432c9b309cbf3f2d5a1

SHA1
0dfe5af3b4cb5ed372826d827c8f9b53ccbb13fd

SHA256
45b7fef5f2b4e9d43c345be1abac013401a17707b8a33b229d356ea52202a364

SHA512
3d6002482f467b32562fd3501a6f1db85f32c093c0fba118158306f0ccde1b61c0d7fb3d72742f44190ae6891c9152edcf4786095072d22e75a36df691aef48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Requirements.pdf

Filesize
717KB

MD5
720b78ca59dbb0e1b885f47b9c4eebd3

SHA1
98629bc8c27329023931d158d2ab879e8136b5ff

SHA256
73300eda96e39870895468cf7a7b90616b37d5d7673671c89db1776c192ed2be

SHA512
ee22206441b41881acbae939dba2f4269e652782ba485963f81d3ae2aedd3838bba2a673de502a367cdc5f1a8c33a08e120495a473d617f2ec049fa5f0be17ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jp4avmvu.rtn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96bc47

Filesize
1.1MB

MD5
eb5c4122508c1a7de85149b3f994f8e1

SHA1
d4e41b7a785a802df396de59501a4b995433c40b

SHA256
6d1d1b7f5886cbc1a5e3674964f4bafabdd0ddac779811bb9632e42d8b67396a

SHA512
e40341d71cbda6bc62b24b48608642066d4efd2498472b481a8616ba36fd15b223a24dee988fb05be66e94484b8441bf968896c3fd8d6c73a9be7891e2f4f1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee86145a

Filesize
1.2MB

MD5
f4fa068cc3baa836a3b6ff22a16800ce

SHA1
0e3b30758eacc47c33f2d8ad9f204ccc0253e906

SHA256
c4d608ec5fb6417ad2a142a07ea80b92f741bcb093783cf789ffd789b3a26ab9

SHA512
477b5e7c0a86075a19254c566de67145cfd06837d6c3cd40db580a1e879b651f5c79d707ee7fc834a3e8246ad4a634121c1e39ab5d0793859a75740bcc541794

Download Submit
memory/240-141-0x0000000072580000-0x00000000726FD000-memory.dmp

Filesize
1.5MB

Download
memory/240-110-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

Filesize
2.0MB

Download
memory/240-109-0x0000000072580000-0x00000000726FD000-memory.dmp

Filesize
1.5MB

Download
memory/1592-257-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

Filesize
2.0MB

Download
memory/1592-259-0x0000000072C10000-0x0000000072D8D000-memory.dmp

Filesize
1.5MB

Download
memory/2364-196-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

Filesize
2.0MB

Download
memory/2364-198-0x0000000077510000-0x0000000077762000-memory.dmp

Filesize
2.3MB

Download
memory/2364-193-0x00000000008D0000-0x00000000008D9000-memory.dmp

Filesize
36KB

Download
memory/2364-195-0x0000000002950000-0x0000000002D50000-memory.dmp

Filesize
4.0MB

Download
memory/2732-344-0x0000000000600000-0x0000000000694000-memory.dmp

Filesize
592KB

Download
memory/2732-239-0x0000000000600000-0x0000000000694000-memory.dmp

Filesize
592KB

Download
memory/2732-258-0x0000000000600000-0x0000000000694000-memory.dmp

Filesize
592KB

Download
memory/2732-185-0x0000000000600000-0x0000000000694000-memory.dmp

Filesize
592KB

Download
memory/2732-171-0x0000000000600000-0x0000000000694000-memory.dmp

Filesize
592KB

Download
memory/2732-170-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

Filesize
2.0MB

Download
memory/2732-282-0x0000000000600000-0x0000000000694000-memory.dmp

Filesize
592KB

Download
memory/3420-343-0x00007FFB4D1F0000-0x00007FFB4D36A000-memory.dmp

Filesize
1.5MB

Download
memory/3420-345-0x00007FFB4D1F0000-0x00007FFB4D36A000-memory.dmp

Filesize
1.5MB

Download
memory/3764-206-0x000001C9CD1B0000-0x000001C9CD1D2000-memory.dmp

Filesize
136KB

Download
memory/3764-216-0x000001C9CD260000-0x000001C9CD26A000-memory.dmp

Filesize
40KB

Download
memory/3764-215-0x000001C9CD5F0000-0x000001C9CD602000-memory.dmp

Filesize
72KB

Download
memory/3856-348-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

Filesize
2.0MB

Download
memory/4248-278-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

Filesize
2.0MB

Download
memory/4248-277-0x0000000002AF0000-0x0000000002EF0000-memory.dmp

Filesize
4.0MB

Download
memory/4248-280-0x0000000077510000-0x0000000077762000-memory.dmp

Filesize
2.3MB

Download
memory/4460-275-0x0000000000630000-0x00000000006B0000-memory.dmp

Filesize
512KB

Download
memory/4460-272-0x0000000077510000-0x0000000077762000-memory.dmp

Filesize
2.3MB

Download
memory/4460-269-0x0000000004D30000-0x0000000005130000-memory.dmp

Filesize
4.0MB

Download
memory/4460-267-0x0000000000630000-0x00000000006B0000-memory.dmp

Filesize
512KB

Download
memory/4460-264-0x0000000000630000-0x00000000006B0000-memory.dmp

Filesize
512KB

Download
memory/4460-263-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

Filesize
2.0MB

Download
memory/4460-262-0x0000000000630000-0x00000000006B0000-memory.dmp

Filesize
512KB

Download
memory/4548-251-0x00007FFB4D350000-0x00007FFB4D4CA000-memory.dmp

Filesize
1.5MB

Download
memory/4548-253-0x00007FF6360C0000-0x00007FF6361B8000-memory.dmp

Filesize
992KB

Download
memory/4548-255-0x00007FFB4D700000-0x00007FFB4D9B5000-memory.dmp

Filesize
2.7MB

Download
memory/4548-254-0x00007FFB65A40000-0x00007FFB65A74000-memory.dmp

Filesize
208KB

Download
memory/4548-238-0x00007FFB4D350000-0x00007FFB4D4CA000-memory.dmp

Filesize
1.5MB

Download
memory/4584-189-0x0000000004260000-0x0000000004660000-memory.dmp

Filesize
4.0MB

Download
memory/4584-192-0x0000000077510000-0x0000000077762000-memory.dmp

Filesize
2.3MB

Download
memory/4584-190-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

Filesize
2.0MB

Download
memory/4584-188-0x0000000004260000-0x0000000004660000-memory.dmp

Filesize
4.0MB

Download
memory/4584-187-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4584-186-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4588-353-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

Filesize
2.0MB

Download
memory/4588-354-0x00000000004F0000-0x0000000000553000-memory.dmp

Filesize
396KB

Download
memory/4648-168-0x0000000072580000-0x00000000726FD000-memory.dmp

Filesize
1.5MB

Download
memory/4648-152-0x0000000072580000-0x00000000726FD000-memory.dmp

Filesize
1.5MB

Download
memory/4648-151-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

Filesize
2.0MB

Download