Analysis Overview
SHA256
72404ecb9dff0bbdb1296b7be79515ebf9323101374385476c282812517c43d9
Threat Level: Known bad
The file Requirements.scr was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer, LummaC
Amadey
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Program crash
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious behavior: MapViewOfSection
Checks processor information in registry
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-23 01:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-23 01:43
Reported
2024-10-23 01:56
Platform
win10v2004-20241007-en
Max time kernel
591s
Max time network
584s
Command Line
Signatures
Amadey
Lumma Stealer, LummaC
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2832 created 2824 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Requirements.scr | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe | N/A |
Loads dropped DLL
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2180 set thread context of 3896 | N/A | C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1140 set thread context of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4556 set thread context of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe | C:\Windows\SysWOW64\cmd.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Requirements.scr | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
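Added example, not part of the sandbox report: a triage pass over the behaviours the report lists. The records are built by hand from the SetThreadContext and NtCreateUserProcessOtherParentProcess rows above and from the command lines in the Processes list below. PIDs the report does not print (Requirements.scr, powershell.exe) are placeholders, and the rule names and data classes are this example's own, not a sandbox API.

```python
# Added example, not part of the sandbox report: a triage pass over the
# behaviours the report lists. Records are built by hand from the
# SetThreadContext / NtCreateUserProcessOtherParentProcess rows above and the
# command lines in the Processes list below. PIDs the report does not print
# (Requirements.scr, powershell.exe) are placeholders; rule names and data
# classes are this example's own, not a sandbox API.
import re
from dataclasses import dataclass

# Anything executing from a user-writable staging path is a dropped binary.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\(temp|programs)\\", re.I)
SYSTEM_BIN = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
EXPAND_ARCHIVE = re.compile(r"expand-archive\s+-path\s+'([^']+)'", re.I)


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class ThreadContextSet:      # "PID X set thread context of Y"
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


@dataclass(frozen=True)
class CreateOtherParent:     # "PID X created Y" with the recorded parent being a third process
    creator_pid: int
    creator_image: str
    child_pid: int
    parent_image: str


PROCS = [
    Proc(100, r"C:\Users\Admin\AppData\Local\Temp\Requirements.scr",         # placeholder PID
         r'"C:\Users\Admin\AppData\Local\Temp\Requirements.scr" /S'),
    Proc(2180, r"C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe",
         r'"C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe" /S'),
    Proc(3896, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    Proc(2832, r"C:\Windows\SysWOW64\explorer.exe", r'"C:\Windows\SysWOW64\explorer.exe" /S'),
    Proc(844, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # placeholder PID
         r"powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip'"
         r" -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\'"),
    Proc(1140, r"C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe"'),
    Proc(3088, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    Proc(4556, r"C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe"'),
]
INJECTS = [
    ThreadContextSet(2180, PROCS[1].image, 3896, PROCS[2].image),
    ThreadContextSet(1140, PROCS[5].image, 3088, PROCS[6].image),
    ThreadContextSet(4556, PROCS[7].image, 2840, r"C:\Windows\SysWOW64\cmd.exe"),
]
CREATES = [CreateOtherParent(2832, PROCS[3].image, 2824, r"C:\Windows\system32\sihost.exe")]


def triage(procs, injects, creates):
    """Return (rule, *pids) tuples for each behaviour worth escalating."""
    findings = []
    for p in procs:
        if USER_WRITABLE.match(p.image):
            findings.append(("dropped_exe_executed", p.pid))
        # The desktop shell on 64-bit Windows is C:\Windows\explorer.exe; the WoW64 copy
        # started with a switch is not something a user does.
        if p.image.lower() == r"c:\windows\syswow64\explorer.exe" and "/s" in p.cmdline.lower().split():
            findings.append(("wow64_explorer_with_switch", p.pid))
        m = EXPAND_ARCHIVE.search(p.cmdline)
        if m and USER_WRITABLE.match(m.group(1)):
            findings.append(("archive_expanded_from_temp", p.pid))
    for e in injects:
        # A dropped EXE rewriting a system binary's thread context is the SetThreadContext
        # half of process hollowing; the report flags WriteProcessMemory alongside it.
        if USER_WRITABLE.match(e.src_image) and SYSTEM_BIN.match(e.dst_image):
            findings.append(("hollowing_suspected", e.src_pid, e.dst_pid))
    for c in creates:
        # Creator and recorded parent differ: the parent PID was chosen by the creator.
        if c.creator_image.lower() != c.parent_image.lower():
            findings.append(("parent_pid_spoofing", c.creator_pid, c.child_pid))
    return findings


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f[0]] = counts.get(f[0], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in triage(PROCS, INJECTS, CREATES):
        print(*finding)
```

Read against the report: each of the three dropped executables (WinRar64.exe, vlc.exe, VBoxTestOGL.exe) sets the thread context of a SysWOW64 cmd.exe, the WoW64 explorer.exe carries the same /S switch that Requirements.scr and WinRar64.exe were started with, and explorer.exe (2832) creates a child whose recorded parent is sihost.exe. The report's process list does not give parent/child links, so the rules deliberately work from image paths, command lines and the two signature tables rather than from a process tree; on a real EDR feed the placeholder PIDs come from telemetry and the same rules map onto process-creation, SetThreadContext/WriteProcessMemory and parent-mismatch events.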
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\Requirements.scr
"C:\Users\Admin\AppData\Local\Temp\Requirements.scr" /S
C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe
"C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe" /S
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Requirements.pdf"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E746A7293CEB6D3BE8196BAFEC30902E --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A4C0A137AC080B4B4D9B0DE2B2077A39 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A4C0A137AC080B4B4D9B0DE2B2077A39 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4C980F0E0586547596F8F183F34A1692 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4C980F0E0586547596F8F183F34A1692 --renderer-client-id=4 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ACBD00D949547E0DA1219F59E79B9468 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8915A0BBC33D070C4756934AFFF30BC3 --mojo-platform-channel-handle=2800 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2809791575C2EFE025948F4BD2727F27 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe" /S
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\'
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe
"C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe" /S
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\'
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe
"C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe" /S
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 203.33.253.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.192.25.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| US | 8.8.8.8:53 | 96.158.208.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | transfer-files.digital | udp |
| US | 172.67.136.106:443 | transfer-files.digital | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 106.136.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 172.67.136.106:443 | transfer-files.digital | tcp |
| US | 8.8.8.8:53 | remindydivir.biz | udp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 8.8.8.8:53 | 104.4.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mathcucom.sbs | udp |
| US | 8.8.8.8:53 | allocatinow.sbs | udp |
| US | 8.8.8.8:53 | enlargkiw.sbs | udp |
| US | 8.8.8.8:53 | resinedyw.sbs | udp |
| US | 8.8.8.8:53 | vennurviot.sbs | udp |
| US | 8.8.8.8:53 | ehticsprocw.sbs | udp |
| US | 8.8.8.8:53 | condifendteu.sbs | udp |
| US | 8.8.8.8:53 | drawwyobstacw.sbs | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
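Added example, not the report's own tooling: reduce the Network table above to the indicators worth pivoting on. NETWORK_ROWS is a de-duplicated copy of the table's rows; the reverse-DNS filter, the BACKGROUND allowlist and the "queried only" heuristic are this example's assumptions.

```python
# Added example, not the report's own tooling: reduce the Network table above to
# the indicators worth pivoting on. NETWORK_ROWS is a de-duplicated copy of the
# table's rows; the reverse-DNS filter, the BACKGROUND allowlist and the
# "queried only" heuristic are this example's assumptions.
import ipaddress
import re

NETWORK_ROWS = """
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| US | 8.8.8.8:53 | 96.158.208.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | transfer-files.digital | udp |
| US | 172.67.136.106:443 | transfer-files.digital | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | remindydivir.biz | udp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 8.8.8.8:53 | mathcucom.sbs | udp |
| US | 8.8.8.8:53 | allocatinow.sbs | udp |
| US | 8.8.8.8:53 | enlargkiw.sbs | udp |
| US | 8.8.8.8:53 | resinedyw.sbs | udp |
| US | 8.8.8.8:53 | vennurviot.sbs | udp |
| US | 8.8.8.8:53 | ehticsprocw.sbs | udp |
| US | 8.8.8.8:53 | condifendteu.sbs | udp |
| US | 8.8.8.8:53 | drawwyobstacw.sbs | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
"""

ROW = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*(udp|tcp)\s*\|$")
# Assumption: Windows / Adobe Reader background traffic that clean detonations produce too.
BACKGROUND = ("bing.com", "bing.net", "pki.goog")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            cc, dest, name, proto = m.groups()
            ip, port = dest.rsplit(":", 1)
            rows.append({"cc": cc, "ip": ip, "port": int(port), "name": name, "proto": proto})
    return rows


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify(rows):
    """Split traffic into bare-IP connections, contacted domains, and names that were only
    ever looked up (no TCP follow-up: NXDOMAIN, sinkholed, or never reached)."""
    queried, contacted, direct_ip = set(), {}, {}
    for r in rows:
        name = r["name"]
        if name.endswith(".in-addr.arpa") or name.endswith(BACKGROUND):
            continue  # sandbox reverse lookups and platform noise
        if is_ip(name):
            direct_ip.setdefault(name, set()).add(r["port"])
        elif r["proto"] == "udp" and r["port"] == 53:
            queried.add(name)
        else:
            contacted.setdefault(name, set()).add((r["ip"], r["port"]))
    return {
        "direct_ip": {ip: sorted(ports) for ip, ports in direct_ip.items()},
        "contacted": {n: sorted(endpoints) for n, endpoints in contacted.items()},
        "queried_only": sorted(queried - set(contacted)),
    }


def tld_histogram(names):
    hist = {}
    for n in names:
        tld = n.rsplit(".", 1)[-1]
        hist[tld] = hist.get(tld, 0) + 1
    return hist


if __name__ == "__main__":
    result = classify(parse_rows(NETWORK_ROWS))
    for key, value in result.items():
        print(key, value)
    print("queried-only by TLD:", tld_histogram(result["queried_only"]))
```

Read against the table: the eight .sbs names are only ever looked up, while remindydivir.biz, transfer-files.digital and steamcommunity.com are actually reached over 443, and 185.208.158.96 is hit repeatedly over plaintext HTTP on port 80 with no DNS name at all. Walking a list of throwaway domains and then fetching a Steam community page matches public reporting on how Lumma locates its C2, but the report does not say which of the three payloads owns which connection, so treat that pairing as an inference. The bare-IP HTTP beacon and the contacted domains are the indicators to block or hunt; the queried-only names are still worth a DNS-log search, since a later detonation may see them resolve.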
Files
C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe
| MD5 | 537915708fe4e81e18e99d5104b353ed |
| SHA1 | 128ddb7096e5b748c72dc13f55b593d8d20aa3fb |
| SHA256 | 6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74 |
| SHA512 | 9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2 |
C:\Users\Admin\AppData\Local\Programs\WinRAR\msncore.dll
| MD5 | deaa38a71c85d2f9d4ba71343d1603da |
| SHA1 | bdbb492512cee480794e761d1bea718db14013ec |
| SHA256 | 1dc120f34b294e964eee949c4d1ebd9c271715d46b38ae082fec2f1d505e8d65 |
| SHA512 | 87b152b642a020e07ad46e9ed5b4a462c12cf0918f82025c230f662eddb3bf4b2d3aa15ca770970beae5988dd5d5d9b7bcaf7a77c6d2f3acf6d12826f3a9ead7 |
C:\Users\Admin\AppData\Local\Programs\WinRAR\contactsUX.dll
| MD5 | 54ee6a204238313dc6aca21c7e036c17 |
| SHA1 | 531fd1c18e2e4984c72334eb56af78a1048da6c7 |
| SHA256 | 0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd |
| SHA512 | 19a2e371712aab54b75059d39a9aea6e7de2eb69b3ffc0332e60df617ebb9de61571b2ca722cddb75c9cbc79f8200d03f73539f21f69366eae3c7641731c7820 |
C:\Users\Admin\AppData\Local\Programs\WinRAR\msidcrl40.dll
| MD5 | f1f8d156bbdd5945a4f933ac7fa7cc41 |
| SHA1 | e581235e9f1a3a8a63b8a470eaed882bc93b9085 |
| SHA256 | 344ac8e5debb1a496c3648f941801cdc6ffdfcc7eef8ed38e62270a2e20b1c3a |
| SHA512 | 86d799af3be251edecf6a552f473b94a0ba2d738b7b5f4a84c31bb34db4ea458f5e50090370bdf82f945e684dd5d66b88ebe3c902305bb0a435aca1331cb4ad9 |
C:\Users\Admin\AppData\Local\Programs\WinRAR\gld
| MD5 | 06a62106f0d01ed3a971415b57366a8b |
| SHA1 | 9d905a38a4f53961a3828b2f759062b428dd25a9 |
| SHA256 | 6c5fb0f5e586cac39cf4e06e918dad243053cb103a82afeed32d92732834cc93 |
| SHA512 | 4565dfe2e72a4a08d2a66722cb3ab736a2fa45f0c0ad368805d778f57f3bade2c82b2f8eab3006e4258cf5be84e96a46233e68be4d14fec50382cd94c13a4d74 |
C:\Users\Admin\AppData\Local\Programs\WinRAR\bqbr
| MD5 | d1dd94b6d3c47bf394de95221842cbed |
| SHA1 | 42717a7086e0b3f9539948ea2c80e57739c5879a |
| SHA256 | ea0f82414408da76de7706b137551a76b0adb4a7282d45a82c0d61b6c88f4706 |
| SHA512 | 0c3fc772cda18b3a41eb152a45c32ef83b148914ec5d042242bb4fe66baf7612ea58389fae05258fab4ee9c0e4bfd041c959f57dc24781b72e0b4e7501f112b5 |
memory/2180-103-0x00000000727F0000-0x000000007296B000-memory.dmp
memory/2180-104-0x00007FFAA8310000-0x00007FFAA8505000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinRAR\msvcr80.dll
| MD5 | 43143abb001d4211fab627c136124a44 |
| SHA1 | edb99760ae04bfe68aaacf34eb0287a3c10ec885 |
| SHA256 | cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03 |
| SHA512 | ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6 |
C:\Users\Admin\AppData\Local\Temp\Requirements.pdf
| MD5 | 720b78ca59dbb0e1b885f47b9c4eebd3 |
| SHA1 | 98629bc8c27329023931d158d2ab879e8136b5ff |
| SHA256 | 73300eda96e39870895468cf7a7b90616b37d5d7673671c89db1776c192ed2be |
| SHA512 | ee22206441b41881acbae939dba2f4269e652782ba485963f81d3ae2aedd3838bba2a673de502a367cdc5f1a8c33a08e120495a473d617f2ec049fa5f0be17ac |
memory/2180-119-0x00000000727F0000-0x000000007296B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ef14339e
| MD5 | 3e8a24b9eb3227e503aaabac47112844 |
| SHA1 | e5c8331f33eaf4ef11ef7b3a93075a2dc502863f |
| SHA256 | 8d5da5f1689fc16761a843238a47a9d48f2783e86a1485c8ec62eb7474125008 |
| SHA512 | 8f2bd93a49a0836e9df3bbe08b3e225b5522731dc975870ce4bc4f3206212be5dce18801ba5b1b1b7159d2311b610a8e32b3c5fca4a67c9cde2885351cd989cc |
memory/3896-143-0x00007FFAA8310000-0x00007FFAA8505000-memory.dmp
memory/3896-144-0x00000000727F0000-0x000000007296B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | cfc8488f218b74ade9b7f3aa6185a8cb |
| SHA1 | 97e30529d6fec986f85fac3a12e59968a2da507e |
| SHA256 | 6892fd3b1a5a5d5be6a8328091e50fe66036ac76d07158f3e607735ef9071ec8 |
| SHA512 | d5a89c938330f9480e9d4e60eea1a9375bf89e954f3d2dc735e2a4d59c543c6cc0d5059406b46fa238b5df1fffad15872728bcdb133ea96ba61344a93d12a9e7 |
memory/3896-242-0x00000000727F0000-0x000000007296B000-memory.dmp
memory/3032-244-0x00007FFAA8310000-0x00007FFAA8505000-memory.dmp
memory/3032-245-0x0000000001240000-0x00000000012D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\045521122590
| MD5 | 8fb8c82e5a87075a040684472c83c809 |
| SHA1 | d9881bc893abfb739f26e6a9e8f319a132e47287 |
| SHA256 | dd61d59a5c041ac563a7083ae06b64d1bd3821ae1abad0bfc4e470cf834a7a9a |
| SHA512 | 46bb9d8f2a6f3970f6bf370bdb87336002c48748d338e6cbb6ecee6835dca71ccaaf6e4184f3636bf3ecbd224a8a8b5b0a2efa84fd69519a764821ca10ff591a |
memory/3032-259-0x0000000001240000-0x00000000012D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip
| MD5 | f169e93956f90c9b4fee4800e4fb655f |
| SHA1 | fb0005f2d2213f1e486c3d1c2992cf35b8450591 |
| SHA256 | 61205f3d3b64a36565e557eb3f16f1a0cd031852ce7c1dd13e879cca611d2da1 |
| SHA512 | ee86a4447bf986ebaeebdf47b332973b25071b5f4e16067e44064d82ad5827b38c89faf4eda12a92ad7cfabee78f1ae01b3acfff9650c37b34f63e651ab28c38 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rz0ioqbd.zgg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/844-267-0x000001AD5B290000-0x000001AD5B2B2000-memory.dmp
memory/844-277-0x000001AD5B660000-0x000001AD5B672000-memory.dmp
memory/844-278-0x000001AD5B640000-0x000001AD5B64A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe
| MD5 | e634616d3b445fc1cd55ee79cf5326ea |
| SHA1 | ca27a368d87bc776884322ca996f3b24e20645f4 |
| SHA256 | 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937 |
| SHA512 | 7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90 |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlc.dll
| MD5 | 4b262612db64f26ea1168ca569811110 |
| SHA1 | 8e59964d1302a3109513cd4fd22c1f313e79654c |
| SHA256 | a9340c99206f3388153d85df4ca94d33b28c60879406cc10ff1fd10eae16523f |
| SHA512 | 9902e64eb1e5ed4c67f4b7e523b41bde4535148c6be20db5f386a1da74533ca575383f1b3154f5985e379df9e1e164b6bda25a66504edcfaa57d40b04fc658c7 |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlccore.dll
| MD5 | c39b26fd913f74e1b80df54a3c58cfb7 |
| SHA1 | d81a62a78fbe5294c9298721e588ed9b38aafd9e |
| SHA256 | eafae6c93e6e49310d13f80b76de3286ad6027624416543fbd65f8f0b0541e68 |
| SHA512 | 4fbd067c88405b5541da6ddb1fa6c7d09a327d008c5494674124bf8fe3641d328e6ac0ee95b84b6368be796e249d633842a4ef5f0db71ce5cbb449089175fd48 |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\dqhq
| MD5 | b23152452b6c798ee1b57352cc5ebce1 |
| SHA1 | 219a30751cda0df049fecc8247daf34fe57d1f4a |
| SHA256 | c513a651c736cdb3acbc7fad1612c544bf14b658dd4db62ea7eb434d8393f83a |
| SHA512 | c951a6e46c4f7d86553dfb2d796e68fd6cb197114155c61e8898e6d792ec87cc18a326097cf140874473e6e33cced35d6a87aea93894a59e3da35f27862e177d |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\hcsjm
| MD5 | d272096a4ad0ba0c3001c21804b11835 |
| SHA1 | 3b3933a81cf97301e1e1a4f3c37df2dbb32d3679 |
| SHA256 | 975412a4da13058af093ad1c18dc985428bebd0f2fc730e6195948e69154d65f |
| SHA512 | 6c837d5638fdeed4ce2e579019c8ee85a2f751393530a286396dce30cfc7db4c336515f4fd94fd1b7cf0ee93a1366bcfa7acc6e62e459382f3553bf2d55c2c48 |
memory/1140-300-0x00007FFA899E0000-0x00007FFA89B52000-memory.dmp
memory/3032-301-0x0000000001240000-0x00000000012D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg.zip
| MD5 | a290dd693643ce7538594c8aa6bbac51 |
| SHA1 | 3ae44b4b5eee78a1fea842c8bf4b32680f6ea314 |
| SHA256 | c690b5e7135fcd3629d5bb1b0386ff043f02125408da719b16a672dc7b16b4a0 |
| SHA512 | 088466010489357179114d46f4df01c635e7e2aa28e78210d93b641f23b4bbf588ddf51a44a31cebcedfa8709b8c7bdde089bb9f27a7decfb5838869b4b32d02 |
memory/1140-313-0x00007FFA899E0000-0x00007FFA89B52000-memory.dmp
memory/1140-315-0x00007FF7837A0000-0x00007FF783898000-memory.dmp
memory/1140-316-0x00007FFA9E2F0000-0x00007FFA9E324000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\13ff6614
| MD5 | df65187c4c11e6050bf6b20c8ffa78ad |
| SHA1 | 413645ac3b623a61c6e559d153e5f3fe2a1b4e04 |
| SHA256 | f371aa1a22f012566e056980d28b308cbc8c5e476ded82de72f7049a7b256567 |
| SHA512 | 3c550f40e71fc54d1d380c7b08fe2a9660390ccc240629a7e02f70e2a30a9ab9c1b68a3069c7d3f7c0a667fa9aa13f667af27b91b73d214803c3dedfcbd14599 |
memory/1140-317-0x00007FFA89B60000-0x00007FFA89E15000-memory.dmp
memory/3088-319-0x00007FFAA8310000-0x00007FFAA8505000-memory.dmp
memory/3032-320-0x0000000001240000-0x00000000012D4000-memory.dmp
memory/3088-321-0x0000000067F70000-0x00000000680EB000-memory.dmp
memory/2832-324-0x0000000000A70000-0x0000000000AF0000-memory.dmp
memory/2832-325-0x00007FFAA8310000-0x00007FFAA8505000-memory.dmp
memory/2832-326-0x0000000000A70000-0x0000000000AF0000-memory.dmp
memory/2832-329-0x0000000003FE0000-0x00000000043E0000-memory.dmp
memory/2832-330-0x0000000003FE0000-0x00000000043E0000-memory.dmp
memory/2832-333-0x0000000075DE0000-0x0000000075FF5000-memory.dmp
memory/4896-334-0x00000000003C0000-0x00000000003C9000-memory.dmp
memory/2832-336-0x0000000000A70000-0x0000000000AF0000-memory.dmp
memory/4896-338-0x0000000002330000-0x0000000002730000-memory.dmp
memory/4896-339-0x00007FFAA8310000-0x00007FFAA8505000-memory.dmp
memory/4896-341-0x0000000075DE0000-0x0000000075FF5000-memory.dmp
memory/3032-342-0x0000000001240000-0x00000000012D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip
| MD5 | e0a6c369447034f1b7f2749620c420cc |
| SHA1 | 15b88a23dca33d84bdb2c256e67aee6705a4f122 |
| SHA256 | 3e13e72c418b133c27a1c5aa85cf76f803ab2642b22b473d27de4a1449890603 |
| SHA512 | 374e851b931cee58aa31b6ab215dc94d85a9251e1e60d43e6c21edbf657983bb37148681b20d2d518c4001624caebbd588d3bfa59506900e11a8003765cb379a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | fe3aab3ae544a134b68e881b82b70169 |
| SHA1 | 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6 |
| SHA256 | bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b |
| SHA512 | 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0912bdcdbfa8d76ed3ab2ff4d8aa479d |
| SHA1 | 5a4debb7128aff994c0f1024f62e7aa5714352c8 |
| SHA256 | 00e4b652fa67392304e72b044806f909ac2ede9efed271f304e060b13ee1da1e |
| SHA512 | f276b688c1661fcebec6750637329256ef166b57527066c5bdc70bdb9fa4959d446e240d1b0ee80ef4491c796c1afe23e18833f29f37e335083c62ccb91d90ae |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe
| MD5 | ba99b11a84a19051eca441320af22f4e |
| SHA1 | bb3a700fa2676d0223444a81796c7b21aa191ca8 |
| SHA256 | e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f |
| SHA512 | e6e0541c121dc3260d4c48d1d788eff122a947c6ea8cd7da538edf6fd5f46cd37ee96f2c431575e31338ef93a5e21c81c51057734e29eec3814d4cd5100038e9 |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxOGLhostcrutil.dll
| MD5 | d01bfdcb832e310af8b74b9613741144 |
| SHA1 | 88dcf21940f852e60026f3994b7cd6d4f2246e45 |
| SHA256 | 943187c2fb090849721985a6119b3440180f7274bc752326a56f3c7862322bef |
| SHA512 | ac3b9fb49967736fb1daa4bc9de62a7d4707a7f6c7b20ac20fadcb4a3e6f7e5e0542ad68f766c604f123f2400487043a1c531352846db2e08f808bae31ea9ada |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxRT.dll
| MD5 | 31e7657643d832681fee0e303e25ee52 |
| SHA1 | 0756c911a602cfe2f094104d1c10a2d014c52e59 |
| SHA256 | 7328aeb5cec65215e5462c1ea4d69a6383fb77605ccb84c60fdb90d6d0b3c0f4 |
| SHA512 | 542ecead0a1d54de9300220799b1bbaf5e304fafa95c4ce130f0003a5c693adcf1c3140d67e6721c1cbc576989597bff7353727cec95ac289f563e1aee1ec9c2 |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\QtCoreVBox4.dll
| MD5 | 96123f5c43b67b168840b1c548e8bcce |
| SHA1 | e3e17aa08ea61e3bc7312c37da766db1f166fb83 |
| SHA256 | 2473eaee17b4d730f2d9be74c3c2ab491f62cbbd68be43cf10a9ca04efcaef5b |
| SHA512 | df974aeceeac2e72424e775674ffbc5a7ced9cf3b90135e3d6decd3fffa0d56b24a175cde6c2aa59a98f93cfa957c790b2b95303bccd4a37aa53a4deccc5ba92 |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\MSVCR100.dll
| MD5 | df3ca8d16bded6a54977b30e66864d33 |
| SHA1 | b7b9349b33230c5b80886f5c1f0a42848661c883 |
| SHA256 | 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36 |
| SHA512 | 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0 |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\QtGuiVBox4.dll
| MD5 | e74d017961a50822825aa733c6196efc |
| SHA1 | 4db6e896e19d43927377209b14e4abd928264671 |
| SHA256 | b13e868e0da8d43519b8694074bf70a8b90f9f1c27a89f168766f2fd435721be |
| SHA512 | 5750ff404c2835fb9df0512e1551b20b8f191280d8436fc196605931a40d8ca124a0e5686d9fe3a7b3dbd6cd9d81e13353a4d28d9669f859322ab66fe28cf8cf |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\QtOpenGLVBox4.dll
| MD5 | 4fc7c92babfa0c6c8341a57b63660058 |
| SHA1 | d5aad499f6abcb94bfec8509790fb81375ebefb2 |
| SHA256 | 909481124b55b069b2ac196148514522853c849a80d4cbc7136e498dc77f34a1 |
| SHA512 | 6602af365d6c7642409d95878e07c2f7054eab76794f51ff10a88388d1e292779cd3cbddea280d43eaa5bdc71661325e2da07020a2b481c32ba330d41e387b46 |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\MSVCP100.dll
| MD5 | 4f096d96285e06cd51aef7d2d3de04da |
| SHA1 | c90ef0eb5b1a0b1b85ad6792291747fb6307dcdb |
| SHA256 | 5bb420fbe28315f2117376052bb8488ce84a3398dda65005b8ae1f792017e9a8 |
| SHA512 | 80f558c50a71ad9c4930b3838b481e4fb453c38d57c91f7f70c1f86e4043b9a4fbcec27d7c025285504cbf3bde7c50b4770f18121d7818ac58e2ee9c2071f97c |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\oivfk
| MD5 | 6f40f246a78ef46dd8df58d64e8fb51a |
| SHA1 | 6878766db27f7810cba58ad3e1c0e862dbf6fcca |
| SHA256 | 24bc3325b3cbddb6f69f34845d9e7c2bbf6ecff9f631d5d8642b15419846b07b |
| SHA512 | 20a11fcf8f19f4eb4b5114e6fe4f3d468f22147c2114d23b180c0294da5206e189ce57a5bfed332f5c5b0484dd6cb4dea6b9d528be7d5a0f51d4ee3a5f3ccc14 |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\qkyv
| MD5 | 757b60d1b085d26b2d312a04dea9a84f |
| SHA1 | 1e1eda4a0e13ad16c2251bb4d95d615e979db944 |
| SHA256 | 292f1ef0342e06ae83fec5da98b1e58d1737c8f1614bb71eb3395c5a150ec701 |
| SHA512 | a8e706e74b1edf6599e75dff7d43a143f87d0c31e3733394ffe2437af7ec323c92c34b8298f8ed91ff795ea581c10a2902e4cde90511cdc340023c9b5da05e51 |
memory/4556-434-0x00007FFA898E0000-0x00007FFA89A52000-memory.dmp
memory/3032-435-0x0000000001240000-0x00000000012D4000-memory.dmp
memory/4556-436-0x00007FFA898E0000-0x00007FFA89A52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a737e43b
| MD5 | 4f5f1eb10d832b9b39412202d26b41c6 |
| SHA1 | f27255bc361174b6b3959f703de1a975900521b7 |
| SHA256 | bfffc6a7456008b22211dcb552cb1ffcc89cf2a384453887a08ad7d30b6717f0 |
| SHA512 | 9efb70109e55eac9fa176d902c90a5cd8ed2f632afc9d8c0f11cc0068566aaf707bdc289952e3acbe3ed10cf356aef99080cd3c52a493717f9e6c9c2e0809746 |
memory/2840-439-0x00007FFAA8310000-0x00007FFAA8505000-memory.dmp
memory/2840-441-0x00000000754C0000-0x000000007563B000-memory.dmp
memory/4784-444-0x00007FFAA8310000-0x00007FFAA8505000-memory.dmp
memory/4784-445-0x0000000000BC0000-0x0000000000C23000-memory.dmp
memory/4784-447-0x0000000000BC0000-0x0000000000C23000-memory.dmp
memory/4784-449-0x0000000000BC0000-0x0000000000C23000-memory.dmp
memory/3032-460-0x0000000001240000-0x00000000012D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\045521122590
| MD5 | 2b6f9902ceec7d6264f465d61cd46633 |
| SHA1 | 1c86a28bd2f6ccdbac42e1b8a478be8a7b7faaf3 |
| SHA256 | 3348302e7cd8d97352761b55eb218fa0ada1634ae6b1f3daa22a203d2f7654f7 |
| SHA512 | c2937e92c1b0ff23d88e07cbc9ff38085d7f0110a9e7bb78129ce3e5c36ac3329b6ea3777bf5361bfa41ffc2d3b8c1203fed073c1330766c1b5e2410085c5fb7 |
memory/3032-467-0x0000000001240000-0x00000000012D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\045521122590
| MD5 | e0ad0696b5050938000193d4f87aa5af |
| SHA1 | cd29c81ff8e661424296b6f384414a2c56b7155f |
| SHA256 | 488cc55af4405835c3b3606f54b9b69e895041e14810a45b9299717be0e02d08 |
| SHA512 | df4e286d9a9da5d2e75e5ca3b9ae65124428959705cb2f9d797a3a46df3bdbdee73e1b2ec39eba4bcffb12960863b504ded1fa8a50b3676ea8957f8168e63c53 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-23 01:43
Reported
2024-10-23 01:56
Platform
win11-20241007-en
Max time kernel
591s
Max time network
579s
Command Line
Signatures
Amadey
Lumma Stealer, LummaC
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4584 created 1088 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe |
| PID 4460 created 1088 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe | N/A |
Loads dropped DLL
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 240 set thread context of 4648 | N/A | C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2732 set thread context of 4584 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 4548 set thread context of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3420 set thread context of 3856 | N/A | C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe | C:\Windows\SysWOW64\cmd.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Requirements.scr | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\Requirements.scr
"C:\Users\Admin\AppData\Local\Temp\Requirements.scr" /S
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\Requirements.scr
"C:\Users\Admin\AppData\Local\Temp\Requirements.scr" /S
C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe
"C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe" /S
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Requirements.pdf"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6E056330C8D9E71F750796BEA01EF4EB --mojo-platform-channel-handle=1792 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=81700D0C8B53F6656E60BE73FD1B8D2B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=81700D0C8B53F6656E60BE73FD1B8D2B --renderer-client-id=2 --mojo-platform-channel-handle=1800 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7ED7C0F9210873451B199414A8FCC9EF --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=01E2EC2CF6ED0D58DA7B1952FE24CDFF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=01E2EC2CF6ED0D58DA7B1952FE24CDFF --renderer-client-id=5 --mojo-platform-channel-handle=1904 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=06BD84C10AB835DD0468A3733EA03572 --mojo-platform-channel-handle=2696 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2DB0B463CDBDCBDC3DE4FDBAE4BEB6D8 --mojo-platform-channel-handle=2812 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe" /S
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4584 -ip 4584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4584 -ip 4584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 452
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\'
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe
"C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe" /S
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\'
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe
"C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe" /S
Network
| Country | Destination | Domain | Proto |
| GB | 104.86.110.114:443 | | tcp |
| GB | 104.86.110.114:443 | | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 20.44.10.122:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| US | 104.21.46.78:443 | transfer-files.digital | tcp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 104.21.46.78:443 | transfer-files.digital | tcp |
| US | 104.21.4.104:443 | remindydivir.biz | tcp |
| US | 8.8.8.8:53 | condifendteu.sbs | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
| NL | 185.208.158.96:80 | 185.208.158.96 | tcp |
Files
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\a6f494e1-181f-43ae-8081-58780b6f2a46.down_data
| MD5 | 5683c0028832cae4ef93ca39c8ac5029 |
| SHA1 | 248755e4e1db552e0b6f8651b04ca6d1b31a86fb |
| SHA256 | 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e |
| SHA512 | aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3 |
C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe
| MD5 | 537915708fe4e81e18e99d5104b353ed |
| SHA1 | 128ddb7096e5b748c72dc13f55b593d8d20aa3fb |
| SHA256 | 6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74 |
| SHA512 | 9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2 |
C:\Users\Admin\AppData\Local\Programs\WinRAR\MSNCore.dll
| MD5 | deaa38a71c85d2f9d4ba71343d1603da |
| SHA1 | bdbb492512cee480794e761d1bea718db14013ec |
| SHA256 | 1dc120f34b294e964eee949c4d1ebd9c271715d46b38ae082fec2f1d505e8d65 |
| SHA512 | 87b152b642a020e07ad46e9ed5b4a462c12cf0918f82025c230f662eddb3bf4b2d3aa15ca770970beae5988dd5d5d9b7bcaf7a77c6d2f3acf6d12826f3a9ead7 |
C:\Users\Admin\AppData\Local\Programs\WinRAR\contactsUX.dll
| MD5 | 54ee6a204238313dc6aca21c7e036c17 |
| SHA1 | 531fd1c18e2e4984c72334eb56af78a1048da6c7 |
| SHA256 | 0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd |
| SHA512 | 19a2e371712aab54b75059d39a9aea6e7de2eb69b3ffc0332e60df617ebb9de61571b2ca722cddb75c9cbc79f8200d03f73539f21f69366eae3c7641731c7820 |
C:\Users\Admin\AppData\Local\Programs\WinRAR\msidcrl40.dll
| MD5 | f1f8d156bbdd5945a4f933ac7fa7cc41 |
| SHA1 | e581235e9f1a3a8a63b8a470eaed882bc93b9085 |
| SHA256 | 344ac8e5debb1a496c3648f941801cdc6ffdfcc7eef8ed38e62270a2e20b1c3a |
| SHA512 | 86d799af3be251edecf6a552f473b94a0ba2d738b7b5f4a84c31bb34db4ea458f5e50090370bdf82f945e684dd5d66b88ebe3c902305bb0a435aca1331cb4ad9 |
C:\Users\Admin\AppData\Local\Programs\WinRAR\gld
| MD5 | 06a62106f0d01ed3a971415b57366a8b |
| SHA1 | 9d905a38a4f53961a3828b2f759062b428dd25a9 |
| SHA256 | 6c5fb0f5e586cac39cf4e06e918dad243053cb103a82afeed32d92732834cc93 |
| SHA512 | 4565dfe2e72a4a08d2a66722cb3ab736a2fa45f0c0ad368805d778f57f3bade2c82b2f8eab3006e4258cf5be84e96a46233e68be4d14fec50382cd94c13a4d74 |
C:\Users\Admin\AppData\Local\Programs\WinRAR\bqbr
| MD5 | d1dd94b6d3c47bf394de95221842cbed |
| SHA1 | 42717a7086e0b3f9539948ea2c80e57739c5879a |
| SHA256 | ea0f82414408da76de7706b137551a76b0adb4a7282d45a82c0d61b6c88f4706 |
| SHA512 | 0c3fc772cda18b3a41eb152a45c32ef83b148914ec5d042242bb4fe66baf7612ea58389fae05258fab4ee9c0e4bfd041c959f57dc24781b72e0b4e7501f112b5 |
memory/240-109-0x0000000072580000-0x00000000726FD000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\WinRAR\msvcr80.dll
| MD5 | 43143abb001d4211fab627c136124a44 |
| SHA1 | edb99760ae04bfe68aaacf34eb0287a3c10ec885 |
| SHA256 | cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03 |
| SHA512 | ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6 |
memory/240-110-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Requirements.pdf
| MD5 | 720b78ca59dbb0e1b885f47b9c4eebd3 |
| SHA1 | 98629bc8c27329023931d158d2ab879e8136b5ff |
| SHA256 | 73300eda96e39870895468cf7a7b90616b37d5d7673671c89db1776c192ed2be |
| SHA512 | ee22206441b41881acbae939dba2f4269e652782ba485963f81d3ae2aedd3838bba2a673de502a367cdc5f1a8c33a08e120495a473d617f2ec049fa5f0be17ac |
C:\Users\Admin\AppData\Local\Temp\ee86145a
| MD5 | f4fa068cc3baa836a3b6ff22a16800ce |
| SHA1 | 0e3b30758eacc47c33f2d8ad9f204ccc0253e906 |
| SHA256 | c4d608ec5fb6417ad2a142a07ea80b92f741bcb093783cf789ffd789b3a26ab9 |
| SHA512 | 477b5e7c0a86075a19254c566de67145cfd06837d6c3cd40db580a1e879b651f5c79d707ee7fc834a3e8246ad4a634121c1e39ab5d0793859a75740bcc541794 |
memory/240-141-0x0000000072580000-0x00000000726FD000-memory.dmp
memory/4648-151-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp
memory/4648-152-0x0000000072580000-0x00000000726FD000-memory.dmp
memory/4648-168-0x0000000072580000-0x00000000726FD000-memory.dmp
memory/2732-170-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp
memory/2732-171-0x0000000000600000-0x0000000000694000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\565375082730
| MD5 | fbc92c076d7805c946c1210ce0d34060 |
| SHA1 | 4556aec1443769a358e43971b0f34224c4e4f761 |
| SHA256 | 05ed6ec7282fe3593fe09a98bd608b7c74b65b041241a3b482bb86988d5c045b |
| SHA512 | 02f5d0d2c66311b5e4492b2a3b8f29672a379cbf514dfa45ea62e18fa317b37b4ac4d80ce80a1ec53eef3ee37006382f63f96fb9215834e28df4ff07d63dcc25 |
memory/2732-185-0x0000000000600000-0x0000000000694000-memory.dmp
memory/4584-186-0x0000000000400000-0x000000000047E000-memory.dmp
memory/4584-187-0x0000000000400000-0x000000000047E000-memory.dmp
memory/4584-188-0x0000000004260000-0x0000000004660000-memory.dmp
memory/4584-189-0x0000000004260000-0x0000000004660000-memory.dmp
memory/2364-193-0x00000000008D0000-0x00000000008D9000-memory.dmp
memory/4584-192-0x0000000077510000-0x0000000077762000-memory.dmp
memory/4584-190-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp
memory/2364-195-0x0000000002950000-0x0000000002D50000-memory.dmp
memory/2364-196-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp
memory/2364-198-0x0000000077510000-0x0000000077762000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip
| MD5 | f169e93956f90c9b4fee4800e4fb655f |
| SHA1 | fb0005f2d2213f1e486c3d1c2992cf35b8450591 |
| SHA256 | 61205f3d3b64a36565e557eb3f16f1a0cd031852ce7c1dd13e879cca611d2da1 |
| SHA512 | ee86a4447bf986ebaeebdf47b332973b25071b5f4e16067e44064d82ad5827b38c89faf4eda12a92ad7cfabee78f1ae01b3acfff9650c37b34f63e651ab28c38 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jp4avmvu.rtn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3764-206-0x000001C9CD1B0000-0x000001C9CD1D2000-memory.dmp
memory/3764-216-0x000001C9CD260000-0x000001C9CD26A000-memory.dmp
memory/3764-215-0x000001C9CD5F0000-0x000001C9CD602000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe
| MD5 | e634616d3b445fc1cd55ee79cf5326ea |
| SHA1 | ca27a368d87bc776884322ca996f3b24e20645f4 |
| SHA256 | 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937 |
| SHA512 | 7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90 |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlccore.dll
| MD5 | c39b26fd913f74e1b80df54a3c58cfb7 |
| SHA1 | d81a62a78fbe5294c9298721e588ed9b38aafd9e |
| SHA256 | eafae6c93e6e49310d13f80b76de3286ad6027624416543fbd65f8f0b0541e68 |
| SHA512 | 4fbd067c88405b5541da6ddb1fa6c7d09a327d008c5494674124bf8fe3641d328e6ac0ee95b84b6368be796e249d633842a4ef5f0db71ce5cbb449089175fd48 |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlc.dll
| MD5 | 4b262612db64f26ea1168ca569811110 |
| SHA1 | 8e59964d1302a3109513cd4fd22c1f313e79654c |
| SHA256 | a9340c99206f3388153d85df4ca94d33b28c60879406cc10ff1fd10eae16523f |
| SHA512 | 9902e64eb1e5ed4c67f4b7e523b41bde4535148c6be20db5f386a1da74533ca575383f1b3154f5985e379df9e1e164b6bda25a66504edcfaa57d40b04fc658c7 |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\dqhq
| MD5 | b23152452b6c798ee1b57352cc5ebce1 |
| SHA1 | 219a30751cda0df049fecc8247daf34fe57d1f4a |
| SHA256 | c513a651c736cdb3acbc7fad1612c544bf14b658dd4db62ea7eb434d8393f83a |
| SHA512 | c951a6e46c4f7d86553dfb2d796e68fd6cb197114155c61e8898e6d792ec87cc18a326097cf140874473e6e33cced35d6a87aea93894a59e3da35f27862e177d |
C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\hcsjm
| MD5 | d272096a4ad0ba0c3001c21804b11835 |
| SHA1 | 3b3933a81cf97301e1e1a4f3c37df2dbb32d3679 |
| SHA256 | 975412a4da13058af093ad1c18dc985428bebd0f2fc730e6195948e69154d65f |
| SHA512 | 6c837d5638fdeed4ce2e579019c8ee85a2f751393530a286396dce30cfc7db4c336515f4fd94fd1b7cf0ee93a1366bcfa7acc6e62e459382f3553bf2d55c2c48 |
memory/4548-238-0x00007FFB4D350000-0x00007FFB4D4CA000-memory.dmp
memory/2732-239-0x0000000000600000-0x0000000000694000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg.zip
| MD5 | cb106cb03334fff181d51a71637a2a6c |
| SHA1 | 0cea6bb69e925f00c7d334cf58b46b9d4cb6cb37 |
| SHA256 | db462a4becbd5ce94f72d91b9f0bd0e1b2dbc9220094d710747b4ca39e3a72f7 |
| SHA512 | 9f66fb7db9fc5a3274c1a88c4c4d7152aa7aec8e0ed6abbd6fe88bd9444eed57055df8b2e7254c222848b00a6643b94e12c610f94b6fc68a566ce18322d27661 |
memory/4548-251-0x00007FFB4D350000-0x00007FFB4D4CA000-memory.dmp
memory/4548-255-0x00007FFB4D700000-0x00007FFB4D9B5000-memory.dmp
memory/4548-253-0x00007FF6360C0000-0x00007FF6361B8000-memory.dmp
memory/4548-254-0x00007FFB65A40000-0x00007FFB65A74000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d96bc47
| MD5 | eb5c4122508c1a7de85149b3f994f8e1 |
| SHA1 | d4e41b7a785a802df396de59501a4b995433c40b |
| SHA256 | 6d1d1b7f5886cbc1a5e3674964f4bafabdd0ddac779811bb9632e42d8b67396a |
| SHA512 | e40341d71cbda6bc62b24b48608642066d4efd2498472b481a8616ba36fd15b223a24dee988fb05be66e94484b8441bf968896c3fd8d6c73a9be7891e2f4f1e2 |
memory/1592-257-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp
memory/2732-258-0x0000000000600000-0x0000000000694000-memory.dmp
memory/1592-259-0x0000000072C10000-0x0000000072D8D000-memory.dmp
memory/4460-262-0x0000000000630000-0x00000000006B0000-memory.dmp
memory/4460-263-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp
memory/4460-264-0x0000000000630000-0x00000000006B0000-memory.dmp
memory/4460-267-0x0000000000630000-0x00000000006B0000-memory.dmp
memory/4460-269-0x0000000004D30000-0x0000000005130000-memory.dmp
memory/4460-272-0x0000000077510000-0x0000000077762000-memory.dmp
memory/4248-277-0x0000000002AF0000-0x0000000002EF0000-memory.dmp
memory/4460-275-0x0000000000630000-0x00000000006B0000-memory.dmp
memory/4248-278-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp
memory/4248-280-0x0000000077510000-0x0000000077762000-memory.dmp
memory/2732-282-0x0000000000600000-0x0000000000694000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip
| MD5 | e0a6c369447034f1b7f2749620c420cc |
| SHA1 | 15b88a23dca33d84bdb2c256e67aee6705a4f122 |
| SHA256 | 3e13e72c418b133c27a1c5aa85cf76f803ab2642b22b473d27de4a1449890603 |
| SHA512 | 374e851b931cee58aa31b6ab215dc94d85a9251e1e60d43e6c21edbf657983bb37148681b20d2d518c4001624caebbd588d3bfa59506900e11a8003765cb379a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ae626d9a72417b14570daa8fcd5d34a4 |
| SHA1 | c103ebaf4d760df722d620df87e6f07c0486439f |
| SHA256 | 52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a |
| SHA512 | a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7b58e6de9cf9aa1c43c15c4e5bacebd1 |
| SHA1 | 706600fc3b8d7551ff18452f1025e8a0480b3e6d |
| SHA256 | e04e22e7bcc9ddb67fb534f1eb10e4af31d9f07d0c6f2b54d133dd5996ba0be9 |
| SHA512 | dbef32d4a09bb46e999a7bee2aec0e54431dec644f54aa9a1e9833a1b0ee340589ee76cd32e2b5fddb6fc64e641777c96e43cc93d2e805f8443d58ef5a4095fe |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe
| MD5 | ba99b11a84a19051eca441320af22f4e |
| SHA1 | bb3a700fa2676d0223444a81796c7b21aa191ca8 |
| SHA256 | e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f |
| SHA512 | e6e0541c121dc3260d4c48d1d788eff122a947c6ea8cd7da538edf6fd5f46cd37ee96f2c431575e31338ef93a5e21c81c51057734e29eec3814d4cd5100038e9 |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxRT.dll
| MD5 | 31e7657643d832681fee0e303e25ee52 |
| SHA1 | 0756c911a602cfe2f094104d1c10a2d014c52e59 |
| SHA256 | 7328aeb5cec65215e5462c1ea4d69a6383fb77605ccb84c60fdb90d6d0b3c0f4 |
| SHA512 | 542ecead0a1d54de9300220799b1bbaf5e304fafa95c4ce130f0003a5c693adcf1c3140d67e6721c1cbc576989597bff7353727cec95ac289f563e1aee1ec9c2 |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxOGLhostcrutil.dll
| MD5 | d01bfdcb832e310af8b74b9613741144 |
| SHA1 | 88dcf21940f852e60026f3994b7cd6d4f2246e45 |
| SHA256 | 943187c2fb090849721985a6119b3440180f7274bc752326a56f3c7862322bef |
| SHA512 | ac3b9fb49967736fb1daa4bc9de62a7d4707a7f6c7b20ac20fadcb4a3e6f7e5e0542ad68f766c604f123f2400487043a1c531352846db2e08f808bae31ea9ada |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\msvcp100.dll
| MD5 | 4f096d96285e06cd51aef7d2d3de04da |
| SHA1 | c90ef0eb5b1a0b1b85ad6792291747fb6307dcdb |
| SHA256 | 5bb420fbe28315f2117376052bb8488ce84a3398dda65005b8ae1f792017e9a8 |
| SHA512 | 80f558c50a71ad9c4930b3838b481e4fb453c38d57c91f7f70c1f86e4043b9a4fbcec27d7c025285504cbf3bde7c50b4770f18121d7818ac58e2ee9c2071f97c |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\oivfk
| MD5 | 6f40f246a78ef46dd8df58d64e8fb51a |
| SHA1 | 6878766db27f7810cba58ad3e1c0e862dbf6fcca |
| SHA256 | 24bc3325b3cbddb6f69f34845d9e7c2bbf6ecff9f631d5d8642b15419846b07b |
| SHA512 | 20a11fcf8f19f4eb4b5114e6fe4f3d468f22147c2114d23b180c0294da5206e189ce57a5bfed332f5c5b0484dd6cb4dea6b9d528be7d5a0f51d4ee3a5f3ccc14 |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\qkyv
| MD5 | 757b60d1b085d26b2d312a04dea9a84f |
| SHA1 | 1e1eda4a0e13ad16c2251bb4d95d615e979db944 |
| SHA256 | 292f1ef0342e06ae83fec5da98b1e58d1737c8f1614bb71eb3395c5a150ec701 |
| SHA512 | a8e706e74b1edf6599e75dff7d43a143f87d0c31e3733394ffe2437af7ec323c92c34b8298f8ed91ff795ea581c10a2902e4cde90511cdc340023c9b5da05e51 |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\QtGuiVBox4.dll
| MD5 | e74d017961a50822825aa733c6196efc |
| SHA1 | 4db6e896e19d43927377209b14e4abd928264671 |
| SHA256 | b13e868e0da8d43519b8694074bf70a8b90f9f1c27a89f168766f2fd435721be |
| SHA512 | 5750ff404c2835fb9df0512e1551b20b8f191280d8436fc196605931a40d8ca124a0e5686d9fe3a7b3dbd6cd9d81e13353a4d28d9669f859322ab66fe28cf8cf |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\QtOpenGLVBox4.dll
| MD5 | 4fc7c92babfa0c6c8341a57b63660058 |
| SHA1 | d5aad499f6abcb94bfec8509790fb81375ebefb2 |
| SHA256 | 909481124b55b069b2ac196148514522853c849a80d4cbc7136e498dc77f34a1 |
| SHA512 | 6602af365d6c7642409d95878e07c2f7054eab76794f51ff10a88388d1e292779cd3cbddea280d43eaa5bdc71661325e2da07020a2b481c32ba330d41e387b46 |
memory/3420-343-0x00007FFB4D1F0000-0x00007FFB4D36A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\QtCoreVBox4.dll
| MD5 | 96123f5c43b67b168840b1c548e8bcce |
| SHA1 | e3e17aa08ea61e3bc7312c37da766db1f166fb83 |
| SHA256 | 2473eaee17b4d730f2d9be74c3c2ab491f62cbbd68be43cf10a9ca04efcaef5b |
| SHA512 | df974aeceeac2e72424e775674ffbc5a7ced9cf3b90135e3d6decd3fffa0d56b24a175cde6c2aa59a98f93cfa957c790b2b95303bccd4a37aa53a4deccc5ba92 |
C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\msvcr100.dll
| MD5 | df3ca8d16bded6a54977b30e66864d33 |
| SHA1 | b7b9349b33230c5b80886f5c1f0a42848661c883 |
| SHA256 | 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36 |
| SHA512 | 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0 |
memory/2732-344-0x0000000000600000-0x0000000000694000-memory.dmp
memory/3420-345-0x00007FFB4D1F0000-0x00007FFB4D36A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\914c3ea5
| MD5 | d662c681221bb432c9b309cbf3f2d5a1 |
| SHA1 | 0dfe5af3b4cb5ed372826d827c8f9b53ccbb13fd |
| SHA256 | 45b7fef5f2b4e9d43c345be1abac013401a17707b8a33b229d356ea52202a364 |
| SHA512 | 3d6002482f467b32562fd3501a6f1db85f32c093c0fba118158306f0ccde1b61c0d7fb3d72742f44190ae6891c9152edcf4786095072d22e75a36df691aef48a |
memory/3856-348-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp
memory/4588-353-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp
memory/4588-354-0x00000000004F0000-0x0000000000553000-memory.dmp