amadey | e80d88b233f39e7a110cdebfb83f395a7e5ff732e793b7542958bcd10a18ef96

Analysis

max time kernel
134s
max time network
148s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-12-2021 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fae96da26402ed864b9fc0b06a2e5995.exe
Size

323KB
MD5

fae96da26402ed864b9fc0b06a2e5995
SHA1

ba3d150ccc9340ce47b0eee6f9b1a672a1aab0bd
SHA256

e80d88b233f39e7a110cdebfb83f395a7e5ff732e793b7542958bcd10a18ef96
SHA512

26592e8624442e49e2bef7d9cf5e2d603c97e5a6133728fe9828ca8e6e168ef45bbee3bdee366a15187b5b012825f5e5a69d6a1d740ab3e56921398f83453df5

Score

10^/10

amadey arkei redline smokeloader tofsee 1 install backdoor collection discovery evasion infostealer persistence spyware stealer suricata trojan vmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

tofsee

mubrikych.top

oxxyfix.xyz

Extracted

Family

redline

Botnet

86.107.197.138:38133

Extracted

Family

redline

Botnet

install

62.182.156.187:56323

Extracted

Family

amadey

Version

2.86

185.215.113.35/d2VxjasuwS/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Arkei
Arkei is an infostealer written in C++.
stealer arkei
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1588-119-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1588-118-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1588-121-0x0000000000419326-mapping.dmp	family_redline
behavioral1/memory/1588-123-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1588-120-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1964-130-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1964-131-0x000000000041932E-mapping.dmp	family_redline
behavioral1/memory/1964-135-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1828-86-0x00000000001B0000-0x00000000001CC000-memory.dmp	family_arkei
behavioral1/memory/1828-87-0x0000000000400000-0x00000000004D2000-memory.dmp	family_arkei

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 17 IoCs

Processes:

3331.exe3331.exe8B8E.exeEEE3.exeF451.exe217.exeD18.exe15E0.exebxfdqonu.exe217.exe2903.exe15E0.exetkools.execounterstrike.exe6CFA.exeleakless.exetkools.exe

pid	process
1276	3331.exe
1632	3331.exe
1764	8B8E.exe
1828	EEE3.exe
744	F451.exe
1532	217.exe
1648	D18.exe
1216	15E0.exe
892	bxfdqonu.exe
1588	217.exe
1552	2903.exe
1964	15E0.exe
1756	tkools.exe
1760	counterstrike.exe
1332	6CFA.exe
900	leakless.exe
2184	tkools.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6CFA.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\6CFA.exe	vmprotect

Deletes itself 1 IoCs

Processes:

pid process

1372

Loads dropped DLL 16 IoCs

Processes:

3331.exe217.exe15E0.exeD18.exeEEE3.execmd.execounterstrike.exe

pid	process
1276	3331.exe
1532	217.exe
1216	15E0.exe
1372
1372
1648	D18.exe
1648	D18.exe
1828	EEE3.exe
944	cmd.exe
944	cmd.exe
1828	EEE3.exe
1760	counterstrike.exe
1760	counterstrike.exe
1828	EEE3.exe
1828	EEE3.exe
1828	EEE3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6CFA.exe

pid process

1332 6CFA.exe

pid	process
1332	6CFA.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

fae96da26402ed864b9fc0b06a2e5995.exe3331.exe217.exe15E0.exe

description	pid	process	target process
PID 1624 set thread context of 1428	1624	fae96da26402ed864b9fc0b06a2e5995.exe	fae96da26402ed864b9fc0b06a2e5995.exe
PID 1276 set thread context of 1632	1276	3331.exe	3331.exe
PID 1532 set thread context of 1588	1532	217.exe	217.exe
PID 1216 set thread context of 1964	1216	15E0.exe	15E0.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fae96da26402ed864b9fc0b06a2e5995.exe3331.exe8B8E.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fae96da26402ed864b9fc0b06a2e5995.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3331.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8B8E.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8B8E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fae96da26402ed864b9fc0b06a2e5995.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fae96da26402ed864b9fc0b06a2e5995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3331.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3331.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8B8E.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EEE3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EEE3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EEE3.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1164 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2664 timeout.exe

pid	process
1164	schtasks.exe

pid	process
2664	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 87 Go-http-client/1.1
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3008 taskkill.exe

description	flow	ioc
HTTP User-Agent header	87	Go-http-client/1.1

pid	process
3008	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fae96da26402ed864b9fc0b06a2e5995.exe

pid	process
1428	fae96da26402ed864b9fc0b06a2e5995.exe
1428	fae96da26402ed864b9fc0b06a2e5995.exe
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1372
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

fae96da26402ed864b9fc0b06a2e5995.exe3331.exe8B8E.exe

pid process

1428 fae96da26402ed864b9fc0b06a2e5995.exe
1632 3331.exe
1764 8B8E.exe
1372
1372
1372
1372

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

217.exe15E0.exe15E0.exe217.exe

description	pid	process
Token: SeDebugPrivilege	1532	217.exe
Token: SeDebugPrivilege	1216	15E0.exe
Token: SeShutdownPrivilege	1372
Token: SeDebugPrivilege	1964	15E0.exe
Token: SeDebugPrivilege	1588	217.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe

pid	process
1372
1372
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

chrome.exe

pid	process
1372
1372
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fae96da26402ed864b9fc0b06a2e5995.exe3331.exeF451.exe217.exe

description	pid	process	target process
PID 1624 wrote to memory of 1428	1624	fae96da26402ed864b9fc0b06a2e5995.exe	fae96da26402ed864b9fc0b06a2e5995.exe
PID 1624 wrote to memory of 1428	1624	fae96da26402ed864b9fc0b06a2e5995.exe	fae96da26402ed864b9fc0b06a2e5995.exe
PID 1624 wrote to memory of 1428	1624	fae96da26402ed864b9fc0b06a2e5995.exe	fae96da26402ed864b9fc0b06a2e5995.exe
PID 1624 wrote to memory of 1428	1624	fae96da26402ed864b9fc0b06a2e5995.exe	fae96da26402ed864b9fc0b06a2e5995.exe
PID 1624 wrote to memory of 1428	1624	fae96da26402ed864b9fc0b06a2e5995.exe	fae96da26402ed864b9fc0b06a2e5995.exe
PID 1624 wrote to memory of 1428	1624	fae96da26402ed864b9fc0b06a2e5995.exe	fae96da26402ed864b9fc0b06a2e5995.exe
PID 1624 wrote to memory of 1428	1624	fae96da26402ed864b9fc0b06a2e5995.exe	fae96da26402ed864b9fc0b06a2e5995.exe
PID 1372 wrote to memory of 1276	1372		3331.exe
PID 1372 wrote to memory of 1276	1372		3331.exe
PID 1372 wrote to memory of 1276	1372		3331.exe
PID 1372 wrote to memory of 1276	1372		3331.exe
PID 1276 wrote to memory of 1632	1276	3331.exe	3331.exe
PID 1276 wrote to memory of 1632	1276	3331.exe	3331.exe
PID 1276 wrote to memory of 1632	1276	3331.exe	3331.exe
PID 1276 wrote to memory of 1632	1276	3331.exe	3331.exe
PID 1276 wrote to memory of 1632	1276	3331.exe	3331.exe
PID 1276 wrote to memory of 1632	1276	3331.exe	3331.exe
PID 1276 wrote to memory of 1632	1276	3331.exe	3331.exe
PID 1372 wrote to memory of 1764	1372		8B8E.exe
PID 1372 wrote to memory of 1764	1372		8B8E.exe
PID 1372 wrote to memory of 1764	1372		8B8E.exe
PID 1372 wrote to memory of 1764	1372		8B8E.exe
PID 1372 wrote to memory of 1828	1372		EEE3.exe
PID 1372 wrote to memory of 1828	1372		EEE3.exe
PID 1372 wrote to memory of 1828	1372		EEE3.exe
PID 1372 wrote to memory of 1828	1372		EEE3.exe
PID 1372 wrote to memory of 744	1372		F451.exe
PID 1372 wrote to memory of 744	1372		F451.exe
PID 1372 wrote to memory of 744	1372		F451.exe
PID 1372 wrote to memory of 744	1372		F451.exe
PID 1372 wrote to memory of 1532	1372		217.exe
PID 1372 wrote to memory of 1532	1372		217.exe
PID 1372 wrote to memory of 1532	1372		217.exe
PID 1372 wrote to memory of 1532	1372		217.exe
PID 744 wrote to memory of 1720	744	F451.exe	cmd.exe
PID 744 wrote to memory of 1720	744	F451.exe	cmd.exe
PID 744 wrote to memory of 1720	744	F451.exe	cmd.exe
PID 744 wrote to memory of 1720	744	F451.exe	cmd.exe
PID 744 wrote to memory of 1800	744	F451.exe	cmd.exe
PID 744 wrote to memory of 1800	744	F451.exe	cmd.exe
PID 744 wrote to memory of 1800	744	F451.exe	cmd.exe
PID 744 wrote to memory of 1800	744	F451.exe	cmd.exe
PID 1372 wrote to memory of 1648	1372		D18.exe
PID 1372 wrote to memory of 1648	1372		D18.exe
PID 1372 wrote to memory of 1648	1372		D18.exe
PID 1372 wrote to memory of 1648	1372		D18.exe
PID 744 wrote to memory of 716	744	F451.exe	sc.exe
PID 744 wrote to memory of 716	744	F451.exe	sc.exe
PID 744 wrote to memory of 716	744	F451.exe	sc.exe
PID 744 wrote to memory of 716	744	F451.exe	sc.exe
PID 744 wrote to memory of 1592	744	F451.exe	sc.exe
PID 744 wrote to memory of 1592	744	F451.exe	sc.exe
PID 744 wrote to memory of 1592	744	F451.exe	sc.exe
PID 744 wrote to memory of 1592	744	F451.exe	sc.exe
PID 744 wrote to memory of 1624	744	F451.exe	sc.exe
PID 744 wrote to memory of 1624	744	F451.exe	sc.exe
PID 744 wrote to memory of 1624	744	F451.exe	sc.exe
PID 744 wrote to memory of 1624	744	F451.exe	sc.exe
PID 1532 wrote to memory of 1588	1532	217.exe	217.exe
PID 1532 wrote to memory of 1588	1532	217.exe	217.exe
PID 1532 wrote to memory of 1588	1532	217.exe	217.exe
PID 1532 wrote to memory of 1588	1532	217.exe	217.exe
PID 744 wrote to memory of 380	744	F451.exe	netsh.exe
PID 744 wrote to memory of 380	744	F451.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\fae96da26402ed864b9fc0b06a2e5995.exe
"C:\Users\Admin\AppData\Local\Temp\fae96da26402ed864b9fc0b06a2e5995.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\fae96da26402ed864b9fc0b06a2e5995.exe
"C:\Users\Admin\AppData\Local\Temp\fae96da26402ed864b9fc0b06a2e5995.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1428

C:\Users\Admin\AppData\Local\Temp\3331.exe
C:\Users\Admin\AppData\Local\Temp\3331.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\3331.exe
C:\Users\Admin\AppData\Local\Temp\3331.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1632

C:\Users\Admin\AppData\Local\Temp\8B8E.exe
C:\Users\Admin\AppData\Local\Temp\8B8E.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1764

C:\Users\Admin\AppData\Local\Temp\EEE3.exe
C:\Users\Admin\AppData\Local\Temp\EEE3.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\EEE3.exe" & exit
2⤵
PID:2592

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:2664

C:\Users\Admin\AppData\Local\Temp\F451.exe
C:\Users\Admin\AppData\Local\Temp\F451.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jzqloxcd\
2⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bxfdqonu.exe" C:\Windows\SysWOW64\jzqloxcd\
2⤵
PID:1800

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create jzqloxcd binPath= "C:\Windows\SysWOW64\jzqloxcd\bxfdqonu.exe /d\"C:\Users\Admin\AppData\Local\Temp\F451.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:716

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description jzqloxcd "wifi internet conection"
2⤵
PID:1592

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jzqloxcd
2⤵
PID:1624

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\217.exe
C:\Users\Admin\AppData\Local\Temp\217.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\217.exe
C:\Users\Admin\AppData\Local\Temp\217.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Local\Temp\D18.exe
C:\Users\Admin\AppData\Local\Temp\D18.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
"C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
3⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
4⤵
PID:1776

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
3⤵
- Creates scheduled task(s)
PID:1164

C:\Users\Admin\AppData\Local\Temp\15E0.exe
C:\Users\Admin\AppData\Local\Temp\15E0.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Users\Admin\AppData\Local\Temp\15E0.exe
C:\Users\Admin\AppData\Local\Temp\15E0.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\jzqloxcd\bxfdqonu.exe
C:\Windows\SysWOW64\jzqloxcd\bxfdqonu.exe /d"C:\Users\Admin\AppData\Local\Temp\F451.exe"
1⤵
- Executes dropped EXE
PID:892

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\2903.exe
C:\Users\Admin\AppData\Local\Temp\2903.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\system32\cmd.exe
cmd /C C:\Users\Admin\AppData\Roaming\\counterstrike.exe
2⤵
- Loads dropped DLL
PID:944

C:\Users\Admin\AppData\Roaming\counterstrike.exe
C:\Users\Admin\AppData\Roaming\\counterstrike.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760

C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe
C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe 10f9a7f9b4d9dfde330854390577b13c 127.0.0.1:49372 "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-sync --enable-features=NetworkService,NetworkServiceInProcess --force-color-profile=srgb --no-startup-window --disable-ipc-flooding-protection --remote-debugging-port=0 --mute-audio --no-first-run --disable-hang-monitor --disable-backgrounding-occluded-windows --disable-default-apps --disable-popup-blocking --disable-prompt-on-repost --use-mock-keychain "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-background-networking --disable-background-timer-throttling --metrics-recording-only --disable-blink-features=AutomationControlled --disable-breakpad --enable-automation --disable-dev-shm-usage --disable-renderer-backgrounding --disable-features=site-per-process,TranslateUI --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages
4⤵
- Executes dropped EXE
PID:900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-sync --enable-features=NetworkService,NetworkServiceInProcess --force-color-profile=srgb --no-startup-window --disable-ipc-flooding-protection --remote-debugging-port=0 --mute-audio --no-first-run --disable-hang-monitor --disable-backgrounding-occluded-windows --disable-default-apps --disable-popup-blocking --disable-prompt-on-repost --use-mock-keychain "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-background-networking --disable-background-timer-throttling --metrics-recording-only --disable-blink-features=AutomationControlled --disable-breakpad --enable-automation --disable-dev-shm-usage --disable-renderer-backgrounding --disable-features=site-per-process,TranslateUI --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages
5⤵
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xd8,0xdc,0x9c,0xe0,0x7fef6944f50,0x7fef6944f60,0x7fef6944f70
6⤵
PID:964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1092,14976021261312780207,17712987310117895515,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-breakpad --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1104 /prefetch:2
6⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1092,14976021261312780207,17712987310117895515,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --lang=en-US --service-sandbox-type=utility --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=1832 /prefetch:8
6⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --field-trial-handle=1092,14976021261312780207,17712987310117895515,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-blink-features=AutomationControlled --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2336 /prefetch:1
6⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1092,14976021261312780207,17712987310117895515,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-breakpad --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3172 /prefetch:2
6⤵
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --field-trial-handle=1092,14976021261312780207,17712987310117895515,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-gpu-compositing --disable-blink-features=AutomationControlled --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3244 /prefetch:1
6⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14976021261312780207,17712987310117895515,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --lang=en-US --service-sandbox-type=utility --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=3856 /prefetch:8
6⤵
PID:2928

C:\Windows\system32\taskkill.exe
taskkill /t /f /pid 1600
5⤵
- Kills process with taskkill
PID:3008

C:\Users\Admin\AppData\Local\Temp\6CFA.exe
C:\Users\Admin\AppData\Local\Temp\6CFA.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1332

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1776

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1596

C:\Windows\system32\taskeng.exe
taskeng.exe {152846E2-D26D-4941-ADBD-0246BF8EE625} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
2⤵
- Executes dropped EXE
PID:2184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

New Service

T1050

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
MD5
051aa6b5efcb15c37359c474c611cc11

SHA1
fc872cd4d8212f1e0ef8cab00a2b62c833e3be37

SHA256
674fd79f346af3f6cd7b401fbf151f21055ed23dd8874f189987a9c53059005f

SHA512
a0ffcd71c91e5b198d8f98661f972ea295c37042ec4c99fbf4c28a201385b1d49914aeb37471d803ed71b781f0a80fc5164dc76cc604b62ab449194db3094db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\15E0.exe
MD5
f497ff63ca89d5513a63de1dc1bae58f

SHA1
ca6b819d4c0d27d5d737f2dc70109b87b6344bef

SHA256
ce9422ae9f6eb554748eaf832be6aced3f5ac556ed53734573c43a6e34198241

SHA512
6729da8220b548fa8b9d9f23ae39330a5dcb4ac22597121ce56dca6d433ac061502d6c270032135b321d6f4d79b4f0e7299efa961f8c7a3a49508be06cbab02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\15E0.exe
MD5
f497ff63ca89d5513a63de1dc1bae58f

SHA1
ca6b819d4c0d27d5d737f2dc70109b87b6344bef

SHA256
ce9422ae9f6eb554748eaf832be6aced3f5ac556ed53734573c43a6e34198241

SHA512
6729da8220b548fa8b9d9f23ae39330a5dcb4ac22597121ce56dca6d433ac061502d6c270032135b321d6f4d79b4f0e7299efa961f8c7a3a49508be06cbab02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\15E0.exe
MD5
f497ff63ca89d5513a63de1dc1bae58f

SHA1
ca6b819d4c0d27d5d737f2dc70109b87b6344bef

SHA256
ce9422ae9f6eb554748eaf832be6aced3f5ac556ed53734573c43a6e34198241

SHA512
6729da8220b548fa8b9d9f23ae39330a5dcb4ac22597121ce56dca6d433ac061502d6c270032135b321d6f4d79b4f0e7299efa961f8c7a3a49508be06cbab02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\217.exe
MD5
f2f8a2b12cb2e41ffbe135b6ed9b5b7c

SHA1
f7133a7435be0377a45d6a0bd0ef56bb0198e9be

SHA256
6d969631ce713fc809012f3aa8fd56cf9ef564cc1c43d5ba85f06fddc749e4a1

SHA512
c3098730be533954cab86f8d29a40f77d551ccb6cb59ff72e9ab549277a93a257cc1a1501108c81e4c2d6d9723fe793780ffd810b9d839faa6c64e33fe52c4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\217.exe
MD5
f2f8a2b12cb2e41ffbe135b6ed9b5b7c

SHA1
f7133a7435be0377a45d6a0bd0ef56bb0198e9be

SHA256
6d969631ce713fc809012f3aa8fd56cf9ef564cc1c43d5ba85f06fddc749e4a1

SHA512
c3098730be533954cab86f8d29a40f77d551ccb6cb59ff72e9ab549277a93a257cc1a1501108c81e4c2d6d9723fe793780ffd810b9d839faa6c64e33fe52c4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\217.exe
MD5
f2f8a2b12cb2e41ffbe135b6ed9b5b7c

SHA1
f7133a7435be0377a45d6a0bd0ef56bb0198e9be

SHA256
6d969631ce713fc809012f3aa8fd56cf9ef564cc1c43d5ba85f06fddc749e4a1

SHA512
c3098730be533954cab86f8d29a40f77d551ccb6cb59ff72e9ab549277a93a257cc1a1501108c81e4c2d6d9723fe793780ffd810b9d839faa6c64e33fe52c4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2903.exe
MD5
9f25eb870ee8a56eda7d35dc25f2241c

SHA1
7af117f07ca61a75baa2e4b183f980832b19f390

SHA256
53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3

SHA512
f39f4f99302cbcc3b0cd60a9899864ec9d2b84aa937ef1e07696043198d673908006e11cd40972bdfe0015112bc2310c03cc9467d0a2e523d5b1bc3858bd5eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3331.exe
MD5
3ad000405b2cd1a001c4b23092215317

SHA1
2c5b5275b7a3aa35f65bf57be0c9885f4cf1755e

SHA256
9a329a1ed81b92704c4c7d1e4795aad61fb08ecd5dab30327976e8e1b1d16293

SHA512
29a353d4378173b28ba6455953486fee9394e56e8a3f394810dd1b1d9fe20bde0eeb2721529309fde8d429f7addff43dc326e95ac6946f1390768367ac4b179f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3331.exe
MD5
3ad000405b2cd1a001c4b23092215317

SHA1
2c5b5275b7a3aa35f65bf57be0c9885f4cf1755e

SHA256
9a329a1ed81b92704c4c7d1e4795aad61fb08ecd5dab30327976e8e1b1d16293

SHA512
29a353d4378173b28ba6455953486fee9394e56e8a3f394810dd1b1d9fe20bde0eeb2721529309fde8d429f7addff43dc326e95ac6946f1390768367ac4b179f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3331.exe
MD5
3ad000405b2cd1a001c4b23092215317

SHA1
2c5b5275b7a3aa35f65bf57be0c9885f4cf1755e

SHA256
9a329a1ed81b92704c4c7d1e4795aad61fb08ecd5dab30327976e8e1b1d16293

SHA512
29a353d4378173b28ba6455953486fee9394e56e8a3f394810dd1b1d9fe20bde0eeb2721529309fde8d429f7addff43dc326e95ac6946f1390768367ac4b179f

Download Submit
C:\Users\Admin\AppData\Local\Temp\56194281155842401186
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
7d782bbbbd6cb54410caef8242537cab

SHA1
ca691b9fea276140b5c95cfea35329ecfd4c592b

SHA256
6960869ade53d02d2eb6c52826785aec6524c7be92c89f5dfbc83ac986b2b14b

SHA512
962e98d23c2e50ba2ed644314340af4c73cfe8b3eaaa904431500b21f936ccc8686c147a4ea66f507d72195e920c63ecc6d435a73f87922e4dd622e8cac036b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
7d782bbbbd6cb54410caef8242537cab

SHA1
ca691b9fea276140b5c95cfea35329ecfd4c592b

SHA256
6960869ade53d02d2eb6c52826785aec6524c7be92c89f5dfbc83ac986b2b14b

SHA512
962e98d23c2e50ba2ed644314340af4c73cfe8b3eaaa904431500b21f936ccc8686c147a4ea66f507d72195e920c63ecc6d435a73f87922e4dd622e8cac036b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
7d782bbbbd6cb54410caef8242537cab

SHA1
ca691b9fea276140b5c95cfea35329ecfd4c592b

SHA256
6960869ade53d02d2eb6c52826785aec6524c7be92c89f5dfbc83ac986b2b14b

SHA512
962e98d23c2e50ba2ed644314340af4c73cfe8b3eaaa904431500b21f936ccc8686c147a4ea66f507d72195e920c63ecc6d435a73f87922e4dd622e8cac036b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CFA.exe
MD5
2fe55f16da6348999312ef5ec21ae20d

SHA1
112bb1adce4ff9c427f61acbad6129794f8b213e

SHA256
f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d

SHA512
12747dd0fb27ace42c58f9412099d8fb33e73a24a1c1a86ebab96c22aef9f11a32320b8eca61fa9197ec8476a358ef674e067151d163b2a96f92085cf3d72724

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CFA.exe
MD5
2fe55f16da6348999312ef5ec21ae20d

SHA1
112bb1adce4ff9c427f61acbad6129794f8b213e

SHA256
f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d

SHA512
12747dd0fb27ace42c58f9412099d8fb33e73a24a1c1a86ebab96c22aef9f11a32320b8eca61fa9197ec8476a358ef674e067151d163b2a96f92085cf3d72724

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B8E.exe
MD5
265ed6f79387305a37bd4a598403adf1

SHA1
c0647e1d4a77715a54141e4898bebcd322f3d9da

SHA256
1c10d4f9c74cbfb4478aa18e3430ea14c07da31ca819ffb8bea5d6e30218bff5

SHA512
1a7c615cab3ebe9910282b01bec5f5eb9558f40d716c4b0914e15d3d8b59e7d4bc37569575c8d9ba612613e1298f3f390d0bbaa153975f40ec262cea27b58b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\D18.exe
MD5
7d782bbbbd6cb54410caef8242537cab

SHA1
ca691b9fea276140b5c95cfea35329ecfd4c592b

SHA256
6960869ade53d02d2eb6c52826785aec6524c7be92c89f5dfbc83ac986b2b14b

SHA512
962e98d23c2e50ba2ed644314340af4c73cfe8b3eaaa904431500b21f936ccc8686c147a4ea66f507d72195e920c63ecc6d435a73f87922e4dd622e8cac036b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D18.exe
MD5
7d782bbbbd6cb54410caef8242537cab

SHA1
ca691b9fea276140b5c95cfea35329ecfd4c592b

SHA256
6960869ade53d02d2eb6c52826785aec6524c7be92c89f5dfbc83ac986b2b14b

SHA512
962e98d23c2e50ba2ed644314340af4c73cfe8b3eaaa904431500b21f936ccc8686c147a4ea66f507d72195e920c63ecc6d435a73f87922e4dd622e8cac036b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEE3.exe
MD5
9f552053040a466fc3fd745e37ebe354

SHA1
e5b585661f55b2b8033fe2228df55c7ead070e01

SHA256
b97e66178aa10ab5b06531c7fb2fd36d7c94485367f6db3e94c969f40d8e6940

SHA512
a9811f4baafe97adbcb1dcc03a87796ede4be4db1b1fcfb23a33b5cefd6764da9257faa12ca4de811973e5acf4cba68d557095587aa2d807008ee161abc5de87

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEE3.exe
MD5
9f552053040a466fc3fd745e37ebe354

SHA1
e5b585661f55b2b8033fe2228df55c7ead070e01

SHA256
b97e66178aa10ab5b06531c7fb2fd36d7c94485367f6db3e94c969f40d8e6940

SHA512
a9811f4baafe97adbcb1dcc03a87796ede4be4db1b1fcfb23a33b5cefd6764da9257faa12ca4de811973e5acf4cba68d557095587aa2d807008ee161abc5de87

Download Submit
C:\Users\Admin\AppData\Local\Temp\F451.exe
MD5
44d65948e693d217c38e2cca0be02e4d

SHA1
a8f1bffff003a591f0eb4264f3eeadf03b1f6594

SHA256
f817c83321640bfc088858c746e7829d53cbe9c1c5ad1e0d81615936a7a09596

SHA512
38af1832b26b36d242a3f61e502ad888bcb34bf3936dd6e1d61d302753e03e19882e1175b346ef6f35ccaf4c04390b5b527ae5de7666bf3c76d74834bc18b1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F451.exe
MD5
44d65948e693d217c38e2cca0be02e4d

SHA1
a8f1bffff003a591f0eb4264f3eeadf03b1f6594

SHA256
f817c83321640bfc088858c746e7829d53cbe9c1c5ad1e0d81615936a7a09596

SHA512
38af1832b26b36d242a3f61e502ad888bcb34bf3936dd6e1d61d302753e03e19882e1175b346ef6f35ccaf4c04390b5b527ae5de7666bf3c76d74834bc18b1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxfdqonu.exe
MD5
334f0445f544bbeb6311ac3afaeeece3

SHA1
20b81bfab1b9750cf8c6a61f80f5ed0f1e67adde

SHA256
721e1e286960eeed7859e51cfa12f9ec2c6b3a39550aecb048852c248b426cd1

SHA512
c7c214d48b5274e8ec37ec7effab7eacab1a51329a3a5307661ee8f3b01625a78ce4ddf690ad8eec5ebe106bfe227927b717b0d08683430c98cf83c838df775b

Download Submit
C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe
MD5
3ea012e26f60ab84a7cf5ad579a83cf4

SHA1
3bd5db30c5a7c8f98a8ccffef341bdd185d3293f

SHA256
6239686d69c87891881710569472e327dadbce031d98f08fea0f98d8c1d62399

SHA512
f3272c880671a1a7a877682f1637ee8e4095990156bee13a41da79ddeb466e540268fc827ed23ac6748ce37a924dc321936e3df031700d0c551031af967457e0

Download Submit
C:\Users\Admin\AppData\Roaming\counterstrike.exe
MD5
9a0f30f9096d0a3cea84512b2044b5fa

SHA1
9c6e6ceb67e75c9960ad5a4cc756b6f096c30343

SHA256
5b8c8da4d888e49c2f9b009163169bdf444db2a48dc9f9b9d020cc9178972fd9

SHA512
e88edab9a771e9e5fb3bcbc2d497a49e56cb440f933cf64d8e60a39c8228842e035803eb21c25cc5c5f26f1b6456796b01e8ca49f9dc3ee3dd279da4cc75d833

Download Submit
C:\Users\Admin\AppData\Roaming\counterstrike.exe
MD5
9a0f30f9096d0a3cea84512b2044b5fa

SHA1
9c6e6ceb67e75c9960ad5a4cc756b6f096c30343

SHA256
5b8c8da4d888e49c2f9b009163169bdf444db2a48dc9f9b9d020cc9178972fd9

SHA512
e88edab9a771e9e5fb3bcbc2d497a49e56cb440f933cf64d8e60a39c8228842e035803eb21c25cc5c5f26f1b6456796b01e8ca49f9dc3ee3dd279da4cc75d833

Download Submit
C:\Windows\SysWOW64\jzqloxcd\bxfdqonu.exe
MD5
334f0445f544bbeb6311ac3afaeeece3

SHA1
20b81bfab1b9750cf8c6a61f80f5ed0f1e67adde

SHA256
721e1e286960eeed7859e51cfa12f9ec2c6b3a39550aecb048852c248b426cd1

SHA512
c7c214d48b5274e8ec37ec7effab7eacab1a51329a3a5307661ee8f3b01625a78ce4ddf690ad8eec5ebe106bfe227927b717b0d08683430c98cf83c838df775b

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_1600_GMEQHSRMETNVOCHM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\15E0.exe
MD5
f497ff63ca89d5513a63de1dc1bae58f

SHA1
ca6b819d4c0d27d5d737f2dc70109b87b6344bef

SHA256
ce9422ae9f6eb554748eaf832be6aced3f5ac556ed53734573c43a6e34198241

SHA512
6729da8220b548fa8b9d9f23ae39330a5dcb4ac22597121ce56dca6d433ac061502d6c270032135b321d6f4d79b4f0e7299efa961f8c7a3a49508be06cbab02a

Download Submit
\Users\Admin\AppData\Local\Temp\217.exe
MD5
f2f8a2b12cb2e41ffbe135b6ed9b5b7c

SHA1
f7133a7435be0377a45d6a0bd0ef56bb0198e9be

SHA256
6d969631ce713fc809012f3aa8fd56cf9ef564cc1c43d5ba85f06fddc749e4a1

SHA512
c3098730be533954cab86f8d29a40f77d551ccb6cb59ff72e9ab549277a93a257cc1a1501108c81e4c2d6d9723fe793780ffd810b9d839faa6c64e33fe52c4bd

Download Submit
\Users\Admin\AppData\Local\Temp\2903.exe
MD5
9f25eb870ee8a56eda7d35dc25f2241c

SHA1
7af117f07ca61a75baa2e4b183f980832b19f390

SHA256
53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3

SHA512
f39f4f99302cbcc3b0cd60a9899864ec9d2b84aa937ef1e07696043198d673908006e11cd40972bdfe0015112bc2310c03cc9467d0a2e523d5b1bc3858bd5eb2

Download Submit
\Users\Admin\AppData\Local\Temp\2903.exe
MD5
9f25eb870ee8a56eda7d35dc25f2241c

SHA1
7af117f07ca61a75baa2e4b183f980832b19f390

SHA256
53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3

SHA512
f39f4f99302cbcc3b0cd60a9899864ec9d2b84aa937ef1e07696043198d673908006e11cd40972bdfe0015112bc2310c03cc9467d0a2e523d5b1bc3858bd5eb2

Download Submit
\Users\Admin\AppData\Local\Temp\3331.exe
MD5
3ad000405b2cd1a001c4b23092215317

SHA1
2c5b5275b7a3aa35f65bf57be0c9885f4cf1755e

SHA256
9a329a1ed81b92704c4c7d1e4795aad61fb08ecd5dab30327976e8e1b1d16293

SHA512
29a353d4378173b28ba6455953486fee9394e56e8a3f394810dd1b1d9fe20bde0eeb2721529309fde8d429f7addff43dc326e95ac6946f1390768367ac4b179f

Download Submit
\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
7d782bbbbd6cb54410caef8242537cab

SHA1
ca691b9fea276140b5c95cfea35329ecfd4c592b

SHA256
6960869ade53d02d2eb6c52826785aec6524c7be92c89f5dfbc83ac986b2b14b

SHA512
962e98d23c2e50ba2ed644314340af4c73cfe8b3eaaa904431500b21f936ccc8686c147a4ea66f507d72195e920c63ecc6d435a73f87922e4dd622e8cac036b4

Download Submit
\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
7d782bbbbd6cb54410caef8242537cab

SHA1
ca691b9fea276140b5c95cfea35329ecfd4c592b

SHA256
6960869ade53d02d2eb6c52826785aec6524c7be92c89f5dfbc83ac986b2b14b

SHA512
962e98d23c2e50ba2ed644314340af4c73cfe8b3eaaa904431500b21f936ccc8686c147a4ea66f507d72195e920c63ecc6d435a73f87922e4dd622e8cac036b4

Download Submit
\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe
MD5
3ea012e26f60ab84a7cf5ad579a83cf4

SHA1
3bd5db30c5a7c8f98a8ccffef341bdd185d3293f

SHA256
6239686d69c87891881710569472e327dadbce031d98f08fea0f98d8c1d62399

SHA512
f3272c880671a1a7a877682f1637ee8e4095990156bee13a41da79ddeb466e540268fc827ed23ac6748ce37a924dc321936e3df031700d0c551031af967457e0

Download Submit
\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe
MD5
3ea012e26f60ab84a7cf5ad579a83cf4

SHA1
3bd5db30c5a7c8f98a8ccffef341bdd185d3293f

SHA256
6239686d69c87891881710569472e327dadbce031d98f08fea0f98d8c1d62399

SHA512
f3272c880671a1a7a877682f1637ee8e4095990156bee13a41da79ddeb466e540268fc827ed23ac6748ce37a924dc321936e3df031700d0c551031af967457e0

Download Submit
\Users\Admin\AppData\Roaming\counterstrike.exe
MD5
9a0f30f9096d0a3cea84512b2044b5fa

SHA1
9c6e6ceb67e75c9960ad5a4cc756b6f096c30343

SHA256
5b8c8da4d888e49c2f9b009163169bdf444db2a48dc9f9b9d020cc9178972fd9

SHA512
e88edab9a771e9e5fb3bcbc2d497a49e56cb440f933cf64d8e60a39c8228842e035803eb21c25cc5c5f26f1b6456796b01e8ca49f9dc3ee3dd279da4cc75d833

Download Submit
\Users\Admin\AppData\Roaming\counterstrike.exe
MD5
9a0f30f9096d0a3cea84512b2044b5fa

SHA1
9c6e6ceb67e75c9960ad5a4cc756b6f096c30343

SHA256
5b8c8da4d888e49c2f9b009163169bdf444db2a48dc9f9b9d020cc9178972fd9

SHA512
e88edab9a771e9e5fb3bcbc2d497a49e56cb440f933cf64d8e60a39c8228842e035803eb21c25cc5c5f26f1b6456796b01e8ca49f9dc3ee3dd279da4cc75d833

Download Submit
memory/380-106-0x0000000000000000-mapping.dmp

Download
memory/716-102-0x0000000000000000-mapping.dmp

Download
memory/744-93-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/744-94-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/744-90-0x000000000030B000-0x000000000031C000-memory.dmp

Filesize
68KB

Download
memory/744-80-0x0000000000000000-mapping.dmp

Download
memory/892-129-0x000000000065B000-0x000000000066C000-memory.dmp

Filesize
68KB

Download
memory/892-139-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/900-185-0x0000000000000000-mapping.dmp

Download
memory/944-158-0x0000000000000000-mapping.dmp

Download
memory/1164-155-0x0000000000000000-mapping.dmp

Download
memory/1216-110-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/1216-114-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1216-113-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/1216-107-0x0000000000000000-mapping.dmp

Download
memory/1276-61-0x0000000000000000-mapping.dmp

Download
memory/1276-63-0x00000000005EB000-0x00000000005FC000-memory.dmp

Filesize
68KB

Download
memory/1332-166-0x0000000000000000-mapping.dmp

Download
memory/1332-171-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1332-180-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1332-198-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1332-187-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1332-175-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1332-170-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1332-176-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1332-197-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1332-204-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1332-173-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1332-174-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1332-200-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1332-201-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1372-70-0x0000000003E50000-0x0000000003E66000-memory.dmp

Filesize
88KB

Download
memory/1372-60-0x00000000026F0000-0x0000000002706000-memory.dmp

Filesize
88KB

Download
memory/1372-77-0x0000000003F70000-0x0000000003F86000-memory.dmp

Filesize
88KB

Download
memory/1428-58-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1428-57-0x0000000000402F47-mapping.dmp

Download
memory/1428-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1516-154-0x0000000000000000-mapping.dmp

Download
memory/1532-88-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1532-97-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1532-96-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1532-83-0x0000000000000000-mapping.dmp

Download
memory/1552-128-0x0000000000000000-mapping.dmp

Download
memory/1588-121-0x0000000000419326-mapping.dmp

Download
memory/1588-123-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1588-116-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1588-117-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1588-119-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1588-118-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1588-120-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1588-150-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/1592-103-0x0000000000000000-mapping.dmp

Download
memory/1596-181-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/1596-183-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1596-177-0x0000000000000000-mapping.dmp

Download
memory/1624-59-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1624-104-0x0000000000000000-mapping.dmp

Download
memory/1624-55-0x000000000065B000-0x000000000066B000-memory.dmp

Filesize
64KB

Download
memory/1632-67-0x0000000000402F47-mapping.dmp

Download
memory/1648-141-0x000000000058B000-0x00000000005A9000-memory.dmp

Filesize
120KB

Download
memory/1648-143-0x00000000002C0000-0x00000000002F8000-memory.dmp

Filesize
224KB

Download
memory/1648-144-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1648-100-0x0000000000000000-mapping.dmp

Download
memory/1720-138-0x0000000000110000-0x0000000000125000-memory.dmp

Filesize
84KB

Download
memory/1720-95-0x0000000000000000-mapping.dmp

Download
memory/1756-148-0x0000000000000000-mapping.dmp

Download
memory/1756-151-0x00000000002EB000-0x0000000000309000-memory.dmp

Filesize
120KB

Download
memory/1756-157-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1760-163-0x0000000000000000-mapping.dmp

Download
memory/1764-71-0x0000000000000000-mapping.dmp

Download
memory/1764-73-0x00000000005AB000-0x00000000005BC000-memory.dmp

Filesize
68KB

Download
memory/1764-76-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1764-75-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1776-156-0x0000000000000000-mapping.dmp

Download
memory/1776-169-0x0000000000000000-mapping.dmp

Download
memory/1776-192-0x00000000708B1000-0x00000000708B3000-memory.dmp

Filesize
8KB

Download
memory/1776-193-0x0000000000190000-0x0000000000204000-memory.dmp

Filesize
464KB

Download
memory/1776-194-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/1800-98-0x0000000000000000-mapping.dmp

Download
memory/1828-82-0x00000000002EB000-0x00000000002FC000-memory.dmp

Filesize
68KB

Download
memory/1828-87-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1828-78-0x0000000000000000-mapping.dmp

Download
memory/1828-86-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/1964-140-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1964-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1964-131-0x000000000041932E-mapping.dmp

Download
memory/1964-130-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2184-196-0x0000000000000000-mapping.dmp

Download
memory/2592-206-0x0000000000000000-mapping.dmp

Download
memory/2664-207-0x0000000000000000-mapping.dmp

Download
memory/3008-210-0x0000000000000000-mapping.dmp

Download