amadey | 5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2

Analysis

max time kernel
153s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe
Size

382KB
MD5

38b5deb16f9cd877a6a7ca7c7434b5ea
SHA1

11051c4a389238fe7e2202cb506a6f23cfa6bfa4
SHA256

5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2
SHA512

f1f75b2f2641e09c1ce71b7d442b30169b6335d2e15a6fc9bfcb94ffa6552d4f8783cd6468016789d249e2633332e705631e06ad9ede80c03f87e4a051aee899

Malware Config

Extracted

Family

vidar

Version

52.2

Botnet

1366

https://t.me/netflixaccsfree

https://mastodon.social/@ronxik12

Attributes

profile_id
1366

Extracted

Family

smokeloader

Version

2020

http://monsutiur4.com/

http://nusurionuy5ff.at/

http://moroitomo4.net/

http://susuerulianita1.net/

http://cucumbetuturel4.com/

http://nunuslushau.com/

http://linislominyt11.at/

http://luxulixionus.net/

http://lilisjjoer44.com/

http://nikogminut88.at/

http://limo00ruling.org/

http://mini55tunul.com/

http://samnutu11nuli.com/

http://nikogkojam.org/

rc4.i32

Extracted

Family

amadey

Version

3.10

185.215.113.38/f8dfksdj3/index.php

Extracted

Family

redline

Botnet

SUSHI

65.108.101.231:14648

Attributes

auth_value
26bcdf6ae8358a98f24ebd4bd8ec3714

Extracted

Family

redline

Botnet

ROK

194.36.177.138:81

Attributes

auth_value
17f65f419822bba9db958b4ac6cc9f05

Extracted

Family

djvu

http://ugll.org/test3/get.php

Attributes

extension
.fefg
offline_id
eBNgvyGQV1Hmt9DBdxVRs8qPi1agsS7OaohPmit1
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-j3AdKrnQie Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: admin@helpdata.top Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0482JIjdm

rsa_pubkey.plain

Extracted

Family

redline

Botnet

ruz19489

193.124.22.34:19489

Attributes

auth_value
2b3af4bdf5e7f4f41faf1150d1660073

Extracted

Family

redline

Botnet

@humus228p

185.215.113.24:15994

Attributes

auth_value
bb99a32fdff98741feb69d524760afae

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3840-259-0x0000000002320000-0x000000000243B000-memory.dmp	family_djvu
behavioral2/memory/3856-272-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3856-274-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3856-276-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3856-277-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1020-148-0x0000000000AE0000-0x0000000000C86000-memory.dmp	family_redline
behavioral2/memory/1020-147-0x0000000000AE0000-0x0000000000C86000-memory.dmp	family_redline
behavioral2/memory/1020-151-0x0000000000AE0000-0x0000000000C86000-memory.dmp	family_redline
behavioral2/memory/3240-234-0x0000000000DF0000-0x0000000001468000-memory.dmp	family_redline
behavioral2/memory/4336-245-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4016-257-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/960-261-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/5072-267-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1560-218-0x0000000000400000-0x0000000000453000-memory.dmp	family_vidar
behavioral2/memory/2948-208-0x00000000000A0000-0x0000000000123000-memory.dmp	family_vidar
behavioral2/memory/1560-229-0x0000000000400000-0x0000000000453000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

NiceProcessX64.bmp.exeSetupMEXX.exe.exefile1.exe.exefile2.exe.exe6523.exe.exeService.bmp.exeFJEfRXZ.exe.exe

pid process

3360 NiceProcessX64.bmp.exe
4376 SetupMEXX.exe.exe
2948 file1.exe.exe
1020 file2.exe.exe
1284 6523.exe.exe
5092 Service.bmp.exe
3956 FJEfRXZ.exe.exe

pid	process
3360	NiceProcessX64.bmp.exe
4376	SetupMEXX.exe.exe
2948	file1.exe.exe
1020	file2.exe.exe
1284	6523.exe.exe
5092	Service.bmp.exe
3956	FJEfRXZ.exe.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe	upx
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe	upx

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\norm2.bmp.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\norm2.bmp.exe	vmprotect
behavioral2/memory/4968-238-0x0000000000100000-0x00000000009C1000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe	vmprotect
behavioral2/memory/4584-284-0x00000000007A0000-0x0000000001061000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1080 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1080	icacls.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\Fenix_6.bmp.exe	themida
C:\Users\Admin\Pictures\Adobe Films\Fenix_6.bmp.exe	themida
behavioral2/memory/3240-234-0x0000000000DF0000-0x0000000001468000-memory.dmp	themida

Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

154 ipinfo.io
162 api.2ip.ua
164 api.2ip.ua
29 ipinfo.io
30 ipinfo.io
112 ipinfo.io
113 ipinfo.io
153 ipinfo.io

flow	ioc
154	ipinfo.io
162	api.2ip.ua
164	api.2ip.ua
29	ipinfo.io
30	ipinfo.io
112	ipinfo.io
113	ipinfo.io
153	ipinfo.io

Drops file in Program Files directory 2 IoCs

Processes:

Service.bmp.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Service.bmp.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Service.bmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
5044	4960	WerFault.exe	norm2.bmp.exe
4284	4072	WerFault.exe	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6523.exe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6523.exe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6523.exe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6523.exe.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1256 schtasks.exe
2040 schtasks.exe
2424 schtasks.exe

pid	process
1256	schtasks.exe
2040	schtasks.exe
2424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exeNiceProcessX64.bmp.exe

pid	process
4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe
4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe
3360	NiceProcessX64.bmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

file2.exe.exeSetupMEXX.exe.exe

description pid process

Token: SeDebugPrivilege 1020 file2.exe.exe
Token: SeDebugPrivilege 4376 SetupMEXX.exe.exe

description	pid	process
Token: SeDebugPrivilege	1020	file2.exe.exe
Token: SeDebugPrivilege	4376	SetupMEXX.exe.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe

description	pid	process	target process
PID 4072 wrote to memory of 3360	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	NiceProcessX64.bmp.exe
PID 4072 wrote to memory of 3360	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	NiceProcessX64.bmp.exe
PID 4072 wrote to memory of 4376	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	SetupMEXX.exe.exe
PID 4072 wrote to memory of 4376	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	SetupMEXX.exe.exe
PID 4072 wrote to memory of 4376	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	SetupMEXX.exe.exe
PID 4072 wrote to memory of 2948	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	file1.exe.exe
PID 4072 wrote to memory of 2948	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	file1.exe.exe
PID 4072 wrote to memory of 2948	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	file1.exe.exe
PID 4072 wrote to memory of 1020	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	file2.exe.exe
PID 4072 wrote to memory of 1020	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	file2.exe.exe
PID 4072 wrote to memory of 1020	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	file2.exe.exe
PID 4072 wrote to memory of 1284	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	6523.exe.exe
PID 4072 wrote to memory of 1284	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	6523.exe.exe
PID 4072 wrote to memory of 1284	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	6523.exe.exe
PID 4072 wrote to memory of 5092	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	Service.bmp.exe
PID 4072 wrote to memory of 5092	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	Service.bmp.exe
PID 4072 wrote to memory of 5092	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	Service.bmp.exe
PID 4072 wrote to memory of 3956	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	FJEfRXZ.exe.exe
PID 4072 wrote to memory of 3956	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	FJEfRXZ.exe.exe
PID 4072 wrote to memory of 3956	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	FJEfRXZ.exe.exe
PID 4072 wrote to memory of 3840	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	test33.bmp.exe
PID 4072 wrote to memory of 3840	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	test33.bmp.exe
PID 4072 wrote to memory of 3840	4072	5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe	test33.bmp.exe

C:\Users\Admin\AppData\Local\Temp\5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe
"C:\Users\Admin\AppData\Local\Temp\5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3360

C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Users\Admin\Pictures\Adobe Films\file1.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\file1.exe.exe"
2⤵
- Executes dropped EXE
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1560

C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1284

C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5092

C:\Users\Admin\Documents\B4PbyYZdlFz2A9phI24scHEe.exe
"C:\Users\Admin\Documents\B4PbyYZdlFz2A9phI24scHEe.exe"
3⤵
PID:1544

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
4⤵
PID:2640

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1256

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2040

C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe"
2⤵
- Executes dropped EXE
PID:3956

C:\Windows\SysWOW64\ftp.exe
ftp -?
3⤵
PID:3000

C:\Users\Admin\Pictures\Adobe Films\prolivv.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\prolivv.bmp.exe"
2⤵
PID:1232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:4336

C:\Users\Admin\Pictures\Adobe Films\Fenix_6.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Fenix_6.bmp.exe"
2⤵
PID:3240

C:\Users\Admin\Pictures\Adobe Films\mixinte2001.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\mixinte2001.bmp.exe"
2⤵
PID:3924

C:\Users\Admin\Pictures\Adobe Films\real1801.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\real1801.bmp.exe"
2⤵
PID:3700

C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe"
2⤵
PID:3840

C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe"
3⤵
PID:3856

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\4a99f926-f154-4d84-8b6e-3d9581d2e3ff" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:1080

C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe"
2⤵
PID:1388

C:\Users\Admin\Pictures\Adobe Films\norm2.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\norm2.bmp.exe"
2⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 728
3⤵
- Program crash
PID:5044

C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe"
2⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe"
3⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8c7aecc852\
4⤵
PID:720

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe" /F
4⤵
- Creates scheduled task(s)
PID:2424

C:\Users\Admin\Pictures\Adobe Films\lokes_1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\lokes_1.bmp.exe"
2⤵
PID:4924

C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe"
2⤵
PID:3672

C:\Users\Admin\Pictures\Adobe Films\unmatured.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\unmatured.bmp.exe"
2⤵
PID:1252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:3416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:4016

C:\Users\Admin\Pictures\Adobe Films\arabcode_crypted_3.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\arabcode_crypted_3.bmp.exe"
2⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:960

C:\Users\Admin\Pictures\Adobe Films\Offscum.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\Offscum.exe.exe"
2⤵
PID:4460

C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_2.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_2.bmp.exe"
2⤵
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:5072

C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe"
2⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 3324
2⤵
- Program crash
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4960 -ip 4960
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4072 -ip 4072
1⤵
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
41fbbfef77c9e15df36e1cb541503d98

SHA1
c2e6a702ecb76de3321d194644d0bd73d479cecb

SHA256
1c596fd0b7231e43e672cb027be6117200830dd98929f060c3a97f8efc4eae17

SHA512
9f26e615f952b673ce80740ee48e37ac44fd27c7bb280f1d1cc4fec614ccd2c95dd4a19dbb0f09e94fa2e0fc65a92de9a2e64e358040c2bfc523ec162377d08e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
408B

MD5
97123455b295c0e8ec24f2a22bee00d6

SHA1
3bb443f7e4ad94b555ff23d18b7c06c7122e104d

SHA256
b43ebc69b92cadb2f130e652161c893677b6beb53e9a286689a27095759f4036

SHA512
61742e4d0186c5bf2332cc833533757d27bcfdf4cb384f486525a2a27f150a11d68e76b65adbf22c835af52e5747d39fd9fee5d02dd502226e9fda549299ed91

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
Filesize
4.7MB

MD5
6955f1fcff91064a4d99ba254e0c35de

SHA1
a9fe80036ea557b382d4d12020e97cf7781be179

SHA256
03618f286dbbd66bc95826d30127466d14b19c5b1cc46ba1cb0897430506b591

SHA512
fc4c024eea13a316f68c933a0dbae2749b423e204ff688e71e750d62cba1fe657ca9a0a6d4d36fd5fcaa2353b4bb1e2910216cf5527e09165f83ad71e41e00b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
Filesize
167KB

MD5
f07ac9ecb112c1dd62ac600b76426bd3

SHA1
8ee61d9296b28f20ad8e2dca8332ee60735f3398

SHA256
28859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0

SHA512
777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524

Download Submit
C:\Users\Admin\Documents\B4PbyYZdlFz2A9phI24scHEe.exe
Filesize
232KB

MD5
5546c1ab6768292b78c746d9ea627f4a

SHA1
be3bf3f21b6101099bcfd7203a179829aea4b435

SHA256
93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

SHA512
90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

Download Submit
C:\Users\Admin\Documents\B4PbyYZdlFz2A9phI24scHEe.exe
Filesize
232KB

MD5
5546c1ab6768292b78c746d9ea627f4a

SHA1
be3bf3f21b6101099bcfd7203a179829aea4b435

SHA256
93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

SHA512
90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
Filesize
252KB

MD5
803754d7fd2a5760637a96baa877a0dd

SHA1
2a67e4ea5a3bde0385965a44a4291af432937b9c

SHA256
68e029be93ff26581a1c2120d3c4c152f7ee3303e3696c7d4b6801220f186b9f

SHA512
3242d5279d48c9bf5022ad4765552deffbcf0acdb46f69bc68f3772f1b997cd12710bc7c507e27c7b9e47c95353a6acec628fd24ba327ef52cf56e7a03f309bc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
Filesize
252KB

MD5
803754d7fd2a5760637a96baa877a0dd

SHA1
2a67e4ea5a3bde0385965a44a4291af432937b9c

SHA256
68e029be93ff26581a1c2120d3c4c152f7ee3303e3696c7d4b6801220f186b9f

SHA512
3242d5279d48c9bf5022ad4765552deffbcf0acdb46f69bc68f3772f1b997cd12710bc7c507e27c7b9e47c95353a6acec628fd24ba327ef52cf56e7a03f309bc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Fenix_6.bmp.exe
Filesize
1.7MB

MD5
c4642af33e0af7ccc37f133fdd506970

SHA1
f7cb09c34830ac148ef081b8422c6e57fa0e8d78

SHA256
f458313d1c3a4c5586dec2f165e283353bd2e369b922cf5aad9afbbaec54f49e

SHA512
acfa1997b8a408cc116f05827b23a99143ff4a43a2190c3b7ee4619427804ecffb1ada5482d3f9ef8e2002e48fd164e0f6284f33b5ef11486d3d49ba34e354bc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Fenix_6.bmp.exe
Filesize
1.7MB

MD5
c4642af33e0af7ccc37f133fdd506970

SHA1
f7cb09c34830ac148ef081b8422c6e57fa0e8d78

SHA256
f458313d1c3a4c5586dec2f165e283353bd2e369b922cf5aad9afbbaec54f49e

SHA512
acfa1997b8a408cc116f05827b23a99143ff4a43a2190c3b7ee4619427804ecffb1ada5482d3f9ef8e2002e48fd164e0f6284f33b5ef11486d3d49ba34e354bc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Offscum.exe.exe
Filesize
384KB

MD5
43e800701f22f016821dac724aafc5db

SHA1
86a33ba8fb36657178ff13ebfa7ce3a0b9c0eca0

SHA256
d3cb46076b5c81e8b4478ac44dee8508656ef8a1844b8c0601c7bcee34b76a5f

SHA512
344f78bfc56e533465631c486298dc6318fec14ce89362e463e6530511c75374814abc998b3fecdd86daabb6179d3abd489fe033cea38a157680c0ae79069368

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Offscum.exe.exe
Filesize
384KB

MD5
43e800701f22f016821dac724aafc5db

SHA1
86a33ba8fb36657178ff13ebfa7ce3a0b9c0eca0

SHA256
d3cb46076b5c81e8b4478ac44dee8508656ef8a1844b8c0601c7bcee34b76a5f

SHA512
344f78bfc56e533465631c486298dc6318fec14ce89362e463e6530511c75374814abc998b3fecdd86daabb6179d3abd489fe033cea38a157680c0ae79069368

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
Filesize
383KB

MD5
53b62ed629c088e2a3c856504a09cf0e

SHA1
ec8ddc00350fa9390a9b07e06812e19732ee23cb

SHA256
3b5a86c09a060f913be80d183e0fe300a8fad7811f2010753db73ba8b04c8654

SHA512
8c8c8635d9848d679aba11dd74439b5b5dbba7fc52b75bee1a404dad626eefcb7ec58b372b198cea483867d614d9c3a571ae8e28c4b4830820844027584e72ea

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
Filesize
383KB

MD5
53b62ed629c088e2a3c856504a09cf0e

SHA1
ec8ddc00350fa9390a9b07e06812e19732ee23cb

SHA256
3b5a86c09a060f913be80d183e0fe300a8fad7811f2010753db73ba8b04c8654

SHA512
8c8c8635d9848d679aba11dd74439b5b5dbba7fc52b75bee1a404dad626eefcb7ec58b372b198cea483867d614d9c3a571ae8e28c4b4830820844027584e72ea

Download Submit
C:\Users\Admin\Pictures\Adobe Films\arabcode_crypted_3.bmp.exe
Filesize
542KB

MD5
87b38b08c9c900680c61b81c576f849a

SHA1
b2d0c7d3a37efb6e3923a0d0c47589ff7be5a20d

SHA256
72584b24a721dc0a3c0fe0b0f3ae76d3ede757c7bfa7be776f295935e8b174ad

SHA512
0fab8644d0c90b7c6daace1f87788d1347391eb74decf9702d9c0925438bc11fc6557837988818d07c6b92e29ab72e466df5f37622640a40373844b528dcfe57

Download Submit
C:\Users\Admin\Pictures\Adobe Films\arabcode_crypted_3.bmp.exe
Filesize
542KB

MD5
87b38b08c9c900680c61b81c576f849a

SHA1
b2d0c7d3a37efb6e3923a0d0c47589ff7be5a20d

SHA256
72584b24a721dc0a3c0fe0b0f3ae76d3ede757c7bfa7be776f295935e8b174ad

SHA512
0fab8644d0c90b7c6daace1f87788d1347391eb74decf9702d9c0925438bc11fc6557837988818d07c6b92e29ab72e466df5f37622640a40373844b528dcfe57

Download Submit
C:\Users\Admin\Pictures\Adobe Films\file1.exe.exe
Filesize
513KB

MD5
c198c3583e494e8171f6c66d8ef98427

SHA1
14b287f456d59bd49595af319ef31cdab710b160

SHA256
ddb7fce69d1cd4ca06d7528352866130f3e21fa9798626263d9958b54c2d1129

SHA512
419024e65f26884037f92c6f6a2352da7e45d1638af11879918551dc7168abffa835cef27045181a291c32e85090536177e02226a5c5b651d3beebf1928bf3c2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\file1.exe.exe
Filesize
513KB

MD5
c198c3583e494e8171f6c66d8ef98427

SHA1
14b287f456d59bd49595af319ef31cdab710b160

SHA256
ddb7fce69d1cd4ca06d7528352866130f3e21fa9798626263d9958b54c2d1129

SHA512
419024e65f26884037f92c6f6a2352da7e45d1638af11879918551dc7168abffa835cef27045181a291c32e85090536177e02226a5c5b651d3beebf1928bf3c2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe
Filesize
1.8MB

MD5
2dde036370dc81b739f4d3941a9666c6

SHA1
449e79517f8370e544466b42021b947351a74e54

SHA256
a7b031aabbeb5da007dea0cedb319cd604ab055a14660993365cc0cb6ac6f575

SHA512
ae96c7c6792ad7617898c418234cf3cac1f5936a807c71ea5967e54b6dd2f4f8ada4fbbe32f7ac8935e68bd046a7e6f532d3b632178c914c14eff218c29043d0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe
Filesize
1.8MB

MD5
2dde036370dc81b739f4d3941a9666c6

SHA1
449e79517f8370e544466b42021b947351a74e54

SHA256
a7b031aabbeb5da007dea0cedb319cd604ab055a14660993365cc0cb6ac6f575

SHA512
ae96c7c6792ad7617898c418234cf3cac1f5936a807c71ea5967e54b6dd2f4f8ada4fbbe32f7ac8935e68bd046a7e6f532d3b632178c914c14eff218c29043d0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lokes_1.bmp.exe
Filesize
393KB

MD5
765b46d47cc4c5af4c899ad762cf996a

SHA1
ff2ffe0c32ddf4268ac09ff6b012a5fcde3c5787

SHA256
4fa8f0ef12891f15d5ae450d30947fcbab560030a0a240ad6e5a176ce2dc8074

SHA512
e14fd1c47c6557c1d9991f2c805495578596b83767c9eaf1e6061dd917a9d00dc53eafb2b7e20975073da17b97ae3bed358e5ba8bf56cf8bb13423b050ccc669

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lokes_1.bmp.exe
Filesize
393KB

MD5
765b46d47cc4c5af4c899ad762cf996a

SHA1
ff2ffe0c32ddf4268ac09ff6b012a5fcde3c5787

SHA256
4fa8f0ef12891f15d5ae450d30947fcbab560030a0a240ad6e5a176ce2dc8074

SHA512
e14fd1c47c6557c1d9991f2c805495578596b83767c9eaf1e6061dd917a9d00dc53eafb2b7e20975073da17b97ae3bed358e5ba8bf56cf8bb13423b050ccc669

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mixinte2001.bmp.exe
Filesize
368KB

MD5
42101bce768d69826cb3d8303639bc70

SHA1
d98098e5aff1508e9835abf5b6031ac9fa29a3f9

SHA256
66fca34e2831ba7e4bbe73584925ab574d9eecda5dfde6e384fa74e834ee7a83

SHA512
76f1161112842f38263d9c6acfab4189cd1a808ce8bd75964cc1f53c1635f48cbd3d1d66768b399def56de986074ba432bc1b5531690e893f945ac102855e1dd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mixinte2001.bmp.exe
Filesize
368KB

MD5
42101bce768d69826cb3d8303639bc70

SHA1
d98098e5aff1508e9835abf5b6031ac9fa29a3f9

SHA256
66fca34e2831ba7e4bbe73584925ab574d9eecda5dfde6e384fa74e834ee7a83

SHA512
76f1161112842f38263d9c6acfab4189cd1a808ce8bd75964cc1f53c1635f48cbd3d1d66768b399def56de986074ba432bc1b5531690e893f945ac102855e1dd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\norm2.bmp.exe
Filesize
199KB

MD5
d6728282f4a78d3940539cc8064c9e22

SHA1
b1ca5ebd044ab729a1856c85c8b18e2018cae344

SHA256
d6d9b00f01d8945d10b0e1febe4d83d9102852f5988b2be5fb806aac03174bc9

SHA512
3e26de9ef82c25c817d45087aaefc81d7831a359b9970409cac109bc32fb7085e270954733f8d2b86200526768bb59424b1c378b603cfc1efaf4d8b6c3a6d16e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\norm2.bmp.exe
Filesize
199KB

MD5
d6728282f4a78d3940539cc8064c9e22

SHA1
b1ca5ebd044ab729a1856c85c8b18e2018cae344

SHA256
d6d9b00f01d8945d10b0e1febe4d83d9102852f5988b2be5fb806aac03174bc9

SHA512
3e26de9ef82c25c817d45087aaefc81d7831a359b9970409cac109bc32fb7085e270954733f8d2b86200526768bb59424b1c378b603cfc1efaf4d8b6c3a6d16e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_2.bmp.exe
Filesize
353KB

MD5
6023f31ff76703b4c7d00d4d72706b36

SHA1
234bff16678085a140edd455dfce8ae3a83cb0fb

SHA256
2d12e4f66db97f46c1bd6c4bbffcd84766dcb61bf114e2d6a00c01157badf19f

SHA512
3e00e7cc659a0aa2e3724f4118edb4de1b43b719fd89d8a7e71969bc4e2aabc43c381467c13cbbed49f051922d9c1225c4d3b38de49482e0295e258b5205a2bc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_2.bmp.exe
Filesize
353KB

MD5
6023f31ff76703b4c7d00d4d72706b36

SHA1
234bff16678085a140edd455dfce8ae3a83cb0fb

SHA256
2d12e4f66db97f46c1bd6c4bbffcd84766dcb61bf114e2d6a00c01157badf19f

SHA512
3e00e7cc659a0aa2e3724f4118edb4de1b43b719fd89d8a7e71969bc4e2aabc43c381467c13cbbed49f051922d9c1225c4d3b38de49482e0295e258b5205a2bc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe
Filesize
4.0MB

MD5
23e195e5f5a1d168b084c5ba124dfb47

SHA1
302ebac608b9ca82f2780f354e70c4628e325190

SHA256
ceb347eb751265cf60634b7d017feea6665a78ae17ec1e51ddecee791662dd71

SHA512
d5c46958033ccdf063abc354e5b6b513ea1520ed6bf1b0550d53854ddfc86d3954a2b0290284fc55acb412be4151ba72caf172677a9892d14999d633dacad6a3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe
Filesize
4.0MB

MD5
23e195e5f5a1d168b084c5ba124dfb47

SHA1
302ebac608b9ca82f2780f354e70c4628e325190

SHA256
ceb347eb751265cf60634b7d017feea6665a78ae17ec1e51ddecee791662dd71

SHA512
d5c46958033ccdf063abc354e5b6b513ea1520ed6bf1b0550d53854ddfc86d3954a2b0290284fc55acb412be4151ba72caf172677a9892d14999d633dacad6a3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\prolivv.bmp.exe
Filesize
1.8MB

MD5
a84338fbfb66adbef7b83b5cd4d3ed8f

SHA1
c611983fc664000da467d7b0f47a85794a51e059

SHA256
cc1d7a95962068a79420a3fa92a9d32b7fdd267bf23c6bae880b0c39d2548d15

SHA512
a0442d338eddd8137280b8177554a418e53af7ed29be0f6fc99df19de548f0144303a26eed66ebf9f341b21263b1307b9ecdff28b4aa4e11b57330f2dacc7e86

Download Submit
C:\Users\Admin\Pictures\Adobe Films\prolivv.bmp.exe
Filesize
1.8MB

MD5
a84338fbfb66adbef7b83b5cd4d3ed8f

SHA1
c611983fc664000da467d7b0f47a85794a51e059

SHA256
cc1d7a95962068a79420a3fa92a9d32b7fdd267bf23c6bae880b0c39d2548d15

SHA512
a0442d338eddd8137280b8177554a418e53af7ed29be0f6fc99df19de548f0144303a26eed66ebf9f341b21263b1307b9ecdff28b4aa4e11b57330f2dacc7e86

Download Submit
C:\Users\Admin\Pictures\Adobe Films\real1801.bmp.exe
Filesize
443KB

MD5
87ff0b64fabbac1fbbd598d2613cae53

SHA1
db0c3e52f9388e699925cfc05d087c2613e7af2f

SHA256
fc87527ede2648a39ff16f55bb8dffa46e65d2b04b5ac2d67d05a39bd429f9a8

SHA512
51f166c30fc646027005b2677bc858665626ecb5dba135cc1b619684e079cc61c627eb253e888fd9cc59e753b25e786e670359c76e94a4de2d936ad339107f1a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\real1801.bmp.exe
Filesize
443KB

MD5
87ff0b64fabbac1fbbd598d2613cae53

SHA1
db0c3e52f9388e699925cfc05d087c2613e7af2f

SHA256
fc87527ede2648a39ff16f55bb8dffa46e65d2b04b5ac2d67d05a39bd429f9a8

SHA512
51f166c30fc646027005b2677bc858665626ecb5dba135cc1b619684e079cc61c627eb253e888fd9cc59e753b25e786e670359c76e94a4de2d936ad339107f1a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
Filesize
393KB

MD5
dd2d48c4f9266f9d8e466910fccf104e

SHA1
498469726fc4f7bedcaa04bc5d401992a5e14838

SHA256
6a1628771731ecb4307adde305886c618a47856c201cb109ebcec05909c6a8fe

SHA512
6afaf922c299343cde5cca89b2e68117d941ddb9c3a157c8610d0a8bb1666e4f9ed196373efbc266c0db1abaa0d386d7fe14531ce3aed0104f3b2c7b613c079e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
Filesize
393KB

MD5
dd2d48c4f9266f9d8e466910fccf104e

SHA1
498469726fc4f7bedcaa04bc5d401992a5e14838

SHA256
6a1628771731ecb4307adde305886c618a47856c201cb109ebcec05909c6a8fe

SHA512
6afaf922c299343cde5cca89b2e68117d941ddb9c3a157c8610d0a8bb1666e4f9ed196373efbc266c0db1abaa0d386d7fe14531ce3aed0104f3b2c7b613c079e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
Filesize
848KB

MD5
9888831bbf23b1d83af23b2d373556d5

SHA1
1721d66010be897e384089fc71a8beda9e9ad05c

SHA256
97f10a9dc49e9be3fad477aadb75de84fdf8eca76c7029a6c1b05d5ca9738b79

SHA512
e7e24410c11e77ed2b92d87a55ecdbd6b13f03b635d3bbe92f5ec042d91965dcaa3a831bf189d8b69926c75a81c164943c4edeae2db1d3d4f28935b59ff3cabe

Download Submit
C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
Filesize
848KB

MD5
9888831bbf23b1d83af23b2d373556d5

SHA1
1721d66010be897e384089fc71a8beda9e9ad05c

SHA256
97f10a9dc49e9be3fad477aadb75de84fdf8eca76c7029a6c1b05d5ca9738b79

SHA512
e7e24410c11e77ed2b92d87a55ecdbd6b13f03b635d3bbe92f5ec042d91965dcaa3a831bf189d8b69926c75a81c164943c4edeae2db1d3d4f28935b59ff3cabe

Download Submit
C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
Filesize
848KB

MD5
9888831bbf23b1d83af23b2d373556d5

SHA1
1721d66010be897e384089fc71a8beda9e9ad05c

SHA256
97f10a9dc49e9be3fad477aadb75de84fdf8eca76c7029a6c1b05d5ca9738b79

SHA512
e7e24410c11e77ed2b92d87a55ecdbd6b13f03b635d3bbe92f5ec042d91965dcaa3a831bf189d8b69926c75a81c164943c4edeae2db1d3d4f28935b59ff3cabe

Download Submit
C:\Users\Admin\Pictures\Adobe Films\unmatured.bmp.exe
Filesize
304KB

MD5
222baf5ecfe2873edffdd610c9d022d8

SHA1
e52abb3309d67f9eccc1e9843ffcf65e8b082a06

SHA256
ddb7ebbaa7ab0b5bc9765246f765239c6ec390c973eff6f4e4cc33e82942f1d5

SHA512
a873b249107f07385bad0508423f6f4da228742e99a98d446bd5eb8d110c1249adf1763910c2d85358216c145adb0715bf206475b62c628aa95abf04be511a44

Download Submit
C:\Users\Admin\Pictures\Adobe Films\unmatured.bmp.exe
Filesize
304KB

MD5
222baf5ecfe2873edffdd610c9d022d8

SHA1
e52abb3309d67f9eccc1e9843ffcf65e8b082a06

SHA256
ddb7ebbaa7ab0b5bc9765246f765239c6ec390c973eff6f4e4cc33e82942f1d5

SHA512
a873b249107f07385bad0508423f6f4da228742e99a98d446bd5eb8d110c1249adf1763910c2d85358216c145adb0715bf206475b62c628aa95abf04be511a44

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
Filesize
73KB

MD5
3eaa7551af183919ba48a37dfb4b1c3c

SHA1
2b600f9d269b02f6a2f21fe19741514b2c9b5968

SHA256
e42fa8e2f765d73e4cacc8cf165bcc231bb704af2cd80f3ea78c2e746154aa2d

SHA512
a7f55f312f9ddde3e841027f160d748bdea63af0be2261d8131ed17b04c557d6913968badf96ae1d42392c30c89ef553c588029212110c844d06f84cf67a85cf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
Filesize
73KB

MD5
3eaa7551af183919ba48a37dfb4b1c3c

SHA1
2b600f9d269b02f6a2f21fe19741514b2c9b5968

SHA256
e42fa8e2f765d73e4cacc8cf165bcc231bb704af2cd80f3ea78c2e746154aa2d

SHA512
a7f55f312f9ddde3e841027f160d748bdea63af0be2261d8131ed17b04c557d6913968badf96ae1d42392c30c89ef553c588029212110c844d06f84cf67a85cf

Download Submit
memory/720-288-0x0000000000000000-mapping.dmp

Download
memory/860-195-0x0000000000000000-mapping.dmp

Download
memory/960-260-0x0000000000000000-mapping.dmp

Download
memory/960-261-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1020-151-0x0000000000AE0000-0x0000000000C86000-memory.dmp

Filesize
1.6MB

Download
memory/1020-150-0x0000000000620000-0x0000000000661000-memory.dmp

Filesize
260KB

Download
memory/1020-143-0x0000000000000000-mapping.dmp

Download
memory/1020-148-0x0000000000AE0000-0x0000000000C86000-memory.dmp

Filesize
1.6MB

Download
memory/1020-147-0x0000000000AE0000-0x0000000000C86000-memory.dmp

Filesize
1.6MB

Download
memory/1020-149-0x00000000773C0000-0x00000000775D5000-memory.dmp

Filesize
2.1MB

Download
memory/1020-237-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/1020-155-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/1020-152-0x0000000073EF0000-0x0000000073F79000-memory.dmp

Filesize
548KB

Download
memory/1020-153-0x0000000075AB0000-0x0000000076063000-memory.dmp

Filesize
5.7MB

Download
memory/1020-216-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/1020-161-0x000000006D410000-0x000000006D45C000-memory.dmp

Filesize
304KB

Download
memory/1020-160-0x0000000004BA0000-0x0000000004BDC000-memory.dmp

Filesize
240KB

Download
memory/1020-156-0x0000000004CB0000-0x0000000004DBA000-memory.dmp

Filesize
1.0MB

Download
memory/1020-154-0x00000000051C0000-0x00000000057D8000-memory.dmp

Filesize
6.1MB

Download
memory/1232-181-0x0000000000000000-mapping.dmp

Download
memory/1252-198-0x0000000000000000-mapping.dmp

Download
memory/1256-241-0x0000000000000000-mapping.dmp

Download
memory/1284-157-0x0000000000000000-mapping.dmp

Download
memory/1284-175-0x0000000000400000-0x0000000002B5B000-memory.dmp

Filesize
39.4MB

Download
memory/1284-170-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1284-169-0x0000000002EBD000-0x0000000002EC6000-memory.dmp

Filesize
36KB

Download
memory/1388-182-0x0000000000000000-mapping.dmp

Download
memory/1544-236-0x0000000000000000-mapping.dmp

Download
memory/1544-275-0x0000000003830000-0x00000000039F0000-memory.dmp

Filesize
1.8MB

Download
memory/1560-218-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1560-217-0x0000000000000000-mapping.dmp

Download
memory/1560-229-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2040-242-0x0000000000000000-mapping.dmp

Download
memory/2424-289-0x0000000000000000-mapping.dmp

Download
memory/2536-197-0x0000000000000000-mapping.dmp

Download
memory/2640-281-0x0000000000000000-mapping.dmp

Download
memory/2948-208-0x00000000000A0000-0x0000000000123000-memory.dmp

Filesize
524KB

Download
memory/2948-139-0x0000000000000000-mapping.dmp

Download
memory/3000-235-0x0000000000000000-mapping.dmp

Download
memory/3088-250-0x0000000000000000-mapping.dmp

Download
memory/3088-256-0x00000000007B0000-0x00000000007C8000-memory.dmp

Filesize
96KB

Download
memory/3088-268-0x0000000005030000-0x000000000503A000-memory.dmp

Filesize
40KB

Download
memory/3148-194-0x00000000028B0000-0x00000000028C6000-memory.dmp

Filesize
88KB

Download
memory/3240-231-0x0000000077960000-0x0000000077B03000-memory.dmp

Filesize
1.6MB

Download
memory/3240-234-0x0000000000DF0000-0x0000000001468000-memory.dmp

Filesize
6.5MB

Download
memory/3240-180-0x0000000000000000-mapping.dmp

Download
memory/3360-135-0x0000000000000000-mapping.dmp

Download
memory/3416-248-0x0000000000000000-mapping.dmp

Download
memory/3672-196-0x0000000000000000-mapping.dmp

Download
memory/3700-178-0x0000000000000000-mapping.dmp

Download
memory/3840-258-0x0000000000635000-0x00000000006C6000-memory.dmp

Filesize
580KB

Download
memory/3840-259-0x0000000002320000-0x000000000243B000-memory.dmp

Filesize
1.1MB

Download
memory/3840-174-0x0000000000000000-mapping.dmp

Download
memory/3856-276-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3856-274-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3856-271-0x0000000000000000-mapping.dmp

Download
memory/3856-272-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3856-277-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3924-179-0x0000000000000000-mapping.dmp

Download
memory/3956-171-0x0000000000000000-mapping.dmp

Download
memory/4016-257-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4016-255-0x0000000000000000-mapping.dmp

Download
memory/4072-132-0x0000000000AD0000-0x0000000000B03000-memory.dmp

Filesize
204KB

Download
memory/4072-133-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4072-134-0x00000000034D0000-0x0000000003690000-memory.dmp

Filesize
1.8MB

Download
memory/4072-131-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/4336-287-0x0000000006D90000-0x0000000006DE0000-memory.dmp

Filesize
320KB

Download
memory/4336-244-0x0000000000000000-mapping.dmp

Download
memory/4336-245-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4376-168-0x0000000007100000-0x00000000076A4000-memory.dmp

Filesize
5.6MB

Download
memory/4376-138-0x0000000000000000-mapping.dmp

Download
memory/4376-163-0x0000000002D10000-0x0000000002D47000-memory.dmp

Filesize
220KB

Download
memory/4376-164-0x0000000000400000-0x0000000002B7C000-memory.dmp

Filesize
39.5MB

Download
memory/4376-162-0x0000000002D6D000-0x0000000002D96000-memory.dmp

Filesize
164KB

Download
memory/4376-230-0x0000000008720000-0x000000000873E000-memory.dmp

Filesize
120KB

Download
memory/4376-183-0x0000000008200000-0x0000000008276000-memory.dmp

Filesize
472KB

Download
memory/4460-199-0x0000000000000000-mapping.dmp

Download
memory/4584-284-0x00000000007A0000-0x0000000001061000-memory.dmp

Filesize
8.8MB

Download
memory/4584-278-0x0000000000000000-mapping.dmp

Download
memory/4924-187-0x0000000000000000-mapping.dmp

Download
memory/4960-188-0x0000000000000000-mapping.dmp

Download
memory/4968-238-0x0000000000100000-0x00000000009C1000-memory.dmp

Filesize
8.8MB

Download
memory/4968-186-0x0000000000000000-mapping.dmp

Download
memory/5072-267-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5072-262-0x0000000000000000-mapping.dmp

Download
memory/5092-165-0x0000000000000000-mapping.dmp

Download