amadey | b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01

Analysis

max time kernel
85s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe
Size

198KB
MD5

06881454143376beb76a127d1758524d
SHA1

4c6957bee8f43be7a44918f7a418270134bc4e9c
SHA256

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4bd80688a43006533c01
SHA512

abba15ced8006c48468b4375bded848c5e16cfa97006c10f09db716aac946f3d4c25f2a6f55ea7e1f473f83ba83f3cc25617ea159fd4be29c9ed9f517c0a3c67

Score

10^/10

amadey djvu redline vidar 937 @humus228p discovery evasion infostealer persistence ransomware spyware stealer suricata trojan upx vmprotect

Malware Config

Extracted

Family

amadey

Version

3.10

185.215.113.38/f8dfksdj3/index.php

Extracted

Family

djvu

http://ugll.org/test3/get.php

Attributes

extension
.zpps
offline_id
vBBkNb2o254Xzi3oCcyyfpBNyU9yOZKLh1HH5Mt1
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-wYSZeUnrpa Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: admin@helpdata.top Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0486JIjdm

rsa_pubkey.plain

Extracted

Family

vidar

Version

52.3

Botnet

937

https://t.me/hyipsdigest

https://mastodon.online/@ronxik13

Attributes

profile_id
937

Extracted

Family

redline

Botnet

@humus228p

185.215.113.24:15994

Attributes

auth_value
bb99a32fdff98741feb69d524760afae

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3780-204-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3780-212-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3780-207-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3584-199-0x0000000002130000-0x000000000224B000-memory.dmp	family_djvu
behavioral2/memory/3780-215-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4800-329-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4800-325-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe	family_redline
C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe	family_redline
C:\Users\Admin\Pictures\Adobe Films\Fenix_13.bmp.exe	family_redline
C:\Users\Admin\Pictures\Adobe Films\Fenix_13.bmp.exe	family_redline
behavioral2/memory/1516-200-0x00000000003A0000-0x00000000005E2000-memory.dmp	family_redline
behavioral2/memory/956-198-0x00000000002C0000-0x0000000000518000-memory.dmp	family_redline
behavioral2/memory/3836-247-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4364-217-0x00000000005C0000-0x000000000060F000-memory.dmp	family_vidar
behavioral2/memory/4364-221-0x0000000000400000-0x00000000004A7000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 20 IoCs

Processes:

NiceProcessX64.bmp.exefile2.exe.exeService.bmp.exeTrdngAnlzr649.exe.exeSetupMEXX.exe.exemalina.exe.exerrmix.exe.exelovera.exe.exetest3_2302.bmp.exepen4ik_v0.7b__windows_64_1.bmp.exeFJEfRXZ.exe.exefxd1.bmp.exereal2302.bmp.exeFenix_13.bmp.exeolympteam_build_crypted_6.bmp.exe6523.exe.exelol.bmp.exeMixinte23.bmp.exebuild2kEu.bmp.exewam.exe.exe

pid	process
4236	NiceProcessX64.bmp.exe
1516	file2.exe.exe
1776	Service.bmp.exe
2368	TrdngAnlzr649.exe.exe
1492	SetupMEXX.exe.exe
1304	malina.exe.exe
1592	rrmix.exe.exe
1172	lovera.exe.exe
3584	test3_2302.bmp.exe
116	pen4ik_v0.7b__windows_64_1.bmp.exe
2212	FJEfRXZ.exe.exe
3400	fxd1.bmp.exe
4364	real2302.bmp.exe
956	Fenix_13.bmp.exe
2796	olympteam_build_crypted_6.bmp.exe
2956	6523.exe.exe
4800	lol.bmp.exe
3512	Mixinte23.bmp.exe
1940	build2kEu.bmp.exe
2156	wam.exe.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64_1.bmp.exe	upx
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64_1.bmp.exe	upx
C:\Users\Admin\Pictures\Adobe Films\malina.exe.exe	upx
C:\Users\Admin\Pictures\Adobe Films\malina.exe.exe	upx

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\fxd1.bmp.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\fxd1.bmp.exe	vmprotect
behavioral2/memory/3400-192-0x0000000000080000-0x0000000000941000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe	vmprotect
behavioral2/memory/4560-274-0x0000000000A00000-0x00000000012C1000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3080 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3080	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FJEfRXZ.exe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	FJEfRXZ.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	FJEfRXZ.exe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ipinfo.io
100 ipinfo.io
115 api.2ip.ua
14 ipinfo.io
99 ipinfo.io
117 api.2ip.ua
134 ipinfo.io
135 ipinfo.io
204 api.2ip.ua
205 api.2ip.ua

flow	ioc
15	ipinfo.io
100	ipinfo.io
115	api.2ip.ua
14	ipinfo.io
99	ipinfo.io
117	api.2ip.ua
134	ipinfo.io
135	ipinfo.io
204	api.2ip.ua
205	api.2ip.ua

Drops file in Program Files directory 2 IoCs

Processes:

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4148	2368	WerFault.exe	TrdngAnlzr649.exe.exe
1548	4800	WerFault.exe	lol.bmp.exe
3476	2796	WerFault.exe	olympteam_build_crypted_6.bmp.exe
3028	3512	WerFault.exe	Mixinte23.bmp.exe
1528	1796	WerFault.exe	Mixinte23.bmp.exe
2588	3512	WerFault.exe	Mixinte23.bmp.exe
2076	3512	WerFault.exe	Mixinte23.bmp.exe
1392	1796	WerFault.exe	Mixinte23.bmp.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1976 schtasks.exe
1588 schtasks.exe
2056 schtasks.exe

pid	process
1976	schtasks.exe
1588	schtasks.exe
2056	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exeNiceProcessX64.bmp.exe

pid	process
2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe
2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe
4236	NiceProcessX64.bmp.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exeFJEfRXZ.exe.exe

description	pid	process	target process
PID 2036 wrote to memory of 4236	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	NiceProcessX64.bmp.exe
PID 2036 wrote to memory of 4236	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	NiceProcessX64.bmp.exe
PID 2036 wrote to memory of 2368	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	TrdngAnlzr649.exe.exe
PID 2036 wrote to memory of 2368	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	TrdngAnlzr649.exe.exe
PID 2036 wrote to memory of 2368	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	TrdngAnlzr649.exe.exe
PID 2036 wrote to memory of 1776	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	Service.bmp.exe
PID 2036 wrote to memory of 1776	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	Service.bmp.exe
PID 2036 wrote to memory of 1776	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	Service.bmp.exe
PID 2036 wrote to memory of 1516	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	file2.exe.exe
PID 2036 wrote to memory of 1516	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	file2.exe.exe
PID 2036 wrote to memory of 1516	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	file2.exe.exe
PID 2036 wrote to memory of 1492	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	SetupMEXX.exe.exe
PID 2036 wrote to memory of 1492	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	SetupMEXX.exe.exe
PID 2036 wrote to memory of 1492	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	SetupMEXX.exe.exe
PID 2036 wrote to memory of 3584	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	test3_2302.bmp.exe
PID 2036 wrote to memory of 3584	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	test3_2302.bmp.exe
PID 2036 wrote to memory of 3584	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	test3_2302.bmp.exe
PID 2036 wrote to memory of 1592	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	rrmix.exe.exe
PID 2036 wrote to memory of 1592	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	rrmix.exe.exe
PID 2036 wrote to memory of 1592	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	rrmix.exe.exe
PID 2036 wrote to memory of 1304	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	malina.exe.exe
PID 2036 wrote to memory of 1304	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	malina.exe.exe
PID 2036 wrote to memory of 1172	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	lovera.exe.exe
PID 2036 wrote to memory of 1172	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	lovera.exe.exe
PID 2036 wrote to memory of 1172	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	lovera.exe.exe
PID 2036 wrote to memory of 2212	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	FJEfRXZ.exe.exe
PID 2036 wrote to memory of 2212	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	FJEfRXZ.exe.exe
PID 2036 wrote to memory of 2212	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	FJEfRXZ.exe.exe
PID 2036 wrote to memory of 116	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	pen4ik_v0.7b__windows_64_1.bmp.exe
PID 2036 wrote to memory of 116	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	pen4ik_v0.7b__windows_64_1.bmp.exe
PID 2036 wrote to memory of 3400	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	fxd1.bmp.exe
PID 2036 wrote to memory of 3400	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	fxd1.bmp.exe
PID 2036 wrote to memory of 3400	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	fxd1.bmp.exe
PID 2036 wrote to memory of 4364	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	real2302.bmp.exe
PID 2036 wrote to memory of 4364	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	real2302.bmp.exe
PID 2036 wrote to memory of 4364	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	real2302.bmp.exe
PID 2036 wrote to memory of 956	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	Fenix_13.bmp.exe
PID 2036 wrote to memory of 956	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	Fenix_13.bmp.exe
PID 2036 wrote to memory of 956	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	Fenix_13.bmp.exe
PID 2036 wrote to memory of 2796	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	olympteam_build_crypted_6.bmp.exe
PID 2036 wrote to memory of 2796	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	olympteam_build_crypted_6.bmp.exe
PID 2036 wrote to memory of 2796	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	olympteam_build_crypted_6.bmp.exe
PID 2036 wrote to memory of 2956	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	6523.exe.exe
PID 2036 wrote to memory of 2956	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	6523.exe.exe
PID 2036 wrote to memory of 2956	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	6523.exe.exe
PID 2036 wrote to memory of 4800	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	lol.bmp.exe
PID 2036 wrote to memory of 4800	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	lol.bmp.exe
PID 2036 wrote to memory of 4800	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	lol.bmp.exe
PID 2036 wrote to memory of 3512	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	Mixinte23.bmp.exe
PID 2036 wrote to memory of 3512	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	Mixinte23.bmp.exe
PID 2036 wrote to memory of 3512	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	Mixinte23.bmp.exe
PID 2036 wrote to memory of 1940	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	build2kEu.bmp.exe
PID 2036 wrote to memory of 1940	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	build2kEu.bmp.exe
PID 2036 wrote to memory of 1940	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	build2kEu.bmp.exe
PID 2036 wrote to memory of 2156	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	wam.exe.exe
PID 2036 wrote to memory of 2156	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	wam.exe.exe
PID 2036 wrote to memory of 2156	2036	b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe	wam.exe.exe
PID 2212 wrote to memory of 1272	2212	FJEfRXZ.exe.exe	ftp.exe
PID 2212 wrote to memory of 1272	2212	FJEfRXZ.exe.exe	ftp.exe
PID 2212 wrote to memory of 1272	2212	FJEfRXZ.exe.exe	ftp.exe

C:\Users\Admin\AppData\Local\Temp\b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe
"C:\Users\Admin\AppData\Local\Temp\b07997fa6d97fa62edb47fe65881fb8fd7cfc025b1ac4.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4236

C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe"
2⤵
- Executes dropped EXE
PID:1516

C:\Users\Admin\Pictures\Adobe Films\TrdngAnlzr649.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\TrdngAnlzr649.exe.exe"
2⤵
- Executes dropped EXE
PID:2368

C:\Users\Admin\AppData\Local\Temp\I3JM2.exe
"C:\Users\Admin\AppData\Local\Temp\I3JM2.exe"
3⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\DAME8.exe
"C:\Users\Admin\AppData\Local\Temp\DAME8.exe"
3⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\0496C.exe
"C:\Users\Admin\AppData\Local\Temp\0496C.exe"
3⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\0496C.exe
"C:\Users\Admin\AppData\Local\Temp\0496C.exe"
3⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\C46E7.exe
"C:\Users\Admin\AppData\Local\Temp\C46E7.exe"
3⤵
PID:3156

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\g0PLM.lw
4⤵
PID:708

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\g0PLM.lw
5⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\ML004J7FC1DDH88.exe
https://iplogger.org/1x4az7
3⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 308
3⤵
- Program crash
PID:4148

C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe"
2⤵
- Executes dropped EXE
PID:1776

C:\Users\Admin\Documents\AtSO3oSAEJ_9QcO2sM6w1IVB.exe
"C:\Users\Admin\Documents\AtSO3oSAEJ_9QcO2sM6w1IVB.exe"
3⤵
PID:1660

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
4⤵
PID:672

C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe"
4⤵
PID:4020

C:\Windows\SysWOW64\ftp.exe
ftp -?
5⤵
PID:4704

C:\Users\Admin\Pictures\Adobe Films\Mixinte23.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Mixinte23.bmp.exe"
4⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 424
5⤵
- Program crash
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 696
5⤵
- Program crash
PID:1392

C:\Users\Admin\Pictures\Adobe Films\setup777.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\setup777.exe.exe"
4⤵
PID:952

C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe"
4⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\7zSB512.tmp\Install.exe
.\Install.exe
5⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\7zSDCCE.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
PID:3592

C:\Users\Admin\Pictures\Adobe Films\search_hyperfs_310.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\search_hyperfs_310.exe.exe"
4⤵
PID:1468

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\g0PLM.lw
5⤵
PID:4416

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\g0PLM.lw
6⤵
PID:2068

C:\Users\Admin\Pictures\Adobe Films\download2.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\download2.exe.exe"
4⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe"
5⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\0437E.exe
"C:\Users\Admin\AppData\Local\Temp\0437E.exe"
6⤵
PID:5272

C:\Users\Admin\AppData\Local\Temp\2GILI.exe
"C:\Users\Admin\AppData\Local\Temp\2GILI.exe"
6⤵
PID:5360

C:\Users\Admin\AppData\Local\Temp\0437E.exe
"C:\Users\Admin\AppData\Local\Temp\0437E.exe"
6⤵
PID:5320

C:\Users\Admin\AppData\Local\Temp\4CAB6.exe
"C:\Users\Admin\AppData\Local\Temp\4CAB6.exe"
6⤵
PID:5420

C:\Users\Admin\AppData\Local\Temp\MF3G2.exe
"C:\Users\Admin\AppData\Local\Temp\MF3G2.exe"
6⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\InvisBrowser45856.exe
"C:\Users\Admin\AppData\Local\Temp\InvisBrowser45856.exe"
5⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\handselfdiy_8.exe
"C:\Users\Admin\AppData\Local\Temp\handselfdiy_8.exe"
5⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\setup331.exe
"C:\Users\Admin\AppData\Local\Temp\setup331.exe"
5⤵
PID:4516

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" n7L~ATW.5 /s
6⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\zhangj.exe
"C:\Users\Admin\AppData\Local\Temp\zhangj.exe"
5⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\zhangj.exe
"C:\Users\Admin\AppData\Local\Temp\zhangj.exe" -h
6⤵
PID:5172

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
5⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\rtst1077.exe
"C:\Users\Admin\AppData\Local\Temp\rtst1077.exe"
5⤵
PID:5468

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2056

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1976

C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe"
2⤵
- Executes dropped EXE
PID:1492

C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe"
2⤵
- Executes dropped EXE
PID:3584

C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe"
3⤵
PID:3780

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b135e569-0a2d-494b-9f57-92ac63862f48" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:3080

C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:3296

C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe" --Admin IsNotAutoStart IsNotTask
5⤵
PID:4800

C:\Users\Admin\Pictures\Adobe Films\malina.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\malina.exe.exe"
2⤵
- Executes dropped EXE
PID:1304

C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe"
2⤵
- Executes dropped EXE
PID:1592

C:\Users\Admin\Pictures\Adobe Films\lovera.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\lovera.exe.exe"
2⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\Pictures\Adobe Films\fxd1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\fxd1.bmp.exe"
2⤵
- Executes dropped EXE
PID:3400

C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe"
3⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8c7aecc852\
4⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8c7aecc852\
5⤵
PID:2820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe" /F
4⤵
- Creates scheduled task(s)
PID:1588

C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64_1.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64_1.bmp.exe"
2⤵
- Executes dropped EXE
PID:116

C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\ftp.exe
ftp -?
3⤵
PID:1272

C:\Users\Admin\Pictures\Adobe Films\Fenix_13.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Fenix_13.bmp.exe"
2⤵
- Executes dropped EXE
PID:956

C:\Users\Admin\Pictures\Adobe Films\real2302.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\real2302.bmp.exe"
2⤵
- Executes dropped EXE
PID:4364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im real2302.bmp.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\real2302.bmp.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:5344

C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_6.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_6.bmp.exe"
2⤵
- Executes dropped EXE
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 284
3⤵
- Program crash
PID:3476

C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe"
2⤵
- Executes dropped EXE
PID:2956

C:\Users\Admin\Pictures\Adobe Films\build2kEu.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\build2kEu.bmp.exe"
2⤵
- Executes dropped EXE
PID:1940

C:\Users\Admin\Pictures\Adobe Films\Mixinte23.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\Mixinte23.bmp.exe"
2⤵
- Executes dropped EXE
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 788
3⤵
- Program crash
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 796
3⤵
- Program crash
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 856
3⤵
- Program crash
PID:2076

C:\Users\Admin\Pictures\Adobe Films\lol.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\lol.bmp.exe"
2⤵
- Executes dropped EXE
PID:4800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 160
3⤵
- Program crash
PID:1548

C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe"
2⤵
- Executes dropped EXE
PID:2156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 45
3⤵
PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3512 -ip 3512
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2368 -ip 2368
1⤵
PID:260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4800 -ip 4800
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2796 -ip 2796
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3512 -ip 3512
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3512 -ip 3512
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1796 -ip 1796
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3512 -ip 3512
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1796 -ip 1796
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4364 -ip 4364
1⤵
PID:5392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9
Filesize
506B

MD5
5fc36ce8b4819f6c35207fcc1671e6e8

SHA1
7325d93245ecd4a669db510e8303c7db64923978

SHA256
18622c19015bf646c93b3296c0b4bfc38dd3f189db67890c471df9c3dddc2643

SHA512
9744c038e9df5f839acf9e8f6748c3db3a9cfaf957f39aadc6896ca691bc6b46f71ae357eb4448d63c0b06b9f7f36cff46379d02f6286c299fc9ef652d78e356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
637762595675ea193b480936cde6bb1a

SHA1
c180d4a0c5a497f1d0ad5442acc1455064462c77

SHA256
e64b2e14648f6fdcc365511af3be5276fd4b0731c195a4b5e5032c3dc9b57629

SHA512
7c754d1cd4f7bf97c81340002d4eefa291684c1cdb1106836234721e25642acf7b727b9c8c72689b02a0731abf1c330065272a7c783707ae6c26c73970a5fbc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9
Filesize
248B

MD5
5fb381561b8e4e08ce0f29d26d6e5a68

SHA1
ea9800ad71f788f68538cf57535a0d0f1fbc6516

SHA256
6752d40604c4a62e234b1368c37ed7bacfddbb7b51164250d4e1dcb4ca79ba7c

SHA512
52d7e4bbf0deb90adff989bbb8e9517ed862130e3f1c4867d1d3642d8f6c6ac4fa3bb6a36b9de89744ed0440c43cf9db6c8aceadcc8b3135cb541658a2dcc78c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
408B

MD5
4f32501817d2f1d7a0192dae835a550e

SHA1
789ed3c4e9c78a0839cba510418ab605872d091d

SHA256
c4309a9a5f9defab58a21935af9b4c52130e87f4ce931a873836f98b76d5c601

SHA512
5913c2ebeabda66e554c70060fd2b51335e7fbe5b2b21afa8512620cf293c98c0e0d75a7fa87763901dfb2eaaf544715873365b9d02f7a2bb2cd5a5bc46cc4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0496C.exe
Filesize
405KB

MD5
5a7a4a08e04bdf5ff193e3878f9f5a94

SHA1
d5a83c490b059279ccf231ab5d8f4d7d952737f2

SHA256
45b74ee8834454e9867c7aaafdb50d861b0f645647fcf12c328c156b415af3d6

SHA512
1db48d1381a922cdc10fa21c96ba339a467824fd152821a09727c46e327874a9c312ad227cf09f872b2acbf883dbe3665b83839eff1a89f1af11a6c6147e2624

Download Submit
C:\Users\Admin\AppData\Local\Temp\0496C.exe
Filesize
405KB

MD5
5a7a4a08e04bdf5ff193e3878f9f5a94

SHA1
d5a83c490b059279ccf231ab5d8f4d7d952737f2

SHA256
45b74ee8834454e9867c7aaafdb50d861b0f645647fcf12c328c156b415af3d6

SHA512
1db48d1381a922cdc10fa21c96ba339a467824fd152821a09727c46e327874a9c312ad227cf09f872b2acbf883dbe3665b83839eff1a89f1af11a6c6147e2624

Download Submit
C:\Users\Admin\AppData\Local\Temp\0496C.exe
Filesize
405KB

MD5
5a7a4a08e04bdf5ff193e3878f9f5a94

SHA1
d5a83c490b059279ccf231ab5d8f4d7d952737f2

SHA256
45b74ee8834454e9867c7aaafdb50d861b0f645647fcf12c328c156b415af3d6

SHA512
1db48d1381a922cdc10fa21c96ba339a467824fd152821a09727c46e327874a9c312ad227cf09f872b2acbf883dbe3665b83839eff1a89f1af11a6c6147e2624

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\C46E7.exe
Filesize
2.0MB

MD5
09e435274ff2f3f7fd404c81855700c4

SHA1
0671bf4bb88541bf7258511de4278c19b9311911

SHA256
02e6c166c32137a4a9dd3a23977c8742ab0e3207f8d013c3e630b5d974302379

SHA512
000e7c0f55854bb76b4bc7ed9b6eff5f4c09b274a3aec90a62cd0dfffef133ce820f0f9f2a1795f4232f735df449c96c28fcb2a8e1204e412a53269af84cafa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C46E7.exe
Filesize
2.0MB

MD5
09e435274ff2f3f7fd404c81855700c4

SHA1
0671bf4bb88541bf7258511de4278c19b9311911

SHA256
02e6c166c32137a4a9dd3a23977c8742ab0e3207f8d013c3e630b5d974302379

SHA512
000e7c0f55854bb76b4bc7ed9b6eff5f4c09b274a3aec90a62cd0dfffef133ce820f0f9f2a1795f4232f735df449c96c28fcb2a8e1204e412a53269af84cafa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAME8.exe
Filesize
397KB

MD5
19f7fd710ee944e138057fd178ddfc94

SHA1
cfb6d6686c2b894c6672e9b00b3ca43cddfc7cc8

SHA256
959c0ef7180f57d3159570b691671e9a51833c193d9727d374d7965740fb0b57

SHA512
b3a9f2f5a3ccb770d63d6e7edfefabd1390433329ab7da84125cc875ad277d36cdf18558258a9d6b9301a1d6c5a85c825419946ab047516595f069d4f154a2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAME8.exe
Filesize
397KB

MD5
19f7fd710ee944e138057fd178ddfc94

SHA1
cfb6d6686c2b894c6672e9b00b3ca43cddfc7cc8

SHA256
959c0ef7180f57d3159570b691671e9a51833c193d9727d374d7965740fb0b57

SHA512
b3a9f2f5a3ccb770d63d6e7edfefabd1390433329ab7da84125cc875ad277d36cdf18558258a9d6b9301a1d6c5a85c825419946ab047516595f069d4f154a2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\I3JM2.exe
Filesize
414KB

MD5
474f5218c9c02012527e1fa3ba49134c

SHA1
0c0da64f94dc01a4808082c2c004f727cea2afe0

SHA256
c911528baa904d1f763fbd4f383e44528fbdbb3345403b54c2c92c9ee10294db

SHA512
ebef596faba126a0f5b480f600e263b29c5c9199479b6e9c90ecdc30f1db1c4ebaddd34a7d21e7c0caa64b5e945a05fc69fee6d003fd5494c92ad17fcfdb7b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\I3JM2.exe
Filesize
414KB

MD5
474f5218c9c02012527e1fa3ba49134c

SHA1
0c0da64f94dc01a4808082c2c004f727cea2afe0

SHA256
c911528baa904d1f763fbd4f383e44528fbdbb3345403b54c2c92c9ee10294db

SHA512
ebef596faba126a0f5b480f600e263b29c5c9199479b6e9c90ecdc30f1db1c4ebaddd34a7d21e7c0caa64b5e945a05fc69fee6d003fd5494c92ad17fcfdb7b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ML004J7FC1DDH88.exe
Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\ML004J7FC1DDH88.exe
Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\b135e569-0a2d-494b-9f57-92ac63862f48\test3_2302.bmp.exe
Filesize
793KB

MD5
34e5e37fee16506939fee08d5a4ca6d1

SHA1
d0d03de4beb28dff0d78575eebcb343569bc2454

SHA256
0a837dbd2c91c18baef52d74b5ea8816409088b403b4685cc79c448de00c80be

SHA512
8b784ca1ccbf7aeef48e90629f199fa5d859170ebc6385e908bb494e78f59036855c1c99b34bfef706256705bd6232966e3294d9a111a0ff3e719eed58ad9908

Download Submit
C:\Users\Admin\Documents\AtSO3oSAEJ_9QcO2sM6w1IVB.exe
Filesize
232KB

MD5
5546c1ab6768292b78c746d9ea627f4a

SHA1
be3bf3f21b6101099bcfd7203a179829aea4b435

SHA256
93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

SHA512
90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

Download Submit
C:\Users\Admin\Documents\AtSO3oSAEJ_9QcO2sM6w1IVB.exe
Filesize
232KB

MD5
5546c1ab6768292b78c746d9ea627f4a

SHA1
be3bf3f21b6101099bcfd7203a179829aea4b435

SHA256
93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

SHA512
90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
Filesize
273KB

MD5
498edf86b1c3d87a7f5d69b141536968

SHA1
7c51719681e310e261e08391398538831d756f87

SHA256
199f07c53739985d2bc2ac07a9e17106e0cb1a318946b5155635e9b4cb388f9f

SHA512
b271f050825aeaba4e2943f5692af287b99ec3f91a93173c1e15c4e0c7c077e239f7b8fc4e7db8394b358e6afd8db3d02d6a048dfbcb55542610aafa5e8934cf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6523.exe.exe
Filesize
273KB

MD5
498edf86b1c3d87a7f5d69b141536968

SHA1
7c51719681e310e261e08391398538831d756f87

SHA256
199f07c53739985d2bc2ac07a9e17106e0cb1a318946b5155635e9b4cb388f9f

SHA512
b271f050825aeaba4e2943f5692af287b99ec3f91a93173c1e15c4e0c7c077e239f7b8fc4e7db8394b358e6afd8db3d02d6a048dfbcb55542610aafa5e8934cf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Fenix_13.bmp.exe
Filesize
2.3MB

MD5
d06053f19afb27cad9ec2a464b0c7e6a

SHA1
15746b7ad1c74cf09154dbfc78674d61e6308956

SHA256
1db889f76936865004f03f71ab4e683bb696ab5790844e71632c87eb19708e26

SHA512
112fa4c14334e01657eceeace1e4a49ab14cd8262dae6ad9bb4241b38829c212a4a1b68180733c0135fee9c102c68b828500ffe69828304c3aa26578182c7afb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Fenix_13.bmp.exe
Filesize
2.3MB

MD5
d06053f19afb27cad9ec2a464b0c7e6a

SHA1
15746b7ad1c74cf09154dbfc78674d61e6308956

SHA256
1db889f76936865004f03f71ab4e683bb696ab5790844e71632c87eb19708e26

SHA512
112fa4c14334e01657eceeace1e4a49ab14cd8262dae6ad9bb4241b38829c212a4a1b68180733c0135fee9c102c68b828500ffe69828304c3aa26578182c7afb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Mixinte23.bmp.exe
Filesize
362KB

MD5
e65389971e6b1600cd9ba471eb0fc919

SHA1
fba787594902a0b17051ab9207d90a64e2180886

SHA256
c99b400662f4c707645a9530ce2e5388b8056068310106679b7d59515fedaef2

SHA512
499957619f17a1a2753f839d12c7475a4d59692f4a599ed7a1d7d03639a8e22ba098d513fbad81f38211fc59550cacd7669323003f22226acb97c423931b1c8d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Mixinte23.bmp.exe
Filesize
362KB

MD5
e65389971e6b1600cd9ba471eb0fc919

SHA1
fba787594902a0b17051ab9207d90a64e2180886

SHA256
c99b400662f4c707645a9530ce2e5388b8056068310106679b7d59515fedaef2

SHA512
499957619f17a1a2753f839d12c7475a4d59692f4a599ed7a1d7d03639a8e22ba098d513fbad81f38211fc59550cacd7669323003f22226acb97c423931b1c8d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Service.bmp.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
Filesize
404KB

MD5
8942865f2de463a60382cf0b98aff5a2

SHA1
9f60cbe3b0bc1134ae55dbc491a798c3fd1ae11b

SHA256
1cd6554f09f75e739a84261f57defaa5d1f21a76cd6c36bdaac64baa2ba04625

SHA512
14cc4291cdae4578460b6760553d45036160760814147be12196632f0341632b557ea4d1300eec29c781f6b661fe80edb5cd0f6b37ad550ee405ba7825dbedf8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SetupMEXX.exe.exe
Filesize
404KB

MD5
8942865f2de463a60382cf0b98aff5a2

SHA1
9f60cbe3b0bc1134ae55dbc491a798c3fd1ae11b

SHA256
1cd6554f09f75e739a84261f57defaa5d1f21a76cd6c36bdaac64baa2ba04625

SHA512
14cc4291cdae4578460b6760553d45036160760814147be12196632f0341632b557ea4d1300eec29c781f6b661fe80edb5cd0f6b37ad550ee405ba7825dbedf8

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TrdngAnlzr649.exe.exe
Filesize
277KB

MD5
3a9b0f049c8661a872a9fc2779de887e

SHA1
0d8d4dd7bd39747bdc11f57345fe2d3b677169fe

SHA256
69c61bf4a3560f09753747be125fe6714704591cb6affd155a3c0e5cec2ec93f

SHA512
16bf49d6eb2581f4094d7d86335119300a0aaf068d3b3389bfad54c361e95045c72c53db316c6528b2d0c4a1bf708ca89828f7c2f3bfc4be561dc15cf8379613

Download Submit
C:\Users\Admin\Pictures\Adobe Films\TrdngAnlzr649.exe.exe
Filesize
277KB

MD5
3a9b0f049c8661a872a9fc2779de887e

SHA1
0d8d4dd7bd39747bdc11f57345fe2d3b677169fe

SHA256
69c61bf4a3560f09753747be125fe6714704591cb6affd155a3c0e5cec2ec93f

SHA512
16bf49d6eb2581f4094d7d86335119300a0aaf068d3b3389bfad54c361e95045c72c53db316c6528b2d0c4a1bf708ca89828f7c2f3bfc4be561dc15cf8379613

Download Submit
C:\Users\Admin\Pictures\Adobe Films\build2kEu.bmp.exe
Filesize
2.6MB

MD5
89de5dec1c1e8698d01d5e82ffddce2b

SHA1
dd038824c59bf3e458efa7c3232164205a08e696

SHA256
ee6d7b1250c7a25a60011a45291a4fee70821fb45f2f96ba436571820cdc4833

SHA512
51f652ae07fbf748ea8315709f6ce26c941a6f0c5b714f53cd397b83ecbf53dcd6782ad3ca5c332cf48b664ffa47cd381be27daaa04d940eca117b6c7379dc6c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\build2kEu.bmp.exe
Filesize
2.6MB

MD5
89de5dec1c1e8698d01d5e82ffddce2b

SHA1
dd038824c59bf3e458efa7c3232164205a08e696

SHA256
ee6d7b1250c7a25a60011a45291a4fee70821fb45f2f96ba436571820cdc4833

SHA512
51f652ae07fbf748ea8315709f6ce26c941a6f0c5b714f53cd397b83ecbf53dcd6782ad3ca5c332cf48b664ffa47cd381be27daaa04d940eca117b6c7379dc6c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe
Filesize
2.3MB

MD5
2a1f532bcd45137f005917a851e869a2

SHA1
dee59f5bbd691efb93ac4057167c8d75666c8c52

SHA256
a41ccf622c6aace19dcac93a9bc81edcd425e29548097125aba0210b38d9f53d

SHA512
a29df8d0eaca7bc3b0a29c5bbc4626b38514dedf2a0793353428b28bcaa560adea179fcd463bda935b48ad73a2025e9c0420fe99e10011a80d2edf5dd929fb9b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\file2.exe.exe
Filesize
2.3MB

MD5
2a1f532bcd45137f005917a851e869a2

SHA1
dee59f5bbd691efb93ac4057167c8d75666c8c52

SHA256
a41ccf622c6aace19dcac93a9bc81edcd425e29548097125aba0210b38d9f53d

SHA512
a29df8d0eaca7bc3b0a29c5bbc4626b38514dedf2a0793353428b28bcaa560adea179fcd463bda935b48ad73a2025e9c0420fe99e10011a80d2edf5dd929fb9b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fxd1.bmp.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fxd1.bmp.exe
Filesize
5.4MB

MD5
3a3706d7e37223c5f6fa0587586efe59

SHA1
980d3a6877ef89e9c972dad1c40aa6470f7b11e9

SHA256
013530b627569b2c70577679cd756dd54835439b166c896347398f6f6aef0e8d

SHA512
6441dbaa82b8619a29fef9e2d457eba68667793e8b463cf9c187bd09733904d647f6aa12b242971f5d8ae5b7e59aee753ea65a5da5a00cef04de99c4fb56c5d3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lol.bmp.exe
Filesize
2.2MB

MD5
0af5008c7168017d3d3ad4a18aeb3792

SHA1
f1151f7105d652956d7d7786f9f7865bd05a052c

SHA256
f7fef1be0f04b559fa963964cba0f93e9aee0fa4c99f6791a46edb2aed50e54f

SHA512
5e15edbf1e300606ec53a51db1e64c42d8ee5ce06511a90bd411fb8db49aa6ea96907a8f7b3757181f7d68dc4eb7e71b2c3cd55566c3cfa9ac73aa35b7535b35

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lol.bmp.exe
Filesize
2.2MB

MD5
0af5008c7168017d3d3ad4a18aeb3792

SHA1
f1151f7105d652956d7d7786f9f7865bd05a052c

SHA256
f7fef1be0f04b559fa963964cba0f93e9aee0fa4c99f6791a46edb2aed50e54f

SHA512
5e15edbf1e300606ec53a51db1e64c42d8ee5ce06511a90bd411fb8db49aa6ea96907a8f7b3757181f7d68dc4eb7e71b2c3cd55566c3cfa9ac73aa35b7535b35

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lovera.exe.exe
Filesize
414KB

MD5
bf80706e236f46c165c7d79cda16c2dd

SHA1
2e8998642704454135eff52e033db70791069401

SHA256
6b03f4302ed47b60f6a23d9a5919f84217979574acdcf798ad534032c0d3f056

SHA512
fa0e10d1268cb715307c7b6ecf78d143b44f65ccf1986dc4758bb189e1a8dde06d347a77a25f421fc79654924ae2441cc442668333dc4831413849e6a9f154d0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lovera.exe.exe
Filesize
414KB

MD5
bf80706e236f46c165c7d79cda16c2dd

SHA1
2e8998642704454135eff52e033db70791069401

SHA256
6b03f4302ed47b60f6a23d9a5919f84217979574acdcf798ad534032c0d3f056

SHA512
fa0e10d1268cb715307c7b6ecf78d143b44f65ccf1986dc4758bb189e1a8dde06d347a77a25f421fc79654924ae2441cc442668333dc4831413849e6a9f154d0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\malina.exe.exe
Filesize
4.0MB

MD5
c2035e63fef67cd014b06483ffb25d85

SHA1
1bebdcf0cc087d67efa0f8df4640de4736216ba0

SHA256
53a7a867dfacb28aad8efcd8ffb41256a3f4b717fdf50251da0de4b4b4621a1c

SHA512
96628091d71af654d012be1009613a9892a74182df8a53800f72eb8ab9c75dece6f034e2f78656049b3ad170bb6777117dcd29c34fb753d5d528a67b263601d0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\malina.exe.exe
Filesize
4.0MB

MD5
c2035e63fef67cd014b06483ffb25d85

SHA1
1bebdcf0cc087d67efa0f8df4640de4736216ba0

SHA256
53a7a867dfacb28aad8efcd8ffb41256a3f4b717fdf50251da0de4b4b4621a1c

SHA512
96628091d71af654d012be1009613a9892a74182df8a53800f72eb8ab9c75dece6f034e2f78656049b3ad170bb6777117dcd29c34fb753d5d528a67b263601d0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_6.bmp.exe
Filesize
2.3MB

MD5
2582cecaac4e585a1ed3f61b696d066e

SHA1
2a046dfbe3c71e41daf6b597230cd3937df4db84

SHA256
043b388d0e0972d3e1ed5e11bf4c9ce848c12850cbbd316cd89ec1c5b1cf7e14

SHA512
3f8064ba4ff4ee2600345520a65234687cc8217d81bdd4690ce03830a3c4c0dada3abe3518ed45a577bdd0ff4f4ac23a66a2acb77ba25d9f7288c2e66430bf3f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\olympteam_build_crypted_6.bmp.exe
Filesize
2.3MB

MD5
2582cecaac4e585a1ed3f61b696d066e

SHA1
2a046dfbe3c71e41daf6b597230cd3937df4db84

SHA256
043b388d0e0972d3e1ed5e11bf4c9ce848c12850cbbd316cd89ec1c5b1cf7e14

SHA512
3f8064ba4ff4ee2600345520a65234687cc8217d81bdd4690ce03830a3c4c0dada3abe3518ed45a577bdd0ff4f4ac23a66a2acb77ba25d9f7288c2e66430bf3f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64_1.bmp.exe
Filesize
4.0MB

MD5
23e195e5f5a1d168b084c5ba124dfb47

SHA1
302ebac608b9ca82f2780f354e70c4628e325190

SHA256
ceb347eb751265cf60634b7d017feea6665a78ae17ec1e51ddecee791662dd71

SHA512
d5c46958033ccdf063abc354e5b6b513ea1520ed6bf1b0550d53854ddfc86d3954a2b0290284fc55acb412be4151ba72caf172677a9892d14999d633dacad6a3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pen4ik_v0.7b__windows_64_1.bmp.exe
Filesize
4.0MB

MD5
23e195e5f5a1d168b084c5ba124dfb47

SHA1
302ebac608b9ca82f2780f354e70c4628e325190

SHA256
ceb347eb751265cf60634b7d017feea6665a78ae17ec1e51ddecee791662dd71

SHA512
d5c46958033ccdf063abc354e5b6b513ea1520ed6bf1b0550d53854ddfc86d3954a2b0290284fc55acb412be4151ba72caf172677a9892d14999d633dacad6a3

Download Submit
C:\Users\Admin\Pictures\Adobe Films\real2302.bmp.exe
Filesize
393KB

MD5
d44fc63831d8d499057b6e8af2249c04

SHA1
a650025df5f1250519964189f4fd7fdf2ac67870

SHA256
9c217b7b031f9f36ee43d06ad0aaecdcc6ecc07c985b177446ce1dadeaa3b36e

SHA512
179c7e531ec7eac875f51026b38dca38bbd99d611d8df5e0cd8d9870b0f7c59dcaedc563a54a7f6c479998df9fb182b4f691849a9e5b6a16eeb45dca8fdee89b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\real2302.bmp.exe
Filesize
393KB

MD5
d44fc63831d8d499057b6e8af2249c04

SHA1
a650025df5f1250519964189f4fd7fdf2ac67870

SHA256
9c217b7b031f9f36ee43d06ad0aaecdcc6ecc07c985b177446ce1dadeaa3b36e

SHA512
179c7e531ec7eac875f51026b38dca38bbd99d611d8df5e0cd8d9870b0f7c59dcaedc563a54a7f6c479998df9fb182b4f691849a9e5b6a16eeb45dca8fdee89b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
Filesize
413KB

MD5
4e3ad1812fe89e87334279738acd9fe4

SHA1
6d78d18e9d70ee5f6d24c7ecc403517d09c6899d

SHA256
c1b1a801164e37010109b65a5d33c1d7098818a0449e62f41378d3794b0b0dbf

SHA512
9d9e1e8eb769175d73555f240101ba7077b87022e1d9aa540cbfa87e9e84880a167c61af2e5b1ae5b5d10c40c9ec2cc792a3115caf1e7dc785a163651d10c94f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rrmix.exe.exe
Filesize
413KB

MD5
4e3ad1812fe89e87334279738acd9fe4

SHA1
6d78d18e9d70ee5f6d24c7ecc403517d09c6899d

SHA256
c1b1a801164e37010109b65a5d33c1d7098818a0449e62f41378d3794b0b0dbf

SHA512
9d9e1e8eb769175d73555f240101ba7077b87022e1d9aa540cbfa87e9e84880a167c61af2e5b1ae5b5d10c40c9ec2cc792a3115caf1e7dc785a163651d10c94f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe
Filesize
793KB

MD5
34e5e37fee16506939fee08d5a4ca6d1

SHA1
d0d03de4beb28dff0d78575eebcb343569bc2454

SHA256
0a837dbd2c91c18baef52d74b5ea8816409088b403b4685cc79c448de00c80be

SHA512
8b784ca1ccbf7aeef48e90629f199fa5d859170ebc6385e908bb494e78f59036855c1c99b34bfef706256705bd6232966e3294d9a111a0ff3e719eed58ad9908

Download Submit
C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe
Filesize
793KB

MD5
34e5e37fee16506939fee08d5a4ca6d1

SHA1
d0d03de4beb28dff0d78575eebcb343569bc2454

SHA256
0a837dbd2c91c18baef52d74b5ea8816409088b403b4685cc79c448de00c80be

SHA512
8b784ca1ccbf7aeef48e90629f199fa5d859170ebc6385e908bb494e78f59036855c1c99b34bfef706256705bd6232966e3294d9a111a0ff3e719eed58ad9908

Download Submit
C:\Users\Admin\Pictures\Adobe Films\test3_2302.bmp.exe
Filesize
793KB

MD5
34e5e37fee16506939fee08d5a4ca6d1

SHA1
d0d03de4beb28dff0d78575eebcb343569bc2454

SHA256
0a837dbd2c91c18baef52d74b5ea8816409088b403b4685cc79c448de00c80be

SHA512
8b784ca1ccbf7aeef48e90629f199fa5d859170ebc6385e908bb494e78f59036855c1c99b34bfef706256705bd6232966e3294d9a111a0ff3e719eed58ad9908

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
Filesize
42KB

MD5
3db068a879c93c0d66360373664f0841

SHA1
0416699ecd93ba41df14185aae1ba684c8383d6d

SHA256
00ca1bb4d44f0de4d748a9a70af4193bb0e90db1056d77872877bd6545e771db

SHA512
adadac3cac028c81535d6a79f5bf1698ee76af496d8743bb26b7127cd17ae989f79c90329f76ebedf4c710ecc5cdb210ec9c4e409c54d10fee6adf2cd5ffe2bf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\wam.exe.exe
Filesize
42KB

MD5
3db068a879c93c0d66360373664f0841

SHA1
0416699ecd93ba41df14185aae1ba684c8383d6d

SHA256
00ca1bb4d44f0de4d748a9a70af4193bb0e90db1056d77872877bd6545e771db

SHA512
adadac3cac028c81535d6a79f5bf1698ee76af496d8743bb26b7127cd17ae989f79c90329f76ebedf4c710ecc5cdb210ec9c4e409c54d10fee6adf2cd5ffe2bf

Download Submit
memory/116-143-0x0000000000000000-mapping.dmp

Download
memory/672-270-0x0000000000000000-mapping.dmp

Download
memory/708-284-0x0000000000000000-mapping.dmp

Download
memory/888-316-0x0000000000000000-mapping.dmp

Download
memory/932-282-0x0000000000000000-mapping.dmp

Download
memory/952-281-0x0000000000000000-mapping.dmp

Download
memory/956-166-0x0000000000000000-mapping.dmp

Download
memory/956-332-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/956-198-0x00000000002C0000-0x0000000000518000-memory.dmp

Filesize
2.3MB

Download
memory/956-267-0x0000000005550000-0x0000000005B68000-memory.dmp

Filesize
6.1MB

Download
memory/1072-293-0x0000000000640000-0x0000000001380000-memory.dmp

Filesize
13.2MB

Download
memory/1072-290-0x0000000000000000-mapping.dmp

Download
memory/1168-287-0x0000000004D20000-0x0000000004D5C000-memory.dmp

Filesize
240KB

Download
memory/1168-234-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1168-232-0x0000000000000000-mapping.dmp

Download
memory/1168-268-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1172-141-0x0000000000000000-mapping.dmp

Download
memory/1272-191-0x0000000000000000-mapping.dmp

Download
memory/1304-140-0x0000000000000000-mapping.dmp

Download
memory/1468-288-0x0000000000000000-mapping.dmp

Download
memory/1492-137-0x0000000000000000-mapping.dmp

Download
memory/1516-200-0x00000000003A0000-0x00000000005E2000-memory.dmp

Filesize
2.3MB

Download
memory/1516-136-0x0000000000000000-mapping.dmp

Download
memory/1588-286-0x0000000000000000-mapping.dmp

Download
memory/1592-139-0x0000000000000000-mapping.dmp

Download
memory/1660-251-0x0000000000000000-mapping.dmp

Download
memory/1660-266-0x0000000003850000-0x0000000003A10000-memory.dmp

Filesize
1.8MB

Download
memory/1776-135-0x0000000000000000-mapping.dmp

Download
memory/1796-280-0x0000000000000000-mapping.dmp

Download
memory/1928-297-0x0000000000000000-mapping.dmp

Download
memory/1940-177-0x0000000000000000-mapping.dmp

Download
memory/1940-258-0x0000000005870000-0x000000000588E000-memory.dmp

Filesize
120KB

Download
memory/1940-226-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/1940-201-0x0000000000850000-0x0000000000AEE000-memory.dmp

Filesize
2.6MB

Download
memory/1940-224-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/1940-216-0x00000000056B0000-0x0000000005726000-memory.dmp

Filesize
472KB

Download
memory/1976-257-0x0000000000000000-mapping.dmp

Download
memory/2036-130-0x0000000003D00000-0x0000000003EC0000-memory.dmp

Filesize
1.8MB

Download
memory/2056-254-0x0000000000000000-mapping.dmp

Download
memory/2068-315-0x0000000000000000-mapping.dmp

Download
memory/2068-317-0x00000000026E0000-0x00000000036E0000-memory.dmp

Filesize
16.0MB

Download
memory/2156-188-0x0000000000000000-mapping.dmp

Download
memory/2156-197-0x0000000000900000-0x0000000000912000-memory.dmp

Filesize
72KB

Download
memory/2212-142-0x0000000000000000-mapping.dmp

Download
memory/2292-333-0x0000000000000000-mapping.dmp

Download
memory/2368-208-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2368-203-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/2368-134-0x0000000000000000-mapping.dmp

Download
memory/2368-205-0x00000000005D0000-0x00000000005EF000-memory.dmp

Filesize
124KB

Download
memory/2796-168-0x0000000000000000-mapping.dmp

Download
memory/2820-322-0x0000000000000000-mapping.dmp

Download
memory/2956-174-0x0000000000000000-mapping.dmp

Download
memory/3080-265-0x0000000000000000-mapping.dmp

Download
memory/3156-233-0x0000000000000000-mapping.dmp

Download
memory/3296-289-0x0000000000000000-mapping.dmp

Download
memory/3296-328-0x0000000000512000-0x00000000005A3000-memory.dmp

Filesize
580KB

Download
memory/3380-218-0x0000000000000000-mapping.dmp

Download
memory/3400-192-0x0000000000080000-0x0000000000941000-memory.dmp

Filesize
8.8MB

Download
memory/3400-147-0x0000000000000000-mapping.dmp

Download
memory/3512-176-0x0000000000000000-mapping.dmp

Download
memory/3512-213-0x00000000005B0000-0x00000000005EF000-memory.dmp

Filesize
252KB

Download
memory/3512-210-0x0000000000772000-0x0000000000798000-memory.dmp

Filesize
152KB

Download
memory/3512-211-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/3584-199-0x0000000002130000-0x000000000224B000-memory.dmp

Filesize
1.1MB

Download
memory/3584-138-0x0000000000000000-mapping.dmp

Download
memory/3584-209-0x000000000077E000-0x000000000080F000-memory.dmp

Filesize
580KB

Download
memory/3592-323-0x0000000010000000-0x0000000010636000-memory.dmp

Filesize
6.2MB

Download
memory/3592-318-0x0000000000000000-mapping.dmp

Download
memory/3696-227-0x0000000000000000-mapping.dmp

Download
memory/3736-214-0x0000000000000000-mapping.dmp

Download
memory/3780-215-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3780-204-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3780-202-0x0000000000000000-mapping.dmp

Download
memory/3780-207-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3780-212-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3836-269-0x00000000051B0000-0x00000000052BA000-memory.dmp

Filesize
1.0MB

Download
memory/3836-246-0x0000000000000000-mapping.dmp

Download
memory/3836-247-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4004-236-0x0000000000000000-mapping.dmp

Download
memory/4004-253-0x00007FFC2DBA0000-0x00007FFC2E661000-memory.dmp

Filesize
10.8MB

Download
memory/4004-245-0x0000029F52200000-0x0000029F52206000-memory.dmp

Filesize
24KB

Download
memory/4020-277-0x0000000000000000-mapping.dmp

Download
memory/4236-131-0x0000000000000000-mapping.dmp

Download
memory/4364-195-0x00000000007C3000-0x00000000007F1000-memory.dmp

Filesize
184KB

Download
memory/4364-221-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4364-152-0x0000000000000000-mapping.dmp

Download
memory/4364-217-0x00000000005C0000-0x000000000060F000-memory.dmp

Filesize
316KB

Download
memory/4364-291-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4416-303-0x0000000000000000-mapping.dmp

Download
memory/4448-283-0x0000000000000000-mapping.dmp

Download
memory/4516-331-0x0000000000000000-mapping.dmp

Download
memory/4560-274-0x0000000000A00000-0x00000000012C1000-memory.dmp

Filesize
8.8MB

Download
memory/4560-259-0x0000000000000000-mapping.dmp

Download
memory/4564-225-0x0000000000000000-mapping.dmp

Download
memory/4704-285-0x0000000000000000-mapping.dmp

Download
memory/4800-175-0x0000000000000000-mapping.dmp

Download
memory/4800-329-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4800-231-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/4800-325-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4800-320-0x0000000000000000-mapping.dmp

Download
memory/4900-319-0x0000000000000000-mapping.dmp

Download
memory/4900-321-0x0000000000D20000-0x0000000000D82000-memory.dmp

Filesize
392KB

Download
memory/4900-341-0x000000001BE30000-0x000000001BE80000-memory.dmp

Filesize
320KB

Download
memory/5000-326-0x0000000000000000-mapping.dmp

Download
memory/5064-300-0x0000000000000000-mapping.dmp

Download
memory/5064-334-0x000000002DC40000-0x000000002DCFD000-memory.dmp

Filesize
756KB

Download
memory/5064-335-0x000000002DD00000-0x000000002DDA7000-memory.dmp

Filesize
668KB

Download
memory/5064-307-0x0000000002D30000-0x0000000003D30000-memory.dmp

Filesize
16.0MB

Download
memory/5064-340-0x000000002DD00000-0x000000002DDA7000-memory.dmp

Filesize
668KB

Download
memory/5112-338-0x0000000000000000-mapping.dmp

Download
memory/5164-337-0x0000000000000000-mapping.dmp

Download
memory/5172-336-0x0000000000000000-mapping.dmp

Download
memory/5212-339-0x0000000000000000-mapping.dmp

Download
memory/5272-343-0x0000000000000000-mapping.dmp

Download