amadey | 88294b5ff980e8d16d46e65608fdf678666f7a8d45581f9dd6e8d3d209f93612

Analysis

max time kernel
118s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

272KB
MD5

d9a112b65110b0c6f694fb441d3fd29a
SHA1

12cbc8d4fe4e0d6bee9a3e86191cf9df8af1fcef
SHA256

88294b5ff980e8d16d46e65608fdf678666f7a8d45581f9dd6e8d3d209f93612
SHA512

0663a900f409d12ca931724250c24a54fdf2250e0c48ecd5e966bae2c9597476d955297b7f620074bea3ccd21f780a97fa00883ca814d488fe0bf66d9726815a
SSDEEP

6144:flKRLLkmt0rlGq+TN7IBQd9IDta2T5cjk5:flKRr0rEvTN7IBOIDt7Taj

Score

10^/10

amadey redline rhadamanthys france new1 discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.66

193.233.20.2/Bn89hku/index.php

Extracted

Family

redline

Botnet

france

193.233.20.5:4136

Attributes

auth_value
827023aa27bcc1cc2382e4d111feec6f

Extracted

Family

redline

Botnet

new1

176.113.115.16:4122

Attributes

auth_value
ac44cbde6633acc9d67419c7278d5c70

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect rhadamanthys stealer shellcode 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3648-201-0x0000000000470000-0x000000000048D000-memory.dmp	family_rhadamanthys
behavioral2/memory/744-204-0x0000000000580000-0x000000000059D000-memory.dmp	family_rhadamanthys
behavioral2/memory/4864-217-0x0000000000590000-0x00000000005AD000-memory.dmp	family_rhadamanthys
behavioral2/memory/3648-218-0x0000000000470000-0x000000000048D000-memory.dmp	family_rhadamanthys

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

nika.exelava.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	lava.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	lava.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	lava.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	lava.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	lava.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

mnolyk.exenika.exelava.exefranc.exenita1.exemixo.exenita.exemixo1.exetrebo1.exetrebo1.exemnolyk.exetrebo1.exetrebo1.exemnolyk.exe

pid	process
4604	mnolyk.exe
4296	nika.exe
3600	lava.exe
4580	franc.exe
4152	nita1.exe
3020	mixo.exe
4012	nita.exe
4212	mixo1.exe
3648	trebo1.exe
744	trebo1.exe
112	mnolyk.exe
4020	trebo1.exe
4864	trebo1.exe
4948	mnolyk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exemnolyk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	mnolyk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

lava.exenika.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	lava.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	nika.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mnolyk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nita.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000008051\\nita.exe"	mnolyk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

trebo1.exe

pid process

3648 trebo1.exe
3648 trebo1.exe
3648 trebo1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3648	trebo1.exe
3648	trebo1.exe
3648	trebo1.exe

Program crash 50 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1948	1180	WerFault.exe	file.exe
4224	1180	WerFault.exe	file.exe
828	1180	WerFault.exe	file.exe
5028	1180	WerFault.exe	file.exe
4320	1180	WerFault.exe	file.exe
4480	1180	WerFault.exe	file.exe
4820	1180	WerFault.exe	file.exe
4084	4604	WerFault.exe	mnolyk.exe
3508	4604	WerFault.exe	mnolyk.exe
2176	4604	WerFault.exe	mnolyk.exe
4540	4604	WerFault.exe	mnolyk.exe
4088	4604	WerFault.exe	mnolyk.exe
4052	4604	WerFault.exe	mnolyk.exe
3140	4604	WerFault.exe	mnolyk.exe
4892	4604	WerFault.exe	mnolyk.exe
2904	4604	WerFault.exe	mnolyk.exe
3936	4604	WerFault.exe	mnolyk.exe
4756	4604	WerFault.exe	mnolyk.exe
3276	4604	WerFault.exe	mnolyk.exe
3668	4604	WerFault.exe	mnolyk.exe
3104	4604	WerFault.exe	mnolyk.exe
2364	4604	WerFault.exe	mnolyk.exe
3944	4604	WerFault.exe	mnolyk.exe
3636	4604	WerFault.exe	mnolyk.exe
5028	4604	WerFault.exe	mnolyk.exe
1828	4604	WerFault.exe	mnolyk.exe
3464	4604	WerFault.exe	mnolyk.exe
4640	4604	WerFault.exe	mnolyk.exe
1340	4604	WerFault.exe	mnolyk.exe
3452	4604	WerFault.exe	mnolyk.exe
5108	4604	WerFault.exe	mnolyk.exe
2924	4604	WerFault.exe	mnolyk.exe
536	4604	WerFault.exe	mnolyk.exe
5012	4604	WerFault.exe	mnolyk.exe
4952	4604	WerFault.exe	mnolyk.exe
1476	4604	WerFault.exe	mnolyk.exe
3280	4604	WerFault.exe	mnolyk.exe
4448	4604	WerFault.exe	mnolyk.exe
2712	4604	WerFault.exe	mnolyk.exe
1412	4604	WerFault.exe	mnolyk.exe
3156	4604	WerFault.exe	mnolyk.exe
3928	4604	WerFault.exe	mnolyk.exe
1460	4604	WerFault.exe	mnolyk.exe
4084	4152	WerFault.exe	nita1.exe
3344	4012	WerFault.exe	nita.exe
3876	4212	WerFault.exe	mixo1.exe
1568	112	WerFault.exe	mnolyk.exe
3600	4604	WerFault.exe	mnolyk.exe
996	4604	WerFault.exe	mnolyk.exe
1896	4948	WerFault.exe	mnolyk.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

trebo1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	trebo1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	trebo1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	trebo1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	trebo1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	trebo1.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4012 schtasks.exe

pid	process
4012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

nika.exelava.exefranc.exemixo.exenita1.exenita.exemixo1.exe

pid	process
4296	nika.exe
4296	nika.exe
3600	lava.exe
3600	lava.exe
4580	franc.exe
3020	mixo.exe
4580	franc.exe
3020	mixo.exe
4152	nita1.exe
4152	nita1.exe
4012	nita.exe
4212	mixo1.exe
4012	nita.exe
4212	mixo1.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

nika.exelava.exefranc.exemixo.exenita1.exenita.exemixo1.exetrebo1.exe

description	pid	process
Token: SeDebugPrivilege	4296	nika.exe
Token: SeDebugPrivilege	3600	lava.exe
Token: SeDebugPrivilege	4580	franc.exe
Token: SeDebugPrivilege	3020	mixo.exe
Token: SeDebugPrivilege	4152	nita1.exe
Token: SeDebugPrivilege	4012	nita.exe
Token: SeDebugPrivilege	4212	mixo1.exe
Token: SeShutdownPrivilege	3648	trebo1.exe
Token: SeCreatePagefilePrivilege	3648	trebo1.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

file.exemnolyk.execmd.exe

description	pid	process	target process
PID 1180 wrote to memory of 4604	1180	file.exe	mnolyk.exe
PID 1180 wrote to memory of 4604	1180	file.exe	mnolyk.exe
PID 1180 wrote to memory of 4604	1180	file.exe	mnolyk.exe
PID 4604 wrote to memory of 4012	4604	mnolyk.exe	schtasks.exe
PID 4604 wrote to memory of 4012	4604	mnolyk.exe	schtasks.exe
PID 4604 wrote to memory of 4012	4604	mnolyk.exe	schtasks.exe
PID 4604 wrote to memory of 760	4604	mnolyk.exe	cmd.exe
PID 4604 wrote to memory of 760	4604	mnolyk.exe	cmd.exe
PID 4604 wrote to memory of 760	4604	mnolyk.exe	cmd.exe
PID 760 wrote to memory of 2376	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 2376	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 2376	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 5004	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 5004	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 5004	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 4948	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 4948	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 4948	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 4068	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 4068	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 4068	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 4780	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 4780	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 4780	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 2192	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 2192	760	cmd.exe	cacls.exe
PID 760 wrote to memory of 2192	760	cmd.exe	cacls.exe
PID 4604 wrote to memory of 4296	4604	mnolyk.exe	nika.exe
PID 4604 wrote to memory of 4296	4604	mnolyk.exe	nika.exe
PID 4604 wrote to memory of 3600	4604	mnolyk.exe	lava.exe
PID 4604 wrote to memory of 3600	4604	mnolyk.exe	lava.exe
PID 4604 wrote to memory of 4580	4604	mnolyk.exe	franc.exe
PID 4604 wrote to memory of 4580	4604	mnolyk.exe	franc.exe
PID 4604 wrote to memory of 4580	4604	mnolyk.exe	franc.exe
PID 4604 wrote to memory of 4152	4604	mnolyk.exe	nita1.exe
PID 4604 wrote to memory of 4152	4604	mnolyk.exe	nita1.exe
PID 4604 wrote to memory of 4152	4604	mnolyk.exe	nita1.exe
PID 4604 wrote to memory of 3020	4604	mnolyk.exe	mixo.exe
PID 4604 wrote to memory of 3020	4604	mnolyk.exe	mixo.exe
PID 4604 wrote to memory of 3020	4604	mnolyk.exe	mixo.exe
PID 4604 wrote to memory of 4012	4604	mnolyk.exe	nita.exe
PID 4604 wrote to memory of 4012	4604	mnolyk.exe	nita.exe
PID 4604 wrote to memory of 4012	4604	mnolyk.exe	nita.exe
PID 4604 wrote to memory of 4212	4604	mnolyk.exe	mixo1.exe
PID 4604 wrote to memory of 4212	4604	mnolyk.exe	mixo1.exe
PID 4604 wrote to memory of 4212	4604	mnolyk.exe	mixo1.exe
PID 4604 wrote to memory of 3648	4604	mnolyk.exe	trebo1.exe
PID 4604 wrote to memory of 3648	4604	mnolyk.exe	trebo1.exe
PID 4604 wrote to memory of 3648	4604	mnolyk.exe	trebo1.exe
PID 4604 wrote to memory of 744	4604	mnolyk.exe	trebo1.exe
PID 4604 wrote to memory of 744	4604	mnolyk.exe	trebo1.exe
PID 4604 wrote to memory of 744	4604	mnolyk.exe	trebo1.exe
PID 4604 wrote to memory of 4020	4604	mnolyk.exe	trebo1.exe
PID 4604 wrote to memory of 4020	4604	mnolyk.exe	trebo1.exe
PID 4604 wrote to memory of 4020	4604	mnolyk.exe	trebo1.exe
PID 4604 wrote to memory of 4864	4604	mnolyk.exe	trebo1.exe
PID 4604 wrote to memory of 4864	4604	mnolyk.exe	trebo1.exe
PID 4604 wrote to memory of 4864	4604	mnolyk.exe	trebo1.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 864
2⤵
- Program crash
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 948
2⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1068
2⤵
- Program crash
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 956
2⤵
- Program crash
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 956
2⤵
- Program crash
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1068
2⤵
- Program crash
PID:4480

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 584
3⤵
- Program crash
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 708
3⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 844
3⤵
- Program crash
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 852
3⤵
- Program crash
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 856
3⤵
- Program crash
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 720
3⤵
- Program crash
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1000
3⤵
- Program crash
PID:3140

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F
3⤵
- Creates scheduled task(s)
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 916
3⤵
- Program crash
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 656
3⤵
- Program crash
PID:2904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2376

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
4⤵
PID:5004

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
4⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4068

C:\Windows\SysWOW64\cacls.exe
CACLS "..\4b9a106e76" /P "Admin:N"
4⤵
PID:4780

C:\Windows\SysWOW64\cacls.exe
CACLS "..\4b9a106e76" /P "Admin:R" /E
4⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1200
3⤵
- Program crash
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 620
3⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1092
3⤵
- Program crash
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 648
3⤵
- Program crash
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1316
3⤵
- Program crash
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1280
3⤵
- Program crash
PID:2364

C:\Users\Admin\AppData\Local\Temp\1000001001\nika.exe
"C:\Users\Admin\AppData\Local\Temp\1000001001\nika.exe"
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1612
3⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1640
3⤵
- Program crash
PID:3636

C:\Users\Admin\AppData\Local\Temp\1000002001\lava.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\lava.exe"
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1612
3⤵
- Program crash
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1332
3⤵
- Program crash
PID:1828

C:\Users\Admin\AppData\Local\Temp\1000003051\franc.exe
"C:\Users\Admin\AppData\Local\Temp\1000003051\franc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1676
3⤵
- Program crash
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1616
3⤵
- Program crash
PID:4640

C:\Users\Admin\AppData\Local\Temp\1000004051\nita1.exe
"C:\Users\Admin\AppData\Local\Temp\1000004051\nita1.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1232
4⤵
- Program crash
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1612
3⤵
- Program crash
PID:1340

C:\Users\Admin\AppData\Local\Temp\1000005001\mixo.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\mixo.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1660
3⤵
- Program crash
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1712
3⤵
- Program crash
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1696
3⤵
- Program crash
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1552
3⤵
- Program crash
PID:536

C:\Users\Admin\AppData\Local\Temp\1000008051\nita.exe
"C:\Users\Admin\AppData\Local\Temp\1000008051\nita.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1232
4⤵
- Program crash
PID:3344

C:\Users\Admin\AppData\Local\Temp\1000009001\mixo1.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\mixo1.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1220
4⤵
- Program crash
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1668
3⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1612
3⤵
- Program crash
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1656
3⤵
- Program crash
PID:1476

C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe
"C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1652
3⤵
- Program crash
PID:3280

C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe
"C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe"
3⤵
- Executes dropped EXE
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1752
3⤵
- Program crash
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1816
3⤵
- Program crash
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1836
3⤵
- Program crash
PID:1412

C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe
"C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe"
3⤵
- Executes dropped EXE
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1840
3⤵
- Program crash
PID:3156

C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe
"C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe"
3⤵
- Executes dropped EXE
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1676
3⤵
- Program crash
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1908
3⤵
- Program crash
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1828
3⤵
- Program crash
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1008
3⤵
- Program crash
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 756
2⤵
- Program crash
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1180 -ip 1180
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1180 -ip 1180
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1180 -ip 1180
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1180 -ip 1180
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1180 -ip 1180
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1180 -ip 1180
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1180 -ip 1180
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4604 -ip 4604
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4604 -ip 4604
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4604 -ip 4604
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4604 -ip 4604
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4604 -ip 4604
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4604 -ip 4604
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4604 -ip 4604
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4604 -ip 4604
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4604 -ip 4604
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4604 -ip 4604
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4604 -ip 4604
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4604 -ip 4604
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4604 -ip 4604
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4604 -ip 4604
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4604 -ip 4604
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4604 -ip 4604
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4604 -ip 4604
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4604 -ip 4604
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4604 -ip 4604
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4604 -ip 4604
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4604 -ip 4604
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4604 -ip 4604
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4604 -ip 4604
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4604 -ip 4604
1⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4604 -ip 4604
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4604 -ip 4604
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4604 -ip 4604
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4604 -ip 4604
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4604 -ip 4604
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4604 -ip 4604
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4604 -ip 4604
1⤵
PID:728

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
1⤵
- Executes dropped EXE
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 312
2⤵
- Program crash
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4604 -ip 4604
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4604 -ip 4604
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4604 -ip 4604
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4604 -ip 4604
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4604 -ip 4604
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4152 -ip 4152
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4012 -ip 4012
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4212 -ip 4212
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 112 -ip 112
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4604 -ip 4604
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4604 -ip 4604
1⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 316
2⤵
- Program crash
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4948 -ip 4948
1⤵
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000001001\nika.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\nika.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\lava.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\lava.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003051\franc.exe
Filesize
175KB

MD5
6991818e08082c4c140db502d2aff79f

SHA1
020ee1da61473dcd090805343601c1ae3d265032

SHA256
aa0a99779ffa4aa30aa23c9dc9db17b250457c5902e7d06aa785be97d764c3d0

SHA512
3f02448363aabe7515f1225a3291fb1fa0185ca78a302d70dd611b7f73b1b317a486eef61c2a7489a0d4e43301fa20c5fa48cb62d26f3e20d87aaeceb8a82d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003051\franc.exe
Filesize
175KB

MD5
6991818e08082c4c140db502d2aff79f

SHA1
020ee1da61473dcd090805343601c1ae3d265032

SHA256
aa0a99779ffa4aa30aa23c9dc9db17b250457c5902e7d06aa785be97d764c3d0

SHA512
3f02448363aabe7515f1225a3291fb1fa0185ca78a302d70dd611b7f73b1b317a486eef61c2a7489a0d4e43301fa20c5fa48cb62d26f3e20d87aaeceb8a82d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004051\nita1.exe
Filesize
336KB

MD5
6dd4fd70660fe4fd43fdcd316521dee4

SHA1
c1a01f8f0b2cf669528be357e97f7cd6cbab4a50

SHA256
66967d49e5d96c09737095adf9f655361955d4b41854662ced6cc2414f780db6

SHA512
4062f3e68b9bcc37c9aec0099d1c9b1bbb0504dd6b7e78effae6be3d0b9380f487b39371a836dc73921d9c01be3cd87e85d78eb755beb95a0c28aa98ebde505e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004051\nita1.exe
Filesize
336KB

MD5
6dd4fd70660fe4fd43fdcd316521dee4

SHA1
c1a01f8f0b2cf669528be357e97f7cd6cbab4a50

SHA256
66967d49e5d96c09737095adf9f655361955d4b41854662ced6cc2414f780db6

SHA512
4062f3e68b9bcc37c9aec0099d1c9b1bbb0504dd6b7e78effae6be3d0b9380f487b39371a836dc73921d9c01be3cd87e85d78eb755beb95a0c28aa98ebde505e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\mixo.exe
Filesize
175KB

MD5
1f2c3b82599a2c08b71927d14161a891

SHA1
bb2cd9f22ff5f4125602eae38fe738df4efdfd08

SHA256
898f61de806302b411cb94d53aa9493a599038a8e1dd8ccc03801835e018cca1

SHA512
68a8b8e7b64babe0f73e92ca2ab3c933c23d1ac77c7b4de835ca42c24205b3202a4211c979bbba0a5e045f51a175307dd1caa7256cf02b47a5f0ea3456ee2106

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\mixo.exe
Filesize
175KB

MD5
1f2c3b82599a2c08b71927d14161a891

SHA1
bb2cd9f22ff5f4125602eae38fe738df4efdfd08

SHA256
898f61de806302b411cb94d53aa9493a599038a8e1dd8ccc03801835e018cca1

SHA512
68a8b8e7b64babe0f73e92ca2ab3c933c23d1ac77c7b4de835ca42c24205b3202a4211c979bbba0a5e045f51a175307dd1caa7256cf02b47a5f0ea3456ee2106

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008051\nita.exe
Filesize
336KB

MD5
6dd4fd70660fe4fd43fdcd316521dee4

SHA1
c1a01f8f0b2cf669528be357e97f7cd6cbab4a50

SHA256
66967d49e5d96c09737095adf9f655361955d4b41854662ced6cc2414f780db6

SHA512
4062f3e68b9bcc37c9aec0099d1c9b1bbb0504dd6b7e78effae6be3d0b9380f487b39371a836dc73921d9c01be3cd87e85d78eb755beb95a0c28aa98ebde505e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008051\nita.exe
Filesize
336KB

MD5
6dd4fd70660fe4fd43fdcd316521dee4

SHA1
c1a01f8f0b2cf669528be357e97f7cd6cbab4a50

SHA256
66967d49e5d96c09737095adf9f655361955d4b41854662ced6cc2414f780db6

SHA512
4062f3e68b9bcc37c9aec0099d1c9b1bbb0504dd6b7e78effae6be3d0b9380f487b39371a836dc73921d9c01be3cd87e85d78eb755beb95a0c28aa98ebde505e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\mixo1.exe
Filesize
335KB

MD5
10a05c2fcdcdeef666bf26002956a01a

SHA1
7c2b07aee55da4220aef156540576e910575daf1

SHA256
b04a7934ee8ac567f8a18985768140a51b57ccfdfc0ed0d5bb96528bf94a7146

SHA512
f3605d32efc70957f7d70fb2cf2bace4253671fdd6ba8fc3c5d5e205fe1460963963ba2513b06aaa6dc0261508e78ff5099b9639a3e4b905bf6824ae43433017

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\mixo1.exe
Filesize
335KB

MD5
10a05c2fcdcdeef666bf26002956a01a

SHA1
7c2b07aee55da4220aef156540576e910575daf1

SHA256
b04a7934ee8ac567f8a18985768140a51b57ccfdfc0ed0d5bb96528bf94a7146

SHA512
f3605d32efc70957f7d70fb2cf2bace4253671fdd6ba8fc3c5d5e205fe1460963963ba2513b06aaa6dc0261508e78ff5099b9639a3e4b905bf6824ae43433017

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe
Filesize
220KB

MD5
4b304313bfc0ce7e21da7ae0d3c82c39

SHA1
60745879faa3544b3a884843e368e668acbb6fa9

SHA256
623839847e3aa9ceda27ced8b2b29b2d4545384bc3a322eaeedd04d5d04b65bd

SHA512
2da2ec584ccde77ec35cab398272e60ec69eda24491030119110f0e389067d322cd08a04a3bdbbbeff85f43c0d739ae10a6a549e2d7a14854d1109db8d313001

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe
Filesize
220KB

MD5
4b304313bfc0ce7e21da7ae0d3c82c39

SHA1
60745879faa3544b3a884843e368e668acbb6fa9

SHA256
623839847e3aa9ceda27ced8b2b29b2d4545384bc3a322eaeedd04d5d04b65bd

SHA512
2da2ec584ccde77ec35cab398272e60ec69eda24491030119110f0e389067d322cd08a04a3bdbbbeff85f43c0d739ae10a6a549e2d7a14854d1109db8d313001

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe
Filesize
220KB

MD5
4b304313bfc0ce7e21da7ae0d3c82c39

SHA1
60745879faa3544b3a884843e368e668acbb6fa9

SHA256
623839847e3aa9ceda27ced8b2b29b2d4545384bc3a322eaeedd04d5d04b65bd

SHA512
2da2ec584ccde77ec35cab398272e60ec69eda24491030119110f0e389067d322cd08a04a3bdbbbeff85f43c0d739ae10a6a549e2d7a14854d1109db8d313001

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe
Filesize
220KB

MD5
4b304313bfc0ce7e21da7ae0d3c82c39

SHA1
60745879faa3544b3a884843e368e668acbb6fa9

SHA256
623839847e3aa9ceda27ced8b2b29b2d4545384bc3a322eaeedd04d5d04b65bd

SHA512
2da2ec584ccde77ec35cab398272e60ec69eda24491030119110f0e389067d322cd08a04a3bdbbbeff85f43c0d739ae10a6a549e2d7a14854d1109db8d313001

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\trebo1.exe
Filesize
220KB

MD5
4b304313bfc0ce7e21da7ae0d3c82c39

SHA1
60745879faa3544b3a884843e368e668acbb6fa9

SHA256
623839847e3aa9ceda27ced8b2b29b2d4545384bc3a322eaeedd04d5d04b65bd

SHA512
2da2ec584ccde77ec35cab398272e60ec69eda24491030119110f0e389067d322cd08a04a3bdbbbeff85f43c0d739ae10a6a549e2d7a14854d1109db8d313001

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
272KB

MD5
d9a112b65110b0c6f694fb441d3fd29a

SHA1
12cbc8d4fe4e0d6bee9a3e86191cf9df8af1fcef

SHA256
88294b5ff980e8d16d46e65608fdf678666f7a8d45581f9dd6e8d3d209f93612

SHA512
0663a900f409d12ca931724250c24a54fdf2250e0c48ecd5e966bae2c9597476d955297b7f620074bea3ccd21f780a97fa00883ca814d488fe0bf66d9726815a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
272KB

MD5
d9a112b65110b0c6f694fb441d3fd29a

SHA1
12cbc8d4fe4e0d6bee9a3e86191cf9df8af1fcef

SHA256
88294b5ff980e8d16d46e65608fdf678666f7a8d45581f9dd6e8d3d209f93612

SHA512
0663a900f409d12ca931724250c24a54fdf2250e0c48ecd5e966bae2c9597476d955297b7f620074bea3ccd21f780a97fa00883ca814d488fe0bf66d9726815a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
272KB

MD5
d9a112b65110b0c6f694fb441d3fd29a

SHA1
12cbc8d4fe4e0d6bee9a3e86191cf9df8af1fcef

SHA256
88294b5ff980e8d16d46e65608fdf678666f7a8d45581f9dd6e8d3d209f93612

SHA512
0663a900f409d12ca931724250c24a54fdf2250e0c48ecd5e966bae2c9597476d955297b7f620074bea3ccd21f780a97fa00883ca814d488fe0bf66d9726815a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
272KB

MD5
d9a112b65110b0c6f694fb441d3fd29a

SHA1
12cbc8d4fe4e0d6bee9a3e86191cf9df8af1fcef

SHA256
88294b5ff980e8d16d46e65608fdf678666f7a8d45581f9dd6e8d3d209f93612

SHA512
0663a900f409d12ca931724250c24a54fdf2250e0c48ecd5e966bae2c9597476d955297b7f620074bea3ccd21f780a97fa00883ca814d488fe0bf66d9726815a

Download Submit
memory/112-223-0x0000000002D6C000-0x0000000002D8A000-memory.dmp

Filesize
120KB

Download
memory/112-224-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/112-225-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/744-204-0x0000000000580000-0x000000000059D000-memory.dmp

Filesize
116KB

Download
memory/744-198-0x0000000000000000-mapping.dmp

Download
memory/744-202-0x0000000000754000-0x0000000000757000-memory.dmp

Filesize
12KB

Download
memory/760-144-0x0000000000000000-mapping.dmp

Download
memory/1180-133-0x0000000002C70000-0x0000000002D70000-memory.dmp

Filesize
1024KB

Download
memory/1180-134-0x00000000047E0000-0x000000000481C000-memory.dmp

Filesize
240KB

Download
memory/1180-135-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/1180-139-0x00000000047E0000-0x000000000481C000-memory.dmp

Filesize
240KB

Download
memory/1180-140-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/2192-150-0x0000000000000000-mapping.dmp

Download
memory/2376-145-0x0000000000000000-mapping.dmp

Download
memory/3020-185-0x0000000004DC0000-0x0000000004E26000-memory.dmp

Filesize
408KB

Download
memory/3020-172-0x0000000000000000-mapping.dmp

Download
memory/3020-175-0x0000000000180000-0x00000000001B2000-memory.dmp

Filesize
200KB

Download
memory/3020-191-0x0000000006AE0000-0x000000000700C000-memory.dmp

Filesize
5.2MB

Download
memory/3020-186-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/3600-161-0x00007FFF77D90000-0x00007FFF78851000-memory.dmp

Filesize
10.8MB

Download
memory/3600-181-0x00007FFF77D90000-0x00007FFF78851000-memory.dmp

Filesize
10.8MB

Download
memory/3600-156-0x0000000000000000-mapping.dmp

Download
memory/3648-203-0x0000000002250000-0x0000000003250000-memory.dmp

Filesize
16.0MB

Download
memory/3648-201-0x0000000000470000-0x000000000048D000-memory.dmp

Filesize
116KB

Download
memory/3648-200-0x00000000004E1000-0x00000000004E3000-memory.dmp

Filesize
8KB

Download
memory/3648-194-0x0000000000000000-mapping.dmp

Download
memory/3648-218-0x0000000000470000-0x000000000048D000-memory.dmp

Filesize
116KB

Download
memory/4012-207-0x0000000000400000-0x0000000002BBD000-memory.dmp

Filesize
39.7MB

Download
memory/4012-177-0x0000000000000000-mapping.dmp

Download
memory/4012-206-0x0000000002DF8000-0x0000000002E26000-memory.dmp

Filesize
184KB

Download
memory/4012-143-0x0000000000000000-mapping.dmp

Download
memory/4020-215-0x00000000006E4000-0x00000000006E7000-memory.dmp

Filesize
12KB

Download
memory/4020-210-0x0000000000000000-mapping.dmp

Download
memory/4068-148-0x0000000000000000-mapping.dmp

Download
memory/4152-197-0x0000000000400000-0x0000000002BBD000-memory.dmp

Filesize
39.7MB

Download
memory/4152-219-0x0000000002C68000-0x0000000002C96000-memory.dmp

Filesize
184KB

Download
memory/4152-192-0x0000000002C68000-0x0000000002C96000-memory.dmp

Filesize
184KB

Download
memory/4152-193-0x00000000047C0000-0x000000000480B000-memory.dmp

Filesize
300KB

Download
memory/4152-220-0x0000000002C68000-0x0000000002C96000-memory.dmp

Filesize
184KB

Download
memory/4152-221-0x0000000000400000-0x0000000002BBD000-memory.dmp

Filesize
39.7MB

Download
memory/4152-166-0x0000000000000000-mapping.dmp

Download
memory/4212-212-0x0000000002DC8000-0x0000000002DF6000-memory.dmp

Filesize
184KB

Download
memory/4212-209-0x0000000000400000-0x0000000002BBD000-memory.dmp

Filesize
39.7MB

Download
memory/4212-208-0x0000000002D40000-0x0000000002D8B000-memory.dmp

Filesize
300KB

Download
memory/4212-182-0x0000000000000000-mapping.dmp

Download
memory/4212-222-0x0000000002DC8000-0x0000000002DF6000-memory.dmp

Filesize
184KB

Download
memory/4296-180-0x00007FFF77D90000-0x00007FFF78851000-memory.dmp

Filesize
10.8MB

Download
memory/4296-151-0x0000000000000000-mapping.dmp

Download
memory/4296-154-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/4296-155-0x00007FFF77D90000-0x00007FFF78851000-memory.dmp

Filesize
10.8MB

Download
memory/4580-162-0x0000000000000000-mapping.dmp

Download
memory/4580-190-0x0000000006990000-0x0000000006B52000-memory.dmp

Filesize
1.8MB

Download
memory/4580-165-0x00000000005F0000-0x0000000000622000-memory.dmp

Filesize
200KB

Download
memory/4580-170-0x0000000005090000-0x000000000519A000-memory.dmp

Filesize
1.0MB

Download
memory/4580-176-0x0000000004FF0000-0x000000000502C000-memory.dmp

Filesize
240KB

Download
memory/4580-187-0x0000000005F10000-0x0000000005FA2000-memory.dmp

Filesize
584KB

Download
memory/4580-189-0x00000000060B0000-0x0000000006100000-memory.dmp

Filesize
320KB

Download
memory/4580-188-0x0000000006140000-0x00000000061B6000-memory.dmp

Filesize
472KB

Download
memory/4580-169-0x00000000055A0000-0x0000000005BB8000-memory.dmp

Filesize
6.1MB

Download
memory/4580-171-0x0000000004FD0000-0x0000000004FE2000-memory.dmp

Filesize
72KB

Download
memory/4604-142-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/4604-160-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/4604-141-0x0000000002DF8000-0x0000000002E17000-memory.dmp

Filesize
124KB

Download
memory/4604-136-0x0000000000000000-mapping.dmp

Download
memory/4604-159-0x0000000002DF8000-0x0000000002E17000-memory.dmp

Filesize
124KB

Download
memory/4780-149-0x0000000000000000-mapping.dmp

Download
memory/4864-217-0x0000000000590000-0x00000000005AD000-memory.dmp

Filesize
116KB

Download
memory/4864-216-0x0000000000784000-0x0000000000787000-memory.dmp

Filesize
12KB

Download
memory/4864-213-0x0000000000000000-mapping.dmp

Download
memory/4948-147-0x0000000000000000-mapping.dmp

Download
memory/4948-227-0x0000000002CCC000-0x0000000002CEA000-memory.dmp

Filesize
120KB

Download
memory/4948-228-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/5004-146-0x0000000000000000-mapping.dmp

Download