amadey | 1b91c65e1678d7a0101659f5509c60a879ac638e2958d16bfc4100b8b1d6c825

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-04-2023 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16507e0d31203c35d54e4deca192b4bb.exe
Size

229KB
MD5

16507e0d31203c35d54e4deca192b4bb
SHA1

b25ab6686ff5fa410bc1b24fc123cc42bff78c27
SHA256

1b91c65e1678d7a0101659f5509c60a879ac638e2958d16bfc4100b8b1d6c825
SHA512

5eb3b9fde3360989c397c5c16fd3724f84f14658710fb0d6f03acf51d358df96a9cbdc0797b7af298f334c6898aacbd54bc524e38a1cad6584b260b7cf34d248
SSDEEP

6144:mKVNIG75NpcElElt/DgK1yuFShFBr2D+:/5KE6LguFS7BB

Score

10^/10

amadey aurora spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.70

212.113.119.255/joomla/index.php

Extracted

Family

aurora

89.208.103.78:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

oneetx.exetester.exeoneetx.exeoneetx.exe

pid process

984 oneetx.exe
1152 tester.exe
1632 oneetx.exe
1000 oneetx.exe
Loads dropped DLL 7 IoCs

Processes:

16507e0d31203c35d54e4deca192b4bb.exeoneetx.exerundll32.exe

pid process

1704 16507e0d31203c35d54e4deca192b4bb.exe
984 oneetx.exe
984 oneetx.exe
476 rundll32.exe
476 rundll32.exe
476 rundll32.exe
476 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

568 schtasks.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1416 systeminfo.exe

pid	process
984	oneetx.exe
1152	tester.exe
1632	oneetx.exe
1000	oneetx.exe

pid	process
1704	16507e0d31203c35d54e4deca192b4bb.exe
984	oneetx.exe
984	oneetx.exe
476	rundll32.exe
476	rundll32.exe
476	rundll32.exe
476	rundll32.exe

pid	process
568	schtasks.exe

pid	process
1416	systeminfo.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

oneetx.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	oneetx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	oneetx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	oneetx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	oneetx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	oneetx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	oneetx.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2028	powershell.exe
1380	powershell.exe
2036	powershell.exe
1744	powershell.exe
1984	powershell.exe
868	powershell.exe
1992	powershell.exe
564	powershell.exe
1816	powershell.exe
868	powershell.exe
1416	powershell.exe
1936	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1612	WMIC.exe
Token: SeSecurityPrivilege	1612	WMIC.exe
Token: SeTakeOwnershipPrivilege	1612	WMIC.exe
Token: SeLoadDriverPrivilege	1612	WMIC.exe
Token: SeSystemProfilePrivilege	1612	WMIC.exe
Token: SeSystemtimePrivilege	1612	WMIC.exe
Token: SeProfSingleProcessPrivilege	1612	WMIC.exe
Token: SeIncBasePriorityPrivilege	1612	WMIC.exe
Token: SeCreatePagefilePrivilege	1612	WMIC.exe
Token: SeBackupPrivilege	1612	WMIC.exe
Token: SeRestorePrivilege	1612	WMIC.exe
Token: SeShutdownPrivilege	1612	WMIC.exe
Token: SeDebugPrivilege	1612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1612	WMIC.exe
Token: SeRemoteShutdownPrivilege	1612	WMIC.exe
Token: SeUndockPrivilege	1612	WMIC.exe
Token: SeManageVolumePrivilege	1612	WMIC.exe
Token: 33	1612	WMIC.exe
Token: 34	1612	WMIC.exe
Token: 35	1612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1612	WMIC.exe
Token: SeSecurityPrivilege	1612	WMIC.exe
Token: SeTakeOwnershipPrivilege	1612	WMIC.exe
Token: SeLoadDriverPrivilege	1612	WMIC.exe
Token: SeSystemProfilePrivilege	1612	WMIC.exe
Token: SeSystemtimePrivilege	1612	WMIC.exe
Token: SeProfSingleProcessPrivilege	1612	WMIC.exe
Token: SeIncBasePriorityPrivilege	1612	WMIC.exe
Token: SeCreatePagefilePrivilege	1612	WMIC.exe
Token: SeBackupPrivilege	1612	WMIC.exe
Token: SeRestorePrivilege	1612	WMIC.exe
Token: SeShutdownPrivilege	1612	WMIC.exe
Token: SeDebugPrivilege	1612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1612	WMIC.exe
Token: SeRemoteShutdownPrivilege	1612	WMIC.exe
Token: SeUndockPrivilege	1612	WMIC.exe
Token: SeManageVolumePrivilege	1612	WMIC.exe
Token: 33	1612	WMIC.exe
Token: 34	1612	WMIC.exe
Token: 35	1612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1168	wmic.exe
Token: SeSecurityPrivilege	1168	wmic.exe
Token: SeTakeOwnershipPrivilege	1168	wmic.exe
Token: SeLoadDriverPrivilege	1168	wmic.exe
Token: SeSystemProfilePrivilege	1168	wmic.exe
Token: SeSystemtimePrivilege	1168	wmic.exe
Token: SeProfSingleProcessPrivilege	1168	wmic.exe
Token: SeIncBasePriorityPrivilege	1168	wmic.exe
Token: SeCreatePagefilePrivilege	1168	wmic.exe
Token: SeBackupPrivilege	1168	wmic.exe
Token: SeRestorePrivilege	1168	wmic.exe
Token: SeShutdownPrivilege	1168	wmic.exe
Token: SeDebugPrivilege	1168	wmic.exe
Token: SeSystemEnvironmentPrivilege	1168	wmic.exe
Token: SeRemoteShutdownPrivilege	1168	wmic.exe
Token: SeUndockPrivilege	1168	wmic.exe
Token: SeManageVolumePrivilege	1168	wmic.exe
Token: 33	1168	wmic.exe
Token: 34	1168	wmic.exe
Token: 35	1168	wmic.exe
Token: SeIncreaseQuotaPrivilege	1168	wmic.exe
Token: SeSecurityPrivilege	1168	wmic.exe
Token: SeTakeOwnershipPrivilege	1168	wmic.exe
Token: SeLoadDriverPrivilege	1168	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

16507e0d31203c35d54e4deca192b4bb.exe

pid process

1704 16507e0d31203c35d54e4deca192b4bb.exe

pid	process
1704	16507e0d31203c35d54e4deca192b4bb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

16507e0d31203c35d54e4deca192b4bb.exeoneetx.exetester.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1704 wrote to memory of 984	1704	16507e0d31203c35d54e4deca192b4bb.exe	oneetx.exe
PID 1704 wrote to memory of 984	1704	16507e0d31203c35d54e4deca192b4bb.exe	oneetx.exe
PID 1704 wrote to memory of 984	1704	16507e0d31203c35d54e4deca192b4bb.exe	oneetx.exe
PID 1704 wrote to memory of 984	1704	16507e0d31203c35d54e4deca192b4bb.exe	oneetx.exe
PID 984 wrote to memory of 568	984	oneetx.exe	schtasks.exe
PID 984 wrote to memory of 568	984	oneetx.exe	schtasks.exe
PID 984 wrote to memory of 568	984	oneetx.exe	schtasks.exe
PID 984 wrote to memory of 568	984	oneetx.exe	schtasks.exe
PID 984 wrote to memory of 1152	984	oneetx.exe	tester.exe
PID 984 wrote to memory of 1152	984	oneetx.exe	tester.exe
PID 984 wrote to memory of 1152	984	oneetx.exe	tester.exe
PID 984 wrote to memory of 1152	984	oneetx.exe	tester.exe
PID 1152 wrote to memory of 1620	1152	tester.exe	cmd.exe
PID 1152 wrote to memory of 1620	1152	tester.exe	cmd.exe
PID 1152 wrote to memory of 1620	1152	tester.exe	cmd.exe
PID 1152 wrote to memory of 1620	1152	tester.exe	cmd.exe
PID 1620 wrote to memory of 1612	1620	cmd.exe	WMIC.exe
PID 1620 wrote to memory of 1612	1620	cmd.exe	WMIC.exe
PID 1620 wrote to memory of 1612	1620	cmd.exe	WMIC.exe
PID 1620 wrote to memory of 1612	1620	cmd.exe	WMIC.exe
PID 1152 wrote to memory of 1168	1152	tester.exe	wmic.exe
PID 1152 wrote to memory of 1168	1152	tester.exe	wmic.exe
PID 1152 wrote to memory of 1168	1152	tester.exe	wmic.exe
PID 1152 wrote to memory of 1168	1152	tester.exe	wmic.exe
PID 1152 wrote to memory of 1712	1152	tester.exe	cmd.exe
PID 1152 wrote to memory of 1712	1152	tester.exe	cmd.exe
PID 1152 wrote to memory of 1712	1152	tester.exe	cmd.exe
PID 1152 wrote to memory of 1712	1152	tester.exe	cmd.exe
PID 1712 wrote to memory of 1164	1712	cmd.exe	WMIC.exe
PID 1712 wrote to memory of 1164	1712	cmd.exe	WMIC.exe
PID 1712 wrote to memory of 1164	1712	cmd.exe	WMIC.exe
PID 1712 wrote to memory of 1164	1712	cmd.exe	WMIC.exe
PID 1152 wrote to memory of 1372	1152	tester.exe	cmd.exe
PID 1152 wrote to memory of 1372	1152	tester.exe	cmd.exe
PID 1152 wrote to memory of 1372	1152	tester.exe	cmd.exe
PID 1152 wrote to memory of 1372	1152	tester.exe	cmd.exe
PID 1372 wrote to memory of 1988	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1988	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1988	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1988	1372	cmd.exe	WMIC.exe
PID 1152 wrote to memory of 660	1152	tester.exe	cmd.exe
PID 1152 wrote to memory of 660	1152	tester.exe	cmd.exe
PID 1152 wrote to memory of 660	1152	tester.exe	cmd.exe
PID 1152 wrote to memory of 660	1152	tester.exe	cmd.exe
PID 660 wrote to memory of 1416	660	cmd.exe	systeminfo.exe
PID 660 wrote to memory of 1416	660	cmd.exe	systeminfo.exe
PID 660 wrote to memory of 1416	660	cmd.exe	systeminfo.exe
PID 660 wrote to memory of 1416	660	cmd.exe	systeminfo.exe
PID 1152 wrote to memory of 2028	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 2028	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 2028	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 2028	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 1380	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 1380	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 1380	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 1380	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 2036	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 2036	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 2036	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 2036	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 1744	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 1744	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 1744	1152	tester.exe	powershell.exe
PID 1152 wrote to memory of 1744	1152	tester.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\16507e0d31203c35d54e4deca192b4bb.exe
"C:\Users\Admin\AppData\Local\Temp\16507e0d31203c35d54e4deca192b4bb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
  "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:568
- - C:\Users\Admin\AppData\Local\Temp\1000011001\tester.exe
    "C:\Users\Admin\AppData\Local\Temp\1000011001\tester.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1168
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        
        PID:1164
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C "wmic cpu get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1372
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        5⤵
        
        PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      cmd "/c " systeminfo
      4⤵
      Suspicious use of WriteProcessMemory
      PID:660
    - - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:1416
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "copy \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC\""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2028
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History\" \"C:\Users\Admin\AppData\Local\Temp\MRAjWwhTHc\""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1380
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\tcuAxhxKQFDaFpL\""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2036
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\SjFbcXoEFf\""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\RsWxPLDnJObCsNV\""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1984
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\lgTeMaPEZQ\""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\leQYhYzRyWJjPjz\""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1992
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\pfRFEgmota\""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\FetHsbZRjxAwnwe\""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1816
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\krBEmfdzdc\""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\EkXBAkjQZLCtTMt\""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1416
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "copy \"C:\Users\Admin\AppData\Local\Microsoft\Windows\History\" \"C:\Users\Admin\AppData\Local\Temp\TCoaNatyyi\""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1936
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:476

C:\Windows\system32\taskeng.exe
taskeng.exe {42F03355-D1A9-4E6D-94BD-05159BE5F62C} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
1⤵
PID:1572
- C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:1000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
30a37b17d0adeb9ee91940a2d74f8c91

SHA1
ec2fd332147d4e58af983761bbfc57b018f3ec08

SHA256
965929026c7a6cbc337b1d882ad47e288be17ef489bcf2e7402f73697103b5e0

SHA512
b09f8d490bf72d05682f024c0776548e22fe5c5ec595af1b776cbc94b595c32cd68cb5c9208d743d1a320bc16bcbaeee298328cb6c61ee0642ffbae004cb592c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\tester.exe

Filesize
3.1MB

MD5
90fa50b0c2dad2de89180eccc6495bdb

SHA1
eb428d525b02ada08e3dde81974b388f45fc5081

SHA256
b701f623cfec2e92c0e40c931c633caaf2d5f0874dd162e4974603ea424c60ee

SHA512
a3fb6b4ac2d148662df9e28c6b49099b4f07cbfbeb9ea9483628867c7af124be9a8bb092ce24c0914440aa8c7677418ba7d9ca017bc8b3f8524f01b2f8fd6eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\tester.exe

Filesize
3.1MB

MD5
90fa50b0c2dad2de89180eccc6495bdb

SHA1
eb428d525b02ada08e3dde81974b388f45fc5081

SHA256
b701f623cfec2e92c0e40c931c633caaf2d5f0874dd162e4974603ea424c60ee

SHA512
a3fb6b4ac2d148662df9e28c6b49099b4f07cbfbeb9ea9483628867c7af124be9a8bb092ce24c0914440aa8c7677418ba7d9ca017bc8b3f8524f01b2f8fd6eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

Filesize
229KB

MD5
16507e0d31203c35d54e4deca192b4bb

SHA1
b25ab6686ff5fa410bc1b24fc123cc42bff78c27

SHA256
1b91c65e1678d7a0101659f5509c60a879ac638e2958d16bfc4100b8b1d6c825

SHA512
5eb3b9fde3360989c397c5c16fd3724f84f14658710fb0d6f03acf51d358df96a9cbdc0797b7af298f334c6898aacbd54bc524e38a1cad6584b260b7cf34d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

Filesize
229KB

MD5
16507e0d31203c35d54e4deca192b4bb

SHA1
b25ab6686ff5fa410bc1b24fc123cc42bff78c27

SHA256
1b91c65e1678d7a0101659f5509c60a879ac638e2958d16bfc4100b8b1d6c825

SHA512
5eb3b9fde3360989c397c5c16fd3724f84f14658710fb0d6f03acf51d358df96a9cbdc0797b7af298f334c6898aacbd54bc524e38a1cad6584b260b7cf34d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

Filesize
229KB

MD5
16507e0d31203c35d54e4deca192b4bb

SHA1
b25ab6686ff5fa410bc1b24fc123cc42bff78c27

SHA256
1b91c65e1678d7a0101659f5509c60a879ac638e2958d16bfc4100b8b1d6c825

SHA512
5eb3b9fde3360989c397c5c16fd3724f84f14658710fb0d6f03acf51d358df96a9cbdc0797b7af298f334c6898aacbd54bc524e38a1cad6584b260b7cf34d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

Filesize
229KB

MD5
16507e0d31203c35d54e4deca192b4bb

SHA1
b25ab6686ff5fa410bc1b24fc123cc42bff78c27

SHA256
1b91c65e1678d7a0101659f5509c60a879ac638e2958d16bfc4100b8b1d6c825

SHA512
5eb3b9fde3360989c397c5c16fd3724f84f14658710fb0d6f03acf51d358df96a9cbdc0797b7af298f334c6898aacbd54bc524e38a1cad6584b260b7cf34d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

Filesize
229KB

MD5
16507e0d31203c35d54e4deca192b4bb

SHA1
b25ab6686ff5fa410bc1b24fc123cc42bff78c27

SHA256
1b91c65e1678d7a0101659f5509c60a879ac638e2958d16bfc4100b8b1d6c825

SHA512
5eb3b9fde3360989c397c5c16fd3724f84f14658710fb0d6f03acf51d358df96a9cbdc0797b7af298f334c6898aacbd54bc524e38a1cad6584b260b7cf34d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab20AD.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkXBAkjQZLCtTMt

Filesize
71KB

MD5
e5e81f0ae5ba9a2ac3db0a17d3c9f810

SHA1
c2d6bdf002325094ff399b1e4c36df575b48ee4f

SHA256
a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3

SHA512
cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\FetHsbZRjxAwnwe

Filesize
71KB

MD5
e5e81f0ae5ba9a2ac3db0a17d3c9f810

SHA1
c2d6bdf002325094ff399b1e4c36df575b48ee4f

SHA256
a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3

SHA512
cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRAjWwhTHc

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsWxPLDnJObCsNV

Filesize
71KB

MD5
e5e81f0ae5ba9a2ac3db0a17d3c9f810

SHA1
c2d6bdf002325094ff399b1e4c36df575b48ee4f

SHA256
a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3

SHA512
cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\SjFbcXoEFf

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar220C.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\krBEmfdzdc

Filesize
71KB

MD5
e5e81f0ae5ba9a2ac3db0a17d3c9f810

SHA1
c2d6bdf002325094ff399b1e4c36df575b48ee4f

SHA256
a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3

SHA512
cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\krBEmfdzdc

Filesize
71KB

MD5
e5e81f0ae5ba9a2ac3db0a17d3c9f810

SHA1
c2d6bdf002325094ff399b1e4c36df575b48ee4f

SHA256
a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3

SHA512
cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\leQYhYzRyWJjPjz

Filesize
71KB

MD5
e5e81f0ae5ba9a2ac3db0a17d3c9f810

SHA1
c2d6bdf002325094ff399b1e4c36df575b48ee4f

SHA256
a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3

SHA512
cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgTeMaPEZQ

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfRFEgmota

Filesize
92KB

MD5
d6492f228d1417a459765d7b9657cbba

SHA1
ef73426c3634a16ac6c15803633e77035abd032c

SHA256
75fbdce4223e0df5805b3fddc158d6c955b34b2112ed83d9967e731cc9f8cfb7

SHA512
50c5c6955ac90ccc1602bc32fc2d03808f42fbde7be46c681d7b7e99eb4cfe222a868c6c73728e4afce1b5904d7b2148c29ed5b177c38a5c1bfaf047e86b5613

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcuAxhxKQFDaFpL

Filesize
71KB

MD5
e5e81f0ae5ba9a2ac3db0a17d3c9f810

SHA1
c2d6bdf002325094ff399b1e4c36df575b48ee4f

SHA256
a9826445bacefee0847379551b63949c11cd58e505129c12743da87be48254f3

SHA512
cb77e1b933cc5c8a2ff8e0e8281f1d6d45b9d3bacbd0adef33515445fb00030cdb2cefc0b7fa22d2b2085b1751ee603027f82656c8b1c289cc71a2bdea630cce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SHEH3C2OZTOOJE5HYIGH.temp

Filesize
7KB

MD5
4c75a074242816f62fa0e6abef4fd456

SHA1
3335670c5bd35cde05922fdf4017f3211cf3efb1

SHA256
a8650d1e1ec92be89972b578924b0a86b1cd88a93651462b83fa18cb4caedc0c

SHA512
d5945d9c7da1b7373989af3abdc43177d9aa95eee2662c869c86cef25f72cc183393b34dcbf0ad65fe5ee9f58101534d673617e87adf2bd628c824da2220ea8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4c75a074242816f62fa0e6abef4fd456

SHA1
3335670c5bd35cde05922fdf4017f3211cf3efb1

SHA256
a8650d1e1ec92be89972b578924b0a86b1cd88a93651462b83fa18cb4caedc0c

SHA512
d5945d9c7da1b7373989af3abdc43177d9aa95eee2662c869c86cef25f72cc183393b34dcbf0ad65fe5ee9f58101534d673617e87adf2bd628c824da2220ea8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4c75a074242816f62fa0e6abef4fd456

SHA1
3335670c5bd35cde05922fdf4017f3211cf3efb1

SHA256
a8650d1e1ec92be89972b578924b0a86b1cd88a93651462b83fa18cb4caedc0c

SHA512
d5945d9c7da1b7373989af3abdc43177d9aa95eee2662c869c86cef25f72cc183393b34dcbf0ad65fe5ee9f58101534d673617e87adf2bd628c824da2220ea8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4c75a074242816f62fa0e6abef4fd456

SHA1
3335670c5bd35cde05922fdf4017f3211cf3efb1

SHA256
a8650d1e1ec92be89972b578924b0a86b1cd88a93651462b83fa18cb4caedc0c

SHA512
d5945d9c7da1b7373989af3abdc43177d9aa95eee2662c869c86cef25f72cc183393b34dcbf0ad65fe5ee9f58101534d673617e87adf2bd628c824da2220ea8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4c75a074242816f62fa0e6abef4fd456

SHA1
3335670c5bd35cde05922fdf4017f3211cf3efb1

SHA256
a8650d1e1ec92be89972b578924b0a86b1cd88a93651462b83fa18cb4caedc0c

SHA512
d5945d9c7da1b7373989af3abdc43177d9aa95eee2662c869c86cef25f72cc183393b34dcbf0ad65fe5ee9f58101534d673617e87adf2bd628c824da2220ea8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4c75a074242816f62fa0e6abef4fd456

SHA1
3335670c5bd35cde05922fdf4017f3211cf3efb1

SHA256
a8650d1e1ec92be89972b578924b0a86b1cd88a93651462b83fa18cb4caedc0c

SHA512
d5945d9c7da1b7373989af3abdc43177d9aa95eee2662c869c86cef25f72cc183393b34dcbf0ad65fe5ee9f58101534d673617e87adf2bd628c824da2220ea8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4c75a074242816f62fa0e6abef4fd456

SHA1
3335670c5bd35cde05922fdf4017f3211cf3efb1

SHA256
a8650d1e1ec92be89972b578924b0a86b1cd88a93651462b83fa18cb4caedc0c

SHA512
d5945d9c7da1b7373989af3abdc43177d9aa95eee2662c869c86cef25f72cc183393b34dcbf0ad65fe5ee9f58101534d673617e87adf2bd628c824da2220ea8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4c75a074242816f62fa0e6abef4fd456

SHA1
3335670c5bd35cde05922fdf4017f3211cf3efb1

SHA256
a8650d1e1ec92be89972b578924b0a86b1cd88a93651462b83fa18cb4caedc0c

SHA512
d5945d9c7da1b7373989af3abdc43177d9aa95eee2662c869c86cef25f72cc183393b34dcbf0ad65fe5ee9f58101534d673617e87adf2bd628c824da2220ea8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4c75a074242816f62fa0e6abef4fd456

SHA1
3335670c5bd35cde05922fdf4017f3211cf3efb1

SHA256
a8650d1e1ec92be89972b578924b0a86b1cd88a93651462b83fa18cb4caedc0c

SHA512
d5945d9c7da1b7373989af3abdc43177d9aa95eee2662c869c86cef25f72cc183393b34dcbf0ad65fe5ee9f58101534d673617e87adf2bd628c824da2220ea8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4c75a074242816f62fa0e6abef4fd456

SHA1
3335670c5bd35cde05922fdf4017f3211cf3efb1

SHA256
a8650d1e1ec92be89972b578924b0a86b1cd88a93651462b83fa18cb4caedc0c

SHA512
d5945d9c7da1b7373989af3abdc43177d9aa95eee2662c869c86cef25f72cc183393b34dcbf0ad65fe5ee9f58101534d673617e87adf2bd628c824da2220ea8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4c75a074242816f62fa0e6abef4fd456

SHA1
3335670c5bd35cde05922fdf4017f3211cf3efb1

SHA256
a8650d1e1ec92be89972b578924b0a86b1cd88a93651462b83fa18cb4caedc0c

SHA512
d5945d9c7da1b7373989af3abdc43177d9aa95eee2662c869c86cef25f72cc183393b34dcbf0ad65fe5ee9f58101534d673617e87adf2bd628c824da2220ea8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4c75a074242816f62fa0e6abef4fd456

SHA1
3335670c5bd35cde05922fdf4017f3211cf3efb1

SHA256
a8650d1e1ec92be89972b578924b0a86b1cd88a93651462b83fa18cb4caedc0c

SHA512
d5945d9c7da1b7373989af3abdc43177d9aa95eee2662c869c86cef25f72cc183393b34dcbf0ad65fe5ee9f58101534d673617e87adf2bd628c824da2220ea8b

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73df88d68a4f5e066784d462788cf695

SHA1
e4bfed336848d0b622fa464d40cf4bd9222aab3f

SHA256
f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

SHA512
64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73df88d68a4f5e066784d462788cf695

SHA1
e4bfed336848d0b622fa464d40cf4bd9222aab3f

SHA256
f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

SHA512
64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\1000011001\tester.exe

Filesize
3.1MB

MD5
90fa50b0c2dad2de89180eccc6495bdb

SHA1
eb428d525b02ada08e3dde81974b388f45fc5081

SHA256
b701f623cfec2e92c0e40c931c633caaf2d5f0874dd162e4974603ea424c60ee

SHA512
a3fb6b4ac2d148662df9e28c6b49099b4f07cbfbeb9ea9483628867c7af124be9a8bb092ce24c0914440aa8c7677418ba7d9ca017bc8b3f8524f01b2f8fd6eb3

Download Submit
\Users\Admin\AppData\Local\Temp\1000011001\tester.exe

Filesize
3.1MB

MD5
90fa50b0c2dad2de89180eccc6495bdb

SHA1
eb428d525b02ada08e3dde81974b388f45fc5081

SHA256
b701f623cfec2e92c0e40c931c633caaf2d5f0874dd162e4974603ea424c60ee

SHA512
a3fb6b4ac2d148662df9e28c6b49099b4f07cbfbeb9ea9483628867c7af124be9a8bb092ce24c0914440aa8c7677418ba7d9ca017bc8b3f8524f01b2f8fd6eb3

Download Submit
\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

Filesize
229KB

MD5
16507e0d31203c35d54e4deca192b4bb

SHA1
b25ab6686ff5fa410bc1b24fc123cc42bff78c27

SHA256
1b91c65e1678d7a0101659f5509c60a879ac638e2958d16bfc4100b8b1d6c825

SHA512
5eb3b9fde3360989c397c5c16fd3724f84f14658710fb0d6f03acf51d358df96a9cbdc0797b7af298f334c6898aacbd54bc524e38a1cad6584b260b7cf34d248

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73df88d68a4f5e066784d462788cf695

SHA1
e4bfed336848d0b622fa464d40cf4bd9222aab3f

SHA256
f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

SHA512
64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73df88d68a4f5e066784d462788cf695

SHA1
e4bfed336848d0b622fa464d40cf4bd9222aab3f

SHA256
f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

SHA512
64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73df88d68a4f5e066784d462788cf695

SHA1
e4bfed336848d0b622fa464d40cf4bd9222aab3f

SHA256
f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

SHA512
64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73df88d68a4f5e066784d462788cf695

SHA1
e4bfed336848d0b622fa464d40cf4bd9222aab3f

SHA256
f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

SHA512
64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

Download Submit
memory/564-284-0x0000000001F60000-0x0000000001FA0000-memory.dmp

Filesize
256KB

Download
memory/1380-237-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/1380-236-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/1816-293-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/1816-292-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/1936-318-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/1936-317-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/2028-229-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2028-230-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2036-245-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download