Analysis

  • max time kernel
    153s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/05/2023, 21:59

General

  • Target

    5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe

  • Size

    1.1MB

  • MD5

    9e7a6e732538e5b23e7deb3200e792bc

  • SHA1

    d103b9f2eb7295d4acaefcf2b9fc304efb151759

  • SHA256

    5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4

  • SHA512

    bbc1cd06453eb24bbaf95230792133353250e348c0c6d749bc07e816c5f9910e6e261bb362444200ff465af64b20683086cb86d00b16a3fa09914cff0ff1562f

  • SSDEEP

    24576:NywIRXjlTw2e+Zlb1OtR3KTcFp4bNioBaNVbeWcGuAX2cWzkl9:oV9G+/wtYT04orTeDGu42Rs

Malware Config

Extracted

  • Family
    amadey
  • Version
    3.70
  • C2
    212.113.119.255/joomla/index.php

Extracted

  • Family
    asyncrat
  • Botnet
    Default
  • C2
    127.0.0.1:6606
    127.0.0.1:7707
    127.0.0.1:8808
  • Mutex
    AsyncMutex_6SI8OkPnk
  • Attributes
    • delay
      3
    • install
      false
    • install_folder
      %AppData%
  • aes.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Detects Redline Stealer samples 3 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Windows security modification 2 TTPs 3 IoCs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe
    "C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4396
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1356
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3896
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3932
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1092
              6⤵
              • Program crash
              PID:3580
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2368
          • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3140
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4256
            • C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe
              "C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3980
              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Engine.exe
                C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Engine.exe /TH_ID=_1564 /OriginExe="C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1036
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c cmd < Yugoslavia
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4688
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3372
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell get-process avastui
                      10⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:484
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell get-process avgui
                      10⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:64
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /V /R "^TiesHighsFridayPromisedOrganismsPromotedStronglyBannersTermExplainOrganisedPhpLastingMaritime$" Finding
                      10⤵
                      PID:5104
                      • C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif
                        29190\\Bondage.exe.pif 29190\\M
                        10⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:3060
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks.exe /create /tn "dZVxEGlqbg" /tr "C:\Users\Admin\AppData\Roaming\claRXiEwVe\dZVxEGlqbg.exe.com C:\Users\Admin\AppData\Roaming\claRXiEwVe\H" /sc onlogon /F /RL HIGHEST
                          11⤵
                          • Creates scheduled task(s)
                          PID:4956
                        • C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif
                          C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif
                          11⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Checks processor information in registry
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4300
                          • C:\ProgramData\07900588628047328197.exe
                            "C:\ProgramData\07900588628047328197.exe"
                            12⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1028
                            • C:\Windows\SysWOW64\schtasks.exe
                              "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoJFlNPT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF3F.tmp"
                              13⤵
                              • Creates scheduled task(s)
                              PID:948
                            • C:\ProgramData\07900588628047328197.exe
                              "{path}"
                              13⤵
                              • Executes dropped EXE
                              PID:4748
                            • C:\ProgramData\07900588628047328197.exe
                              "{path}"
                              13⤵
                              • Executes dropped EXE
                              PID:552
                            • C:\ProgramData\07900588628047328197.exe
                              "{path}"
                              13⤵
                              • Executes dropped EXE
                              PID:4180
                            • C:\ProgramData\07900588628047328197.exe
                              "{path}"
                              13⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1036
                          • C:\ProgramData\46777832471797123856.exe
                            "C:\ProgramData\46777832471797123856.exe"
                            12⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            PID:3736
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe; Set-MpPreference -SubmitSamplesConsent NeverSend -PUAProtection Disabled
                              13⤵
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1064
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif" & exit
                            12⤵
                            PID:4912
                            • C:\Windows\SysWOW64\timeout.exe
                              timeout /t 6
                              13⤵
                              • Delays execution with timeout.exe
                              PID:1508
                        • C:\Windows\SysWOW64\PING.EXE
                          ping localhost -n 18
                          10⤵
                          • Runs ping.exe
                          PID:3872
                • C:\Windows\SysWOW64\rundll32.exe
                  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
                  6⤵
                  • Loads dropped DLL
                  PID:4076
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2904
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3932 -ip 3932
    1⤵
    PID:3648
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3292
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    1⤵
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Modifies registry class
    PID:2796
  • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    1⤵
    • Executes dropped EXE
    PID:3652
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    1⤵
    • Checks processor information in registry
    • Modifies registry class
    PID:3380
  • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    1⤵
    • Executes dropped EXE
    PID:3108

              Downloads

              • C:\ProgramData\07900588628047328197.exe

                Filesize

                599KB

                MD5

                a63c4dc41c0b62c9ceb73be679ab932d

                SHA1

                42b1a611458102f8d4910de7f43c81238b313a03

                SHA256

                2181b56fd1b467d16100bebf81fb77549aee4c37cc3834c4fc05a5225779584e

                SHA512

                e5640c3597e24d58d3c6a2547703dd542a3d0568155be1fc663f1949b0f060d08e24c9b6a75396963c6ce473ee2c47b3594e0664d38b2414382c707560047bec

              • C:\ProgramData\46777832471797123856.exe

                Filesize

                9.4MB

                MD5

                718d69c7e8baa9b2fea5078ac9adf6b7

                SHA1

                b409fa7ffde8cc8dbaff27ae6a51d3f599e0ed75

                SHA256

                21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936

                SHA512

                ece9d1dac93453594fee0df92f8ad9ffa14ba17d4589773eac2c6f5ae1759d4b22e1067813245d2d5ab613d2b7c45173e5aebd1e72c7a720082474b76d403515

              • C:\ProgramData\mozglue.dll

                Filesize

                593KB

                MD5

                c8fd9be83bc728cc04beffafc2907fe9

                SHA1

                95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                SHA256

                ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                SHA512

                fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

              • C:\ProgramData\nss3.dll

                Filesize

                2.0MB

                MD5

                1cc453cdf74f31e4d913ff9c10acdde2

                SHA1

                6e85eae544d6e965f15fa5c39700fa7202f3aafe

                SHA256

                ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                SHA512

                dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

                Filesize

                717B

                MD5

                60fe01df86be2e5331b0cdbe86165686

                SHA1

                2a79f9713c3f192862ff80508062e64e8e0b29bd

                SHA256

                c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

                SHA512

                ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59C287033A8C5F95779AE0F50A84C0D2

                Filesize

                503B

                MD5

                3f85e970f7c157b415e4c11c1319dbfd

                SHA1

                2e5c546c536c94f7f5e441ae3409731cd82574e6

                SHA256

                da5c69afb4a233d66a68eef5c8a83e3e84ddd305fa0afd6a8288e98a518398a1

                SHA512

                f91ac0c5b46ce16a935d2107d94112a2b65054d75407fa440887572cf676a438fb38bffb7fcb85f4f471a04ab61731e16b60dbb1dab39e93272def6ee2b600ff

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

                Filesize

                192B

                MD5

                3bbe7b7fccd20dfed4aa22e8e7aaec66

                SHA1

                d1d9415af152a91d8aba2d8f8560814bd588578b

                SHA256

                29cab0a843da9ccae464d1f1fe7e00ee59e59e8a5420f155f739d6560c2d7e70

                SHA512

                9be492d1d2d106c829fdf9dbae9980b5cc8ff34256c3e6a34821bfd0a7d35634dfca95f600f80dda416731a465bf26e927651f02629b6ba9e839153ac0e3334a

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59C287033A8C5F95779AE0F50A84C0D2

                Filesize

                552B

                MD5

                da32a725c31f3e5319181849341f30bd

                SHA1

                2e73968cf57a25a784695060dcb9baf596d9d536

                SHA256

                4a9c1be24aa10b0d061f9a87d3c03f3674cc7f833762fabf5d08efe82a9e7715

                SHA512

                7b72948b4150c2f5aa93ae0be3af1e085c99687caf261bbb1e0a56279f6ddd42d58b7092643556e78d026824d5a941b30fa2ddf144335dd041fae4da32e76a82

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                Filesize

                1KB

                MD5

                def65711d78669d7f8e69313be4acf2e

                SHA1

                6522ebf1de09eeb981e270bd95114bc69a49cda6

                SHA256

                aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

                SHA512

                05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                18KB

                MD5

                24e5a6f9d5c5924aea695e04b3f429ec

                SHA1

                b97b6ab3cbe1ef82834ea97d5566389069382a68

                SHA256

                4bc7cba82a38d8a16d4e700e9992e3104aeee0932755f4006b97fd0f6a971642

                SHA512

                279c376b84f761cae858bb91d3b68131744463da27201379b1ea0645b9c27bcabcd3c90ec3e8c2c7b4970d8ee9c4767e96bcd306d782cfac6b27a6294701b1d7

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                18KB

                MD5

                7d7278e76528dbcf5d6d37026fe66437

                SHA1

                3039931e4fd849167ed09bc53e31e915cbbb8918

                SHA256

                973b01756144bb8fed38d32bf86538ac217f257589e2f882d5afd5d1069f189a

                SHA512

                449e36155f3866490753b4bbf6c4d2f65637587cac71ce2eeaed280a87b1a783ae90e5d8b0a8844d5fbb880c3e8602b824aafa7b5ef06fac0389d855098eb312

              • C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe

                Filesize

                1.7MB

                MD5

                4f24c94182a964c6706c1920a73822c0

                SHA1

                5fd5f215270c5f7ff7828d8e1fe7e784094ae2f0

                SHA256

                45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3

                SHA512

                d1f7d8b5b6f1f3464a2946b861bc7c919623ad3fddeb7899d546fae93f6d864fd614a88b043c46d990942eaf59076a72702ad17dca26b178c8312c75219ce1fd

              • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

                Filesize

                229KB

                MD5

                e05249b60272a0a33974a9cf62a06a6c

                SHA1

                75c7ea58f69bc67d073375f5a23f7438ec78004b

                SHA256

                c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068

                SHA512

                ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe

                Filesize

                1004KB

                MD5

                cb7724f0cfbc465a48b1832d3419edd7

                SHA1

                f8553bffe63bbc454ef98c6c1ec3736b9e0a81aa

                SHA256

                0a77eec7259fe2048bd127f7be7af966085f73415221dd04457713348393b940

                SHA512

                f646e478eacb637adb358d6d3a367259de84b078465656a77f62e9d0b7443589ddfd79138730ae317649d0a1cc2b7b89a5d0c30b7f083c25671dd57c6881e933

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe

                Filesize

                415KB

                MD5

                ca0980a62c6480dabf9d26117d623f05

                SHA1

                bb95dde6ee8b8dfa0852c0f32f3ff2fa35637f63

                SHA256

                5071c97190248e4dd42b8869cddbfcaffaccd1a9cabd14cb38e1390fd2560995

                SHA512

                3ae147f7c1de10e180da5d79c36a4f14c2086bdcbcb2f40bde279f6067a66859e67fead3d898a36f8ff31261bd9e6eae1a2a4199a62cc79840d2a83d67ec248b

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe

                Filesize

                620KB

                MD5

                2c370254d2b62b9fa0a22d82556bb9db

                SHA1

                98dd76e9e34d752e6110a70e514f8dc94e914ebd

                SHA256

                ecbed5e995e73dd69c417d6a3a422f3c93d1149c6a8acbed56f181535208463b

                SHA512

                9d0aab28dd1c4865053fd9995ded31ca14da398d2c407b46253f10abe079159fb9cace32312e25402463a24b727930db0edefebe5b8da9d57ac4493603845843

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe

                Filesize

                229KB

                MD5

                e05249b60272a0a33974a9cf62a06a6c

                SHA1

                75c7ea58f69bc67d073375f5a23f7438ec78004b

                SHA256

                c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068

                SHA512

                ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe

                Filesize

                437KB

                MD5

                2013df3ab4c393dbfeb56100e4c414a6

                SHA1

                1a0e09673ca2c1e3bfd7b5ed5e03cead327f3ac2

                SHA256

                1081bd699d986ef6b0fc0d99c1dbb1c26bdfacc89249078e611c3cba538bd878

                SHA512

                7bd1d58142e9b9346096b297fa286f1bf7f161e246caa27774255e91416357de9b481675fc9f63430b2dd399758521166130e7f3ce590bfc2462a3e28d0b15fb

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe

                Filesize

                175KB

                MD5

                6bb86793dc581b29147c2d4d5bad8ce6

                SHA1

                c5ffe67ea0f190d661779969a5da2b843e9eaf6d

                SHA256

                ccf25cf1cb0269655e2003b30ed9fdc3d0225bb49b91bc301978e809bcf517bd

                SHA512

                376e2188605a7c9f9d69a01960b2ff2554060adc7b254ba5c827be86b3e100b628abe281231d09d29e85ba8230f2f08be4d41b0a035da6914bfeec8994559d52

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe

                Filesize

                332KB

                MD5

                72627a85c40f3bdaf6b6b451f742f1e9

                SHA1

                44a15ee128d050db7dca4884f1ccd2f584d7915e

                SHA256

                fff90eff8d06d499e00aedf10eb72330db25202b7bc1d1bb9f2cafda8bd8a5b7

                SHA512

                6ea7124b57cd1786b38a109144c51f2c0d5ca6d1821d30a208d53598ee0d9053f3c3bba6c2ec6ef288d2d8c45b751001590abb033ead29b2803e462dbd0b4eed

              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00000#Cancer

                Filesize

                101KB

                MD5

                d4c65e691f5a42538b02417f60c042be

                SHA1

                7726b2bd52dc94a9d3e79f2e82e92dd8820997ad

                SHA256

                d71b5a80bc3d6fce71c6fc6efb62542bd5536d7d3805d92067a29f512bd12c33

                SHA512

                e487f30b27b178a09d381802767f7425d63e6538bc9b0d5406ea39cf7f7c2c586d53850e460b897a49014b61e75ffbe817b4a93b9460a18ed89d223048dab62f

              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00001#Foto

                Filesize

                199KB

                MD5

                60ad6b661b7d878936b63c39e7d94555

                SHA1

                655ca3b2c75ad015a02470c92e8d7b9d58541524

                SHA256

                650f797d33d5ecf29e1876324de2507a3b97cad3cc00c1e25ff02420a2e4e70e

                SHA512

                f44b3d36f26666c079354085471d44b2838c24553fd0797e12c3c96b14794aa24073574379e1e0abce3b38aaaa179dd1bf05c51ca3831aff82c90fe6699cc606

              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00002#Gp

                Filesize

                74KB

                MD5

                4f39ba8b1c907e52d53215ea79a1896f

                SHA1

                975c70c4973697cce66c149a00cc8b20e79526be

                SHA256

                ace9abce7314ca6736b6b6acf5a1f96c7d24f7764678f99ffb795a897a6e7bf2

                SHA512

                e862921fbad7a8118a1c12f1c9ca33b7f41251b69b0dc48dcbf3c40350174f5db8946c75797b0042e3d9633821b66e523212a1998a901f712bc8b0053d1e7572

              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00003#Management

                Filesize

                154KB

                MD5

                b0525ab549845919679f78453f554c1f

                SHA1

                3d2179acba0634cc71003502923c3a4a52b31d14

                SHA256

                31c86eb615672da32e64560553d46cb18c25e7ea794e4637cfac3c4be0a9fb47

                SHA512

                b983c3517cf878e99ad94d0227c25edb52e82c5ead93c7cbfa6ea2543d483db20be2f210029237131e8e5517497e910abcdb119edf88cdb7eac9e61c4f2a3087

              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00004#Piece

                Filesize

                43KB

                MD5

                bf7a0cdf40d3aa9fc94c9accd73298d2

                SHA1

                a049a7323a8468d1bbd3e96a1ace4266fce4429c

                SHA256

                96eab71166cc7df7ec1eae988487d76d463c080f1da98b194bc60a1701e5d3ae

                SHA512

                6a0eb5de2f23ff986c90835b7b24e5299fdb882186bcc88fece6a6a4363871dda00b8313ee729557778cf4c14456e9c25d79108be35f31df1d9b697f5d89009e

              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00005#Prototype

                Filesize

                33KB

                MD5

                ad1b6b16c6c6c23f01288183183ed0c1

                SHA1

                b60363ebd25d9953f202423b34e0c81fa24dafb6

                SHA256

                94fca15d4913ccc5955aef8942cb475306a6815190fe27ff742b40a808ff860e

                SHA512

                d461bf0dd5b20b1cb5dc07128be156b3ab144607c5794956635ca7ce90a2d643d539b2f6dd063c8889e01e074db74cacd41940a3d3bb53cd2406f77f0ccac6ce

              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00006#Stands

                Filesize

                1.2MB

                MD5

                4a1f67fc0cacc5cf1c9ab1ab05e25ec6

                SHA1

                e955600ae7c0f6bec15a4126f1be10acc6a6b875

                SHA256

                ed299bf8533de2b3f0965295aa5be53e8486dfa0887e20de0b4c6c2fd3b30b4b

                SHA512

                e0f1a52209c13937afcdb954e59daba04d80f82cba702788e1d6d359f2e4dd189d01455f32a167b6014c68e5d670686d2ace1bfea0b8c31b3c91f2f052669675

              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00007#Sue

                Filesize

                157KB

                MD5

                f51e203d3f2ac1e4f6ed5a89f5805fcb

                SHA1

                76195a680f2e178c03d35719a0adc776fe901289

                SHA256

                c6a7beb722fefad0a7f6f2057cbfda9a8cec198e56f2946191aeb9de7578b2ca

                SHA512

                8c2ab71bf608066d3a63cdac2924d8a6d6c983e8257aed07691f5dace70442de5e72ba0f3bfe8b6395314178ddde219ca5005e65aed305165a06cae2dba16bec

              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00008#Welfare

                Filesize

                54KB

                MD5

                f5802553964d59c3874a7ea7f0313c68

                SHA1

                106f605a2e7704cb8341b27ca982f5f70d09bc0f

                SHA256

                35cc1497dc397cf46815bfb41953a134170bbea3fd0d5178ca45b6bbb01084f9

                SHA512

                8f495fc3ceda40788b3dc7a2eec223e3d40b5edf1ff4ed159f20a256f1ba71d8baba135b3b1bf9f6f07851dc99bd4e29fd2af1bc7984bccca4fc390c0fc83b23

              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00009#Wines

                Filesize

                110KB

                MD5

                31ae6922272bfd6c6a863b679940d005

                SHA1

                df93b1021c3bb2087b249a82d4cbcd599659fcd6

                SHA256

                77031c9bf9a778abef4672a2b749dd7fb662a29b3e69ea391fe04dd4944601d8

                SHA512

                f0765279accdefbf611088e92433d258700bc97d28468b6cbd34c1be5b7cf27a54763009214bd4ce052c4bec87debd9464e2f040028fba40fb32da20d82669bd

              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\00010#Yugoslavia

                Filesize

                15KB

                MD5

                9852c7adb40127bf8e29ae2346482129

                SHA1

                d5decd97f329dc62f824a17b204a214a83a1292b

                SHA256

                85ad2b1fd775ecd859922d5550f76f87f8e8e9dd84d878ee786450a8aefee1ac

                SHA512

                0a89fa89340df63de408b106ac4503a649ac2bf60978f40452263b8690d81cedf9d812e4b71988a84e6fdb36fdd8dfc0ec30a78d1df2f0cb044b7afa3accc56b

              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Engine.exe

                Filesize

                1.3MB

                MD5

                e4656c54b03a03f816ab33101a324cdc

                SHA1

                48cd8d9c5a20d36362214d727e184fe4e0075d4f

                SHA256

                bb998a1e5e162c305a942ade944230c62b0e3bfe347a2a30c33af497109467ba

                SHA512

                c2980491ab8417feddb609391e14b8f662182f2ca28af47902b74687ac420d8fb2aee4ea9df858668a7affa03c799b2a478213d5629444e9276147096110f7ba

              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Modern_Icon.bmp

                Filesize

                7KB

                MD5

                1dd88f67f029710d5c5858a6293a93f1

                SHA1

                3e5ef66613415fe9467b2a24ccc27d8f997e7df6

                SHA256

                b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

                SHA512

                7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

              • C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Setup.txt

                Filesize

                2KB

                MD5

                9f82e028a899fe0dded45d76ed1ed06f

                SHA1

                fc0e0f3e34451087e28d8c51c486a52934e59d4a

                SHA256

                3dd4285197d7ad7004789eee6464594666ae8e5d913bec23e57151608bd3b109

                SHA512

                22d4ad271965c8c5fbe038ead00cb374c299e89f7d669ea7657064e5b3c18f4dc7f9d51b102dc388c6f79e805c7196c085edf6e990e6bb33c41ac36854192b18

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_koncyyv1.0bn.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif

                Filesize

                925KB

                MD5

                0162a97ed477353bc35776a7addffd5c

                SHA1

                10db8fe20bbce0f10517c510ec73532cf6feb227

                SHA256

                15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

                SHA512

                9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

              • C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\Finding

                Filesize

                925KB

                MD5

                f39dff6e12fa4e21277d39149fa7da7e

                SHA1

                804aa8256d1a98311d737e13ef62db0fa7d15ec0

                SHA256

                27deb687c50fe4c33b19f43ccb0d4cbdaa8292511df2a93c138d6740862e9fd0

                SHA512

                cceca80987fcfad926734a7c2ed16919a237ceb02f391fe9de667405f014498b10bcf735547e5ee53f9b146ed56b24db025be285422c53dac2770f1885d31f5c

              • C:\Users\Admin\AppData\Local\Temp\tmpDF3F.tmp

                Filesize

                1KB

                MD5

                77ec8ab3ef8b3ef2a686a15310512a3d

                SHA1

                692276bd162b83505cb99b85bb0466956a46ee7a

                SHA256

                209c3bbd86caced68e591bd6ca92caf036b70d0eb4a3ea74f23dbb0939920509

                SHA512

                87d258f1974d0097c14e77835f1d5128b10fd5fc34862fb999e308a7c4afdcd44e62fd962ef1c3b00a988c1f920764f9ef0125a69e587831a6ca112fef6484fd

              • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

                Filesize

                89KB

                MD5

                73df88d68a4f5e066784d462788cf695

                SHA1

                e4bfed336848d0b622fa464d40cf4bd9222aab3f

                SHA256

                f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

                SHA512

                64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

              • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

                Filesize

                162B

                MD5

                1b7c22a214949975556626d7217e9a39

                SHA1

                d01c97e2944166ed23e47e4a62ff471ab8fa031f

                SHA256

                340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

                SHA512

                ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

              • C:\Users\Admin\Videos\Captures\desktop.ini

                Filesize

                190B

                MD5

                b0d27eaec71f1cd73b015f5ceeb15f9d

                SHA1

                62264f8b5c2f5034a1e4143df6e8c787165fbc2f

                SHA256

                86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

                SHA512

                7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

              • memory/64-1164-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

                Filesize

                64KB

              • memory/484-1148-0x00000000068B0000-0x00000000068CA000-memory.dmp

                Filesize

                104KB

              • memory/484-1134-0x0000000005C60000-0x0000000005CC6000-memory.dmp

                Filesize

                408KB

              • memory/484-1113-0x0000000002A20000-0x0000000002A56000-memory.dmp

                Filesize

                216KB

              • memory/484-1131-0x0000000005630000-0x0000000005C58000-memory.dmp

                Filesize

                6.2MB

              • memory/484-1132-0x0000000004FF0000-0x0000000005000000-memory.dmp

                Filesize

                64KB

              • memory/484-1133-0x0000000005460000-0x0000000005482000-memory.dmp

                Filesize

                136KB

              • memory/484-1135-0x0000000005CD0000-0x0000000005D36000-memory.dmp

                Filesize

                408KB

              • memory/484-1146-0x00000000063C0000-0x00000000063DE000-memory.dmp

                Filesize

                120KB

              • memory/484-1147-0x0000000006930000-0x00000000069C6000-memory.dmp

                Filesize

                600KB

              • memory/484-1149-0x0000000006900000-0x0000000006922000-memory.dmp

                Filesize

                136KB

              • memory/1028-1321-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

                Filesize

                64KB

              • memory/1028-1317-0x0000000004DE0000-0x0000000004E36000-memory.dmp

                Filesize

                344KB

              • memory/1028-1360-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

                Filesize

                64KB

              • memory/1028-1316-0x0000000004B20000-0x0000000004B2A000-memory.dmp

                Filesize

                40KB

              • memory/1028-1313-0x0000000000170000-0x000000000020C000-memory.dmp

                Filesize

                624KB

              • memory/1028-1315-0x0000000004C10000-0x0000000004CA2000-memory.dmp

                Filesize

                584KB

              • memory/1028-1314-0x0000000004A30000-0x0000000004ACC000-memory.dmp

                Filesize

                624KB

              • memory/1036-1165-0x0000000000700000-0x0000000000701000-memory.dmp

                Filesize

                4KB

              • memory/1036-1099-0x0000000000700000-0x0000000000701000-memory.dmp

                Filesize

                4KB

              • memory/1036-1392-0x0000000000400000-0x0000000000432000-memory.dmp

                Filesize

                200KB

              • memory/1036-1394-0x0000000005040000-0x0000000005050000-memory.dmp

                Filesize

                64KB

              • memory/1064-1361-0x000000006F860000-0x000000006F8AC000-memory.dmp

                Filesize

                304KB

              • memory/1064-1379-0x00000000079E0000-0x00000000079FA000-memory.dmp

                Filesize

                104KB

              • memory/1064-1362-0x000000007EED0000-0x000000007EEE0000-memory.dmp

                Filesize

                64KB

              • memory/1064-1372-0x0000000006930000-0x000000000694E000-memory.dmp

                Filesize

                120KB

              • memory/1064-1373-0x0000000007D50000-0x00000000083CA000-memory.dmp

                Filesize

                6.5MB

              • memory/1064-1357-0x00000000029F0000-0x0000000002A00000-memory.dmp

                Filesize

                64KB

              • memory/1064-1358-0x00000000029F0000-0x0000000002A00000-memory.dmp

                Filesize

                64KB

              • memory/1064-1359-0x0000000007560000-0x0000000007592000-memory.dmp

                Filesize

                200KB

              • memory/1064-1380-0x00000000079C0000-0x00000000079C8000-memory.dmp

                Filesize

                32KB

              • memory/1064-1374-0x0000000007720000-0x000000000772A000-memory.dmp

                Filesize

                40KB

              • memory/1064-1377-0x00000000076B0000-0x00000000076BE000-memory.dmp

                Filesize

                56KB

              • memory/2904-258-0x00000000024C0000-0x00000000024F5000-memory.dmp

                Filesize

                212KB

              • memory/2904-1115-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

                Filesize

                64KB

              • memory/2904-255-0x00000000005D0000-0x0000000000616000-memory.dmp

                Filesize

                280KB

              • memory/2904-1074-0x0000000007620000-0x0000000007C38000-memory.dmp

                Filesize

                6.1MB

              • memory/2904-256-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

                Filesize

                64KB

              • memory/2904-259-0x00000000024C0000-0x00000000024F5000-memory.dmp

                Filesize

                212KB

              • memory/2904-1116-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

                Filesize

                64KB

              • memory/2904-261-0x00000000024C0000-0x00000000024F5000-memory.dmp

                Filesize

                212KB

              • memory/2904-1151-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

                Filesize

                64KB

              • memory/2904-257-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

                Filesize

                64KB

              • memory/2904-1114-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

                Filesize

                64KB

              • memory/2904-263-0x00000000024C0000-0x00000000024F5000-memory.dmp

                Filesize

                212KB

              • memory/2904-1075-0x0000000002720000-0x0000000002732000-memory.dmp

                Filesize

                72KB

              • memory/2904-1094-0x0000000007D50000-0x0000000007D8C000-memory.dmp

                Filesize

                240KB

              • memory/2904-1093-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

                Filesize

                64KB

              • memory/2904-1076-0x0000000007C40000-0x0000000007D4A000-memory.dmp

                Filesize

                1.0MB

              • memory/3060-1184-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

                Filesize

                4KB

              • memory/3736-1346-0x00000000008F0000-0x0000000001259000-memory.dmp

                Filesize

                9.4MB

              • memory/3736-1381-0x00000000008F0000-0x0000000001259000-memory.dmp

                Filesize

                9.4MB

              • memory/3896-172-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3896-166-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3896-161-0x0000000002350000-0x0000000002360000-memory.dmp

                Filesize

                64KB

              • memory/3896-162-0x0000000002350000-0x0000000002360000-memory.dmp

                Filesize

                64KB

              • memory/3896-188-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3896-190-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3896-192-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3896-184-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3896-182-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3896-180-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3896-178-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3896-176-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3896-174-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3896-163-0x0000000002350000-0x0000000002360000-memory.dmp

                Filesize

                64KB

              • memory/3896-164-0x00000000049C0000-0x0000000004F64000-memory.dmp

                Filesize

                5.6MB

              • memory/3896-186-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3896-165-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3896-195-0x0000000002350000-0x0000000002360000-memory.dmp

                Filesize

                64KB

              • memory/3896-194-0x0000000002350000-0x0000000002360000-memory.dmp

                Filesize

                64KB

              • memory/3896-193-0x0000000002350000-0x0000000002360000-memory.dmp

                Filesize

                64KB

              • memory/3896-170-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3896-168-0x0000000002360000-0x0000000002373000-memory.dmp

                Filesize

                76KB

              • memory/3932-220-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB

              • memory/3932-237-0x0000000000400000-0x0000000000466000-memory.dmp

                Filesize

                408KB

              • memory/3932-224-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB

              • memory/3932-226-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB

              • memory/3932-232-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

                Filesize

                64KB

              • memory/3932-222-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB

              • memory/3932-228-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB

              • memory/3932-201-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB

              • memory/3932-202-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB

              • memory/3932-204-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB

              • memory/3932-206-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB

              • memory/3932-229-0x00000000005E0000-0x000000000060D000-memory.dmp

                Filesize

                180KB

              • memory/3932-208-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB

              • memory/3932-210-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB

              • memory/3932-212-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB

              • memory/3932-214-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB

              • memory/3932-233-0x0000000000400000-0x0000000000466000-memory.dmp

                Filesize

                408KB

              • memory/3932-230-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

                Filesize

                64KB

              • memory/3932-231-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

                Filesize

                64KB

              • memory/3932-235-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

                Filesize

                64KB

              • memory/3932-236-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

                Filesize

                64KB

              • memory/3932-216-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB

              • memory/3932-218-0x00000000023A0000-0x00000000023B2000-memory.dmp

                Filesize

                72KB
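The dropped-file and memory-dump listing above is the part of this report an analyst actually reuses: the hashes become blocklist or hunt entries, and the memory-dump names encode the address range that was captured. Two details are worth checking programmatically rather than by eye. First, one SHA-256 can appear under more than one path (in this listing, 5cb6818d6c\oneetx.exe and IXP002.TMP\w01PN11.exe carry the same hashes, i.e. the same content was written to a second location). Second, each memory dump is named memory/PID-EVENT-START-END-memory.dmp, so its reported Filesize can be cross-checked against END minus START. The script below is an added example, not code from the sandbox vendor or from this report; it parses the flattened "bullet, label, value" layout used above, groups entries by SHA-256, verifies memory-dump sizes, and hashes a local file against the resulting index. The sample listing embedded in it is constructed from a handful of entries copied from this page; the function names and the size-formatting rule (integer KB below 1 MB, one decimal MB above, matching how the sizes above are rendered) are this example's own assumptions.

```python
"""Parse a sandbox dropped-files / memory-dump listing into IOC records.

Added example, not part of the sandbox report. Handles the flattened layout
used above: a bullet line with a path or dump name, followed by label/value
pairs (Filesize, MD5, SHA1, SHA256, SHA512), one per line.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
# memory/<pid>-<event>-0x<start>-0x<end>-memory.dmp
MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<event>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class Entry:
    name: str                               # file path or memory-dump name
    fields: dict = field(default_factory=dict)

    @property
    def sha256(self):
        return self.fields.get("SHA256", "").lower() or None


def parse_listing(text):
    """Turn the 'bullet / label / value' layout into Entry objects."""
    entries, label = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):            # new record
            entries.append(Entry(line[1:].strip()))
            label = None
        elif line in LABELS:                 # next non-empty line is its value
            label = line
        elif label and entries:
            entries[-1].fields[label] = line
            label = None
    return entries


def parse_size(s):
    """'229KB' -> 234496, '1.2MB' -> 1258291, '162B' -> 162 (report-style units)."""
    m = re.fullmatch(r"([\d.]+)(B|KB|MB|GB)", s.strip())
    if not m:
        raise ValueError(f"unrecognised size: {s!r}")
    return int(float(m.group(1)) * 1024 ** ["B", "KB", "MB", "GB"].index(m.group(2)))


def human_size(n):
    """Format bytes the way the listing does (assumed rule): KB below 1 MB, else x.yMB."""
    if n >= 1024 ** 2:
        return f"{n / 1024 ** 2:.1f}MB"
    if n >= 1024:
        return f"{round(n / 1024)}KB"
    return f"{n}B"


def memory_region_consistent(entry):
    """For memory dumps, check the reported Filesize equals end - start of the
    address range in the name. Returns None for entries that are not dumps."""
    m = MEMDUMP_RE.match(entry.name)
    if not m:
        return None
    span = int(m["end"], 16) - int(m["start"], 16)
    return human_size(span) == entry.fields.get("Filesize")


def index_by_sha256(entries):
    """sha256 -> sorted unique paths. Repeated entries for one path collapse;
    one hash under several paths means the same content was written more than once."""
    idx = defaultdict(set)
    for e in entries:
        if e.sha256:
            idx[e.sha256].add(e.name)
    return {h: sorted(paths) for h, paths in idx.items()}


def shared_content(index):
    """Hashes that the sandbox saw under more than one path."""
    return {h: paths for h, paths in index.items() if len(paths) > 1}


def match_file(path, index):
    """Hash a local file and return the sandbox paths that had identical content."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return index.get(h.hexdigest(), [])


# Constructed sample: a few entries copied from the listing above, in its layout.
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
  Filesize
  229KB
  MD5
  e05249b60272a0a33974a9cf62a06a6c
  SHA1
  75c7ea58f69bc67d073375f5a23f7438ec78004b
  SHA256
  c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068
• C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe
  Filesize
  229KB
  SHA256
  c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068
• C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
  Filesize
  162B
  SHA256
  340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
• memory/484-1148-0x00000000068B0000-0x00000000068CA000-memory.dmp
  Filesize
  104KB
• memory/1036-1392-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize
  200KB
"""

if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    for h, paths in shared_content(index_by_sha256(entries)).items():
        print(f"{h[:16]}... written to {len(paths)} paths: {paths}")
    for e in entries:
        ok = memory_region_consistent(e)
        if ok is not None:
            print(f"{e.name}: size {'matches' if ok else 'DOES NOT match'} address range")
```

Feed the whole file/memory section of a report to parse_listing and the index doubles as a lookup table for a directory sweep with match_file; any hash that shared_content reports is a self-copy or staging step worth a detection rule on the second path, not just the first.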