amadey | 5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75

Analysis

max time kernel
165s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe
Size

1.5MB
MD5

ee19c02edc80174071bcd1306c2a8406
SHA1

f1e150c5b3a9c4b01ad633a03a57de79e0d6570f
SHA256

5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75
SHA512

c3d6308ec2939b6efdef4db59fd115daf582e1a25b1ce251c9c6076c0655264483d782c1bd9bea0c57616d9039102cf4fbf660fd3700c86f8bf74055e428b0b6
SSDEEP

24576:EydBMwYRHEWGEHkdtryKmrRYXXyGWLyUWAena6Zjkoqc:TLaHWtOK2CEaacw

Score

10^/10

amadey redline gena life evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.70

212.113.119.255/joomla/index.php

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/1884-6696-0x0000000005200000-0x0000000005818000-memory.dmp	redline_stealer
behavioral2/memory/2056-6734-0x0000000005140000-0x0000000005768000-memory.dmp	redline_stealer
behavioral2/memory/2056-6743-0x0000000005A00000-0x0000000005A66000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

26628038.exew61MO23.exeoneetx.exexLorO71.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	26628038.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	w61MO23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	xLorO71.exe

Executes dropped EXE 16 IoCs

Processes:

za265333.exeza571665.exeza966696.exe26628038.exe1.exeu14115753.exew61MO23.exeoneetx.exexLorO71.exeDelta2023.exe1.exeoneetx.exeEngine.exeys490490.exeBondage.exe.pifoneetx.exe

pid	process
4888	za265333.exe
3628	za571665.exe
3912	za966696.exe
3720	26628038.exe
4488	1.exe
4524	u14115753.exe
4152	w61MO23.exe
4080	oneetx.exe
400	xLorO71.exe
844	Delta2023.exe
1884	1.exe
3624	oneetx.exe
1000	Engine.exe
3488	ys490490.exe
2208	Bondage.exe.pif
4452	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4272 rundll32.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

1.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 1.exe

pid	process
4272	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

za265333.exeza571665.exeza966696.exe5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za265333.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za265333.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za571665.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za571665.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za966696.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za966696.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

992 4524 WerFault.exe u14115753.exe
4068 400 WerFault.exe xLorO71.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

pid	pid_target	process	target process
992	4524	WerFault.exe	u14115753.exe
4068	400	WerFault.exe	xLorO71.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1060 schtasks.exe
2144 schtasks.exe

pid	process
1060	schtasks.exe
2144	schtasks.exe

Modifies registry class 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1529757233-3489015626-3409890339-1000\{4846AC91-994E-4207-A2B9-D791C9FE9C56}	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1932 PING.EXE

pid	process
1932	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

1.exepowershell.exepowershell.exeBondage.exe.pif

pid	process
4488	1.exe
4488	1.exe
2056	powershell.exe
2056	powershell.exe
2056	powershell.exe
1288	powershell.exe
1288	powershell.exe
1288	powershell.exe
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

26628038.exe1.exeu14115753.exexLorO71.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3720	26628038.exe
Token: SeDebugPrivilege	4488	1.exe
Token: SeDebugPrivilege	4524	u14115753.exe
Token: SeDebugPrivilege	400	xLorO71.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

w61MO23.exeBondage.exe.pif

pid process

4152 w61MO23.exe
2208 Bondage.exe.pif
2208 Bondage.exe.pif
2208 Bondage.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Bondage.exe.pif

pid process

2208 Bondage.exe.pif
2208 Bondage.exe.pif
2208 Bondage.exe.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

100 OpenWith.exe

pid	process
4152	w61MO23.exe
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif

pid	process
2208	Bondage.exe.pif
2208	Bondage.exe.pif
2208	Bondage.exe.pif

pid	process
100	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exeza265333.exeza571665.exeza966696.exe26628038.exew61MO23.exeoneetx.exexLorO71.exeDelta2023.exeEngine.execmd.execmd.exe

description	pid	process	target process
PID 4764 wrote to memory of 4888	4764	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe	za265333.exe
PID 4764 wrote to memory of 4888	4764	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe	za265333.exe
PID 4764 wrote to memory of 4888	4764	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe	za265333.exe
PID 4888 wrote to memory of 3628	4888	za265333.exe	za571665.exe
PID 4888 wrote to memory of 3628	4888	za265333.exe	za571665.exe
PID 4888 wrote to memory of 3628	4888	za265333.exe	za571665.exe
PID 3628 wrote to memory of 3912	3628	za571665.exe	za966696.exe
PID 3628 wrote to memory of 3912	3628	za571665.exe	za966696.exe
PID 3628 wrote to memory of 3912	3628	za571665.exe	za966696.exe
PID 3912 wrote to memory of 3720	3912	za966696.exe	26628038.exe
PID 3912 wrote to memory of 3720	3912	za966696.exe	26628038.exe
PID 3912 wrote to memory of 3720	3912	za966696.exe	26628038.exe
PID 3720 wrote to memory of 4488	3720	26628038.exe	1.exe
PID 3720 wrote to memory of 4488	3720	26628038.exe	1.exe
PID 3912 wrote to memory of 4524	3912	za966696.exe	u14115753.exe
PID 3912 wrote to memory of 4524	3912	za966696.exe	u14115753.exe
PID 3912 wrote to memory of 4524	3912	za966696.exe	u14115753.exe
PID 3628 wrote to memory of 4152	3628	za571665.exe	w61MO23.exe
PID 3628 wrote to memory of 4152	3628	za571665.exe	w61MO23.exe
PID 3628 wrote to memory of 4152	3628	za571665.exe	w61MO23.exe
PID 4152 wrote to memory of 4080	4152	w61MO23.exe	oneetx.exe
PID 4152 wrote to memory of 4080	4152	w61MO23.exe	oneetx.exe
PID 4152 wrote to memory of 4080	4152	w61MO23.exe	oneetx.exe
PID 4888 wrote to memory of 400	4888	za265333.exe	xLorO71.exe
PID 4888 wrote to memory of 400	4888	za265333.exe	xLorO71.exe
PID 4888 wrote to memory of 400	4888	za265333.exe	xLorO71.exe
PID 4080 wrote to memory of 1060	4080	oneetx.exe	schtasks.exe
PID 4080 wrote to memory of 1060	4080	oneetx.exe	schtasks.exe
PID 4080 wrote to memory of 1060	4080	oneetx.exe	schtasks.exe
PID 4080 wrote to memory of 844	4080	oneetx.exe	Delta2023.exe
PID 4080 wrote to memory of 844	4080	oneetx.exe	Delta2023.exe
PID 4080 wrote to memory of 844	4080	oneetx.exe	Delta2023.exe
PID 400 wrote to memory of 1884	400	xLorO71.exe	1.exe
PID 400 wrote to memory of 1884	400	xLorO71.exe	1.exe
PID 400 wrote to memory of 1884	400	xLorO71.exe	1.exe
PID 844 wrote to memory of 1000	844	Delta2023.exe	Engine.exe
PID 844 wrote to memory of 1000	844	Delta2023.exe	Engine.exe
PID 844 wrote to memory of 1000	844	Delta2023.exe	Engine.exe
PID 4764 wrote to memory of 3488	4764	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe	ys490490.exe
PID 4764 wrote to memory of 3488	4764	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe	ys490490.exe
PID 4764 wrote to memory of 3488	4764	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe	ys490490.exe
PID 1000 wrote to memory of 216	1000	Engine.exe	cmd.exe
PID 1000 wrote to memory of 216	1000	Engine.exe	cmd.exe
PID 1000 wrote to memory of 216	1000	Engine.exe	cmd.exe
PID 216 wrote to memory of 4688	216	cmd.exe	cmd.exe
PID 216 wrote to memory of 4688	216	cmd.exe	cmd.exe
PID 216 wrote to memory of 4688	216	cmd.exe	cmd.exe
PID 4688 wrote to memory of 2056	4688	cmd.exe	powershell.exe
PID 4688 wrote to memory of 2056	4688	cmd.exe	powershell.exe
PID 4688 wrote to memory of 2056	4688	cmd.exe	powershell.exe
PID 4688 wrote to memory of 1288	4688	cmd.exe	powershell.exe
PID 4688 wrote to memory of 1288	4688	cmd.exe	powershell.exe
PID 4688 wrote to memory of 1288	4688	cmd.exe	powershell.exe
PID 4080 wrote to memory of 4272	4080	oneetx.exe	rundll32.exe
PID 4080 wrote to memory of 4272	4080	oneetx.exe	rundll32.exe
PID 4080 wrote to memory of 4272	4080	oneetx.exe	rundll32.exe
PID 4688 wrote to memory of 3652	4688	cmd.exe	findstr.exe
PID 4688 wrote to memory of 3652	4688	cmd.exe	findstr.exe
PID 4688 wrote to memory of 3652	4688	cmd.exe	findstr.exe
PID 4688 wrote to memory of 2208	4688	cmd.exe	Bondage.exe.pif
PID 4688 wrote to memory of 2208	4688	cmd.exe	Bondage.exe.pif
PID 4688 wrote to memory of 2208	4688	cmd.exe	Bondage.exe.pif
PID 4688 wrote to memory of 1932	4688	cmd.exe	PING.EXE
PID 4688 wrote to memory of 1932	4688	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe
"C:\Users\Admin\AppData\Local\Temp\5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za265333.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za265333.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za571665.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za571665.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3628

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za966696.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za966696.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3912

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\26628038.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\26628038.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u14115753.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u14115753.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1264
6⤵
- Program crash
PID:992

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61MO23.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61MO23.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
6⤵
- Creates scheduled task(s)
PID:1060

C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe
"C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Local\Temp\SETUP_3032\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\Engine.exe /TH_ID=_4484 /OriginExe="C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd < Yugoslavia
8⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\cmd.exe
cmd
9⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avgui
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^TiesHighsFridayPromisedOrganismsPromotedStronglyBannersTermExplainOrganisedPhpLastingMaritime$" Finding
10⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\27976\Bondage.exe.pif
27976\\Bondage.exe.pif 27976\\M
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2208

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "dZVxEGlqbg" /tr "C:\Users\Admin\AppData\Roaming\claRXiEwVe\dZVxEGlqbg.exe.com C:\Users\Admin\AppData\Roaming\claRXiEwVe\H" /sc onlogon /F /RL HIGHEST
11⤵
- Creates scheduled task(s)
PID:2144

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 18
10⤵
- Runs ping.exe
PID:1932

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:4272

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLorO71.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLorO71.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1456
4⤵
- Program crash
PID:4068

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ys490490.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ys490490.exe
2⤵
- Executes dropped EXE
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4524 -ip 4524
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 400 -ip 400
1⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
1⤵
- Executes dropped EXE
PID:3624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:4680

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
a16f8619ba4749274cdc556c04d0efbd

SHA1
b254f0462857e930baaf8c06e09dd20ca98f155c

SHA256
b81dafe08ab461f760d68545f24d0c3f527b0741f567c220e872452062036d6f

SHA512
655a4037577512abfd4fe69bf6f4762eb088e76dfba6bfe9148feb22cca54b56035ec9ad76b1bf67b3eb206ac2061d0a86cc12e96238e1dd603f992826c70580

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe
Filesize
1.7MB

MD5
4f24c94182a964c6706c1920a73822c0

SHA1
5fd5f215270c5f7ff7828d8e1fe7e784094ae2f0

SHA256
45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3

SHA512
d1f7d8b5b6f1f3464a2946b861bc7c919623ad3fddeb7899d546fae93f6d864fd614a88b043c46d990942eaf59076a72702ad17dca26b178c8312c75219ce1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe
Filesize
1.7MB

MD5
4f24c94182a964c6706c1920a73822c0

SHA1
5fd5f215270c5f7ff7828d8e1fe7e784094ae2f0

SHA256
45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3

SHA512
d1f7d8b5b6f1f3464a2946b861bc7c919623ad3fddeb7899d546fae93f6d864fd614a88b043c46d990942eaf59076a72702ad17dca26b178c8312c75219ce1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe
Filesize
1.7MB

MD5
4f24c94182a964c6706c1920a73822c0

SHA1
5fd5f215270c5f7ff7828d8e1fe7e784094ae2f0

SHA256
45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3

SHA512
d1f7d8b5b6f1f3464a2946b861bc7c919623ad3fddeb7899d546fae93f6d864fd614a88b043c46d990942eaf59076a72702ad17dca26b178c8312c75219ce1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
ce5803218604f5a7b5843e7be82c5204

SHA1
cbfb0b33c881d6e517467a7a83cd9ae9ebab7bef

SHA256
e05d02b51e01f68d1e86dd95d004c27025ecdc4fcb38b972934ad12053c627f0

SHA512
49bd7f638d43e20a7eb377faee36e940bfb0c6e3dddcd20dd7ce092700c29a61c4254113728d7d886aa1011e2d02082f3fdd214952521f7faf351bb8c548cc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
ce5803218604f5a7b5843e7be82c5204

SHA1
cbfb0b33c881d6e517467a7a83cd9ae9ebab7bef

SHA256
e05d02b51e01f68d1e86dd95d004c27025ecdc4fcb38b972934ad12053c627f0

SHA512
49bd7f638d43e20a7eb377faee36e940bfb0c6e3dddcd20dd7ce092700c29a61c4254113728d7d886aa1011e2d02082f3fdd214952521f7faf351bb8c548cc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
ce5803218604f5a7b5843e7be82c5204

SHA1
cbfb0b33c881d6e517467a7a83cd9ae9ebab7bef

SHA256
e05d02b51e01f68d1e86dd95d004c27025ecdc4fcb38b972934ad12053c627f0

SHA512
49bd7f638d43e20a7eb377faee36e940bfb0c6e3dddcd20dd7ce092700c29a61c4254113728d7d886aa1011e2d02082f3fdd214952521f7faf351bb8c548cc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
ce5803218604f5a7b5843e7be82c5204

SHA1
cbfb0b33c881d6e517467a7a83cd9ae9ebab7bef

SHA256
e05d02b51e01f68d1e86dd95d004c27025ecdc4fcb38b972934ad12053c627f0

SHA512
49bd7f638d43e20a7eb377faee36e940bfb0c6e3dddcd20dd7ce092700c29a61c4254113728d7d886aa1011e2d02082f3fdd214952521f7faf351bb8c548cc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
ce5803218604f5a7b5843e7be82c5204

SHA1
cbfb0b33c881d6e517467a7a83cd9ae9ebab7bef

SHA256
e05d02b51e01f68d1e86dd95d004c27025ecdc4fcb38b972934ad12053c627f0

SHA512
49bd7f638d43e20a7eb377faee36e940bfb0c6e3dddcd20dd7ce092700c29a61c4254113728d7d886aa1011e2d02082f3fdd214952521f7faf351bb8c548cc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ys490490.exe
Filesize
168KB

MD5
f1516d0ff9ed6f5cd8ceea1e878c327b

SHA1
06201b2fad7a8166f0572b43e0b77f46ae631cac

SHA256
17c5a224a869017a809ad3bf7e32a60ce00ed83f6d6c80fe66f11f4106861036

SHA512
b801119440249561cbe96de6a70e0d9fd5084dcae587ed5432f5a4482b789d56b9d24cd0ed6e811c302023c6d181e29a56a4f977a5b85691e75d77edfd068b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ys490490.exe
Filesize
168KB

MD5
f1516d0ff9ed6f5cd8ceea1e878c327b

SHA1
06201b2fad7a8166f0572b43e0b77f46ae631cac

SHA256
17c5a224a869017a809ad3bf7e32a60ce00ed83f6d6c80fe66f11f4106861036

SHA512
b801119440249561cbe96de6a70e0d9fd5084dcae587ed5432f5a4482b789d56b9d24cd0ed6e811c302023c6d181e29a56a4f977a5b85691e75d77edfd068b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za265333.exe
Filesize
1.3MB

MD5
a8a6ef2febad43893677a572fa95be38

SHA1
69e8b6d96cd4a696b05e0134613f142a7e69bff6

SHA256
e530058dc47a1440e15d65bc073de8077b191c42fc43875fcf3010d883cb2adc

SHA512
ffbde4fcd9ff5fe40782be3770a3f43396ccf2b5b4ec21d17ba2768bff0bcd001f71194c32e924e4b785bad277123ade5d7b4acd1d3af1657d500285cdeb66dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za265333.exe
Filesize
1.3MB

MD5
a8a6ef2febad43893677a572fa95be38

SHA1
69e8b6d96cd4a696b05e0134613f142a7e69bff6

SHA256
e530058dc47a1440e15d65bc073de8077b191c42fc43875fcf3010d883cb2adc

SHA512
ffbde4fcd9ff5fe40782be3770a3f43396ccf2b5b4ec21d17ba2768bff0bcd001f71194c32e924e4b785bad277123ade5d7b4acd1d3af1657d500285cdeb66dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLorO71.exe
Filesize
582KB

MD5
b8862a816b0ebf13894d3cb9203030d1

SHA1
c5da30742deb0bfee95fe43b3b35c5bb00b16d87

SHA256
684e8c37549e58e744794725a043a23201f760bad0deb7677b0457bc39f88887

SHA512
d910415ebdbccdcbff488ef1e5f6cec49cd84bfd471cbeee25a2b3b97d7a7f3e259b0e8ea8ed3d23a6b97e603619e8affa7891826dd6efb7162b8572ead3f0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLorO71.exe
Filesize
582KB

MD5
b8862a816b0ebf13894d3cb9203030d1

SHA1
c5da30742deb0bfee95fe43b3b35c5bb00b16d87

SHA256
684e8c37549e58e744794725a043a23201f760bad0deb7677b0457bc39f88887

SHA512
d910415ebdbccdcbff488ef1e5f6cec49cd84bfd471cbeee25a2b3b97d7a7f3e259b0e8ea8ed3d23a6b97e603619e8affa7891826dd6efb7162b8572ead3f0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za571665.exe
Filesize
862KB

MD5
66395e26e84dc21c79985fd3a139b5e3

SHA1
1b1307f6ce9ae56ee22c90cc5e8289be72d8fbc3

SHA256
7e7cfe0ed4d33db41b4fd83d2d26c2338c62ec4583f5c7bc5aef1fb8bd181030

SHA512
cb0dbf34779e21c1750f2288a8d7daee18382616848ca30271492b92730c9d7ca222ed185e9c4f921bf1d0b475d6077f9eb9f437dbf1a3f996763d5804d982c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za571665.exe
Filesize
862KB

MD5
66395e26e84dc21c79985fd3a139b5e3

SHA1
1b1307f6ce9ae56ee22c90cc5e8289be72d8fbc3

SHA256
7e7cfe0ed4d33db41b4fd83d2d26c2338c62ec4583f5c7bc5aef1fb8bd181030

SHA512
cb0dbf34779e21c1750f2288a8d7daee18382616848ca30271492b92730c9d7ca222ed185e9c4f921bf1d0b475d6077f9eb9f437dbf1a3f996763d5804d982c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61MO23.exe
Filesize
229KB

MD5
ce5803218604f5a7b5843e7be82c5204

SHA1
cbfb0b33c881d6e517467a7a83cd9ae9ebab7bef

SHA256
e05d02b51e01f68d1e86dd95d004c27025ecdc4fcb38b972934ad12053c627f0

SHA512
49bd7f638d43e20a7eb377faee36e940bfb0c6e3dddcd20dd7ce092700c29a61c4254113728d7d886aa1011e2d02082f3fdd214952521f7faf351bb8c548cc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61MO23.exe
Filesize
229KB

MD5
ce5803218604f5a7b5843e7be82c5204

SHA1
cbfb0b33c881d6e517467a7a83cd9ae9ebab7bef

SHA256
e05d02b51e01f68d1e86dd95d004c27025ecdc4fcb38b972934ad12053c627f0

SHA512
49bd7f638d43e20a7eb377faee36e940bfb0c6e3dddcd20dd7ce092700c29a61c4254113728d7d886aa1011e2d02082f3fdd214952521f7faf351bb8c548cc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za966696.exe
Filesize
679KB

MD5
937f6dedf6857f63d25fcba51be5814c

SHA1
38491ffc15c92cca4980309276a18801d631db89

SHA256
0543b203b2304754d6ee2ac1786f79891949767ff1682ea0a0b30e1ec6528e28

SHA512
8870fa67cf45b8ff3390d09f9751096ba5d18a9855db87baef84e2ebe636be1155fdcecdfde27091a2a75d0c12926544d8edbf5f67e3bbf8d92431b83fdbc6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za966696.exe
Filesize
679KB

MD5
937f6dedf6857f63d25fcba51be5814c

SHA1
38491ffc15c92cca4980309276a18801d631db89

SHA256
0543b203b2304754d6ee2ac1786f79891949767ff1682ea0a0b30e1ec6528e28

SHA512
8870fa67cf45b8ff3390d09f9751096ba5d18a9855db87baef84e2ebe636be1155fdcecdfde27091a2a75d0c12926544d8edbf5f67e3bbf8d92431b83fdbc6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\26628038.exe
Filesize
301KB

MD5
e7b0bcef13515391e5b51b1b2844714b

SHA1
bca78d7c9224224dbe5912f7f1a57d33f9c46b99

SHA256
abd9b763cd3ae279fff255957be9f44831f1a8cf26eda089de5e9e1684d22783

SHA512
3c4af3b85745d9360889aa5417cf35b0b4a56ae5bbec512d6700acd88dca273238a78db31bd772907c3ebaf51d7f264078d884ddcb440f0a0b3598d68cfe2a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\26628038.exe
Filesize
301KB

MD5
e7b0bcef13515391e5b51b1b2844714b

SHA1
bca78d7c9224224dbe5912f7f1a57d33f9c46b99

SHA256
abd9b763cd3ae279fff255957be9f44831f1a8cf26eda089de5e9e1684d22783

SHA512
3c4af3b85745d9360889aa5417cf35b0b4a56ae5bbec512d6700acd88dca273238a78db31bd772907c3ebaf51d7f264078d884ddcb440f0a0b3598d68cfe2a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u14115753.exe
Filesize
521KB

MD5
5ba11eccd1e4cbdd689ac719f33317b2

SHA1
8aea6cb401a737b36463ffc64ee32625d1bb6165

SHA256
4d8e85653b120795e233db5833504b1826d51990ec07178a19921ba286282535

SHA512
a9449254bac0b5418dc20555970d2c2235ffe23e12b5078fba46924b33c15caf9540ec5b8d17eb26f0600693cc2f38c5532e765b3ac87e84bd23029fbd536c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u14115753.exe
Filesize
521KB

MD5
5ba11eccd1e4cbdd689ac719f33317b2

SHA1
8aea6cb401a737b36463ffc64ee32625d1bb6165

SHA256
4d8e85653b120795e233db5833504b1826d51990ec07178a19921ba286282535

SHA512
a9449254bac0b5418dc20555970d2c2235ffe23e12b5078fba46924b33c15caf9540ec5b8d17eb26f0600693cc2f38c5532e765b3ac87e84bd23029fbd536c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\00000#Cancer
Filesize
101KB

MD5
d4c65e691f5a42538b02417f60c042be

SHA1
7726b2bd52dc94a9d3e79f2e82e92dd8820997ad

SHA256
d71b5a80bc3d6fce71c6fc6efb62542bd5536d7d3805d92067a29f512bd12c33

SHA512
e487f30b27b178a09d381802767f7425d63e6538bc9b0d5406ea39cf7f7c2c586d53850e460b897a49014b61e75ffbe817b4a93b9460a18ed89d223048dab62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\00001#Foto
Filesize
199KB

MD5
60ad6b661b7d878936b63c39e7d94555

SHA1
655ca3b2c75ad015a02470c92e8d7b9d58541524

SHA256
650f797d33d5ecf29e1876324de2507a3b97cad3cc00c1e25ff02420a2e4e70e

SHA512
f44b3d36f26666c079354085471d44b2838c24553fd0797e12c3c96b14794aa24073574379e1e0abce3b38aaaa179dd1bf05c51ca3831aff82c90fe6699cc606

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\00002#Gp
Filesize
74KB

MD5
4f39ba8b1c907e52d53215ea79a1896f

SHA1
975c70c4973697cce66c149a00cc8b20e79526be

SHA256
ace9abce7314ca6736b6b6acf5a1f96c7d24f7764678f99ffb795a897a6e7bf2

SHA512
e862921fbad7a8118a1c12f1c9ca33b7f41251b69b0dc48dcbf3c40350174f5db8946c75797b0042e3d9633821b66e523212a1998a901f712bc8b0053d1e7572

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\00003#Management
Filesize
154KB

MD5
b0525ab549845919679f78453f554c1f

SHA1
3d2179acba0634cc71003502923c3a4a52b31d14

SHA256
31c86eb615672da32e64560553d46cb18c25e7ea794e4637cfac3c4be0a9fb47

SHA512
b983c3517cf878e99ad94d0227c25edb52e82c5ead93c7cbfa6ea2543d483db20be2f210029237131e8e5517497e910abcdb119edf88cdb7eac9e61c4f2a3087

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\00004#Piece
Filesize
43KB

MD5
bf7a0cdf40d3aa9fc94c9accd73298d2

SHA1
a049a7323a8468d1bbd3e96a1ace4266fce4429c

SHA256
96eab71166cc7df7ec1eae988487d76d463c080f1da98b194bc60a1701e5d3ae

SHA512
6a0eb5de2f23ff986c90835b7b24e5299fdb882186bcc88fece6a6a4363871dda00b8313ee729557778cf4c14456e9c25d79108be35f31df1d9b697f5d89009e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\00005#Prototype
Filesize
33KB

MD5
ad1b6b16c6c6c23f01288183183ed0c1

SHA1
b60363ebd25d9953f202423b34e0c81fa24dafb6

SHA256
94fca15d4913ccc5955aef8942cb475306a6815190fe27ff742b40a808ff860e

SHA512
d461bf0dd5b20b1cb5dc07128be156b3ab144607c5794956635ca7ce90a2d643d539b2f6dd063c8889e01e074db74cacd41940a3d3bb53cd2406f77f0ccac6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\00006#Stands
Filesize
1.2MB

MD5
4a1f67fc0cacc5cf1c9ab1ab05e25ec6

SHA1
e955600ae7c0f6bec15a4126f1be10acc6a6b875

SHA256
ed299bf8533de2b3f0965295aa5be53e8486dfa0887e20de0b4c6c2fd3b30b4b

SHA512
e0f1a52209c13937afcdb954e59daba04d80f82cba702788e1d6d359f2e4dd189d01455f32a167b6014c68e5d670686d2ace1bfea0b8c31b3c91f2f052669675

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\00007#Sue
Filesize
157KB

MD5
f51e203d3f2ac1e4f6ed5a89f5805fcb

SHA1
76195a680f2e178c03d35719a0adc776fe901289

SHA256
c6a7beb722fefad0a7f6f2057cbfda9a8cec198e56f2946191aeb9de7578b2ca

SHA512
8c2ab71bf608066d3a63cdac2924d8a6d6c983e8257aed07691f5dace70442de5e72ba0f3bfe8b6395314178ddde219ca5005e65aed305165a06cae2dba16bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\00008#Welfare
Filesize
54KB

MD5
f5802553964d59c3874a7ea7f0313c68

SHA1
106f605a2e7704cb8341b27ca982f5f70d09bc0f

SHA256
35cc1497dc397cf46815bfb41953a134170bbea3fd0d5178ca45b6bbb01084f9

SHA512
8f495fc3ceda40788b3dc7a2eec223e3d40b5edf1ff4ed159f20a256f1ba71d8baba135b3b1bf9f6f07851dc99bd4e29fd2af1bc7984bccca4fc390c0fc83b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\00009#Wines
Filesize
110KB

MD5
31ae6922272bfd6c6a863b679940d005

SHA1
df93b1021c3bb2087b249a82d4cbcd599659fcd6

SHA256
77031c9bf9a778abef4672a2b749dd7fb662a29b3e69ea391fe04dd4944601d8

SHA512
f0765279accdefbf611088e92433d258700bc97d28468b6cbd34c1be5b7cf27a54763009214bd4ce052c4bec87debd9464e2f040028fba40fb32da20d82669bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\00010#Yugoslavia
Filesize
15KB

MD5
9852c7adb40127bf8e29ae2346482129

SHA1
d5decd97f329dc62f824a17b204a214a83a1292b

SHA256
85ad2b1fd775ecd859922d5550f76f87f8e8e9dd84d878ee786450a8aefee1ac

SHA512
0a89fa89340df63de408b106ac4503a649ac2bf60978f40452263b8690d81cedf9d812e4b71988a84e6fdb36fdd8dfc0ec30a78d1df2f0cb044b7afa3accc56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\Engine.exe
Filesize
1.3MB

MD5
e4656c54b03a03f816ab33101a324cdc

SHA1
48cd8d9c5a20d36362214d727e184fe4e0075d4f

SHA256
bb998a1e5e162c305a942ade944230c62b0e3bfe347a2a30c33af497109467ba

SHA512
c2980491ab8417feddb609391e14b8f662182f2ca28af47902b74687ac420d8fb2aee4ea9df858668a7affa03c799b2a478213d5629444e9276147096110f7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\Engine.exe
Filesize
1.3MB

MD5
e4656c54b03a03f816ab33101a324cdc

SHA1
48cd8d9c5a20d36362214d727e184fe4e0075d4f

SHA256
bb998a1e5e162c305a942ade944230c62b0e3bfe347a2a30c33af497109467ba

SHA512
c2980491ab8417feddb609391e14b8f662182f2ca28af47902b74687ac420d8fb2aee4ea9df858668a7affa03c799b2a478213d5629444e9276147096110f7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\Modern_Icon.bmp
Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3032\Setup.txt
Filesize
2KB

MD5
9f82e028a899fe0dded45d76ed1ed06f

SHA1
fc0e0f3e34451087e28d8c51c486a52934e59d4a

SHA256
3dd4285197d7ad7004789eee6464594666ae8e5d913bec23e57151608bd3b109

SHA512
22d4ad271965c8c5fbe038ead00cb374c299e89f7d669ea7657064e5b3c18f4dc7f9d51b102dc388c6f79e805c7196c085edf6e990e6bb33c41ac36854192b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4w4idpgl.mcm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\27976\Bondage.exe.pif
Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\27976\Bondage.exe.pif
Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\Finding
Filesize
925KB

MD5
f39dff6e12fa4e21277d39149fa7da7e

SHA1
804aa8256d1a98311d737e13ef62db0fa7d15ec0

SHA256
27deb687c50fe4c33b19f43ccb0d4cbdaa8292511df2a93c138d6740862e9fd0

SHA512
cceca80987fcfad926734a7c2ed16919a237ceb02f391fe9de667405f014498b10bcf735547e5ee53f9b146ed56b24db025be285422c53dac2770f1885d31f5c

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73df88d68a4f5e066784d462788cf695

SHA1
e4bfed336848d0b622fa464d40cf4bd9222aab3f

SHA256
f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

SHA512
64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73df88d68a4f5e066784d462788cf695

SHA1
e4bfed336848d0b622fa464d40cf4bd9222aab3f

SHA256
f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

SHA512
64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73df88d68a4f5e066784d462788cf695

SHA1
e4bfed336848d0b622fa464d40cf4bd9222aab3f

SHA256
f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

SHA512
64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini
Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/400-4528-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/400-4527-0x0000000000910000-0x000000000096B000-memory.dmp

Filesize
364KB

Download
memory/400-6686-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/400-6656-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/400-6654-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/400-6652-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/400-6650-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/400-4531-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/400-4530-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/1000-6687-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/1000-6692-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/1288-6766-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/1288-6765-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/1884-6705-0x0000000004A70000-0x0000000004AAC000-memory.dmp

Filesize
240KB

Download
memory/1884-6703-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/1884-6789-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/1884-6680-0x00000000001C0000-0x00000000001EE000-memory.dmp

Filesize
184KB

Download
memory/1884-6696-0x0000000005200000-0x0000000005818000-memory.dmp

Filesize
6.1MB

Download
memory/2056-6750-0x0000000006550000-0x00000000065E6000-memory.dmp

Filesize
600KB

Download
memory/2056-6733-0x00000000026D0000-0x0000000002706000-memory.dmp

Filesize
216KB

Download
memory/2056-6734-0x0000000005140000-0x0000000005768000-memory.dmp

Filesize
6.2MB

Download
memory/2056-6735-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2056-6751-0x00000000064E0000-0x00000000064FA000-memory.dmp

Filesize
104KB

Download
memory/2056-6748-0x0000000005FF0000-0x000000000600E000-memory.dmp

Filesize
120KB

Download
memory/2056-6743-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/2056-6737-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/2056-6752-0x0000000006FD0000-0x0000000006FF2000-memory.dmp

Filesize
136KB

Download
memory/2056-6736-0x0000000005040000-0x0000000005062000-memory.dmp

Filesize
136KB

Download
memory/3488-6700-0x0000000000FC0000-0x0000000000FEE000-memory.dmp

Filesize
184KB

Download
memory/3488-6702-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/3488-6704-0x000000000AD30000-0x000000000AD42000-memory.dmp

Filesize
72KB

Download
memory/3488-6788-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/3488-6701-0x000000000AE00000-0x000000000AF0A000-memory.dmp

Filesize
1.0MB

Download
memory/3720-166-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-163-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-184-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-186-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-188-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-181-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-180-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/3720-190-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-196-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-198-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-194-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-192-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-200-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-202-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-161-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/3720-210-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-178-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-176-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-174-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-172-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-212-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-170-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-168-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-208-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-164-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-214-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-216-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-218-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-220-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-222-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-224-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-204-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-206-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-226-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-2298-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/3720-2295-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/3720-2294-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/3720-182-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/3720-2293-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/3720-228-0x0000000004F80000-0x0000000004FD1000-memory.dmp

Filesize
324KB

Download
memory/3720-162-0x0000000004990000-0x0000000004F34000-memory.dmp

Filesize
5.6MB

Download
memory/4488-2308-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/4524-2471-0x0000000000900000-0x000000000094C000-memory.dmp

Filesize
304KB

Download
memory/4524-2475-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4524-2473-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4524-2477-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4524-4446-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4524-4448-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4524-4449-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4524-4450-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4524-4452-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download