hxxps://github[.]com/disepi/ambrosial/releases/download/1[.]5/Ambrosial[.]exe

max time kernel
32s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2023 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/disepi/ambrosial/releases/download/1.5/Ambrosial.exe

Score

8^/10

agilenet

Malware Config

Signatures

Downloads MZ/PE file

Obfuscated with Agile.Net obfuscator 32 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/3300-407-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-409-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-411-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-413-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-415-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-417-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-419-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-421-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-423-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-425-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-427-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-429-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-431-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-433-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-435-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-437-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-439-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-441-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-443-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-445-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-447-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-449-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-451-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-453-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-455-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-457-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-459-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-461-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-463-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-465-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-467-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net
behavioral1/memory/3300-469-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d93b5b04e245d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{B9CD898C-D949-488D-8978-0F73706EC9EF}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AD1C73E1-0B0E-11EE-8227-EAFFBFCAB687} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1084 iexplore.exe
1084 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1084 iexplore.exe
1084 iexplore.exe
1920 IEXPLORE.EXE
1920 IEXPLORE.EXE

pid	process
1084	iexplore.exe
1084	iexplore.exe

pid	process
1084	iexplore.exe
1084	iexplore.exe
1920	IEXPLORE.EXE
1920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1084 wrote to memory of 1920	1084	iexplore.exe	IEXPLORE.EXE
PID 1084 wrote to memory of 1920	1084	iexplore.exe	IEXPLORE.EXE
PID 1084 wrote to memory of 1920	1084	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/disepi/ambrosial/releases/download/1.5/Ambrosial.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1084 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2660

C:\Users\Admin\Downloads\Ambrosial.exe
"C:\Users\Admin\Downloads\Ambrosial.exe"
1⤵
PID:3300

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
PID:1084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2044
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:3672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.0.72665636\1959893116" -parentBuildID 20221007134813 -prefsHandle 1728 -prefMapHandle 1824 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44fab8bf-c05e-410b-84e8-72aac8b43bf9} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 1916 1b838e18358 gpu
    3⤵
    PID:372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.1.2030335745\1367993628" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55d0723e-12b8-4dea-8222-b6d1225577b7} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 2316 1b82ae72e58 socket
    3⤵
    PID:3620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.2.1691074808\1184787681" -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 2932 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {389b8f11-d78d-471f-8919-8e492b622ebe} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 3028 1b83bbf8558 tab
    3⤵
    PID:4120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.3.227057678\2124072822" -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3608 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f625aca4-3bc0-4c31-93e2-7fe3c28957c1} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 3624 1b83b5a3258 tab
    3⤵
    PID:4188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.4.1227747399\1412187769" -childID 3 -isForBrowser -prefsHandle 4276 -prefMapHandle 4268 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5405268-93cd-43f8-939d-b11162e5b18f} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 3644 1b83d432d58 tab
    3⤵
    PID:3780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.5.2080061062\2085921851" -childID 4 -isForBrowser -prefsHandle 4996 -prefMapHandle 4964 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {919ce07a-7290-415e-b06a-7565e06927db} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 4916 1b83f23b558 tab
    3⤵
    PID:464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.8.781435779\420662100" -childID 7 -isForBrowser -prefsHandle 5896 -prefMapHandle 5892 -prefsLen 26849 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88f219d1-0eed-4b80-9ed8-bd55fb5cd567} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 5812 1b83deae258 tab
    3⤵
    PID:2456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.7.1983709922\626242854" -childID 6 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 26849 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b56e022-0444-477c-84cf-98d9bfb69ab0} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 5548 1b83deb1258 tab
    3⤵
    PID:3064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.6.1940774973\996575682" -childID 5 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 26849 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6d6ab40-5d65-48f5-8594-d1a5594c6bf7} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 5472 1b83ced8958 tab
    3⤵
    PID:1952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.9.43030641\339877786" -childID 8 -isForBrowser -prefsHandle 5848 -prefMapHandle 5852 -prefsLen 27114 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4642c0d6-3817-49de-a43f-2e06f393f2fe} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 5840 1b83dcc1258 tab
    3⤵
    PID:4508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Ambrosial\assets\clients\1.19.3004.0\Zephyr Classic\launcherAssets\ProjectHalcyon.png

Filesize
54KB

MD5
cf4b10cab822fb4e563d5c1fc7757a30

SHA1
57328884b3e1ebf4eaeb4715a33bf93a52c95d53

SHA256
abb9e95c2b6bf7f7fad5f483b9e3e746bbca54a82ff79009d0760dcd2ff013cc

SHA512
f0607ac012b3e86a56f63b9778bde661424e56b3b048f24c8d82b693fe673e860bf0225863f4f71915a1c8c5c83f3caa0de796a0059860d62e378e0b98135eb0

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\log.txt

Filesize
1KB

MD5
10cbe938fc5cce695e9e6fb344065d21

SHA1
f4f20ec8aed96dcfe7da3c0349f17e98e0270dee

SHA256
af204bd1ef777763574c4db83a0e18655d92c32d4a8bfb88efff282f7fc6474a

SHA512
2d9c7752d2f25130e268f351d9fec36cf811471b8d96f0c4569c824ba9054bd9f207c39418e727b6ba0d4d97cf769bf3e9a68e0356552609e01e5e5d0b12b1b5

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\log.txt

Filesize
3KB

MD5
924b0a28e64db4ed0c0642e30e03647f

SHA1
a1ba5bfd80b6077e1345fb8e5874ba402d1bbbbd

SHA256
039cea723a4a4de57fd226b122f2724bc74dac9440ca67b3c625bd1fe9c68938

SHA512
f9725fd6c50120c6b9a3e3fc3526e47472b755c1e387195a14600c64b67d655a791f792fed25c50de568433fecd70f954f6173e5aed03ab6d1110b0da66ae734

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\log.txt

Filesize
3KB

MD5
994dee65d231fd2da48ee2205e6a9cbb

SHA1
fa6c68c23f26d3c21144821692f40517e4242acc

SHA256
befa594219c4a564697f677f05d22514dfda7efbf4b627cc90f8f815de3750e2

SHA512
02d048684d2809bf0f7de1e743d974029a1896f6f94199687b24dc3ab20b3841047efca4b280c6291eb2b2a1dd730c4e9d02a2e1734bee7894f170793ca16774

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\log.txt

Filesize
4KB

MD5
a1bf5e6569f3c55988a7f9a2aad4e512

SHA1
c1deb53ef5f2ca46a9b89cd6244bbae1f37c9c58

SHA256
7e835d9c7bd0d1de9f7faf6648c844f91e16c65796865a0611fec0adad52d574

SHA512
cf4617153e98b084592f847d454e640a19ec479f8cc579107478b438303a3c1ccf9cb0256f793b69436df843c8cf6413e247f5cf5397afb74490b3ade9ec1bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\Ambrosial[1].exe

Filesize
15.9MB

MD5
596b0f4684d45de83c204967c06e48a3

SHA1
933dc2dc29a17a9447c944289fed4f98e0eb5e5f

SHA256
6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

SHA512
8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\activity-stream.discovery_stream.json.tmp

Filesize
155KB

MD5
c5a3735c1d2a5fae1f7088719050ae1e

SHA1
3c44f3562a854954205b6468d864c8782a1dfd52

SHA256
80ca9243c38d6df5fb29a306f0e2b2610d8af254a6e3357b15add99afab5c287

SHA512
0da9265cf648bee152a6f89f9b8075cb6e3545863b07e060c2eb51d01abbda63f79bb0f5adda6d4f2540e10d37cf032c0ed9f8de6ee60860cc3aa0fe9ef0383c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\safebrowsing-updating\ads-track-digest256-1.vlpset

Filesize
54KB

MD5
4f9ef3d3a71d4cb49e623e3f4b7b1162

SHA1
c2d65973b44b051d043475e9387fa7100514acbd

SHA256
48ae004f3c542ac764dd5a1e894918ec4b250b5c1f7209256c191cae13106b1f

SHA512
f7017204ad37ceedbff4e8b58ab4edac75748d2f36693e59ea9d9157f637d29b53c6405d994ac9fc62712f2574013e95c4817ff49229c78dcc23cac805b13ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll

Filesize
142KB

MD5
9c43f77cb7cff27cb47ed67babe3eda5

SHA1
b0400cf68249369d21de86bd26bb84ccffd47c43

SHA256
f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

SHA512
cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll

Filesize
142KB

MD5
9c43f77cb7cff27cb47ed67babe3eda5

SHA1
b0400cf68249369d21de86bd26bb84ccffd47c43

SHA256
f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

SHA512
cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
eed86de2799a6253376478061e3fb2e3

SHA1
40d1c0e677e72cd9387ad4576d55da718105e222

SHA256
700d1c704e2ea08d025acbaa10d302ea36f20cd0c60d83fe29b33cabfc53f903

SHA512
a2c0af35561b4cc9544101290d7e44a959ae9d88a1a1d2c9fbfb3740df068689c9b31283174befa0c6434c2618b43af5e3adbbd50c01a02d8af25226f49ae944

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
7KB

MD5
75c8879e9892b1c8b038254da6e7abf6

SHA1
887225401772a8ff0abfcfa96fc47ff5cb85b887

SHA256
9eb5b0479e23ed5c2dac74260d01b22c440d8758b26abd340f6e0adc088d4826

SHA512
6e5bdc09da3943f02faa366ee11c114eae8864e515bced1bb0382681450c1252011b988fea3f706f4ab1d502e6d9458c05f417a47fd3b61d00ec75a6e9201b0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js

Filesize
6KB

MD5
fcd5f37e5e4066f7cffe8eb106b6ce19

SHA1
b0a1c4d3d5c96271429fb09cb71055d177c13402

SHA256
38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

SHA512
afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js

Filesize
6KB

MD5
083a9841791adb554ef3e16cd07d6695

SHA1
6de51dd8ef565060e66e0455cfc4686519fd500f

SHA256
dd618663301a874a3af9810c7b25e602159af05a41f97629602d3b7b0880fc6d

SHA512
49ac9d2a2d887a71619566f4225690984cf1eec1f0caa02cf9dd4f9db29de1b480573390a4c82f52e4b0c8395423f2bd6201d514e5c70a961b12da374349f07c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
a46531bdfe286542cf31d5c89a560091

SHA1
e3e9177d4043ddd72876990d57cbaf709fd6c03a

SHA256
3823537ee478f3dbaf88787f9d72e72219bb31842063758d1e68142bacfd5cfd

SHA512
e382f72c4185675f3a12f0844ecf58cb7724a2741d36ee59014f6ec3293c931e04d8a974c251a8849e3132276704c07afcd230325746f9af18f7dd0430595c40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
ef04fede82d8d5256dee67fc1ebb733c

SHA1
6c637deedeed9832b143429485d704898dceded8

SHA256
1834aa5af89e9a253cd59f0e3ee6e9965ec33d5a053afaed13149bae1c01a81c

SHA512
6e1a572e17029e179b9b57168f22e2fa3976a4ae6790aa336e17cf354a8cde2e54b83af2ccbf14520eb3d5591e14c57387846f55675cbb0949c2dc5c0cbe7ab8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
a13507a61ec0fa5f2b1f0d8b92ce7080

SHA1
0b1a02fda3d93461e8ee73320ea0f7de156d5646

SHA256
b44dd8c9aa20d92d2d3c013232f75e711c50cc9bc354ee6425ea56dcb5b50fb6

SHA512
1222e486167c055fa6f8ac727bfadcec786c39bc3d1973b971c45c77bf31274018234fe7444dc9dc00a6712593303d7c3a6ee0487fb20a6f115e7b4df99bf966

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
7f54914f4d9f338a05f27b0f111241eb

SHA1
1f653ef256ab7410ea7119fdfc1ef05daf4f4f09

SHA256
e3cd2bf84209740683e10f29a5ba3ed1c7a232c2ad364aea710928b7f7cb0074

SHA512
89690eaba716444b454e09956c8a9b9534c466f898c9afa75529aec4c5c4134f0ba8cce66f9c1e801327a32472d69a5dbccee66dd21b4c29cde188af35d1fe56

Download Submit
C:\Users\Admin\Downloads\Ambrosial.exe

Filesize
15.9MB

MD5
596b0f4684d45de83c204967c06e48a3

SHA1
933dc2dc29a17a9447c944289fed4f98e0eb5e5f

SHA256
6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

SHA512
8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

Download Submit
C:\Users\Admin\Downloads\Ambrosial.exe.ja35wbn.partial

Filesize
15.9MB

MD5
596b0f4684d45de83c204967c06e48a3

SHA1
933dc2dc29a17a9447c944289fed4f98e0eb5e5f

SHA256
6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

SHA512
8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

Download Submit
C:\Users\Admin\Downloads\Azonix.otf

Filesize
11KB

MD5
cdfe47b31e9184a55cf02eef1baf7240

SHA1
b8825c605434d572f5277be0283d5a9b2cde59e4

SHA256
51a65e5c09bf27980adf640cb54cb2a5bbb217fdaab79b377e158f92533362a9

SHA512
a2e5141c0f7ca72bcf5b1a303fce1734953d83ad363d4c3c7d8786e1bfd872a6b96eeabce3740b547a5447e255415cdf688a0d2074cecfaa0c54c49d0f2882c5

Download Submit
C:\Users\Admin\Downloads\memz-trojan.qove7dp7.zip.part

Filesize
47KB

MD5
c31e52bf196d6936910fa3dff6b6031e

SHA1
405a89972d416d292b247fd70bbc080c3003b5e6

SHA256
8b47e773a782361209f8adacc8d6aeefb595e1c13ae6813df7de01c20a15c91e

SHA512
a5335c7d3beafdefa6cb1a459736615ca0151fa2e64dafb78de65aa4b924068ad0dc55c70a5317be19edeb899f94ea02e2e54279933b87828ebe86ef95f13291

Download Submit
C:\WINDOWS\FONTS\AZONIX.OTF

Filesize
11KB

MD5
cdfe47b31e9184a55cf02eef1baf7240

SHA1
b8825c605434d572f5277be0283d5a9b2cde59e4

SHA256
51a65e5c09bf27980adf640cb54cb2a5bbb217fdaab79b377e158f92533362a9

SHA512
a2e5141c0f7ca72bcf5b1a303fce1734953d83ad363d4c3c7d8786e1bfd872a6b96eeabce3740b547a5447e255415cdf688a0d2074cecfaa0c54c49d0f2882c5

Download Submit
C:\WINDOWS\FONTS\OPENSANSLIGHT.TTF

Filesize
217KB

MD5
1bf71be111189e76987a4bb9b3115cb7

SHA1
40442c189568184b6e6c27a25d69f14d91b65039

SHA256
cf5f5184c1441a1660aa52526328e9d5c2793e77b6d8d3a3ad654bdb07ab8424

SHA512
cb18b69e98a194af5e3e3d982a75254f3a20bd94c68816a15f38870b9be616cef0c32033f253219cca9146b2b419dd6df28cc4ceeff80d01f400aa0ed101e061

Download Submit
C:\Windows\Fonts\OpenSansLight.ttf

Filesize
217KB

MD5
1bf71be111189e76987a4bb9b3115cb7

SHA1
40442c189568184b6e6c27a25d69f14d91b65039

SHA256
cf5f5184c1441a1660aa52526328e9d5c2793e77b6d8d3a3ad654bdb07ab8424

SHA512
cb18b69e98a194af5e3e3d982a75254f3a20bd94c68816a15f38870b9be616cef0c32033f253219cca9146b2b419dd6df28cc4ceeff80d01f400aa0ed101e061

Download Submit
memory/3300-435-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-459-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-425-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-427-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-429-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-431-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-433-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-421-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-437-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-439-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-441-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-443-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-445-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-447-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-449-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-451-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-453-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-455-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-457-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-423-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-461-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-463-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-465-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-467-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-469-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-479-0x000001DF5B8E0000-0x000001DF5B8F0000-memory.dmp

Filesize
64KB

Download
memory/3300-869-0x00007FFD1F4F0000-0x00007FFD1F517000-memory.dmp

Filesize
156KB

Download
memory/3300-419-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-417-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-415-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-413-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-411-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-409-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-408-0x00007FFD1F4F0000-0x00007FFD1F517000-memory.dmp

Filesize
156KB

Download
memory/3300-407-0x000001DF5D2E0000-0x000001DF5D4C4000-memory.dmp

Filesize
1.9MB

Download
memory/3300-406-0x00007FFD1F210000-0x00007FFD1F35E000-memory.dmp

Filesize
1.3MB

Download
memory/3300-198-0x000001DF42F70000-0x000001DF42F92000-memory.dmp

Filesize
136KB

Download
memory/3300-186-0x000001DF5B8E0000-0x000001DF5B8F0000-memory.dmp

Filesize
64KB

Download
memory/3300-168-0x000001DF41660000-0x000001DF4167A000-memory.dmp

Filesize
104KB

Download
memory/3300-167-0x000001DF40260000-0x000001DF4124A000-memory.dmp

Filesize
15.9MB

Download