amadey | 74c6f240e2155ef7e20d2fb7fb31243b0ec4c061961cb1ada6f70593986f799c

Analysis

max time kernel
16s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4.exe
Size

791KB
MD5

b5ee067743155c953eb9b6426ede5062
SHA1

0725e7b508a48778c10a06c446845b0571480716
SHA256

f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4
SHA512

22afde42ebe8662746ba3c879a4978caf096e4b23503a12b3c74d32f80c2c647927bb458505071868ceb43f5eefcc026638ec124e85742cd7c395ddde48f0db5
SSDEEP

24576:nG12J/IT4nTwQo6icoEC2fWnDxeCym1+RY:+30nTlfoEjOnNQmA

Score

10^/10

amadey redline risepro xmrig zgrat 2024 @oleh_ps @pixelscloud @rlreborn cloud tg: @fatherofcarders)discovery evasion infostealer miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

risepro

65.109.90.47:50500

193.233.132.62:50500

Extracted

Family

amadey

http://185.215.113.68

Attributes

strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

2024

195.20.16.103:20440

Extracted

Family

redline

Botnet

@oleh_ps

185.172.128.33:8924

Extracted

Family

amadey

Version

4.17

http://5.42.64.4

Attributes

install_dir
a0b3b7d4a5
install_file
Dctooux.exe
strings_key
be8779cf0e6231090471d1ca85ec4a38
url_paths
/jPdsj3d4M/index.php

rc4.plain

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

141.95.211.148:46011

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.230:13781

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000812001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000812001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000812001\fsdfsfsfs.exe	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5088-117-0x0000000004B00000-0x0000000004B3E000-memory.dmp	family_redline
behavioral2/memory/5088-110-0x00000000025C0000-0x0000000002602000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000802001\2024.exe	family_redline
behavioral2/memory/4244-308-0x0000000000D50000-0x0000000000DA2000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000802001\2024.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000802001\2024.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000808001\MONTHRDX.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000808001\MONTHRDX.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000808001\MONTHRDX.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000811001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000811001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000811001\sadsadsadsa.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

lada.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ lada.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lada.exe

XMRig Miner payload 18 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2364-168-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2364-171-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2364-173-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2364-175-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2364-169-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2364-193-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2364-192-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2364-217-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2364-218-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2364-216-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4640-270-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4640-271-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4640-273-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4640-275-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4640-278-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4640-276-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4640-274-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4640-290-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lada.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lada.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lada.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4.exeexplorhe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	explorhe.exe

Executes dropped EXE 7 IoCs

Processes:

explorhe.exeplata.exe1234pixxxx.exelada.exeleg221.exeredline1234.exeWerFault.exe

pid process

3712 explorhe.exe
1400 plata.exe
3604 1234pixxxx.exe
2200 lada.exe
5088 leg221.exe
4908 redline1234.exe
1244 WerFault.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

lada.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine lada.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3712	explorhe.exe
1400	plata.exe
3604	1234pixxxx.exe
2200	lada.exe
5088	leg221.exe
4908	redline1234.exe
1244	WerFault.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine	lada.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2364-164-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-167-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-168-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-171-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-173-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-174-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-175-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-172-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-169-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-166-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-165-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-163-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-193-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-192-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-214-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-217-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-218-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2364-216-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorhe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lada.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000778001\\lada.exe"	explorhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plata.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000674001\\plata.exe"	explorhe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

plata.exeexplorhe.exelada.exe

pid process

1400 plata.exe
3712 explorhe.exe
2200 lada.exe
1400 plata.exe
3712 explorhe.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1244 set thread context of 2364 1244 WerFault.exe explorer.exe
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3028 sc.exe
4772 sc.exe
4460 sc.exe
2476 sc.exe
1712 sc.exe
3176 sc.exe
5076 sc.exe
4580 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1400	plata.exe
3712	explorhe.exe
2200	lada.exe
1400	plata.exe
3712	explorhe.exe

description	pid	process	target process
PID 1244 set thread context of 2364	1244	WerFault.exe	explorer.exe

pid	process
3028	sc.exe
4772	sc.exe
4460	sc.exe
2476	sc.exe
1712	sc.exe
3176	sc.exe
5076	sc.exe
4580	sc.exe

Program crash 33 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3896	3044	WerFault.exe	55555.exe
1836	2132	WerFault.exe	RegAsm.exe
3132	2132	WerFault.exe	RegAsm.exe
4604	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
1544	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
2180	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
4600	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
1480	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
3904	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
3908	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
4852	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
4724	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
2672	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
3104	4952	WerFault.exe	toolspub1.exe
2112	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
532	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
1332	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
4656	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
3448	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
4024	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
1916	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
2672	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
3592	5000	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
3904	5044	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
3416	5044	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
4552	5044	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
4412	5044	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
3968	5044	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
1412	5044	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
1008	5044	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
2084	5044	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
4272	5044	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
540	2276	WerFault.exe	nsx16EB.tmp

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2284 schtasks.exe
3004 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5032 timeout.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

lada.exeleg221.exeredline1234.exeWerFault.exe

pid process

2200 lada.exe
2200 lada.exe
5088 leg221.exe
4908 redline1234.exe
4908 redline1234.exe
4908 redline1234.exe
4908 redline1234.exe
1244 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

leg221.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 5088 leg221.exe
Token: SeLockMemoryPrivilege 2364 explorer.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4.exeexplorhe.exeplata.exe

pid process

1536 f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4.exe
3712 explorhe.exe
1400 plata.exe

pid	process
2284	schtasks.exe
3004	schtasks.exe

pid	process
5032	timeout.exe

pid	process
2200	lada.exe
2200	lada.exe
5088	leg221.exe
4908	redline1234.exe
4908	redline1234.exe
4908	redline1234.exe
4908	redline1234.exe
1244	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	5088	leg221.exe
Token: SeLockMemoryPrivilege	2364	explorer.exe

pid	process
1536	f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4.exe
3712	explorhe.exe
1400	plata.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4.exeexplorhe.exeWerFault.exe

description	pid	process	target process
PID 1536 wrote to memory of 3712	1536	f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4.exe	explorhe.exe
PID 1536 wrote to memory of 3712	1536	f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4.exe	explorhe.exe
PID 1536 wrote to memory of 3712	1536	f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4.exe	explorhe.exe
PID 3712 wrote to memory of 3004	3712	explorhe.exe	schtasks.exe
PID 3712 wrote to memory of 3004	3712	explorhe.exe	schtasks.exe
PID 3712 wrote to memory of 3004	3712	explorhe.exe	schtasks.exe
PID 3712 wrote to memory of 1400	3712	explorhe.exe	plata.exe
PID 3712 wrote to memory of 1400	3712	explorhe.exe	plata.exe
PID 3712 wrote to memory of 1400	3712	explorhe.exe	plata.exe
PID 3712 wrote to memory of 3604	3712	explorhe.exe	1234pixxxx.exe
PID 3712 wrote to memory of 3604	3712	explorhe.exe	1234pixxxx.exe
PID 3712 wrote to memory of 3604	3712	explorhe.exe	1234pixxxx.exe
PID 3712 wrote to memory of 2200	3712	explorhe.exe	lada.exe
PID 3712 wrote to memory of 2200	3712	explorhe.exe	lada.exe
PID 3712 wrote to memory of 2200	3712	explorhe.exe	lada.exe
PID 3712 wrote to memory of 5088	3712	explorhe.exe	leg221.exe
PID 3712 wrote to memory of 5088	3712	explorhe.exe	leg221.exe
PID 3712 wrote to memory of 5088	3712	explorhe.exe	leg221.exe
PID 3712 wrote to memory of 4908	3712	explorhe.exe	redline1234.exe
PID 3712 wrote to memory of 4908	3712	explorhe.exe	redline1234.exe
PID 1244 wrote to memory of 2364	1244	WerFault.exe	explorer.exe
PID 1244 wrote to memory of 2364	1244	WerFault.exe	explorer.exe
PID 1244 wrote to memory of 2364	1244	WerFault.exe	explorer.exe
PID 1244 wrote to memory of 2364	1244	WerFault.exe	explorer.exe
PID 1244 wrote to memory of 2364	1244	WerFault.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4.exe
"C:\Users\Admin\AppData\Local\Temp\f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:3004

C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
"C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"
3⤵
- Executes dropped EXE
PID:3604

C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
"C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2200

C:\Users\Admin\AppData\Local\Temp\1000798001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000798001\leg221.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
4⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\1000800001\redline1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000800001\redline1234.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4908

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ACULXOBT"
4⤵
- Launches sc.exe
PID:5076

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:4580

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
4⤵
- Launches sc.exe
PID:3028

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ACULXOBT"
4⤵
- Launches sc.exe
PID:4772

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\1000801001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000801001\moto.exe"
3⤵
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000801001\moto.exe"
4⤵
PID:4280

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2276

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Launches sc.exe
PID:4460

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:2476

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
PID:1712

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Launches sc.exe
PID:3176

C:\Users\Admin\AppData\Local\Temp\1000802001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000802001\2024.exe"
3⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\1000803001\55555.exe
"C:\Users\Admin\AppData\Local\Temp\1000803001\55555.exe"
3⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1124
4⤵
- Program crash
PID:3896

C:\Users\Admin\AppData\Local\Temp\1000804001\mrk1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000804001\mrk1234.exe"
3⤵
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 1172
5⤵
- Program crash
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 1168
5⤵
- Program crash
PID:3132

C:\Users\Admin\AppData\Local\Temp\1000805001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000805001\alex.exe"
3⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3796

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
5⤵
PID:2584

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
5⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
5⤵
PID:3896

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\1000806001\rockrunn.exe
"C:\Users\Admin\AppData\Local\Temp\1000806001\rockrunn.exe"
3⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\1000807001\goldklassd.exe
"C:\Users\Admin\AppData\Local\Temp\1000807001\goldklassd.exe"
3⤵
PID:1432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\1000808001\MONTHRDX.exe
"C:\Users\Admin\AppData\Local\Temp\1000808001\MONTHRDX.exe"
3⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\1000809001\1233213123213.exe
"C:\Users\Admin\AppData\Local\Temp\1000809001\1233213123213.exe"
3⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\1000810001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000810001\crypted.exe"
3⤵
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\1000811001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000811001\sadsadsadsa.exe"
3⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\1000812001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000812001\fsdfsfsfs.exe"
3⤵
PID:3696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3916

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
1⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:4372

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:4456

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
PID:4640

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3044 -ip 3044
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3044 -ip 3044
1⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\a0b3b7d4a5\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\a0b3b7d4a5\Dctooux.exe
1⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\1000005001\7b0d48dbbf50fe239f1097f5d01c2a6d.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\7b0d48dbbf50fe239f1097f5d01c2a6d.exe"
2⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 372
3⤵
- Program crash
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 388
3⤵
- Program crash
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 392
3⤵
- Program crash
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 668
3⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 680
3⤵
- Program crash
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 680
3⤵
- Program crash
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 680
3⤵
- Program crash
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 756
3⤵
- Program crash
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 772
3⤵
- Program crash
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 752
3⤵
- Program crash
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 888
3⤵
- Program crash
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 800
3⤵
- Program crash
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 888
3⤵
- Program crash
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 680
3⤵
- Program crash
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 820
3⤵
- Program crash
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 788
3⤵
- Program crash
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 780
3⤵
- Program crash
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 728
3⤵
- Program crash
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 800
3⤵
- Program crash
PID:3592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\1000005001\7b0d48dbbf50fe239f1097f5d01c2a6d.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\7b0d48dbbf50fe239f1097f5d01c2a6d.exe"
3⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 352
4⤵
- Program crash
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 368
4⤵
- Program crash
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 184
4⤵
- Program crash
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 652
4⤵
- Program crash
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 688
4⤵
- Program crash
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 688
4⤵
- Program crash
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 688
4⤵
- Program crash
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 728
4⤵
- Program crash
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 744
4⤵
- Program crash
PID:4272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:4784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:624

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\1000006001\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\InstallSetup9.exe"
2⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
4⤵
PID:1360

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:4904

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
5⤵
- Creates scheduled task(s)
PID:2284

C:\Users\Admin\AppData\Local\Temp\nsx16EB.tmp
C:\Users\Admin\AppData\Local\Temp\nsx16EB.tmp
3⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsx16EB.tmp" & del "C:\ProgramData\*.dll"" & exit
4⤵
PID:3104

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
5⤵
- Delays execution with timeout.exe
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 2368
4⤵
- Program crash
PID:540

C:\Users\Admin\AppData\Local\Temp\1000007001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\toolspub1.exe"
2⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 348
3⤵
- Program crash
PID:3104

C:\Users\Admin\AppData\Local\Temp\1000008001\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\rty25.exe"
2⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\1000009001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\FirstZ.exe"
2⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2132 -ip 2132
1⤵
PID:348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2132 -ip 2132
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5000 -ip 5000
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5000 -ip 5000
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5000 -ip 5000
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5000 -ip 5000
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5000 -ip 5000
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5000 -ip 5000
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5000 -ip 5000
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5000 -ip 5000
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5000 -ip 5000
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5000 -ip 5000
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4952 -ip 4952
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5000 -ip 5000
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5000 -ip 5000
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5000 -ip 5000
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5000 -ip 5000
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5000 -ip 5000
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5000 -ip 5000
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5000 -ip 5000
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5000 -ip 5000
1⤵
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5000 -ip 5000
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5044 -ip 5044
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5044 -ip 5044
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5044 -ip 5044
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5044 -ip 5044
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5044 -ip 5044
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5044 -ip 5044
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5044 -ip 5044
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5044 -ip 5044
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5044 -ip 5044
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2276 -ip 2276
1⤵
PID:3324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
271KB

MD5
a342fd7c8930fc429513d36bad763bf9

SHA1
e8f9bc3e3522ed6511ad531dd44829e604d32f19

SHA256
01226e0cfcbfd8cc22f022674834977e64e085f9cfa03dcb51d4293abf3a9a72

SHA512
3a2ab402729d135c440d3382c20b7fbc4181d7a8d621cc1b6f3da8edaef788617ebb4a439bee47b2a81600daf62659d6b9f1511b98e1a8359bc334c5acaec247

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
130KB

MD5
d2fb79a89a56323c0effcee3eaec2b1d

SHA1
797da9aa28893c1bb2e2e399e5c6d89b21d1ad2e

SHA256
75ea51f9eb6cb4bfc7bfca89203ad18b91f5de44e582e22df1609ba6be17f694

SHA512
fa45d06840c9b79e2c4cf8d6b2199ce7b2ada94196546eabd38f9c6aec758bd7872fbef21c9f5500db45906ea529ce131e4691cdccfb2171a73049b8db663664

Download Submit
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
Filesize
54KB

MD5
89f3055c28ec4436e8a25570f50f1797

SHA1
9a4be739de33f56bf13e82f4cd18c6d2f1591777

SHA256
578153ddeecde52d1cee7221acafe6437cdd8bce364b3fe301afdc0c7ae9f919

SHA512
e58899a7373a9b8313232050b01ec8b7135dc02c6e8a93beddb47699a089477f8cfc8aceff33f4b1b8c879e169bb51fc35294d8477c8733b5f2138d7fb4af88a

Download Submit
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
Filesize
130KB

MD5
5c1307d63e929737d0960c15bbfedd6b

SHA1
893dfd995bd2d69988b0fe4d49eb6c7e01723b5c

SHA256
3b924fb54874f8a3d3634b74d7b6a1c741d3b972ec0b8bd689190fbfaa0db8f4

SHA512
f5515127c40468d39106eb9648dd3d21c4777ba93b77ee2c1d078d12331e698798ebf6c688234557125f6cace891c9794e302204aaa1d2e6792c842e3e4b04a4

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
f57bf6e78035d7f9150292a466c1a82d

SHA1
58cce014a5e6a6c6d08f77b1de4ce48e31bc4331

SHA256
25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415

SHA512
fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\7b0d48dbbf50fe239f1097f5d01c2a6d.exe
Filesize
127KB

MD5
2548b3a9a14a0af573f354b0588c2404

SHA1
0a6cd17ba117f609acd0fa784a46c094ed2f6bd9

SHA256
c8b061beb6fb013b1f5657abd88488e07ac853a6faa6c8955ad76fe8a0ea2f17

SHA512
508f1d6e64693c6a48188c45adc15a925149ea46ecb15ab5a3ba3d1d0ca29810e72c5daea9297ff0a9bb84b5a9f6f63657d67cb90602b55e70b072a6ac928fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\7b0d48dbbf50fe239f1097f5d01c2a6d.exe
Filesize
64KB

MD5
c1ed6df891d35eb3965f999e2f0c1c0f

SHA1
4a3302394e687324f153a4a293b7f367547b3b48

SHA256
186a99e3dae9ef41074e5f03745c0a1b52927d2205ea36440a491f8ff2378947

SHA512
94173be224910821ace65b61453db96b391af6d08b42c957f0016b9f3881a0c1f9d3e4727c4fc1824fef3cc51882d5f6d140cd0f040a3024224d09694e3ece3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\7b0d48dbbf50fe239f1097f5d01c2a6d.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\InstallSetup9.exe
Filesize
76KB

MD5
6700b9c6633da1999e1021d0cd048084

SHA1
9d05b442c49fabb1b78c57c8b6285f651e56ad2c

SHA256
3143bdd75956a1f58f84b0d2fa6a1cd62d33bab307141d7d55abdf4b2ea6a497

SHA512
1fa56f63a02197eb9fe8d527e5c17fe808230dd484b5bed16335e1461736292fc2b674e20aee4b92253e791dd9656e35e5698c85b1613e4096af3db7595fffad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\InstallSetup9.exe
Filesize
143KB

MD5
635d05904cf2fe2691693c439c3e88e3

SHA1
93c148b6178e0f403b939e2f09c146d1c9fb9bdb

SHA256
fa116f27db9c628be53857ce17a2dcad21ee7e0655843cc370e71827cff2ef86

SHA512
026805b9a55faeed18c3fb7d03240bccc8871123f547bd72f1d8d9c6c9f970a25688c566140889f2a2cdec09bd91e87c0594f9457918d1225bf8a0f6af0cd05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\InstallSetup9.exe
Filesize
57KB

MD5
2bef1edbad4ae6fdb0d60e0e808f26d5

SHA1
c921b724da280daa57d86039f7c34fb601f4cb16

SHA256
53e87af13cf28ab83b58a234c52bce419492a84a78a1eac06d19c93af77f69d9

SHA512
64701f2276b7ec1a2fb15b5f6a944e017e5d2d5b9ec8d648ce3acc3fb3bf96fd42e5224b1b5af3580a3a85769086fb01791f0f094408e57b8eec9b95a32e5e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\toolspub1.exe
Filesize
151KB

MD5
89ce0f3c60bb0114455ee539a3169650

SHA1
6c6b693ac0d19df8ba260f2eb9ab2211ea920c23

SHA256
38e1afbeaacf4078912d11dbd12a39681f0967eb0cd2ea52608099624fc8f4cb

SHA512
1aa123c524be894ae816d97f710c3d4fc33871d336d1ab8fa04dd1da7836ab8717817a154c2bfef1f1784fc84e865158b2bd463e474d4d4ea72464c88ff0131f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\toolspub1.exe
Filesize
123KB

MD5
bf51a7b0908d366627a01956138d4399

SHA1
63b856118b5ee576119e12851407bc4cb6a9df61

SHA256
46766f085cba58ec97c216c6ed18ff461d73077944f10678980acd9071cf01ab

SHA512
19827241c81cb2c41e4efdff8025d9f8508d4d88eaba0d3db762098bcdcf1599032455c54f22cce2cf9e5114aa6132a34d3e6e17891e7cd353a966700e0fa672

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\rty25.exe
Filesize
119KB

MD5
9a81b8faf8a7ee9467505f8f5ae75d8c

SHA1
50f4d63dd0daa4928808a32858140051050deee6

SHA256
b26f3ea4fdc3e0096824637a7d4367ae229116abcfabde1e6d1f5dc2eca09f8f

SHA512
8180921f8e4fec0ac3616f8aabb5c4b3e411e5b1d5d4ee74c08c3317208d342cd89622ae80e1556db87304b4c691d8a09390d3ff8e03f15ab39f3910b6004592

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\FirstZ.exe
Filesize
43KB

MD5
cf49aec348c4d11510d706f36b748c58

SHA1
0dcc49ade507422d26de3dcb902111613b4ccb26

SHA256
73f7025d875a97b2983de7739f94bc5a1b0c761855c4d1e5f457eb46e4ec7114

SHA512
8fde694c9a2e8596e7d84139ffa004d332ddf4db6fe902efd13400982a7de313cd395b58c3f607e562c64c23cf8da4df011d546b3c8ac255e23ad0bf57c659d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
Filesize
179KB

MD5
658d3a8014ebb7be59ae07ec27287710

SHA1
92aba3ed3d7156b06bb503b95fba7c76c64108d9

SHA256
3bb2ea43f2bde9cae49bf55f1af7560a274159d89ef530995d0029b0a7372892

SHA512
74ec4fccf21797c21c00e7345ed2d3e5231535b6e2e8e74391c27c73e66425555457b83b218310a95f62799a7cfc825aa0ee5f7019b0d97895d423561f0d76b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
Filesize
129KB

MD5
0e95bd31671b9cd239c35127cc35b9f3

SHA1
179307578abffd619b0f8ca18ead073a91102b99

SHA256
31695970d5dcef74a9b6e68e7844c4c7aa2028e45e1bfbd949f20938ac529ec6

SHA512
5b59aa5605abf198f8d7651047653fdb6a1c3ffb124d0a9674247f059619a4339e4ae7d84eb2fb2cfa4f8b903bd55af05adfe39c43d9a4283fda400d8ced4c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
Filesize
64KB

MD5
516736fed9ccfa2ad2e1ef1aa513bf68

SHA1
9867ff68f6e2d7127991f7e24ac13a6e10684d48

SHA256
8684ddb3d32775093c483a9ed3d49576bfbf78540a02b149cf7df401a6862628

SHA512
638de2fb530353c9b44aab777b52ce79b93271e3bfd56f70d305808cc0f0db2a313cac9bf9737f4d161308fade087069c9967554a35ef2f300362ef330d278a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
Filesize
203KB

MD5
88bdfd84262f4891a673a4a72e62755c

SHA1
f874cd2abf4192ce967761c11680d022c3bb11dd

SHA256
f18d30f98f650b8eacee793fb404d36e75a038cc7e1c1d39637695b8d91a142e

SHA512
48f1c5baf43918a12afdc89e88ba5c1a2fc13d33d32bcfbe4dc8221b4184fed776947f0afa88f0474b84e5e0ba81c94b70b8b5e847ad32cb97421622ae788305

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
Filesize
195KB

MD5
cacd7fe553009ae2f98e2693570cb930

SHA1
d6a4c652d8891a95ee03d2fca5e4ecaa7a4d1e82

SHA256
f03c9d0d27b154a5b98cc837a5bce08250de6515f4b6088a2cd1f47725c4a948

SHA512
17e1ca11eaf89cd970eff528681b23dcb6735d558ce47f3a06dcc3c4b372ffcf763e802bbb8976c397753d395b18362a050b09c5ed7a0bf87faf2f4a64060afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
Filesize
181KB

MD5
006fb1116f52a57fbc911d597f91715b

SHA1
1be944e1a767887de00450e8a33e8157ef3c22dc

SHA256
8a1f6ccb2bb8e4b7393a9d232a517bc9c6cf00457d334bc566e248203e14b2c3

SHA512
d5c882fe7479e8a65109e546bbd0e53b11875719b22af3e85b8f9c5521e06b01fa0896e628d56d7b4db2a9003be27042c11495ed4e00b52235f4705ac3ee9b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
Filesize
304KB

MD5
9c8dd2f6560e10fd90eed2a4616852f5

SHA1
7b7b7b541cfddade8f85f44fd6404d11b698c51f

SHA256
edcd4f3339379870a8397d4d8236b8a3a2b9144e73eaea24d7d4e5064abf69de

SHA512
82381e7641ec01ab245ca5b6e9618dbd64e7f4b38263c0e670b93d18a32fe86b7af3724bdbae9b8285f7865228033542e8974c81bd1f08540d691ec10536481c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
Filesize
347KB

MD5
166522aee32c5a703213c8db01785967

SHA1
18bf510c8993e7b724628911a3745545d612dc98

SHA256
df64d9278576ee5dea7df0d429f5b86d13d43f0af81d01856a181b15bbae8df4

SHA512
31e8af185dff55a531d35ab808c8ad1ad38de215c2d0fdda88cb5fcb66795e76c35902c348dab0bfdb2cd202a005ba4cdaf50783282e1b2de9303edb2055cb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
Filesize
306KB

MD5
2c956b21dcbfba0e1f80fc3cca0185da

SHA1
aa206d5d74581732717db918ee33be49182749b0

SHA256
dfff649b6d3d2e0a6273ebdd9f6582908029c604fcb35a1a8be6fe46e015c75d

SHA512
d3145b20182d0678a8aec589d5ed01feeeff83ea58f5ac97390b9b0e4f628ef5117b179b81af8c5b803db8d44a288da1e4a680016b23af1e1f57cf3548c206cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000798001\leg221.exe
Filesize
81KB

MD5
80a699c2029014bb01aadd52319d7732

SHA1
a412b4c945cf4a9fd8a3f45c0a75aa05ee37518d

SHA256
1e35aa071d0afa0f3e6b195613fb12d80e940e5745a6cba14128fff3a6db08e2

SHA512
03dead0a1850d4f483ad8437d41a6d471b09fa2d1080f3ea19a1e701bd2b91091803fcfa199c0f1eeda9eae9c53073d4b8a5da9c5cc4a7a649f4cda75c28548f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000798001\leg221.exe
Filesize
185KB

MD5
49699751493da75d81a3532bb4d70a85

SHA1
273244fbcaae1457a1e9f90f68b84bff0704eacb

SHA256
e774a99dca8df1642f3d625df265d140e4a26405dcf221b13513071b0e803529

SHA512
b8fe6eb547c4205344e507b644c37e1610557f7d484d0b018916de1d2a7c4ded4787b110685ed89126a89e5bfc8edaeae2d0b1ac69d380c78b56996566dd4b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000798001\leg221.exe
Filesize
28KB

MD5
cee327514e245de5c8607d41664d1017

SHA1
40980466497a7112d73dfad993b548891234fe93

SHA256
7e127d1d56a24d38b39de4408854f6e09928b2621d05b68734670c73198df666

SHA512
388b3c47be310f27293f6fb7f1756a70ed1f605f097ca12a69962929aa0cb9c2202113836f9868c5a1f55651491e05101d6f6c6d7f5b1a054f7575199452d0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000800001\redline1234.exe
Filesize
14KB

MD5
997a54ac9332ac29f2a530a9c4fc2dd5

SHA1
89d9ee018ba29d29a29257e309ee565f7dd35172

SHA256
12e15aa3fff2d89a8bead97a6023984398920a7bed9a86881f71bbc8b29246f3

SHA512
d4e390b1b7e7d33a60fb7b0d52da5d5ed037f7ccb83085214a7ede4809c85c89c5148cfef64ca24b9a0487ccc4058bf0a8ccce39a1f228aaf88add2a60f6aa3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000800001\redline1234.exe
Filesize
26KB

MD5
ff2bb2012cd1f897f1b4fbfb423c3d27

SHA1
8a4b59f7c88ca4f335383782bbc1983b4297c7a8

SHA256
8bfe475a0b2c48cbb5ac9a497cde97b472cffa7b979984c6dc4e9992ed30808e

SHA512
188c4588c291b44be421048a0bbe31e12a7df86413fc6a5db67238ae7388676ce9302cbbbb25c6935d04d4569a7443da9387c287286fe36f8e2e91b497070c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000800001\redline1234.exe
Filesize
56KB

MD5
eb285231d14d7215d8242f08af44437d

SHA1
63cde4bacabbac345203325777f68afe24ceab19

SHA256
ec1ae225ebc6c4ff0b5515b1b3192b2b1c4c1db8cf06a8044cbfb111c1dcee98

SHA512
9b390f1f6e0d42e06ed6f9c36a2c85bde94e19d6e5a193320a35d23c567deb09a64ba6c734694f638f5e980c78988222321a76348fb253b8a58d662d8b1960f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000801001\moto.exe
Filesize
98KB

MD5
74ee06679dc4cababf0851070dcaad79

SHA1
c0d75b89bd6ec11081e95aac544fb92ed54610f9

SHA256
ade1284177b66677189cd4851558723d737e5bc7330baa3233ae2a6de9e39050

SHA512
be08e1f613ebd1704cd88291652ce3038533579abf8ffdf1d4ac2707712942d276c73e5a50f70a2062a2ffb21a9b62f4f27c6a3cd26075fa4726ca5cf012e24f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000801001\moto.exe
Filesize
57KB

MD5
b56b4b32ca0df8ffb96f721d1f5308c0

SHA1
a385dee2dfd7791624c78dd1b4be1c01a14bc92b

SHA256
b3911da1b8882ea431f2b40d7067a23842f9d5af48344e1200f6f5b8b790b906

SHA512
fe0bb514eae9fd91898490ec4e7267b6834ed472fe157be0f687fb880f7c33ee4d521b81d1d97a9fc0418aa02b90e19f20d95a14575872cccf4744bcf573d3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000801001\moto.exe
Filesize
28KB

MD5
0476828372c2cdf65d3762df80b9388a

SHA1
e7d9e6f8fec512f4641838786cf35949a76581dc

SHA256
07a8113e55bc7bac2e29b0f2b82cf7259b27f36752f5626574d7e9a03d5abeb6

SHA512
88d741ff6cbade636640dcccf2ec7f944e65199603cbe224e3729511b49d81335f661b553905d3f06cc233b2289a214dd9d284452caf1acd006fc58709e8e99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000802001\2024.exe
Filesize
53KB

MD5
3318343cb894fefb8ce2b6f303aea1ca

SHA1
012f6479f0b3a3ba3b2057d5c53bdaffb0e91dc2

SHA256
8d49cb192d871b8f4aa79410d6963eb3a52ac18eefbfc61f52a92402375a47f8

SHA512
ebdf64665907c7071e4669d9130a1633efc6aee7d8b73f02418d40032ef576450e7400ceb11518df2819d0488b482a2084f7c01b205e44a1f75da18fcdcf43d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000802001\2024.exe
Filesize
75KB

MD5
4932fe69f5af573f142fbd533f6d597b

SHA1
9ecb844aec1f2a0208e9ae130c1ba1137c47424d

SHA256
4635d5f78d2c2e633da5756d3028617c0cdd8be6102cf7cdbba05bb3a9a1ea14

SHA512
301ddc290a20bdc2ea9c9e28d40c4965c77cd81038c76351f3180d8936e6327360a6955e2c5359be6b1258cd2fdb4b5f980467538604f925e8374fe4ba2e33a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000802001\2024.exe
Filesize
80KB

MD5
31828c68e3db08dab5ae64d3c78e791e

SHA1
e1e8d2bda19f97ddd8bb80f66d4ae861eef2127e

SHA256
010d57ebace077d6746353a73303188ff967a94adf732f7a8fa583c3ae216285

SHA512
b397b21a7395310f0a52afe7ffffeb7dd631748625d550e9d82623ee933878ec5a767dc60953ef997655a394561a01340773f48c87dfc42dd4be9a4db4f7b83c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000803001\55555.exe
Filesize
118KB

MD5
e98b189e84f414ef07234dc8ffe29eee

SHA1
6d4fa9fed089b9dd67d59d156b21729fbb7e12da

SHA256
3564973cf2b773c55e2d49f3368f7a0c366e6424a87c1ac21525189db4dbb614

SHA512
342516a25bda1b51eb3f23e4ee55593b0ffe5bf91e4540c450ff589d3b231dd2ffa843667806e2c21a634251a5ae91edcd9f780b62ebdd9ead55eae66f201d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000803001\55555.exe
Filesize
70KB

MD5
410069167e0cd7465b30e1a282522234

SHA1
26378d53a2f2f8f133b40810629bf2502c478354

SHA256
92cd92c652567b12930a0abb7dcd657bb6470a9e3a20c9839ff5c19e93d502c1

SHA512
634f392179fca75f4b156acede6f7c2221235d9419c8a335521fb624f8aa5b1a9891f645a34a6b88c15a4e5b8b8e00dc5f807fad2a82b143c028d38afc7dbc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000803001\55555.exe
Filesize
55KB

MD5
fcede6be037ef04968f6c8fbc1f795e6

SHA1
bc6da5d7493715ea4f12dd04d10b2bc4c7e6bd0c

SHA256
36fcff8ff1f05a55bf22ee0f2c6fb1a4ac3d65566feb2b5fd54b887fa9397bc9

SHA512
2a9eeb83b54fb31569d605ec087f60093c2fa26bd97891f9d34f01d9adfaa6b6feecf40f3140a0e217c276a1f8d289b7422681ef196b9b61e227a0fc0cd634b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000804001\mrk1234.exe
Filesize
96KB

MD5
8a940ccdce9a414ba15442362ddfbd56

SHA1
a8ad86359e432dda561f34188e687159a464642f

SHA256
2947a12b1177723634e269e803eb3b1e7b1b0c505ef2fadf94e62343a9239423

SHA512
806cbd62066fe41edaf4e4d40b206ebcdaf2759a4c6852050da12423badcbd3a0c1470a4924ee6e9062d32f57c774cec230dfb6cd91c59866c9d2ddb55f55299

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000804001\mrk1234.exe
Filesize
35KB

MD5
759a7f5a71d9c050d616c75b1d535548

SHA1
a07cbc5217515be48e1dbb5f39ecb08975300a08

SHA256
54dad2fce4d5b4883d6f613e8043e924f6510d372f872bec2eba3e8710fdeeec

SHA512
89573bff73ad9c9d4f6acc8222da3d7e1c197fb042bf5b43a3a48d6db1092e53ed72ee013dc0bd4e990de9d65d30ca91b78eacd8c0a0c404474463f3b4fbf863

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000804001\mrk1234.exe
Filesize
57KB

MD5
7f7b6995a31f1e45c56869e97fa924e8

SHA1
9dc052356343e4cffdbbf4df8ed4109829fd0334

SHA256
ebf8ce4c49c8984e881085760aa1774fd56ab9d8434db2eb6760891479ee8c69

SHA512
990eaa1135ce4ad8eb5972a3a29358f24e78eed7b291e4cf314e8d9ad3631d75321c2db5299c6b676c2708dbd56abdcf28f31508f226b5517be59ae451c0d621

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000805001\alex.exe
Filesize
32KB

MD5
31696f8d5a0c038dc7e615c09fc96145

SHA1
ad59916a10adf9886b9b943cf931d3aa762c134b

SHA256
13d73ff6d5800807f17696c59fa44a2076a6ea5037f06e2c17e44fe6350df9ee

SHA512
a863887941f4eee2abc61b2300c978568c387b40bf53a62d76e3f6d716027655bd13faf5657783c26b3f91034d852df3ff812aff7ab59923894e7491b96baeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000805001\alex.exe
Filesize
105KB

MD5
d41bad235681343e4089afd8ebe551df

SHA1
90eb1b63b58e27db924112ddcdcf81214f95f103

SHA256
2571eeb7f442e966f4239e594eefaa99b695794871d7ecf083e5ab0a80a9805a

SHA512
d746ea19528fe68497ca4c52c1c2c58c68b33317f96d6d119b581fb6072db8e03956f6525413b6790b24dd0b1aa1ea6d3b17d95c4206ddc19458c2e41ab351f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000805001\alex.exe
Filesize
29KB

MD5
dc30ba1e3f2326b418a00234a0af3504

SHA1
13670c0b4239b3b610a7b12b807678dc72d73ce5

SHA256
f7d11af06a4e06d857a3b266d88e01ea29ea8372930b8085d06490ce4d586247

SHA512
882cf6aae1d5f4c31664a58a7abecd14aba5fea5d12e342934031043fccfa190eedc436e6f3386adbd9caeb0742496676b7aa338dd8260be737431687d5669c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000806001\rockrunn.exe
Filesize
1KB

MD5
2d435a240645eaf702ca395f9931fd1b

SHA1
28b8daf0a6a36228afbd9dcd48c614ad83475c73

SHA256
be5a91bb97ac54c7e3298e397cae1043d8c04d419d3409b69d0f09cd71bd6f46

SHA512
244da958662947eb6911596ecb5a24d1a539f2032b6a7d00b4cc8fe3efc7f0c3901e07de841296864f613f7e070cca5acd8b5dd6d257e3725b9ca832f12f31e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000806001\rockrunn.exe
Filesize
64KB

MD5
7fde9ea27a1fa4502e91580d28984f6f

SHA1
23d2365b9ab1521c5b8b06630aa54815808fb82e

SHA256
a6675cfa71bb513444984baafb3dae7384f1d75c49f87da5122c46ef72efe39e

SHA512
ed278a590449890d804c05c572a68bdbb92fc53b2d4a37f13e7fa3a01e9a5a4ab0312d370ebf1e466a25b25c98160a9d6f3955e34225e21362b3414490306b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000806001\rockrunn.exe
Filesize
138KB

MD5
96ec3d20ddf6146a24f1e3d8fd1014e4

SHA1
3590fe77fc1d40fa7fe67254d6fd3e4cda10f83f

SHA256
b6ad465787ff8642c29997445c7b608842a21c61e94f3fbccb609dc277ff25be

SHA512
0c8cd68e4367c20a3d8cad2dd5264cfb25f664ad0d4a196497c82a3df20a7db1170034b42ab80514f3ad8dda5df915bf68dc9a3f3ffa18295270569f6231eac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000807001\goldklassd.exe
Filesize
57KB

MD5
e90220674e9f097b4da8c8fad9b6ee0d

SHA1
e3e04e41580d69f19d1b167720b7aea67786ead2

SHA256
6d070b7fe7b02c96905ee821f261965f35831041eea6df89d7f678727128c54d

SHA512
0682742932b320eadcf054992ec8e31a2634610c7ad41639d3afc1b239fb84b11180618a6f0562b58207d2d342fdcc3111caeac283024b5b7bda3b03cf4771f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000807001\goldklassd.exe
Filesize
45KB

MD5
9b4f3d54261988b0f42e0607f51698d4

SHA1
43d934829ddcae7ec5ff5808d7021eeff49bdf97

SHA256
dc93867f20abb97a29b45980d813762d7beaef0431a2c00dc6aeea1ebad5200e

SHA512
2f8b7b1094e5138d31583c125cad6162d40d22dc3bb09a7b3d0cd0792d76f66361d16fa2faf9e2d21441c8a981a1410dac9f70e87606ab57f3a27fe61aea6849

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000807001\goldklassd.exe
Filesize
48KB

MD5
7077b022525f97d26251ade46985bf6f

SHA1
809238af074851d60b1949fadb55fee4579b14bd

SHA256
f1b6cbca30d8eba48248653dcc21f163c3415cc044b998c0eb5cd3b8863319d9

SHA512
0ef70b0e6fb18f5418155f87483f05025e987a1b219a37431b4629a202c29a017b0d656a3ecc1190368faa742d8033a7c5a0419994dc1f9374b2fc753f0f65e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000808001\MONTHRDX.exe
Filesize
45KB

MD5
a03861ffe4113ec78b7746c8d7cdd41a

SHA1
4e77a4cd0352ef038125a950a320674c5d3013b9

SHA256
29c3c50e9ddf8ce952408a27158da27b69c2a5be2fcfefcf61bfd794be7fdaa5

SHA512
0c0ee972206b19ea1acdf4f39b0659d826fb2b66324fe53dc7b3a2aedd09e1736e82296bb4f587e97aeed7c822cc1914474e7cc4eef9a106e6d9b2a7c9d9000a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000808001\MONTHRDX.exe
Filesize
124KB

MD5
21818dc0c838e2969aeeed44b2106382

SHA1
d185a6f420dc0ba9fba2924ac97e8d84ec578d70

SHA256
d31437976866c31bc46e142f1b827208493d4011b8449200ae0227d8433fc201

SHA512
9fc3f252173fb6361220f7f3350e06d98f335416c16f463e1a3bcd0ce766e18f17f74a4387c0fc8041097dadbf430f1e308ab30c7152c704907aae4791d2df99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000808001\MONTHRDX.exe
Filesize
208KB

MD5
93699b68b406c7b0c29a4b8c65eca049

SHA1
19e20955713d37b1685a9a6e5711ec50c1bc93ac

SHA256
c61952cf117e1a87712705fd35ee6389c9a2ae862400514670431149b759b94e

SHA512
2f86051ebfd8e5a19045d7a44149b9cda504e972d1c46a7150463261d8ca3c3e887353fa5b46477b8a5aa33b98a54b6f87640d52ec258f5e4d3ee3c9fdb5a9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000809001\1233213123213.exe
Filesize
106KB

MD5
a8064f39636f127e19d09010510a0083

SHA1
db01b55e2a5118e29c0d1ac21ddc524c35ce7fa7

SHA256
abb3017c8d1a3b08a789c3dc772a11b85bd69fa55e19e036d056f649ad56ba58

SHA512
ec79087eacb4e01af5a5573ff6097846ec00c14f10170991033dad684dd8ff44b8d8b94b2f4e7c45a70e6f10482d4fc80866a1621927753e6f5b7f395a282235

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000809001\1233213123213.exe
Filesize
64KB

MD5
7762580d4337c354bc7954833fe4ecf8

SHA1
9aa3ac32dce2d56ad9e10c5dfc437b01335a571c

SHA256
8bdf5a45a099565e4e882681dc89f971a29e70e9e319ca2521d282d8f2c7f568

SHA512
3e6fed2e349ea1c2533d9675e9c9f99d91c52a99b1522a51b94c187ee28b740d2df85f772d12c9c54c109aee9169489b968eec5aa38f2c898a4127924ee5e99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000809001\1233213123213.exe
Filesize
163KB

MD5
cbba5ac4890fa0a5e82e6d34df8dcaad

SHA1
148db1436874cbd022afcbd7abf0556631b3a263

SHA256
a9222a7516ec684503d5ccbd3b7eafebda51a77c1e5468c36af65cfb5480488a

SHA512
a2045e35f5eee6bc41dc8a37bc040c72b17d5941648e81329bf96e1528bed5728e56fefcb5f1154f7b35a6603acaf3eef334a0a3602674170a1570b9a1f71e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000810001\crypted.exe
Filesize
125KB

MD5
6c0d90e4e464ea64fcb273c602a8dd65

SHA1
7485610c58c778dc104ff20a408a7674223a15b2

SHA256
bf1883d66b0c03aac487b8d43a91f610e0d7399a1d372d653287773eef072b6a

SHA512
7a94480de41b30e12af2252004db4e74f207a156de61be2a9797f118e15656e723198faf31199ce5d4310db7af42b0f9adfdf28bdb1825234f3061752fe9b2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000810001\crypted.exe
Filesize
86KB

MD5
8f51fa3afa268b077e8c54ffa9443871

SHA1
5c22b0f637bc6dadf2ccae1fbb8cf77cf92fb064

SHA256
679e7e4aff1e8db160a7593e6bac570df96b5483065fbcc993d12a1c85a09d3d

SHA512
43da7bb8ac58b92d3c54f2f686bd6061b653bab3f18b68dd3e0b3b1a135b3cfad7e701a34fe3e7006e17ef3c98fb4c009304e7292e2d0cc33cba0fafec73ba8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000810001\crypted.exe
Filesize
67KB

MD5
1b506f393c12257dc1566b530154f712

SHA1
d8efed0225a3c36bb075ff7f7fe39bcb39dfd41c

SHA256
e59f7339308052fb121ef4229be31cf9f5ad2f7b2719849d4596b3c3fd057039

SHA512
1ee46641d7270d37fa0e288d7e8fb1df7f22bf026c28aeb68eec4c238853ead20e695639ebe43da34c4079aa891ed291f6fe3b6053a6fa206f232c5a7c4c1e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000811001\sadsadsadsa.exe
Filesize
81KB

MD5
fba907210cb6dfef26d45df1954fb02b

SHA1
5c62f06e80919976ad893d824caf58294d601bda

SHA256
342fc81cb072f074808f66897556c1568a3dba2074fbd687e66f39744a2d56aa

SHA512
eaa94792ef069a948d0879eecd68bd1822bb5e727c80d999187dd9f17dd1f132a4e9c34573b53ab44ee76874820a1ba1af0714b6ab2de8fcee761e8eb38740c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000811001\sadsadsadsa.exe
Filesize
89KB

MD5
0471c6a734bdbcff7c48c7df2a6a86dc

SHA1
0c98636ebf5b13b5ec9bb90878301c44c6493c89

SHA256
f835a446259df09f338cc48779346c27bfc9be64bd2f7d9304c75726d663f523

SHA512
01559db05fdc13398d9180f1c30d10954e1f9600f6c1aa47a40ad417418fe375e6953981f96ba759d8ba58d4c3eee231b6ea8b538365627e6f4268d36260e21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000811001\sadsadsadsa.exe
Filesize
82KB

MD5
bc75d10e0b9e14b5c331430be3830f25

SHA1
c7e74ba3e99a149c58847f39615d5468cd6665ec

SHA256
88fd32f4b40c40d8700c86654372e04407ba3aca75662339d45975596ae05dd6

SHA512
212e348c1bf8c53fc5a1576600c3e33b21b7317b86d041d08155764a37b621fa707241b2fd32c29a6c2db45cba3bf4a3834942d1037962ae7da9a4adacf6ef8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000812001\fsdfsfsfs.exe
Filesize
174KB

MD5
a1c976c341fc98b661f38c2f1cbabbae

SHA1
2bce3974909a8cecd43d40c9593e9be5da901352

SHA256
ad60cdad8199f403cf5804f7d41a25b2fd2e5e37033ea0db2ac074202401bb86

SHA512
12620d5391fb952abb5dcd9366a6b75abb6ed52d12ee1c3bb72e96682dee5e916422f6304719788aa47327a24abee94637d7d074fb987bcc566cc46e9bae8b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000812001\fsdfsfsfs.exe
Filesize
33KB

MD5
bed01f40403e194ec1054863ac31f3a9

SHA1
8c1ef5567bc53aebc6651cb1c815b637b92578ff

SHA256
d983d7b16bb494332df3a8ee108d8bce28cb098aa9188f6079a6b3014221b886

SHA512
684b9b7ebc68d1731aab806f239e4b3c1e56cf31fb0007d330ca1d860ecdb80b5aaa99da26300e81cab4c9209ab49cd63c7a6c5b422d60fc74578980c9733215

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000812001\fsdfsfsfs.exe
Filesize
143KB

MD5
64b76390e3693cef41c44d3bddb79b59

SHA1
0c8d0c6133136595c0dd61819bf70a3da0ebf5da

SHA256
2a9c9edece045e2e46cf9d9c6623a3486cbe0125a736996f19fd15b26da73e64

SHA512
5532d888736c0acd05477a127b90a270f61a1f2ce140f9873e890e100878c918446e63834708ac24a1374d59b5d47aa3d8b23b47a21c29c07b3ab0a7385c4192

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
105KB

MD5
e169a125ca53698f4bd7dcc1ddaf561e

SHA1
079d9a1a03b9999b999ed528e3a6a64bb1f2d030

SHA256
35799f42b419cbf2326b1169067ed3fe10dac6630a1b024f648c60a4d3ec243a

SHA512
6a5cda4aaab4c8d072521b35e6d8b303401fe552eea1a77640d6c6d51e4532b79c32ec29fb73d6aae9866d9041d237e16c4862953c5698753a7e93b89ce758ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f10tbmvy.bhr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0b3b7d4a5\Dctooux.exe
Filesize
151KB

MD5
26b75067bb5cb3ce20295692e276fca1

SHA1
727965f6dcf2200df0a8aa0c4e1d894fb61895cc

SHA256
a49f59a1cb15d3764462104ea474e8f660bcda89a9249580d554d64d1f50355e

SHA512
db8af6737524c388387ba2221667e206b7fba3228abd0431d01755d52f8f9fa05da03b5c3a096c15b395471c4a4499535cb96298071a6968c35e7ca29c0b5677

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0b3b7d4a5\Dctooux.exe
Filesize
31KB

MD5
48101b4579920b2565c5fc5c22cffc0d

SHA1
4733d5074e402246ea03ec8c7ab4db1d57e97d9c

SHA256
e6a79f7569dc61e0120372cca6f61d6f1c87c3e9cd8826e9b9801c64c82629f0

SHA512
b1a15cb4e553a21c11573bc732243bb59b95bd0cc4cd299071f8faf9f433601ce1bf65b66bf86e299d9f5c0f1294b7b4881c53423b8348f0916d946fbbf4cee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
11KB

MD5
31a77c4c3b89d81ba8ec587b8febfdc5

SHA1
0a4e6d845234735cee2ed03d17fea4079ee8a48a

SHA256
7f1e8e22bf1eee2a200d12b678eb20ce804546c7062dd91e06780b1fb8fd564d

SHA512
33a32eda33c568cf9b43ca9a276e260f7a53f29a474cef982b5b7a5020a1c76d7c2ea529becc5a44907e15731028b7f73b6d4c9332a6e784df94767a10f48911

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
26KB

MD5
a3852df8509d0e1bd6f43aa4833a1a22

SHA1
d7cd8dbb8aac0a7492d33fab97bfefa75d303d20

SHA256
65fcc17da85efc15e79f2a7957a719cb0d8a5a3e325a87a190656cec3532088f

SHA512
fdaeec0919980408362f9674bb6a63c3079b302df186932e612567cb3d296a0edfcf27dde1ceab3c2170e0cc28f51d9ae9a2afe948659be4442f029e9386b1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
1KB

MD5
9ffa91cfff40b5c73fa27cc80687ec47

SHA1
3400f424161000918cf358467023b08de4d078cd

SHA256
498c2741cd6aeb68f9ed47f6729b8dc67e23e17343ebbe4c4a066be723df14b5

SHA512
cdd37c517b7bbec4b05ed96df03d9252e0af187c792f83f5bc382605747f373ca12acde67a1fd917dbf31ce2fe2454a0c889f4efd1ac957967e17bfd272f7c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
156KB

MD5
5e85c53e64276a0139745ead00f43672

SHA1
a0e9d9fcebaa616f403dd6e6e2f9ad2c87e7e82d

SHA256
9ab8af9b1c3b1b536e293413ad638ff30501040f1247cd5b5db7aacf0129b7fb

SHA512
9a9798c89db70c3f0ab99823ccc707fa42d4720d2e6d9a595984a0d5829363d72ae68a3cae7e5c9038dd5a5d1e8a8678501dd41dc379556c496cfaee3f3635b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
122KB

MD5
db04b16f8de3430b4843c186fb2ba8ad

SHA1
2f03bc3b52c43ab605b17076450e2fb222097862

SHA256
190a7fb32f4bcf00f2cea8fbdb7bd51564cd227dff48daed1d3f774e26560d95

SHA512
dabef41728fbb344309550d053b2195963af1e1796b026f9ba8871f5d7fa2f16579216509ea081c7389545f2ba5d669425e925ef37673e9ea0f8e9d4f7141dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
1KB

MD5
d5f3d2440a8ef3bc32ef9463ee2c3609

SHA1
29608184d847ae2b6a484b795b881799100592cb

SHA256
372ee45ed4ffd1c7125e5b257bd33f39391e1bd2a6d5d1fe1adb2b19b7c66c03

SHA512
65761d5f894648f70d3f4bdcd3071a59f854f8ceb6f71ad3f87159f2bfd808f1430cbcc4052bc51d60c2e2cf432a195bbfd6aaf8661322d7574a0eb530bf54da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl11CA.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl11CA.tmp\INetC.dll
Filesize
10KB

MD5
b922d35abbdc91e0f148e7bd950aa8a6

SHA1
a85cc875a6e02e65bd99e3c93608eb9539fa1b91

SHA256
294247db25ef39ec9fbd95f6053b1e7a231e738408bcc8f46fd0eb85c35e6e95

SHA512
6d831b2a19355c74fedab04ea5e4b41ba41c09439295d7be8b6b30e6cde95d26650da435803bbc5bfd5a5e755873827c87ccf3f0b222cb2332e3500474027ca6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
65KB

MD5
e7b8bbcdf93321fad1455f21f1f7d831

SHA1
ac96161ed76c75f7e181bfa766160068a9c37d7c

SHA256
36b24adedba548ad3670d74df76e731111106fd43a6c7f7102f3fa98df7978aa

SHA512
aa38606763f778a244714540a96fe1e8603cec7cb114ea034a8e4adcea8dccd2f3185ac1f412a886eb302c8d4993b3f9247ec7f611bbc48ae2efc38202c28a41

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
68KB

MD5
0ff1b41d6e6285847bc0e69db4d816b1

SHA1
d5eb77af5c8bd3adad8f5419e3a443f325c949be

SHA256
bcd071e5682978a8323d29efbf9d72d69586a3906db0d764409f18b0e34fc121

SHA512
8cd89f7c1f4b21bc12320421f6405bf94135c4a5fb567c0fb89d587cbd85cb5d3cae6865cb60075d8a42818f2666b04d67047146aec0c326f4f0d5fa5acb05bf

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
57KB

MD5
754c6fe263b7a0c9f58d3a2672f9a448

SHA1
a34aff8287588dc42b1bd2e435465e77920b657d

SHA256
4f3676655bbeee2cf33b365bb39d94e14a40630839df0189dc098391446082c4

SHA512
469c8836fee404a23514bee510d107c038e5c5e70a1dae581241212d809dcf20858a816feb15b91a9a6cf5877c39dcdc572f0e3cb7e2e1cf07ce79e39f1e0948

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
36KB

MD5
9561d3687c89d70992be6f6e4103b43f

SHA1
93d83df3c548b8534ac508b95beec53ba35c631d

SHA256
0f0bcf8db603b29759ecd5e87f9fd0db184593694469b5138cb28c91d2604007

SHA512
9d2ac28d7eb6abc92680fa15ca81502d3c097ee123d178e5857809cedf7b32e05dfe834e51829eac462969e5c0fdfc4ef209c723f365773436094b06cdd23a93

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
3KB

MD5
aa6b5f1a0d0cde959fb6717c5d8ccd72

SHA1
60909cf984fa82f3fd9ccf761007bc423644b731

SHA256
d33e61816f0acb2fcc0fb372e54713514e7d91a5ae00be242042ab87f7308443

SHA512
3ceabfcd99722d0d2c07dcaa9ef5b09b6b0ed489b30e898940781cba9eb313552752419c06df692733d43ea051c2bf7a701fe7ff82c28edc9c9c3f5e2384c34a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
32KB

MD5
86ea06d5140bd92bcf744130cbc5255f

SHA1
008a27f0bcb36e51b3422ac2a47f5da4d57e08ef

SHA256
95cfdb12796b9a88999d5395238ad252799a144fbd5cda35691933483e5948a7

SHA512
c1c0d047dfab7bba7e2c12cdbe4f1734d0999ab2b0bf3ea60c0e42ca5673a22469a99a4a006b6ba89320e2651d42d17baf553cf04fcc5c91a54898c596a6155d

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
37KB

MD5
500861e1bb9423cc447465a0acad7c0b

SHA1
a7a6eb52f83f34050386df38952ab5db527ee692

SHA256
b68fc9de74e58d8f10db32998790935b8b7ac517352672b4e8187d4805076467

SHA512
920604df54cb811fa7b66dc82952d3583f6832ac89e03a78efe4bdee83ee30cdeb92dc7351d1a8d0de95a103d1eb25e89bf73fa73b5d856cf5737340a6408d39

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
33KB

MD5
e1cf682c41683305e490c3695480efd8

SHA1
882927d1e5faf7fa5f2afb3004d9c94f692fe033

SHA256
05f714538a3267713d8ba907ed065c8503d12489e01e9adec8fac36de9464e10

SHA512
ba2283195742dea3d1b201fcb49f06e463183044b2ffbc0fca16e0616774419ce41b43311ab6d648748b1e3164c1772d6d30a296a77a331942aa1299fd090505

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
ffacaa7384e119c6e14e704c89ca242c

SHA1
10a8749922210769f2486f71f93366829f40bbbd

SHA256
735ed6ef6daaa7bb021a8619e16d62976cd3e0d5913338a8176185909a2b8d43

SHA512
eb73510629dedb5a778631b50095d3fb5d3ddf65d3fbc0b3a8edbde1cb378fc33fd54c812874cabb3b1ff1b7996f81687741238f38cb4913a5b41dda20fdb191

Download Submit
memory/1400-157-0x00000000004C0000-0x00000000009A0000-memory.dmp

Filesize
4.9MB

Download
memory/1400-213-0x00000000004C0000-0x00000000009A0000-memory.dmp

Filesize
4.9MB

Download
memory/1400-190-0x00000000004C0000-0x00000000009A0000-memory.dmp

Filesize
4.9MB

Download
memory/1400-232-0x00000000004C0000-0x00000000009A0000-memory.dmp

Filesize
4.9MB

Download
memory/1400-36-0x00000000004C0000-0x00000000009A0000-memory.dmp

Filesize
4.9MB

Download
memory/1400-118-0x00000000004C0000-0x00000000009A0000-memory.dmp

Filesize
4.9MB

Download
memory/1400-222-0x00000000004C0000-0x00000000009A0000-memory.dmp

Filesize
4.9MB

Download
memory/1536-13-0x0000000000FC0000-0x00000000013C8000-memory.dmp

Filesize
4.0MB

Download
memory/1536-2-0x0000000000FC0000-0x00000000013C8000-memory.dmp

Filesize
4.0MB

Download
memory/1536-0-0x0000000000FC0000-0x00000000013C8000-memory.dmp

Filesize
4.0MB

Download
memory/1536-1-0x0000000000FC0000-0x00000000013C8000-memory.dmp

Filesize
4.0MB

Download
memory/1688-260-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1688-267-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1688-264-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1688-263-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1688-262-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1688-261-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2200-215-0x00000000002A0000-0x000000000083A000-memory.dmp

Filesize
5.6MB

Download
memory/2200-82-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/2200-89-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/2200-224-0x00000000002A0000-0x000000000083A000-memory.dmp

Filesize
5.6MB

Download
memory/2200-90-0x0000000004F80000-0x0000000004F82000-memory.dmp

Filesize
8KB

Download
memory/2200-81-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2200-87-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/2200-86-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/2200-85-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/2200-88-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/2200-253-0x00000000002A0000-0x000000000083A000-memory.dmp

Filesize
5.6MB

Download
memory/2200-84-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/2200-77-0x00000000002A0000-0x000000000083A000-memory.dmp

Filesize
5.6MB

Download
memory/2200-83-0x00000000002A0000-0x000000000083A000-memory.dmp

Filesize
5.6MB

Download
memory/2200-194-0x00000000002A0000-0x000000000083A000-memory.dmp

Filesize
5.6MB

Download
memory/2200-80-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2200-79-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/2200-78-0x00000000779C4000-0x00000000779C6000-memory.dmp

Filesize
8KB

Download
memory/2200-158-0x00000000002A0000-0x000000000083A000-memory.dmp

Filesize
5.6MB

Download
memory/2200-176-0x00000000002A0000-0x000000000083A000-memory.dmp

Filesize
5.6MB

Download
memory/2364-219-0x0000000001990000-0x00000000019B0000-memory.dmp

Filesize
128KB

Download
memory/2364-169-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-192-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-196-0x0000000000EC0000-0x0000000000EE0000-memory.dmp

Filesize
128KB

Download
memory/2364-163-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-214-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-217-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-164-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-167-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-168-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-170-0x0000000000B80000-0x0000000000BA0000-memory.dmp

Filesize
128KB

Download
memory/2364-171-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-305-0x0000000001990000-0x00000000019B0000-memory.dmp

Filesize
128KB

Download
memory/2364-218-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-220-0x00000000019B0000-0x00000000019D0000-memory.dmp

Filesize
128KB

Download
memory/2364-216-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-165-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-306-0x00000000019B0000-0x00000000019D0000-memory.dmp

Filesize
128KB

Download
memory/2364-173-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-174-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-175-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-166-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-172-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2364-193-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3124-233-0x00007FFB4C0F0000-0x00007FFB4CBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3124-209-0x0000000000770000-0x0000000000778000-memory.dmp

Filesize
32KB

Download
memory/3124-211-0x00007FFB4C0F0000-0x00007FFB4CBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3712-156-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/3712-231-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/3712-16-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/3712-189-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/3712-17-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/3712-115-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/3712-221-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/3712-212-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/4244-310-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/4244-308-0x0000000000D50000-0x0000000000DA2000-memory.dmp

Filesize
328KB

Download
memory/4244-307-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/4244-309-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/4244-311-0x00000000059D0000-0x0000000005A1C000-memory.dmp

Filesize
304KB

Download
memory/4372-225-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/4372-227-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/4372-230-0x0000000000690000-0x0000000000A98000-memory.dmp

Filesize
4.0MB

Download
memory/4456-279-0x00007FF6D3780000-0x00007FF6D41BD000-memory.dmp

Filesize
10.2MB

Download
memory/4456-259-0x00007FF6D3780000-0x00007FF6D41BD000-memory.dmp

Filesize
10.2MB

Download
memory/4516-256-0x00007FF615BB0000-0x00007FF6165ED000-memory.dmp

Filesize
10.2MB

Download
memory/4516-254-0x00007FF615BB0000-0x00007FF6165ED000-memory.dmp

Filesize
10.2MB

Download
memory/4640-272-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4640-269-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4640-276-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4640-315-0x0000019CA90D0000-0x0000019CA90F0000-memory.dmp

Filesize
128KB

Download
memory/4640-275-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4640-273-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4640-278-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4640-271-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4640-268-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4640-270-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4640-295-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4640-292-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4640-291-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4640-290-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4640-274-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/5088-127-0x0000000006470000-0x0000000006502000-memory.dmp

Filesize
584KB

Download
memory/5088-114-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/5088-130-0x0000000007F50000-0x0000000008112000-memory.dmp

Filesize
1.8MB

Download
memory/5088-129-0x0000000006B30000-0x0000000006B80000-memory.dmp

Filesize
320KB

Download
memory/5088-191-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/5088-128-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/5088-126-0x00000000063B0000-0x0000000006426000-memory.dmp

Filesize
472KB

Download
memory/5088-125-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/5088-110-0x00000000025C0000-0x0000000002602000-memory.dmp

Filesize
264KB

Download
memory/5088-112-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/5088-113-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/5088-131-0x0000000008120000-0x000000000864C000-memory.dmp

Filesize
5.2MB

Download
memory/5088-124-0x0000000005A80000-0x0000000005ACC000-memory.dmp

Filesize
304KB

Download
memory/5088-120-0x0000000005230000-0x0000000005848000-memory.dmp

Filesize
6.1MB

Download
memory/5088-123-0x0000000004C10000-0x0000000004C4C000-memory.dmp

Filesize
240KB

Download
memory/5088-121-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/5088-122-0x0000000005850000-0x000000000595A000-memory.dmp

Filesize
1.0MB

Download
memory/5088-119-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/5088-116-0x0000000004C80000-0x0000000005224000-memory.dmp

Filesize
5.6MB

Download
memory/5088-117-0x0000000004B00000-0x0000000004B3E000-memory.dmp

Filesize
248KB

Download
memory/5088-210-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/5088-111-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/5088-177-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/5088-195-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download