quasar | 29d1b3fbd0c2615f298de1abbbb110757c4ed6a04b4e3957212e0d8796c37b44

Analysis

max time kernel
194s
max time network
211s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
12-03-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Telegram Desktop.rar
Size

802.5MB
MD5

c27b7a4ff8387a553aa8ece1233f6f70
SHA1

436290ab35fd3e4de206d9a260c249f4ee14b4cc
SHA256

29d1b3fbd0c2615f298de1abbbb110757c4ed6a04b4e3957212e0d8796c37b44
SHA512

4793d7a3c3ed65cab477c75406dd56d416baa952f25b2812b673922bffc8ac76ae4844de21946ac7e281230c4e42ae8f8ab2f37e374de2e0ab5e5309642ff99d
SSDEEP

12582912:fpcYZCKX/IwdHf9eeXZRvu2zVVx3LziQSLoULgG8LfQa6FWQwUyu0VJARhNzVTI:Rc4X/h/1Jdu2zjxLzicU0GoILJnaJks

Score

10^/10

quasar venomrat bitcoin evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

BITCOIN

23.105.131.186:7812

Mutex

VNM_MUTEX_jTeJaJnI35a3HyFP0B

Attributes

encryption_key
370UTlW1JPDmtk3VcEH8
install_name
Window Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
windows Security Update 32

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral4/memory/2104-187-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Windows Security.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Windows Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Windows Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Windows Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Windows Security.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2104-187-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 29 IoCs

Processes:

Affliction.exeBOSS RAT.exeCLIENT.EXEBitcoin Fake Transaction V3.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindow Security.exeWindow Security.exeWindow Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeBitcoinFakeTransaction.exeWmiPrvSE.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exe

pid	process
3620	Affliction.exe
1772	BOSS RAT.exe
3008	CLIENT.EXE
2684	Bitcoin Fake Transaction V3.exe
1256	Windows Security.exe
1988	Windows Security.exe
2840	Windows Security.exe
2104	Windows Security.exe
3824	Window Security.exe
3548	Window Security.exe
3792	Window Security.exe
920	Windows Security.exe
4692	Windows Security.exe
2928	Windows Security.exe
2164	Windows Security.exe
2200	Windows Security.exe
2020	Windows Security.exe
2484	Windows Security.exe
404	Windows Security.exe
1216	Windows Security.exe
2500	BitcoinFakeTransaction.exe
2508	WmiPrvSE.exe
2376	Windows Security.exe
3968	Windows Security.exe
1188	Windows Security.exe
4988	Windows Security.exe
5084	Windows Security.exe
3440	Windows Security.exe
2464	Windows Security.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Windows Security.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Windows Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Windows Security.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Windows Security.exeBitcoinFakeTransaction.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xBLQRnSbFD = "C:\\Users\\Admin\\AppData\\Roaming\\bCKCiADRfy\\NsTBLfnFEE.exe"	Windows Security.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WmiPrv\\WmiPrvSE.exe"	BitcoinFakeTransaction.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 9 IoCs

Processes:

Windows Security.exeWindow Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exe

description	pid	process	target process
PID 1256 set thread context of 2104	1256	Windows Security.exe	Windows Security.exe
PID 3824 set thread context of 3792	3824	Window Security.exe	Window Security.exe
PID 920 set thread context of 4692	920	Windows Security.exe	Windows Security.exe
PID 2928 set thread context of 2164	2928	Windows Security.exe	Windows Security.exe
PID 2200 set thread context of 2020	2200	Windows Security.exe	Windows Security.exe
PID 2484 set thread context of 1216	2484	Windows Security.exe	Windows Security.exe
PID 2376 set thread context of 1188	2376	Windows Security.exe	Windows Security.exe
PID 4988 set thread context of 5084	4988	Windows Security.exe	Windows Security.exe
PID 3440 set thread context of 2464	3440	Windows Security.exe	Windows Security.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4720 schtasks.exe
2128 schtasks.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings cmd.exe
Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

3568 PING.EXE
2064 PING.EXE
1008 PING.EXE
2716 PING.EXE
1308 PING.EXE
4736 PING.EXE
1108 PING.EXE

pid	process
4720	schtasks.exe
2128	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings	cmd.exe

pid	process
3568	PING.EXE
2064	PING.EXE
1008	PING.EXE
2716	PING.EXE
1308	PING.EXE
4736	PING.EXE
1108	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

Windows Security.exeWindow Security.exepowershell.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exe

pid	process
1256	Windows Security.exe
1256	Windows Security.exe
1256	Windows Security.exe
1256	Windows Security.exe
3824	Window Security.exe
3824	Window Security.exe
5056	powershell.exe
5056	powershell.exe
2104	Windows Security.exe
2104	Windows Security.exe
2104	Windows Security.exe
2104	Windows Security.exe
2104	Windows Security.exe
2104	Windows Security.exe
2104	Windows Security.exe
4692	Windows Security.exe
2164	Windows Security.exe
2020	Windows Security.exe
2484	Windows Security.exe
2484	Windows Security.exe
1216	Windows Security.exe
2376	Windows Security.exe
2376	Windows Security.exe
1188	Windows Security.exe
5084	Windows Security.exe
2464	Windows Security.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2344 7zFM.exe

pid	process
2344	7zFM.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

7zFM.exe7zG.exeCLIENT.EXEWindows Security.exeWindows Security.exeWindow Security.exepowershell.exeWindow Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exeWindows Security.exe

description	pid	process
Token: SeRestorePrivilege	2344	7zFM.exe
Token: 35	2344	7zFM.exe
Token: SeSecurityPrivilege	2344	7zFM.exe
Token: SeRestorePrivilege	3216	7zG.exe
Token: 35	3216	7zG.exe
Token: SeSecurityPrivilege	3216	7zG.exe
Token: SeSecurityPrivilege	3216	7zG.exe
Token: SeIncreaseQuotaPrivilege	3008	CLIENT.EXE
Token: SeSecurityPrivilege	3008	CLIENT.EXE
Token: SeTakeOwnershipPrivilege	3008	CLIENT.EXE
Token: SeLoadDriverPrivilege	3008	CLIENT.EXE
Token: SeSystemProfilePrivilege	3008	CLIENT.EXE
Token: SeSystemtimePrivilege	3008	CLIENT.EXE
Token: SeProfSingleProcessPrivilege	3008	CLIENT.EXE
Token: SeIncBasePriorityPrivilege	3008	CLIENT.EXE
Token: SeCreatePagefilePrivilege	3008	CLIENT.EXE
Token: SeBackupPrivilege	3008	CLIENT.EXE
Token: SeRestorePrivilege	3008	CLIENT.EXE
Token: SeShutdownPrivilege	3008	CLIENT.EXE
Token: SeDebugPrivilege	3008	CLIENT.EXE
Token: SeSystemEnvironmentPrivilege	3008	CLIENT.EXE
Token: SeRemoteShutdownPrivilege	3008	CLIENT.EXE
Token: SeUndockPrivilege	3008	CLIENT.EXE
Token: SeManageVolumePrivilege	3008	CLIENT.EXE
Token: 33	3008	CLIENT.EXE
Token: 34	3008	CLIENT.EXE
Token: 35	3008	CLIENT.EXE
Token: 36	3008	CLIENT.EXE
Token: SeDebugPrivilege	1256	Windows Security.exe
Token: SeDebugPrivilege	2104	Windows Security.exe
Token: SeDebugPrivilege	3824	Window Security.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	3792	Window Security.exe
Token: SeDebugPrivilege	3792	Window Security.exe
Token: SeDebugPrivilege	4692	Windows Security.exe
Token: SeDebugPrivilege	2164	Windows Security.exe
Token: SeDebugPrivilege	2020	Windows Security.exe
Token: SeDebugPrivilege	2484	Windows Security.exe
Token: SeDebugPrivilege	1216	Windows Security.exe
Token: SeDebugPrivilege	2376	Windows Security.exe
Token: SeDebugPrivilege	1188	Windows Security.exe
Token: SeDebugPrivilege	5084	Windows Security.exe
Token: SeDebugPrivilege	2464	Windows Security.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exe7zG.exe

pid process

2344 7zFM.exe
2344 7zFM.exe
3216 7zG.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Affliction.exeWindow Security.exe

pid process

3620 Affliction.exe
3620 Affliction.exe
3792 Window Security.exe

pid	process
2344	7zFM.exe
2344	7zFM.exe
3216	7zG.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeBOSS RAT.exeBitcoin Fake Transaction V3.exeWindows Security.exeWindows Security.exeWindow Security.exeWindow Security.execmd.execmd.exeWindows Security.exe

description	pid	process	target process
PID 4912 wrote to memory of 2344	4912	cmd.exe	7zFM.exe
PID 4912 wrote to memory of 2344	4912	cmd.exe	7zFM.exe
PID 1772 wrote to memory of 3008	1772	BOSS RAT.exe	CLIENT.EXE
PID 1772 wrote to memory of 3008	1772	BOSS RAT.exe	CLIENT.EXE
PID 2684 wrote to memory of 1256	2684	Bitcoin Fake Transaction V3.exe	Windows Security.exe
PID 2684 wrote to memory of 1256	2684	Bitcoin Fake Transaction V3.exe	Windows Security.exe
PID 2684 wrote to memory of 1256	2684	Bitcoin Fake Transaction V3.exe	Windows Security.exe
PID 1256 wrote to memory of 1988	1256	Windows Security.exe	Windows Security.exe
PID 1256 wrote to memory of 1988	1256	Windows Security.exe	Windows Security.exe
PID 1256 wrote to memory of 1988	1256	Windows Security.exe	Windows Security.exe
PID 1256 wrote to memory of 2840	1256	Windows Security.exe	Windows Security.exe
PID 1256 wrote to memory of 2840	1256	Windows Security.exe	Windows Security.exe
PID 1256 wrote to memory of 2840	1256	Windows Security.exe	Windows Security.exe
PID 1256 wrote to memory of 2104	1256	Windows Security.exe	Windows Security.exe
PID 1256 wrote to memory of 2104	1256	Windows Security.exe	Windows Security.exe
PID 1256 wrote to memory of 2104	1256	Windows Security.exe	Windows Security.exe
PID 1256 wrote to memory of 2104	1256	Windows Security.exe	Windows Security.exe
PID 1256 wrote to memory of 2104	1256	Windows Security.exe	Windows Security.exe
PID 1256 wrote to memory of 2104	1256	Windows Security.exe	Windows Security.exe
PID 1256 wrote to memory of 2104	1256	Windows Security.exe	Windows Security.exe
PID 1256 wrote to memory of 2104	1256	Windows Security.exe	Windows Security.exe
PID 2104 wrote to memory of 4720	2104	Windows Security.exe	schtasks.exe
PID 2104 wrote to memory of 4720	2104	Windows Security.exe	schtasks.exe
PID 2104 wrote to memory of 4720	2104	Windows Security.exe	schtasks.exe
PID 2104 wrote to memory of 3824	2104	Windows Security.exe	Window Security.exe
PID 2104 wrote to memory of 3824	2104	Windows Security.exe	Window Security.exe
PID 2104 wrote to memory of 3824	2104	Windows Security.exe	Window Security.exe
PID 2104 wrote to memory of 5056	2104	Windows Security.exe	powershell.exe
PID 2104 wrote to memory of 5056	2104	Windows Security.exe	powershell.exe
PID 2104 wrote to memory of 5056	2104	Windows Security.exe	powershell.exe
PID 3824 wrote to memory of 3548	3824	Window Security.exe	Window Security.exe
PID 3824 wrote to memory of 3548	3824	Window Security.exe	Window Security.exe
PID 3824 wrote to memory of 3548	3824	Window Security.exe	Window Security.exe
PID 3824 wrote to memory of 3792	3824	Window Security.exe	Window Security.exe
PID 3824 wrote to memory of 3792	3824	Window Security.exe	Window Security.exe
PID 3824 wrote to memory of 3792	3824	Window Security.exe	Window Security.exe
PID 3824 wrote to memory of 3792	3824	Window Security.exe	Window Security.exe
PID 3824 wrote to memory of 3792	3824	Window Security.exe	Window Security.exe
PID 3824 wrote to memory of 3792	3824	Window Security.exe	Window Security.exe
PID 3824 wrote to memory of 3792	3824	Window Security.exe	Window Security.exe
PID 3824 wrote to memory of 3792	3824	Window Security.exe	Window Security.exe
PID 3792 wrote to memory of 2128	3792	Window Security.exe	schtasks.exe
PID 3792 wrote to memory of 2128	3792	Window Security.exe	schtasks.exe
PID 3792 wrote to memory of 2128	3792	Window Security.exe	schtasks.exe
PID 2104 wrote to memory of 4112	2104	Windows Security.exe	cmd.exe
PID 2104 wrote to memory of 4112	2104	Windows Security.exe	cmd.exe
PID 2104 wrote to memory of 4112	2104	Windows Security.exe	cmd.exe
PID 4112 wrote to memory of 4200	4112	cmd.exe	cmd.exe
PID 4112 wrote to memory of 4200	4112	cmd.exe	cmd.exe
PID 4112 wrote to memory of 4200	4112	cmd.exe	cmd.exe
PID 2104 wrote to memory of 3224	2104	Windows Security.exe	cmd.exe
PID 2104 wrote to memory of 3224	2104	Windows Security.exe	cmd.exe
PID 2104 wrote to memory of 3224	2104	Windows Security.exe	cmd.exe
PID 3224 wrote to memory of 2056	3224	cmd.exe	chcp.com
PID 3224 wrote to memory of 2056	3224	cmd.exe	chcp.com
PID 3224 wrote to memory of 2056	3224	cmd.exe	chcp.com
PID 3224 wrote to memory of 2064	3224	cmd.exe	PING.EXE
PID 3224 wrote to memory of 2064	3224	cmd.exe	PING.EXE
PID 3224 wrote to memory of 2064	3224	cmd.exe	PING.EXE
PID 3224 wrote to memory of 920	3224	cmd.exe	Windows Security.exe
PID 3224 wrote to memory of 920	3224	cmd.exe	Windows Security.exe
PID 3224 wrote to memory of 920	3224	cmd.exe	Windows Security.exe
PID 920 wrote to memory of 4692	920	Windows Security.exe	Windows Security.exe
PID 920 wrote to memory of 4692	920	Windows Security.exe	Windows Security.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Telegram Desktop.rar"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Telegram Desktop.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2344

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5088

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\New folder\" -an -ai#7zMap29135:1732:7zEvent30544
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3216

C:\Users\Admin\Desktop\New folder\Affiction Crypter\Affliction\Affliction.exe
"C:\Users\Admin\Desktop\New folder\Affiction Crypter\Affliction\Affliction.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Users\Admin\Desktop\New folder\B0SS RAT\BOSS RAT.exe
"C:\Users\Admin\Desktop\New folder\B0SS RAT\BOSS RAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\Documents\CLIENT.EXE
  "C:\Users\Admin\Documents\CLIENT.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3008

C:\Users\Admin\Desktop\New folder\Bitcoin Fake Transacation V3\Bitcoin Fake Transaction V3.exe
"C:\Users\Admin\Desktop\New folder\Bitcoin Fake Transacation V3\Bitcoin Fake Transaction V3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Roaming\Windows Security.exe
  "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Users\Admin\AppData\Roaming\Windows Security.exe
    "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
    3⤵
    - Executes dropped EXE
    PID:1988
- - C:\Users\Admin\AppData\Roaming\Windows Security.exe
    "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
    3⤵
    - Executes dropped EXE
    PID:2840
- - C:\Users\Admin\AppData\Roaming\Windows Security.exe
    "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4720
  - - C:\Users\Admin\AppData\Roaming\windows Security Update 32\Window Security.exe
      "C:\Users\Admin\AppData\Roaming\windows Security Update 32\Window Security.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3824
    - - C:\Users\Admin\AppData\Roaming\windows Security Update 32\Window Security.exe
        
        "C:\Users\Admin\AppData\Roaming\windows Security Update 32\Window Security.exe"
        5⤵
        Executes dropped EXE
        
        PID:3548
    - - C:\Users\Admin\AppData\Roaming\windows Security Update 32\Window Security.exe
        
        "C:\Users\Admin\AppData\Roaming\windows Security Update 32\Window Security.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3792
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows Security Update 32\Window Security.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:2128
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5056
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        5⤵
        
        PID:4200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tbtEcWRqU6qB.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2056
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:2064
    - - C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:920
      - C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muFpiL5DEjFO.bat" "
        7⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:1008
        
        C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1r3K8xZqXNmX.bat" "
        10⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuLBLO6LBGpl.bat" "
        13⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        Runs ping.exe
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        15⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bO7tJVz2BEjl.bat" "
        16⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        18⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmKNbgMdFUHH.bat" "
        19⤵
        
        PID:240
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        Runs ping.exe
        
        PID:1108
        
        C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4988
        
        C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BvATU4ODp4hz.bat" "
        22⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3440
        
        C:\Users\Admin\AppData\Roaming\Windows Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464

C:\Users\Admin\Desktop\New folder\BitcoinFakeTransaction\BitcoinFakeTransaction.exe
"C:\Users\Admin\Desktop\New folder\BitcoinFakeTransaction\BitcoinFakeTransaction.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2500
- C:\Users\Admin\AppData\Roaming\WmiPrv\WmiPrvSE.exe
  "C:\Users\Admin\AppData\Roaming\WmiPrv\WmiPrvSE.exe"
  2⤵
  - Executes dropped EXE
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Security.exe.log

Filesize
507B

MD5
a0c3e1aca0335d2d3a6c16038a5e1feb

SHA1
865132ecfd8bc3781419e10a57ef33686d80f83f

SHA256
68e52b0dae9281848730d457702a3fbe0868a0209d2740c9b5435dcf872d1072

SHA512
6b5dc7bb61bebea323e806e4eeaac8383621c84be7545af744923445dc4545b9395abcd8f7b82f8b30fddc28872e3f47a010a271f588b5dd725cdd1be2ee4ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1r3K8xZqXNmX.bat

Filesize
210B

MD5
109866f23794f9f0a10f2d1cba0f94ae

SHA1
cdb30ad64838fd3af2f8df7d6601e9234ea56d0d

SHA256
37afb1f31e635ba3d1e286900aad222a3a19061a913402832cdc0493d3347bf7

SHA512
2d11399ce3fac3f0c3d7176685a09a55b40f9d39a36421c99a4b53607b58bd89439eaa1edf1700f8bd1af5c157d9cf5e44a4d5b167d69a0d8ad0bb298469ad17

Download Submit
C:\Users\Admin\AppData\Local\Temp\BvATU4ODp4hz.bat

Filesize
210B

MD5
9daa5079b64b9460e2b8ce18e3b28c51

SHA1
fc8bbb82ce1f5b3a9bfe25fb42e51521e4a5c300

SHA256
a8a684ee0d480c72c436d9df2e0b907eb89ee1c9589f4d37f5732f31ac46eef8

SHA512
d16ff21141a357c6524495fb304c485fe96b844ba7c9c585607015cb4252555ed530669dda8a650691d78d6869cb15ec15747eed20c0f95b5eb1c6ae6de09610

Download Submit
C:\Users\Admin\AppData\Local\Temp\UuLBLO6LBGpl.bat

Filesize
210B

MD5
76af3376ae5f9feacdf76de011866a97

SHA1
a8cabd063b87e6f6abe06c2c35586242b3396012

SHA256
756805980737dafd9e6323a6627c673930fedf50acaf25e3df2abace66a907af

SHA512
dfb9e527ce22843245a97d0789eda8824e57c7d53a652a747e5e27d14ce07a68bce185fc82c0d113d625735d50c48b978a442c4853f1e3f143c2de5170f93a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xnuw33zn.xnm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bO7tJVz2BEjl.bat

Filesize
210B

MD5
cb57b6c8a2d18eb118e0929700baf93c

SHA1
2e43641c3b666577b435c549b82270eedd96a92f

SHA256
290a208abe7eae867341c6819a66b886769b0315265993acc269bb211fb1cb2c

SHA512
63795f6c7397005eb9df3e050a3bd8adb5060276192340ed083d6eba308d0a4beb8b6138b0d325d4b08ad2b59890126f15302c37bb9ec41717819e7a22eb7431

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmKNbgMdFUHH.bat

Filesize
210B

MD5
7c2e4761b72180a2994a764952fe4ed0

SHA1
1c4f8d10a4d6849d601c9bb317c6b28ad8ba743f

SHA256
b86c81cc8cac3358cf0baa4c0ce82644f7517ffd1a05df8078a8400a624c1cc0

SHA512
01aa8af1f86cd7f34f268be53e0318f42a646b3934c0943105a945412344cc78287da5ad07f338ee275438df64aca9659b3444eff90ac49573f3a82b6662e741

Download Submit
C:\Users\Admin\AppData\Local\Temp\muFpiL5DEjFO.bat

Filesize
210B

MD5
1e3ec9fc75d9475f1a3ed2510eb91438

SHA1
c5e7e3af8f9a113271f473c8070bc237f641019a

SHA256
f0d2ff297c64de56552332ebb43b0c51c53bce7df234d4abe53c74b111810ad2

SHA512
3c0311555af9e5c760ef6b582b60301244b6085836d0d6c8ed28923e143a7d3dff26fc81b8981c26c9d194cc6e2af29df005ee05e08f98f76f0a99279b796863

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbtEcWRqU6qB.bat

Filesize
210B

MD5
55745c787dfa3c97da94ad752753b1c0

SHA1
4bae8013ad20ccef48d41f5d48f3f7b249705b2a

SHA256
67faa63d32e8ecb7a7ee3d1510534a834df6985ed9d06922c3944d205af300f3

SHA512
c63db5c39e08fcc543b1d5b1b1faae2e30ab2f7c955fb0370836d172f608a0b7d6c04d0809cdc7ea951e5c4fcfc46e436b2acacd1bdfaa29c91252409752d856

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security.exe

Filesize
820KB

MD5
0dc9aba9df1e1c3f6d9dc98633260e60

SHA1
b78d7946aa344eeb0d50f25ebbc525c608bf3ecd

SHA256
8edc6e2a826910600187023e17c0dc19b203a100767367ef79611d89ebfdc4ff

SHA512
07a2f9656e28af347716ca4113216c82335a0e8bd7e3f9578e2c79115c703272a8345038e43054b6a6e4a86fd7e18a8d22044816405bb5d95b29da7975b08d74

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security.exe

Filesize
597KB

MD5
28b3f6a14696ded879ede816ee0b5c56

SHA1
93f1d4a04e432da16be09ab3564da14d03e512f2

SHA256
850297319c507f521504576831910d6eb871493ce97a8fcbd9180c77738a3c03

SHA512
d9d7c21aa34fa6e2146ab664d87aa4b5a87176f297ae5be0e8e868eedec248972ef924f763ec1b2f5f26590c73b98a55ae531bed2c37865b4dee54a586672c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security.exe

Filesize
622KB

MD5
027a88efbfdd2b9117060963ce54fddd

SHA1
f4c2e7f025b7b8903e1101582fba9a5cd6b21603

SHA256
95933da9a8eae4022807ec2fdad2dfbca468a5478fe9824cf64e42ff67743c0d

SHA512
02ff4029acf43987c6acb1a00477f4446f4883f6eb7d64652f6ff8c8cf928f025d35b1989cdb6a792acbe2bf032d5d7c8956fbb9905e00e234393d7e019116d3

Download Submit
C:\Users\Admin\AppData\Roaming\WmiPrv\WmiPrvSE.exe

Filesize
162KB

MD5
cdfc8f8cf86df2ce518543d3eaf97fd7

SHA1
c074d1cb625aaac484e8f0dc5331293c7ed2b547

SHA256
8ef0ca821104f5e4033d66f7a1a5ce831393517aa046cf70b7b2c96cc8c214ea

SHA512
bb82ca01fc69ab6c9a5f5ac497d2fe291b3b64a861958f2ead1428f43d127136f67539e7b34e8f95d46d3faedfac65100d7d7e6a55c16d9fefc32f5c89c81e9b

Download Submit
C:\Users\Admin\Desktop\New folder\3301 Ransomware Builder.zip

Filesize
10.6MB

MD5
323e115a272620c142e4c66a2eb38f2c

SHA1
901fb06cf141017cc9b39c624faf05d08d94f4fb

SHA256
ea1919652631c05f796fcfb1be3d6b1fc5bd971df3a3e7bf1e51e1cfec4dd696

SHA512
4c6c7b44e014eee33dd64e77cec6245ae3a8ba3f207e8019d8e465389fb18f1808ddba3637b26c2a4f6a0695c11f91dc4ae738a2bfd7d8b4ee5a94a39b987e85

Download Submit
C:\Users\Admin\Desktop\New folder\Affiction Crypter.rar

Filesize
242KB

MD5
9372ee16173d7f655e3edd1eba269e20

SHA1
ae1316e5d86a6915068f814429f0839e20b2b04c

SHA256
73b6b013720a47f192d8e1a62132d40e7fa8fb410c26d7260ef3fe532bcb0088

SHA512
1cd7f4a355c853ee150ecdb2a97601fa89e1654d1b58513f4d3011d4d9b89d1c9bc5f0515f37d6f58bfc2e9206a5b9313c7eb5c632b8922fad6e38624a7710e2

Download Submit
C:\Users\Admin\Desktop\New folder\Affiction Crypter\Affliction\Affliction.exe

Filesize
780KB

MD5
81498e8081d9b624ba977256f582f2c7

SHA1
a7bed466f149687c96c9d99bab8f3d3eaf6abecb

SHA256
68e802ec820e6c84b57d788729c9e5184434b06bd26375735ae638d43907d14d

SHA512
562bdfc15ad85a80f3662cf5f83c1c8f2c7de7c21dfc0a47026c96695108370071315adba3c1b57c3e90bfb0cc301919bd33013d33f2648089a63a636fd70f74

Download Submit
C:\Users\Admin\Desktop\New folder\B0SS RAT-Fixed (Eng).zip

Filesize
8.7MB

MD5
e934fdce2f5fb6fc6b2e2da72f04562d

SHA1
e6e1b008de2d54f5ba7343a2ae601fe0f0287e83

SHA256
6f7b70c03fae348028e8639d7373e2c5d880cfb06ee05615a08e613023c59405

SHA512
caf1ce82f3841269a677a57344a183e10928c2342132b1f4df46756707d322359cf8ffb9e0690538a3b4374128cd065b92c76fe90b5094ca2d3fbe2f92d560de

Download Submit
C:\Users\Admin\Desktop\New folder\B0SS RAT\BOSS RAT.exe

Filesize
2.0MB

MD5
4df17525959ed87ac5cb31cb2399db13

SHA1
f035e334f17c1ff9f93de1a584c73bb00e13a8b6

SHA256
cf3b334cd120cff7c617c9e1bcb2ade22e172f64489c3f980c0ee7ecaced79ff

SHA512
6459f628f732b48ce3904bd7a6bcf22dcef085418e42b90e97a0223580df4941f21997aecb8fda6ff75b9514d63cb246dce0e214b10babbb43d966bcf2e3ad87

Download Submit
C:\Users\Admin\Desktop\New folder\BTC Fake Transaction.rar

Filesize
207KB

MD5
eb99b4e8d702f46303f069a16b2cc4b2

SHA1
1783a69c3ed1d0b0833e904a68b56b41eecfa94c

SHA256
cb2084f18a1be5cde59a204eda3d83198e590c5700781c2b92974a5ad3c86ffb

SHA512
00bc0f27f231ec0a166ac52858dc7a81eb0541f7b5f3dba65077bbeb1f66c806fdc0c73711c0c95f93c7c9b4f44228076a9283a7defc1d50a7241ae4a312d29d

Download Submit
C:\Users\Admin\Desktop\New folder\BTC_Fake_Transaction.rar

Filesize
3.5MB

MD5
c95fd92587626795b037f94dd5b5e715

SHA1
6b64f96b49febefa2e2858b1d2bb00604885f8c6

SHA256
041785b21eba3873bcadf05d8f64a43237fa4d6a39ec9e1cce7e0ff63c30b7d2

SHA512
822fae217e970ffcf433d20e8abe6a6ffee76ada85e3be41e29bf21a92f780ab8c7389ce78ccabbf23710cccd2f8eddd21f93a91b386d5dd1086b0a921296b24

Download Submit
C:\Users\Admin\Desktop\New folder\Bitcoin Fake Transacation V3.rar

Filesize
939KB

MD5
d79e5524cb33eea6f3e929a5610d2cc0

SHA1
e6a44a46d6756048427800229fe39f3dd9a020a3

SHA256
603c354efe61d6d91589f58043edc934f42eb157e1550537dc40dd399755f1cf

SHA512
21635d5e97050da29a37a1832b8d85783bbc421a36bf64653e6dab7bf5c194fa9f1974deee882b3d9e826dc97078db1f84838cfcee081519de5d8d46e3f554da

Download Submit
C:\Users\Admin\Desktop\New folder\Bitcoin Fake Transacation V3\Bitcoin Fake Transaction V3.exe

Filesize
1.3MB

MD5
eba58c770a9912467c74203650367fce

SHA1
342ae4a2714c0b3511e013f51a21e5739dcfd097

SHA256
e688c1b8bd1e34c34172497162daa1f46df0de2ae168d661ac2b62d513f3f08f

SHA512
1827b88d319cd43b6142ac8959b0318855429b35520116b9d6a700f0b43a6acaccfa6e558b10f8cab7c405ef0ee8dcf19a38464e81d6604d3eba4383b0cfbbf8

Download Submit
C:\Users\Admin\Desktop\New folder\Bitcoin Fake Transacation V3\Bitcoin Fake Transaction V3.exe

Filesize
1002KB

MD5
dc947b39004b36c56b1f8d0fb975be1e

SHA1
4e2d4b22a11dca95be9269ba279db1b28f1f23ce

SHA256
5aef0734dc85eb2d0e8868f574471ce71e7427f9db6fd75fbc5471c1fa9ce1f6

SHA512
5d187827e72c6c2e77b3a5dec28c232687f250f830cdd519617d6f110b11cd9364b6120108a982bf96bf4022f25795d5f26edfad6eec869fec0c74d0f61ccd50

Download Submit
C:\Users\Admin\Desktop\New folder\BitcoinFakeTransaction.zip

Filesize
1.4MB

MD5
d8e9207d0e5894a2d8f94ad8cdfcbf90

SHA1
18fe030bee89ca9dcab7a3deb11354a6351e68b3

SHA256
16cb231e8affd11fa6200becf4746928492db58051df83d4dd3dedddf33dbd18

SHA512
a14792efafd7b24144595aaa41e878b5b6a41916b76f3ba9fbdf7fe4a5d46cc4d1ae656350f6daf21cbe6a7dcdc009e319d71d0542cd8ecf3c815af63f62fa85

Download Submit
C:\Users\Admin\Desktop\New folder\BitcoinFakeTransaction\BitcoinFakeTransaction.exe

Filesize
605KB

MD5
4eb3bd08932bb9000f1dce389bdded6f

SHA1
8aedf59a815f67437d979b506eff4191d8c2b04d

SHA256
c038cf88206371d35a0e89612d8781cdfa69cc37fc5391a8e92d252ac6b9f0b1

SHA512
2a5366cebc3d56130ece83d2e5b64415b07c3c6e40f48048aabfafc9f6202d85da29023a2be586dc86300e58800086cb81662329e125b42fedde6e45b748e66f

Download Submit
C:\Users\Admin\Desktop\New folder\DedSec Latest FUD Ransomware.zip

Filesize
27.2MB

MD5
abf5e9274af39fe139ebf7fbe345592d

SHA1
606d1d301f71b99b7c59c684e5bc58f3db79f6d3

SHA256
7c4221f8792921de578d3d1640a1ba730a3215527d108c7fd5448ccf80c0f82d

SHA512
e797ad2488d6202b3b500e2aae72e78b1868e7f7ca916a4a2099e8351a93a19ab9d042babdcc2dcdbb5da0ace0ed0699e0f841e3974c44d515dd44345eeff50d

Download Submit
C:\Users\Admin\Desktop\New folder\Dedsec Cracking.rar

Filesize
26.8MB

MD5
842f31fd99a6a3c4a1040f189b08880a

SHA1
9472655e3ec833d6ddff275f005a6cd7d6768bca

SHA256
1c21f40038d5377c648a67a27349ca12425b4c595340fca9e6f479dfdb9ccb5e

SHA512
fa3e3452a3456627efdc04990ba63beff62240a4355b0a4bd595e5595eb9cce4dc31314c40a17f973ffb4953f428c229c2c61ee2873c6529bc78560797b13787

Download Submit
C:\Users\Admin\Desktop\New folder\Fake btc.rar

Filesize
3.0MB

MD5
d80e0dfd195c7ff4a6e9d63b4a939d38

SHA1
bef082a0c908e4930e9cdbff30f80f7f652d21f0

SHA256
33ea3414b4fdf5a8ec604dabc25bfe63c4f079796679570943dee3dd90bb99ec

SHA512
6c7d0ba74a2fa5cb1fc30ae91d9d3cc3be339bf19d24a8d5bd389c19e5a40425529411d2e569c8b696aa3472009bf37fda41ac7bc177af8726cc2cca9625a7b1

Download Submit
C:\Users\Admin\Desktop\New folder\RAT.zip

Filesize
11.1MB

MD5
829cfa5bd0c6e5d54444e1c79a1e3e0b

SHA1
02a9758f6b287c2b1a0f2269a47ab4febc647d34

SHA256
13f4907c03c66e86f8855eaa84cc10075677db5a612e8053b05cac7283e873ac

SHA512
1e2e4ca81a992d9509ed0a04884111efbe696dfcabc69a1b4a48cb8bb7cc29a69507d42bd8e05a0e7f754e76c5d1b4b378c1bb260f82d1432c3f68f3ff151741

Download Submit
C:\Users\Admin\Desktop\New folder\S500 G3 RAT.zip

Filesize
27.5MB

MD5
683b012c4cb43cd0d41d3993e344413f

SHA1
b8a0cb71a091af3936937ca525582f1df9e815d0

SHA256
775e675658ea68a8443cf43c53a4fa12ceb78105d40ccf2eb1c4c96fb54e6087

SHA512
97e53dbc5f9553c511b129665bbb5ef318eaeee4cb2c01aca231d8bd9cbf5d3a44ec6d8f9acd0a042eff9b4f9afb4b60f6412faf3f0a42df43e9c316d245a463

Download Submit
C:\Users\Admin\Desktop\New folder\Steam Gift Generator 2023.rar

Filesize
1.1MB

MD5
3c745fc3db1a960bf719f307c731ce5b

SHA1
08d71d0abd5ea775bed61be485a6fe8091f8f5d3

SHA256
010d0169cffdd38f6c7261e4406b1b2728b095bfa7b0bfff99f321e937eb3ebc

SHA512
008962891e4d47a08191b6b89b4bd53453e06413ed4be9ae16f3148edc1c0cfd90fd672b344159ef8662b5a36361ae5892ebbcf416cf9896c320bd22fb1ecc4a

Download Submit
C:\Users\Admin\Desktop\New folder\Valorant Checker by Xinax.rar

Filesize
1.1MB

MD5
dc323c44b0641af3e55d587989dce457

SHA1
9bd681513d9b07218bf60963f005384b23363f99

SHA256
20c01d10823a05e05cd3419f30d7266b9fe1bd564f5de91cf8ec38d029dde740

SHA512
f9cfebdc9469dd98ff3c53820ddb8aff19f06e843215b631aadc16a6e4bbff1cea9812dff4092655417ce5fb0ee0647713535f76f6ef80e7dbd0c19e55cd814a

Download Submit
C:\Users\Admin\Desktop\New folder\fake btc sender.rar

Filesize
2.4MB

MD5
d4a00a5b4f3ec0f85ca04ed3ed06ab06

SHA1
d4091247245e772a57af4952c8459b55545b9958

SHA256
ca5dcd04f58d702895f33212b6eb577c481e60f7842b760be2d5ecf7baa66104

SHA512
553b60de60cefd94372fff26840005bb12beeb72f0fae60556eb765a62a878055c63a02d2d8b7ebabf80903c86b8e5d740a43669684efd19029569285b0e4547

Download Submit
C:\Users\Admin\Documents\CLIENT.EXE

Filesize
56KB

MD5
e780d3ba577dce5849d7c66ba169148b

SHA1
385a9016f7fef89d679fbcd9c834d411781e50ed

SHA256
3f9be5b14cac0dedeaa1b3fc6c5b6f5818c3a4993e0cfdb09d09772697df878c

SHA512
7f4741838f7f47b73ee4cfa33a024b17353cc3aa9b45620ad44185dab844e866eaddfd00007d3ee6c30db54de89e3e8aabae98ae74323cbceb41e980f632b7b3

Download Submit
memory/920-268-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/920-265-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/920-264-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/1256-191-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/1256-182-0x0000000005B50000-0x0000000005BEC000-memory.dmp

Filesize
624KB

Download
memory/1256-184-0x00000000059B0000-0x00000000059BA000-memory.dmp

Filesize
40KB

Download
memory/1256-181-0x0000000005A10000-0x0000000005AA2000-memory.dmp

Filesize
584KB

Download
memory/1256-180-0x0000000005FC0000-0x0000000006566000-memory.dmp

Filesize
5.6MB

Download
memory/1256-179-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download
memory/1256-177-0x0000000000E20000-0x0000000000EF4000-memory.dmp

Filesize
848KB

Download
memory/1256-178-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/2104-262-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/2104-195-0x0000000005E40000-0x0000000005E52000-memory.dmp

Filesize
72KB

Download
memory/2104-196-0x0000000006DA0000-0x0000000006DDC000-memory.dmp

Filesize
240KB

Download
memory/2104-257-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/2104-194-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/2104-193-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/2104-192-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/2104-187-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2684-160-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/2684-161-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/2684-176-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/2684-159-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/2928-278-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/2928-279-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2928-282-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/3008-153-0x00000000004B0000-0x00000000004C4000-memory.dmp

Filesize
80KB

Download
memory/3008-154-0x00007FFE6C050000-0x00007FFE6CB12000-memory.dmp

Filesize
10.8MB

Download
memory/3008-155-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/3008-156-0x00007FFE6C050000-0x00007FFE6CB12000-memory.dmp

Filesize
10.8MB

Download
memory/3792-231-0x0000000007160000-0x000000000716A000-memory.dmp

Filesize
40KB

Download
memory/3792-222-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/3792-271-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/3792-269-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/3792-213-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/3824-214-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/3824-203-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3824-202-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/4692-276-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/4692-270-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/5056-246-0x0000000007370000-0x000000000738A000-memory.dmp

Filesize
104KB

Download
memory/5056-244-0x0000000007030000-0x00000000070D4000-memory.dmp

Filesize
656KB

Download
memory/5056-251-0x00000000075C0000-0x00000000075D5000-memory.dmp

Filesize
84KB

Download
memory/5056-250-0x00000000075B0000-0x00000000075BE000-memory.dmp

Filesize
56KB

Download
memory/5056-209-0x0000000005290000-0x00000000058BA000-memory.dmp

Filesize
6.2MB

Download
memory/5056-252-0x00000000076C0000-0x00000000076DA000-memory.dmp

Filesize
104KB

Download
memory/5056-249-0x0000000007580000-0x0000000007591000-memory.dmp

Filesize
68KB

Download
memory/5056-248-0x0000000007600000-0x0000000007696000-memory.dmp

Filesize
600KB

Download
memory/5056-256-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/5056-247-0x00000000073F0000-0x00000000073FA000-memory.dmp

Filesize
40KB

Download
memory/5056-253-0x00000000076B0000-0x00000000076B8000-memory.dmp

Filesize
32KB

Download
memory/5056-245-0x00000000079C0000-0x000000000803A000-memory.dmp

Filesize
6.5MB

Download
memory/5056-242-0x0000000006600000-0x000000000661E000-memory.dmp

Filesize
120KB

Download
memory/5056-206-0x0000000072160000-0x0000000072911000-memory.dmp

Filesize
7.7MB

Download
memory/5056-243-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/5056-232-0x000000007F1C0000-0x000000007F1D0000-memory.dmp

Filesize
64KB

Download
memory/5056-233-0x0000000070730000-0x000000007077C000-memory.dmp

Filesize
304KB

Download
memory/5056-230-0x0000000006FF0000-0x0000000007024000-memory.dmp

Filesize
208KB

Download
memory/5056-228-0x0000000006060000-0x00000000060AC000-memory.dmp

Filesize
304KB

Download
memory/5056-227-0x0000000006020000-0x000000000603E000-memory.dmp

Filesize
120KB

Download
memory/5056-204-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/5056-205-0x0000000004B70000-0x0000000004BA6000-memory.dmp

Filesize
216KB

Download
memory/5056-226-0x0000000005B80000-0x0000000005ED7000-memory.dmp

Filesize
3.3MB

Download
memory/5056-215-0x00000000058C0000-0x00000000058E2000-memory.dmp

Filesize
136KB

Download
memory/5056-221-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download