amadey | c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859

Analysis

max time kernel
50s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23-03-2024 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe
Size

1.8MB
MD5

8aa378546345c521deb99bb241f6675c
SHA1

2d4361d087a3cff29665a1707f2633c3ec071a04
SHA256

c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859
SHA512

190323bc206c8b7ec26e11373961ee549f4dc6a3c58914cb3e5f088333c2612ceb41f865d9611d0a29b155cf51271da094341a96c7ac8249a79c2bc92b12ca6c
SSDEEP

49152:DTmyi3yos3EHXn/tGPeBG5WqaVVk/oOZp/fAepspE5BCkzwCM6:DTmyinwOX/YPeB4OkTBAeB5MkzwL

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

http://193.233.132.167

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

4.185.137.132:1632

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe	family_zgrat_v1
behavioral2/memory/1908-68-0x0000000000D70000-0x0000000000DEA000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe	family_zgrat_v1
C:\Users\Admin\Pictures\e3NWLnmcdglmqIV5zqQ0niai.exe	family_zgrat_v1
C:\Users\Admin\Pictures\e3NWLnmcdglmqIV5zqQ0niai.exe	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4188-756-0x0000000000400000-0x0000000000EDA000-memory.dmp	family_glupteba
behavioral2/memory/1304-766-0x0000000000400000-0x0000000000EDA000-memory.dmp	family_glupteba
behavioral2/memory/4676-774-0x0000000000400000-0x0000000000EDA000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4596-74-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe	family_redline
behavioral2/memory/2576-194-0x0000000000550000-0x00000000005DC000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
behavioral2/memory/2804-396-0x00000000016B0000-0x000000000173C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exeexplorgu.exerandom.exeamadka.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amadka.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

11 4180 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

5152 netsh.exe
3660 netsh.exe

flow	pid	process
11	4180	rundll32.exe

pid	process
5152	netsh.exe
3660	netsh.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

amadka.exec58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exeexplorgu.exerandom.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amadka.exe

Executes dropped EXE 5 IoCs

Processes:

explorgu.exeosminog.exegoldprimeldlldf.exerandom.exeamadka.exe

pid process

3056 explorgu.exe
2872 osminog.exe
1908 goldprimeldlldf.exe
4840 random.exe
1268 amadka.exe

pid	process
3056	explorgu.exe
2872	osminog.exe
1908	goldprimeldlldf.exe
4840	random.exe
1268	amadka.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exeexplorgu.exerandom.exeamadka.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	amadka.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4792 rundll32.exe
4180 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4792	rundll32.exe
4180	rundll32.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\nRO8bb7n0oXcyuQCFzYTSsYH.exe	themida
C:\Users\Admin\Pictures\nRO8bb7n0oXcyuQCFzYTSsYH.exe	themida
behavioral2/memory/4368-690-0x00007FF732A30000-0x00007FF733392000-memory.dmp	themida
behavioral2/memory/4368-693-0x00007FF732A30000-0x00007FF733392000-memory.dmp	themida
behavioral2/memory/4368-698-0x00007FF732A30000-0x00007FF733392000-memory.dmp	themida
behavioral2/memory/4368-719-0x00007FF732A30000-0x00007FF733392000-memory.dmp	themida
behavioral2/memory/4368-724-0x00007FF732A30000-0x00007FF733392000-memory.dmp	themida
behavioral2/memory/4368-741-0x00007FF732A30000-0x00007FF733392000-memory.dmp	themida
behavioral2/memory/4368-753-0x00007FF732A30000-0x00007FF733392000-memory.dmp	themida
behavioral2/memory/4368-765-0x00007FF732A30000-0x00007FF733392000-memory.dmp	themida
behavioral2/memory/4368-793-0x00007FF732A30000-0x00007FF733392000-memory.dmp	themida

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe	upx
C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe	upx
C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe	upx
C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe	upx
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LOBht3ily2yXF0S7ZfNgYOLH.exe	upx
behavioral2/memory/3856-688-0x0000000000940000-0x0000000000E78000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\u394.1.exe	upx
behavioral2/memory/4272-792-0x0000000000210000-0x0000000000748000-memory.dmp	upx
behavioral2/memory/3160-829-0x0000000000210000-0x0000000000748000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorgu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe"	explorgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000875001\\amadka.exe"	explorgu.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

16 pastebin.com
23 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 ipinfo.io
47 api.myip.com
66 api.myip.com
68 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exeexplorgu.exeamadka.exe

pid process

3528 c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe
3056 explorgu.exe
1268 amadka.exe

flow	ioc
16	pastebin.com
23	pastebin.com

flow	ioc
46	ipinfo.io
47	api.myip.com
66	api.myip.com
68	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

Processes:

goldprimeldlldf.exeosminog.exe

description	pid	process	target process
PID 1908 set thread context of 4596	1908	goldprimeldlldf.exe	RegAsm.exe
PID 2872 set thread context of 3336	2872	osminog.exe	RegAsm.exe

Drops file in Windows directory 1 IoCs

Processes:

c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1112	3336	WerFault.exe	RegAsm.exe
2516	2804	WerFault.exe	yoffens_crypted_EASY.exe
3764	1876	WerFault.exe	RegAsm.exe
3256	4216	WerFault.exe	7TwsbrVDC5gizl2VMDgi8aln.exe
4036	2720	WerFault.exe	RegAsm.exe
4560	2720	WerFault.exe	RegAsm.exe
6120	5376	WerFault.exe	ISetup3.exe
756	5560	WerFault.exe	RegAsm.exe
1876	5560	WerFault.exe	RegAsm.exe
2296	5220	WerFault.exe	7EBD.exe
5520	3416	WerFault.exe	u394.0.exe
5528	5732	WerFault.exe	ISetup4.exe
5404	3268	WerFault.exe	u4f8.0.exe
1392	6108	WerFault.exe	u45c.0.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5068 schtasks.exe
2864 schtasks.exe
5660 schtasks.exe
5384 schtasks.exe
6092 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5884 PING.EXE

pid	process
5068	schtasks.exe
2864	schtasks.exe
5660	schtasks.exe
5384	schtasks.exe
6092	schtasks.exe

pid	process
5884	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exeexplorgu.exerundll32.exeamadka.exe

pid	process
3528	c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe
3528	c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe
3056	explorgu.exe
3056	explorgu.exe
4180	rundll32.exe
4180	rundll32.exe
4180	rundll32.exe
4180	rundll32.exe
4180	rundll32.exe
4180	rundll32.exe
1268	amadka.exe
1268	amadka.exe
4180	rundll32.exe
4180	rundll32.exe
4180	rundll32.exe
4180	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

osminog.exe

description pid process

Token: SeDebugPrivilege 2872 osminog.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe

pid process

3528 c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe

description	pid	process
Token: SeDebugPrivilege	2872	osminog.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

explorgu.exegoldprimeldlldf.exeosminog.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3056 wrote to memory of 2872	3056	explorgu.exe	osminog.exe
PID 3056 wrote to memory of 2872	3056	explorgu.exe	osminog.exe
PID 3056 wrote to memory of 2872	3056	explorgu.exe	osminog.exe
PID 3056 wrote to memory of 1908	3056	explorgu.exe	goldprimeldlldf.exe
PID 3056 wrote to memory of 1908	3056	explorgu.exe	goldprimeldlldf.exe
PID 3056 wrote to memory of 1908	3056	explorgu.exe	goldprimeldlldf.exe
PID 1908 wrote to memory of 4596	1908	goldprimeldlldf.exe	RegAsm.exe
PID 1908 wrote to memory of 4596	1908	goldprimeldlldf.exe	RegAsm.exe
PID 1908 wrote to memory of 4596	1908	goldprimeldlldf.exe	RegAsm.exe
PID 1908 wrote to memory of 4596	1908	goldprimeldlldf.exe	RegAsm.exe
PID 1908 wrote to memory of 4596	1908	goldprimeldlldf.exe	RegAsm.exe
PID 1908 wrote to memory of 4596	1908	goldprimeldlldf.exe	RegAsm.exe
PID 1908 wrote to memory of 4596	1908	goldprimeldlldf.exe	RegAsm.exe
PID 1908 wrote to memory of 4596	1908	goldprimeldlldf.exe	RegAsm.exe
PID 2872 wrote to memory of 3336	2872	osminog.exe	RegAsm.exe
PID 2872 wrote to memory of 3336	2872	osminog.exe	RegAsm.exe
PID 2872 wrote to memory of 3336	2872	osminog.exe	RegAsm.exe
PID 2872 wrote to memory of 3336	2872	osminog.exe	RegAsm.exe
PID 2872 wrote to memory of 3336	2872	osminog.exe	RegAsm.exe
PID 2872 wrote to memory of 3336	2872	osminog.exe	RegAsm.exe
PID 2872 wrote to memory of 3336	2872	osminog.exe	RegAsm.exe
PID 2872 wrote to memory of 3336	2872	osminog.exe	RegAsm.exe
PID 2872 wrote to memory of 3336	2872	osminog.exe	RegAsm.exe
PID 3056 wrote to memory of 4840	3056	explorgu.exe	random.exe
PID 3056 wrote to memory of 4840	3056	explorgu.exe	random.exe
PID 3056 wrote to memory of 4840	3056	explorgu.exe	random.exe
PID 3056 wrote to memory of 4792	3056	explorgu.exe	rundll32.exe
PID 3056 wrote to memory of 4792	3056	explorgu.exe	rundll32.exe
PID 3056 wrote to memory of 4792	3056	explorgu.exe	rundll32.exe
PID 4792 wrote to memory of 4180	4792	rundll32.exe	rundll32.exe
PID 4792 wrote to memory of 4180	4792	rundll32.exe	rundll32.exe
PID 4180 wrote to memory of 3916	4180	rundll32.exe	netsh.exe
PID 4180 wrote to memory of 3916	4180	rundll32.exe	netsh.exe
PID 3056 wrote to memory of 1268	3056	explorgu.exe	cmd.exe
PID 3056 wrote to memory of 1268	3056	explorgu.exe	cmd.exe
PID 3056 wrote to memory of 1268	3056	explorgu.exe	cmd.exe
PID 4180 wrote to memory of 3036	4180	rundll32.exe	Conhost.exe
PID 4180 wrote to memory of 3036	4180	rundll32.exe	Conhost.exe

C:\Users\Admin\AppData\Local\Temp\c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe
"C:\Users\Admin\AppData\Local\Temp\c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3528

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
  "C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1136
      4⤵
      Program crash
      PID:1112
- C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe
  "C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4596
- C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
  "C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  PID:4840
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:3916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\472529282816_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:3036
- C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe
  "C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1268
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\1000034001\lumma21.exe
      "C:\Users\Admin\AppData\Local\Temp\1000034001\lumma21.exe"
      4⤵
      PID:3612
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      PID:3740
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        
        PID:4184
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:1908
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\472529282816_Desktop.zip' -CompressionLevel Optimal
        6⤵
        
        PID:4612
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      PID:4692
- C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe
  "C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe"
  2⤵
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
  "C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
  2⤵
  PID:3504
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2616
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      PID:1344
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      PID:4080
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:1268
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:5748
- C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe"
  2⤵
  PID:4340
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  PID:1400
- C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe
  "C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe"
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 808
    3⤵
    - Program crash
    PID:2516
- C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe
  "C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"
  2⤵
  PID:4616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1140
      4⤵
      Program crash
      PID:3764
- C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
  "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
  2⤵
  PID:2468
- C:\Users\Admin\AppData\Local\Temp\1001018001\file300un-1.exe
  "C:\Users\Admin\AppData\Local\Temp\1001018001\file300un-1.exe"
  2⤵
  PID:2972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:428
  - - C:\Users\Admin\Pictures\7TwsbrVDC5gizl2VMDgi8aln.exe
      "C:\Users\Admin\Pictures\7TwsbrVDC5gizl2VMDgi8aln.exe"
      4⤵
      PID:4216
    - - C:\Users\Admin\AppData\Local\Temp\u394.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u394.0.exe"
        5⤵
        
        PID:3416
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGDGCFBAEG.exe"
        6⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\CGDGCFBAEG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CGDGCFBAEG.exe"
        7⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CGDGCFBAEG.exe
        8⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        9⤵
        Runs ping.exe
        
        PID:5884
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 3512
        6⤵
        Program crash
        
        PID:5520
    - - C:\Users\Admin\AppData\Local\Temp\u394.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u394.1.exe"
        5⤵
        
        PID:4540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:6092
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1544
        5⤵
        Program crash
        
        PID:3256
  - - C:\Users\Admin\Pictures\kygXBjtMH2vNHgQB3OVjw7aL.exe
      "C:\Users\Admin\Pictures\kygXBjtMH2vNHgQB3OVjw7aL.exe"
      4⤵
      PID:4980
  - - C:\Users\Admin\Pictures\M1YmgJ1YzqJI6FFlblHsWLsT.exe
      "C:\Users\Admin\Pictures\M1YmgJ1YzqJI6FFlblHsWLsT.exe"
      4⤵
      PID:4188
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2120
    - - C:\Users\Admin\Pictures\M1YmgJ1YzqJI6FFlblHsWLsT.exe
        
        "C:\Users\Admin\Pictures\M1YmgJ1YzqJI6FFlblHsWLsT.exe"
        5⤵
        
        PID:5872
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:2244
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:5152
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:2596
  - - C:\Users\Admin\Pictures\1uZteJOdkdpxorPKVQQX8GFU.exe
      "C:\Users\Admin\Pictures\1uZteJOdkdpxorPKVQQX8GFU.exe"
      4⤵
      PID:1304
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5408
    - - C:\Users\Admin\Pictures\1uZteJOdkdpxorPKVQQX8GFU.exe
        
        "C:\Users\Admin\Pictures\1uZteJOdkdpxorPKVQQX8GFU.exe"
        5⤵
        
        PID:3888
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5264
  - - C:\Users\Admin\Pictures\e3NWLnmcdglmqIV5zqQ0niai.exe
      "C:\Users\Admin\Pictures\e3NWLnmcdglmqIV5zqQ0niai.exe"
      4⤵
      PID:4844
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2280
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4692
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 516
        6⤵
        Program crash
        
        PID:4036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 568
        6⤵
        Program crash
        
        PID:4560
  - - C:\Users\Admin\Pictures\y66B7J3bFvqVJH4noG8WlqUj.exe
      "C:\Users\Admin\Pictures\y66B7J3bFvqVJH4noG8WlqUj.exe"
      4⤵
      PID:4676
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1836
    - - C:\Users\Admin\Pictures\y66B7J3bFvqVJH4noG8WlqUj.exe
        
        "C:\Users\Admin\Pictures\y66B7J3bFvqVJH4noG8WlqUj.exe"
        5⤵
        
        PID:5128
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3040
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:1996
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3660
  - - C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe
      "C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe" --silent --allusers=0
      4⤵
      PID:4272
    - - C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe
        
        C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x300,0x304,0x308,0x2dc,0x30c,0x6b2221f8,0x6b222204,0x6b222210
        5⤵
        
        PID:2156
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LOBht3ily2yXF0S7ZfNgYOLH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LOBht3ily2yXF0S7ZfNgYOLH.exe" --version
        5⤵
        
        PID:3856
    - - C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe
        
        "C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4272 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240323090845" --session-guid=5b9dbffe-8136-4a83-bb6e-547c188445cb --server-tracking-blob=OGI0ZWM0MWNlZjgzYTVkZWViNGI3MTEwNDMyODIxY2YwNTliNTc0Mjk3M2M3YjUxN2UzODI1NWYyYmY5ODFlMTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMTE4NDkyMS42Mzk4IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJjNjMxNTcyOC1mNDI1LTRiODItYTA3OC05M2JmODRhNzQxMTcifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7004000000000000
        5⤵
        
        PID:3872
      - C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe
        
        C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x30c,0x310,0x314,0x2dc,0x318,0x6a8021f8,0x6a802204,0x6a802210
        6⤵
        
        PID:3160
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403230908451\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403230908451\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
        5⤵
        
        PID:6092
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403230908451\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403230908451\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:6040
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403230908451\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403230908451\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x730040,0x73004c,0x730058
        6⤵
        
        PID:3812
  - - C:\Users\Admin\Pictures\nRO8bb7n0oXcyuQCFzYTSsYH.exe
      "C:\Users\Admin\Pictures\nRO8bb7n0oXcyuQCFzYTSsYH.exe"
      4⤵
      PID:4368
  - - C:\Users\Admin\Pictures\pAXIL7oiJIlt0YGKF9jiCBtz.exe
      "C:\Users\Admin\Pictures\pAXIL7oiJIlt0YGKF9jiCBtz.exe"
      4⤵
      PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\7zSDC71.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:5192
      - C:\Users\Admin\AppData\Local\Temp\7zSEBE2.tmp\Install.exe
        
        .\Install.exe /edidh "385118" /S
        6⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:5652
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:4536
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:5532
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:5936
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gnJdKpefO" /SC once /ST 04:17:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:5068
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gnJdKpefO"
        7⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gnJdKpefO"
        7⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bNoYxGgNiGReyhFIfY" /SC once /ST 09:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qeOxabDhDvCCKUygJ\MfJxEgkARsuSvOa\OEUQLNB.exe\" Qp /ELsite_idrfr 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:5660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:1020
- C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe
  "C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"
  2⤵
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
    "C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe"
    3⤵
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\1000063001\lummalg.exe
      "C:\Users\Admin\AppData\Local\Temp\1000063001\lummalg.exe"
      4⤵
      PID:1908
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5560
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 716
        6⤵
        Program crash
        
        PID:756
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 1132
        6⤵
        Program crash
        
        PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\1000068001\ISetup3.exe
      "C:\Users\Admin\AppData\Local\Temp\1000068001\ISetup3.exe"
      4⤵
      PID:5376
    - - C:\Users\Admin\AppData\Local\Temp\u45c.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u45c.0.exe"
        5⤵
        
        PID:6108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 1096
        6⤵
        Program crash
        
        PID:1392
    - - C:\Users\Admin\AppData\Local\Temp\u45c.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u45c.1.exe"
        5⤵
        
        PID:5876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:2864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 988
        5⤵
        Program crash
        
        PID:6120
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
      4⤵
      PID:5616
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
        5⤵
        
        PID:5664
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:5832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\472529282816_Desktop.zip' -CompressionLevel Optimal
        6⤵
        
        PID:5492
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
      4⤵
      PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3336 -ip 3336
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2804 -ip 2804
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1876 -ip 1876
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4216 -ip 4216
1⤵
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5608

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:5896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2720 -ip 2720
1⤵
PID:5968

C:\Users\Admin\AppData\Local\Temp\33945c4f34\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\33945c4f34\Dctooux.exe
1⤵
PID:5172
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
  2⤵
  PID:5752
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
    3⤵
    PID:5488
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:3536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\472529282816_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:5764
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main
  2⤵
  PID:5308

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2720 -ip 2720
1⤵
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5376 -ip 5376
1⤵
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5560 -ip 5560
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5560 -ip 5560
1⤵
PID:2428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5836

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6383.dll
1⤵
PID:2648
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\6383.dll
  2⤵
  PID:5644

C:\Users\Admin\AppData\Local\Temp\6A0C.exe
C:\Users\Admin\AppData\Local\Temp\6A0C.exe
1⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\7EBD.exe
C:\Users\Admin\AppData\Local\Temp\7EBD.exe
1⤵
PID:5220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 440
  2⤵
  - Program crash
  PID:2296

C:\Users\Admin\AppData\Local\Temp\8556.exe
C:\Users\Admin\AppData\Local\Temp\8556.exe
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5220 -ip 5220
1⤵
PID:5580

C:\Users\Admin\AppData\Local\Temp\8FF6.exe
C:\Users\Admin\AppData\Local\Temp\8FF6.exe
1⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\9853.exe
C:\Users\Admin\AppData\Local\Temp\9853.exe
1⤵
PID:5376
- C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
  "C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"
  2⤵
  PID:5732
- - C:\Users\Admin\AppData\Local\Temp\u4f8.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u4f8.0.exe"
    3⤵
    PID:3268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 1364
      4⤵
      Program crash
      PID:5404
- - C:\Users\Admin\AppData\Local\Temp\u4f8.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u4f8.1.exe"
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:3464
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3036
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:5384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 1608
    3⤵
    - Program crash
    PID:5528
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:5068
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    PID:4824
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2616

C:\Users\Admin\AppData\Local\Temp\9EFB.exe
C:\Users\Admin\AppData\Local\Temp\9EFB.exe
1⤵
PID:5392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3416 -ip 3416
1⤵
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3268 -ip 3268
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5732 -ip 5732
1⤵
PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 6108 -ip 6108
1⤵
PID:5484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
320KB

MD5
359529e3fd3d1ef484b67ce5f3483d56

SHA1
d27c94914883ec2b7f6feab7b0f77d264a578c96

SHA256
4310414b8cf4ed75a52c8147b07d9fe4b03c818560878aaf829eff16fc172b50

SHA512
594dffe2101d93f6f9d16a9923c554025846c7df707d73c3a7c12545a39f3bf11243514b1aa351b99fc2bd5b96b944a4644fb02386eb59e969ca7b2d47744f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9853.exe.log

Filesize
425B

MD5
bb27934be8860266d478c13f2d65f45e

SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb

SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LOBht3ily2yXF0S7ZfNgYOLH.exe

Filesize
320KB

MD5
d3022ca3b1b3894379744b3fa986d3aa

SHA1
b127c5018823566716f0cb80df323a7240d1e375

SHA256
a84048aa3f869ec3a8d5c02f497632d7db58ff80fb5794fe6253a8e6a5091777

SHA512
0cab91c2000b31e23f1cb9e94ee10806abc4539afc68de28efcf787d95e24a7dec47e6156b456392c68630eba7fcf135e39b3a643f9be1d7e9d534963871efd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403230908451\additional_file0.tmp

Filesize
2.5MB

MD5
20d293b9bf23403179ca48086ba88867

SHA1
dedf311108f607a387d486d812514a2defbd1b9e

SHA256
fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

SHA512
5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403230908451\opera_package

Filesize
1.4MB

MD5
2b7859ae2af59580124d4d623eaf3af0

SHA1
879e4f0cfbc2e34620abd879c8d1c7ae0968ab78

SHA256
820a7d2627ed67888d368cf3c4a7f09458e75c9345bc0efdf7dfec9ba299f599

SHA512
bca9665ef1102e9d8fceb153839e2a351e02fbce5f3efce3b3aa9c96747c9eb394ef20c6f00707c9fa93e8aab0185e00580c75fe72aef1a05c16591db829755e

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
1.8MB

MD5
8aa378546345c521deb99bb241f6675c

SHA1
2d4361d087a3cff29665a1707f2633c3ec071a04

SHA256
c58fedb61c1b111b8cc949dce2dfad1af9c6b69c522f759e7039ff5e9e172859

SHA512
190323bc206c8b7ec26e11373961ee549f4dc6a3c58914cb3e5f088333c2612ceb41f865d9611d0a29b155cf51271da094341a96c7ac8249a79c2bc92b12ca6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.6MB

MD5
30b0d030410aa653ec3e5bf90db18efb

SHA1
81db0aa0e914cd3dfb2c511b262296a156bc7ead

SHA256
002942f8e0e87c421630452157ad9a4ee7ecb1d499b3b0fee21c9b0cf0d120c7

SHA512
695dc5b02889098b9be9b015b749c9c1184f6664cfffa557ec26555fdf03d4f872028ff5dd71eb3a397f0fc05ab89d527347a79c28a7c1941016497feae4c914

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000034001\lumma21.exe

Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe

Filesize
534KB

MD5
a3f8b60a08da0f600cfce3bb600d5cb3

SHA1
b00d7721767b717b3337b5c6dade4ebf2d56345e

SHA256
0c608a9b1e70bf8b51a681a8390c8e4743501c45b84cf4d59727aba2fc33cadb

SHA512
14f63e415133ca438d3c217d5fb3ecf0ad76e19969c54d356f46282230230f1b254fbfc8ae5f78809dc189a9648be2dc1398927b3f089c525cd1105a3843f60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe

Filesize
464KB

MD5
c084d6f6ba40534fbfc5a64b21ef99ab

SHA1
0b4a17da83c0a8abbc8fab321931d5447b32b720

SHA256
afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624

SHA512
a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

Filesize
1.1MB

MD5
db31de3c3850a454071eeca9d5dc7af8

SHA1
3625600a98333db4f9b8f5dab7532e076fb5e722

SHA256
98f013c287bef3f388c814a0d8deb8b1ec92bbf81f1daa2db743ee9b95b723db

SHA512
2aaee4e82fb26d4a4b2b02581004bc1061c93b2db1a72c3e2802b3e363c30787fc0add90ee8e873d7f9e2bcf2838400244abf82d4619af5b61c8d5d0683e8d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

Filesize
1.2MB

MD5
830d0a6e22cc2773a5ed7e492bfece87

SHA1
ab1c0af8f2d1336deb7c28790acb05b42ff0272a

SHA256
3b4c078f357b4ecd818b84a9383d793f762a0cd3c8e4e29cb1a1d9fe01453cd1

SHA512
a7ec77fe1a74094596470a24663698e90f35f928142e464a7966c18729948924dbb3a724178a50f33e8f057a27cd868f2e9c2f1d921441a72d601e39acd3259e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

Filesize
1.2MB

MD5
d5923390c6ca2dc9ee4e080af5fac7e1

SHA1
d9f78b9c2f5b6d667185f80c42568e5cadfacf47

SHA256
6dbb9fc71491bc420015761260220adb749f558af84d4798070ba76d3d047f46

SHA512
3f22c2f595a77a22ff289fc85a7cc0a787c31d5bce864a5de3abd586bb7ab8e5c3c6df9693ab4eff207d28f38c041b17375829f954e2c96fcc301202abe139df

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe

Filesize
1.8MB

MD5
fce5f8997436fd2bc63548e8d6ae6bcb

SHA1
66f524d01d63c6b74b41a751ff6904465fa02376

SHA256
757f56b37925a1ee55942f5c8810bf1658f20dc288fbf341d3da09bbedd41fc7

SHA512
63896baa2769d57f7b46ad9e6d072645e109c958d8297732a00ac206afd0c7ac3bb671cb0b2ff7ab1e83caef62c4e5e91912790bdf02f937b82b54ca9931ab1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe

Filesize
384KB

MD5
eab29a4310805b7e9cce589a22a93f35

SHA1
1d8f62ae318a4503172b4a55ccceb4f544bcfc44

SHA256
225bf648ade87bcf005f733a13825d763923927ce6c53c0bdb88dbb8a48a44aa

SHA512
4c96f82b3fe448c63302fe4fff3d49706d9a186d97cdd6d8aa457a960e5ee4d907b582d5256f4af97884ccea431547fce278d20eb629f6e298dd0c339770159f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe

Filesize
896KB

MD5
1a7e913597412bf6d0a6729fb2d7fd97

SHA1
dfb2b01c9e6a87479f027a8b960e325f3b1020e0

SHA256
e197d1e56b0054e6947efe418c04fb31bcd25ee8a3283d3c18fa934afe5f6ddd

SHA512
f66cc3dbd7e03c2db7602e1078af2aa163a0a160b5596f029040b1aea6ae08abd005838fc325c791e7c428b6874886be49df9b0f6c4d6d96a4f3c1fd4a906003

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe

Filesize
541KB

MD5
3b069f3dd741e4360f26cb27cb10320a

SHA1
6a9503aaf1e297f2696482ddf1bd4605a8710101

SHA256
f63bdc068c453e7e22740681a0c280d02745807b1695ce86e5067069beca533e

SHA512
bda58c074f7bd5171d7e3188a48cbdc457607ff06045e64a9e8e33fcb6f66f941d75a7bf57eb0ef262491622b4a9936342384237fa61c1add3365d5006c6d0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe

Filesize
315KB

MD5
5fe67781ffe47ec36f91991abf707432

SHA1
137e6d50387a837bf929b0da70ab6b1512e95466

SHA256
a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9

SHA512
0e32d9a72b562d4c4a8c4edbd3d0ece54b67ee87c8ac382c6508c62b04b11a2dcd1fba23c3a78004fcd0c2b623dc854fd2fd82eb372dc7becdcbdd7ec7fe1b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe

Filesize
832KB

MD5
e3c0b0533534c6517afc94790d7b760c

SHA1
4de96db92debb740d007422089bed0bcddf0e974

SHA256
198edf9613054f8a569ac804bf23081fbfa8566270fff05bba9dc3c9a32d9952

SHA512
d12631796afca877c710b9308d1236fca1bfe3abe6582445d9df1bbb404160cff220316e3f600b3a87b46dd3bfb859734008b5c668e410466e82be9dc033249e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe

Filesize
320KB

MD5
7055a0ef0802677d823301ad0fd59294

SHA1
2a0c54d2c0ed38b8732e2e498a82f35a982c80e6

SHA256
34adff905e1bc7deb954ef3f7747fcef130452f7e9c736b29847f968efcbaf4c

SHA512
a5bc0c3f0a670f90c4516fe7761f86354933065370935107be9f7e02a97219a19a27b2a3370d2608f720481a4f091c160c3fe0ab7df15084045f96c0199bd994

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe

Filesize
350KB

MD5
04df085b57814d1a1accead4e153909e

SHA1
6d277da314ef185ba9072a9b677b599b1f46c35b

SHA256
91a36d137ebfa812b055728807e11338d15d3a5d869cb4babdf779266688e4dd

SHA512
f37678424e46e4f28e1047161db60ad737515558c8c8905ed598ca96b198304da7356e49e7bb9d1e77fe75372f0b5a7f670a353d093749c37bb85c40ec7fdafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe

Filesize
192KB

MD5
cfa11c4b0fab28e9402110a49d74ce05

SHA1
50484fdaccf2888dadec986d1b7734b77c1fadba

SHA256
bf940dc0c115ebed1d7b06dd94b5a3bc0517944811b06c65e041b8920e02a730

SHA512
c98ad77f8c67be03ca3090845b5d54fe97170b4b4b9c6bd514e6555936c0065a05df05408fe27d275064705790ae4923e81c42f9c370e2de71362c199f763142

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001018001\file300un-1.exe

Filesize
424KB

MD5
7660d1df7575e664c8f11be23a924bba

SHA1
22a6592b490e2ef908f7ecacb7cad34256bdd216

SHA256
612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc

SHA512
77c22370eaed5e096a476778d24c26fcd0105d56419bbd1a5af125028dea702aa8537017629920de08f9b7c20d3b9242606e37ace3e456d34730d0e54f20c15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.1MB

MD5
22df5255370624a1669d117c75044d32

SHA1
5c3725dfa94cd5b6237c4da9cbed8723d69a82ca

SHA256
b0adbfcfdae31313f4e7339a1ddc724db6fe1c6ceb5c39470c416370b0c384f5

SHA512
c442b70821536caf2757bf619ed04fc704d9f0fe2b282362ac25b0c72bd5d8a2ec5c54c87fd11170ee3b865ba8bed7d24ae4c16d5e1d4c97f4a16589df69f926

Download Submit
C:\Users\Admin\AppData\Local\Temp\472529282816

Filesize
81KB

MD5
f4905789c33aee773a8b384bead283de

SHA1
bacab8a8cafc68ec270a00ae6e0565d370305ab6

SHA256
9b38c7f339185eac24f1164d62a91c8148d0e2bd9c7a7168f5e5388f675922a4

SHA512
7070705d957c1acea7ee1e091d11a6e0eabdc70a2e405fa8d5ab8500b3f3386ddaf6d7b0932b45f62dcf7e3b62b3434c23e1b181aa3b7a4836a1c75d0e040782

Download Submit
C:\Users\Admin\AppData\Local\Temp\472529282816_Desktop.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

Filesize
384KB

MD5
79f85cc30a3c16c030243ac26cd9b768

SHA1
34a6ff70803117fb2e16ed1f751c83801344d761

SHA256
7ac9069815d51ab6dc8e95dea9021e5d5974b6691e6f25720c92777526b5da0b

SHA512
141795bd25eea722e9f1bb0fb23aabdd53f9a22cc7d47ab637f1d8e66951fc0e06282a2d22bc8c90abd2870646598a2ef9015e1f9ec4868057dc281716059025

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISetup4.exe

Filesize
464KB

MD5
44f814be76122897ef325f8938f8e4cf

SHA1
5f338e940d1ee1fa89523d13a0b289912e396d23

SHA256
2899d533753918409ab910b70ba92f8740f76c8e8ac74f4c890e53b258e3bff6

SHA512
daeb1a81dd4fe1578502d0c681c7e723273d06297c2fad7aeb74b1a06cd05f72a418af9571c82188525af329b3fef9785d588f1416d6ccf45ab58b589d8f0d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403230908428274272.dll

Filesize
1.1MB

MD5
56d5557063ce2d3b79b89f67a8dc18c9

SHA1
2e3e83a5f7db1dcec4058ae202100a3ae85cf3db

SHA256
bc3302b36bb81c9235aa15e533edc0aaa41f4d7dd448ad36645f60904c68eb5d

SHA512
9646e1b9c3225c448bdeb44c05cab90f7d5f2781fc1e640fc2fa04613ae2fa3b4d66b7ee7009c3d3c0d87f9d643badcbd0ad83cfc78b91d9b62f59f20ef4fbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403230908431092156.dll

Filesize
128KB

MD5
c6cd3260bedd969efd8f6151d9a3b4d4

SHA1
15412cf7526f688344387401dbba84827340d2d4

SHA256
2a7a0090165469b01d905d4ba6513664ab65c732531891614a2c12ab38532239

SHA512
25d453cda995bbf2b58f3fe471e51f132a8879048f6ca85ea3eef984b4c99a0f40157a202a6427683c8b1abe054c2bfc9130ecc78872c163ef7a08ca3993dca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403230908444383856.dll

Filesize
320KB

MD5
b2f5d0edf7336f97c3ee18d0d9d4e2dd

SHA1
e633b9de44d8f44b1dc2687bd0712c7890068580

SHA256
5d6dbd524eb1c6e0869abca7ed86fedc2f8557bd25a28b8617dd70d511b2792c

SHA512
4d73bb45f78c1255d410c4ac2adf5aacdc35b9d76d77e49c5509668cbca702ce7ff27f68fe742b7d056db277e9b4a08064227b2d5d6d6f8950b82468b23559a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp8076.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mq1dv4ym.bpz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\u394.0.exe

Filesize
311KB

MD5
e704133781890e4613a921e1e0a0c779

SHA1
6e47c833ee863b1b80309d8aa7a29945e7b818dd

SHA256
c8107782de97618a7218ed26465d2b2382596d4e554cf64fa16049d72c8d6a0d

SHA512
747ec9eca088fd9f55d0d7211c01099a8b0eb6a9e430c1efc5d54f45fb2e00541efa1a515f51f0eaa3e41a2833eedff6cc34562e67768ec728d331c598a8e299

Download Submit
C:\Users\Admin\AppData\Local\Temp\u394.1.exe

Filesize
256KB

MD5
e208b5f8f40832b0d96ecebfc615ada9

SHA1
fa27375b264506e66c52dea4e4843a5db451e4f0

SHA256
84575d8e927bdd4b6dfbd95dedddc3a4b51aa0b43253e535359f94766497da93

SHA512
9e5f4701b5fa6a933c59ad6915ef1510be9cb6b577075593091420323f4dbc37f056f7cc1d77e6ed3d68ef39a3108254b1f42fbd43e0e3b45bc176d377bb7609

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

Filesize
109KB

MD5
dbd964c5bacfeccb4182e6c740f70916

SHA1
e2d3b6d42fd41d890632636cca32d6cb6cdb3d5a

SHA256
13bad0cbf56b359a0fbe62ea2ea0c2c838e49fa271d7248b2938cb911b9904e0

SHA512
50ca2b6c12edfb555304b59662f79c2a2d9ce6c1bc7cdbc44fbebb9c337b061a34f204c1a7c47fb1800ee5bdf85b56115e05f60eb580860fa38329ba7f20cb96

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
384KB

MD5
6e26fa8dd28a1a32c94348205c2ec981

SHA1
f512894ea2ab5161b86b786e0497cd0d80ab9c71

SHA256
41146c186f534c3b2eb56315877ce5df2be8345624f8c62b3cf29060d0ba1e56

SHA512
573605df990a5b05787c7cd51094736b730b77bd59f68352406c51d0e0ea3fb15eae3fb56e2c6dabf53842a881c1a341a9a127f98eb8fa17589c40befc09cc75

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
768KB

MD5
3a3a1170465f5a91bd68beae44a819ca

SHA1
00ac0922d9ee0e378cdc7204f80dc7b651b84f13

SHA256
feba2939429349c65592dc5667aa97231b1495cf0cf24ffcd3ac7f0c826a514f

SHA512
ffa32fc695197b56deb35e7da194162f6f0bb336c8a9fa1a4d767ef9ec19fe55a1302c070912f52e54828c6cd727ffc0ec46c198fa8f19b183e5aa4b46a13413

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
64KB

MD5
d8e8beafbb55cc1d2050d8cee3d4b28d

SHA1
678d49a02563d0dbba7102b8f06d0bbb85ca381a

SHA256
d1e8a24a4fa8065736c398f6a93597086092b649307079681438bef1772082f9

SHA512
41393485656f2d24c64913b8fdcefd66a5adf6435c8888b36659e232846f652a40ed795b8064acff4cb244305ad6f0265751cb5e7a4227213d4b01598863dce0

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Pictures\1uZteJOdkdpxorPKVQQX8GFU.exe

Filesize
1.6MB

MD5
c0fcc22a2cc800537f06d0fc1517a849

SHA1
b7611ff1e3a0f1e65e0496a94c508d37653e62e8

SHA256
ccf8a01f8e037851f4d223f6dd6f786295702cc9d20cc966222cc02a4e7524c0

SHA512
f373a0946370fbc575911d078b7095eb96dd215e4151b9e3f40e07fefde40f816d499e4725a59ecb9d74efed10fb4424d30d8a616a9cb6d5e86d5515dde075e1

Download Submit
C:\Users\Admin\Pictures\1uZteJOdkdpxorPKVQQX8GFU.exe

Filesize
960KB

MD5
58ed25a0cd531118905a8824dcf058b1

SHA1
fc1d5037892fd7de97a08d2fe65cb4c2acb0ab4d

SHA256
b72dabed26a7357bd3be0848b8610fd731e9474fdf69ded823dd3000c6e9f448

SHA512
d9b09844dab4a3d739a2280396e2ba052e52749a9d3d6f23f627e81f4625095d4015e4ef4eb9749d1db511e787b6dab9af5ad87194955e45bd374bae63fa3bc2

Download Submit
C:\Users\Admin\Pictures\1uZteJOdkdpxorPKVQQX8GFU.exe

Filesize
640KB

MD5
321a53d3bfee103d8736e42031724521

SHA1
7725db4785d350689a7060a1e0073ddfffa513aa

SHA256
469d27e924a76bf9fbacf29736a5ea83944471383d3c1ee7f27d2b05283a37e2

SHA512
65fcac62445a382aa40fc21082ecc0b5d5abeb3bb11c3380ef1c67340b7a23739d52cc3485805392cda900d7076837bc1b9d2b1e2f08ac10669326581d2d56a7

Download Submit
C:\Users\Admin\Pictures\7TwsbrVDC5gizl2VMDgi8aln.exe

Filesize
456KB

MD5
97c973d8c462ad109921452b6c541c12

SHA1
f4c6ddb2149b12128e3091d0f60b58b43805088f

SHA256
d9dac5c1ac90a3c1d17cf5d0b17afc80ab5462e716466e5c87a17b8f962e6f56

SHA512
c993de0c3650a310ab18aafeb6803cdbef354fe1b5e000008b007ef423c42de590e04d7902fcd0e456dbea39be6ada7d9330e69cca9c5b45be733955a176cd30

Download Submit
C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe

Filesize
960KB

MD5
80fd641e7a4f3ef959d7b299722d5f05

SHA1
b335db7c83cf9eade8e5fc18497d62da7e5aafb1

SHA256
1063bbc5f4a3af524f7627c4a8a876809201177051fab172447cb8352621712f

SHA512
125b8324d7657e902438100bccc7adee168487a886ae506ffde7167d884858cfabe5f9a118a57f4e79fb20c9ace80be87334c0905978eeb83238fed4ac9bacce

Download Submit
C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe

Filesize
1.2MB

MD5
f628da7c62e53b2c8903d4309c1fe4c6

SHA1
63966b7dea8a8bba8226928573a649b2d9c97446

SHA256
3a6cec2d10f2156d3207253f799554d659b6fd4cd89888ff9501babb76a63b21

SHA512
f7a1459a82e050d76f190b5cef99d9337ed06faf9f489068bd4680a1e25049d4817caf4673f7674b434433276f6ed716a3edac34cf8302b2cb93eee4692e2210

Download Submit
C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe

Filesize
2.8MB

MD5
8bb6c6214fee5834f4f0755b2c24a9b5

SHA1
0bd706549cbebd6771f617ae78f6b61d6a938294

SHA256
23e53599dd831794d8f1f57fec519b03d43b3871f871d1235057dfe19f4b228f

SHA512
997e087c96d7a2cefa1687cec827b8c649296dba841a2daadb622ed287eea88f2097d8bc7108d04103f6a360c201e0c8e84a68ad946d1a5c3bdb91c2d9792e80

Download Submit
C:\Users\Admin\Pictures\LOBht3ily2yXF0S7ZfNgYOLH.exe

Filesize
2.3MB

MD5
03c1f1228c0ac6578ee921ee7b97b57e

SHA1
2a4b28a00c2c622e67a1462c0a04c6653cdb76aa

SHA256
4498035b681fcffa555ab4bd0613d041efe5255d2608767ceac522ae14c8c7b4

SHA512
ce9ecf100cb2283e649fd69a820d1b36c7d96b7d3aa0b7f3f1deda083c9a47fc769ee78ea906fee34b3bb1e324fd3f91248634a7926623246fa30cf549155f1c

Download Submit
C:\Users\Admin\Pictures\M1YmgJ1YzqJI6FFlblHsWLsT.exe

Filesize
4.2MB

MD5
2c00aaaf2d8434befcfe77a16733944a

SHA1
2f955efb7eb95fb619134ebb7e40dbe391b2011f

SHA256
ea7b762474478cee57333d9693c37a0ff363d230a5a4eba41c0f1c3882bf62f7

SHA512
b4a27494bf4314005fb11301a7c67acd619928d50b358f850a50234d11e61791f12c850b6e6ac770571995e57ff0996e499ac6999104e7dbde0a076cd0b38a72

Download Submit
C:\Users\Admin\Pictures\M1YmgJ1YzqJI6FFlblHsWLsT.exe

Filesize
576KB

MD5
e3eba913d36ea3fe126f8670a0db00a2

SHA1
adb8b8cfaf4bf09e34bbfa0330b8b72d3a4d5dae

SHA256
c77b418410d18da1cfe490fc3e8c444cd6a6792fd0db83cab606fdff775db6ee

SHA512
b5e77abde0a5b7355b7d8f977a29b94959b1eda76067576a18979ebbf814438d31cd6786199eb3b7c20d52e02fd793af3c47321f4fa21fe6ee40ff234dda0a00

Download Submit
C:\Users\Admin\Pictures\e3NWLnmcdglmqIV5zqQ0niai.exe

Filesize
522KB

MD5
b8616322186dcdf78032a74cf3497153

SHA1
bf1c1568d65422757cc88300df76a6740db6eab5

SHA256
43dda2be3813b81729b3d388f546838a36ee3471da5ed266fe958e2316f1f6ea

SHA512
7b1e4ad944960fc2aa661426f77e64ff151cd8d5860e584874da1c4f03c6d195d4ee9031c36c24a234a851176b003254d14f9334712e07babc6934cf19a7b2fb

Download Submit
C:\Users\Admin\Pictures\e3NWLnmcdglmqIV5zqQ0niai.exe

Filesize
128KB

MD5
4cd3f34f488c1797b09c52f6a66d5230

SHA1
ff5b66cf7a912178b3670e30711cadc565e288e6

SHA256
0e5d65248d71ef5cf1814c9053130878d7be0162a9f306cb65edc29ce29a6f2e

SHA512
ea42d408d82462d38d90c046425f0c840c3f01d7870a01ab3b202709ed8f92562cd0af248eefc823d2d82a86b5b003e551f4f3a74413eb5d9333d3661f930f38

Download Submit
C:\Users\Admin\Pictures\fBzMH0UQSHhbW5qfHzUsis2c.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\kygXBjtMH2vNHgQB3OVjw7aL.exe

Filesize
433KB

MD5
825441372bbba175c241a1cf4c798438

SHA1
84c1e2f2a24b338666dc98b64b266335b7fae5e9

SHA256
c307873c80fd5892e04c45d29ccc3f0ad506f0e77d768f20426851434df2f933

SHA512
08c009748b1e4167d933e4e8443dac4600a0b5d1281fbbb660a28fb26682d9d6da46f39f1640ee3ffa3bc5b3dd3ee87b400a9b007b98cffedbd75e360ec2ac18

Download Submit
C:\Users\Admin\Pictures\nRO8bb7n0oXcyuQCFzYTSsYH.exe

Filesize
512KB

MD5
38dacbbab270792d6b21fc325c9e77f9

SHA1
0cc9bb492a7bdb593541afe310455730c639c469

SHA256
aee61400cfde36ac48ad5462c18de6c154b614a4272885570ad1cf64190e1887

SHA512
db411de198d455451286f255463e0a44a682fc75fbbe488c9fed1f2f2c99101a94bd243a9d3748e4a4bc26a680f96af0df54ce180c88fe618225086f35af8c1a

Download Submit
C:\Users\Admin\Pictures\nRO8bb7n0oXcyuQCFzYTSsYH.exe

Filesize
2.6MB

MD5
f93f513ca8b0f4803e849bc36bea9629

SHA1
0891055e03a7b6a33a18ef7da33df313a553a824

SHA256
eea1f02648e48514e9629f779cd86038e1da15e35b0a1af7e0e4b965d7200267

SHA512
f2bb959bbe33c0e06330dd715203d27f3c3071aec8b817ae9ab434bcb2b11db167fe36fe51399a560fab323b6ab4e2f400b2340f0b9564242cf828526e8c8b53

Download Submit
C:\Users\Admin\Pictures\pAXIL7oiJIlt0YGKF9jiCBtz.exe

Filesize
256KB

MD5
71b05f0f1b7a69cfebe81d021f06e2de

SHA1
81aed80915ecacc088b0c5045c1092ec28f2a2c8

SHA256
f858904f61f9b3e27137e5a7511c0b8325794008d80b2888e2877c9bfcb17a94

SHA512
42caea4e0c88ab035cf48d516b39a6f94cbcdd8bd805b1187fbdd99dccaec9de87d9f1fca5e0a7a17deb0790166b0a883bed7a00bd4fdf4c208c713ed882b7ca

Download Submit
C:\Users\Admin\Pictures\sEgCAH10E8jxpZBWjHZyMoBl.exe

Filesize
3KB

MD5
933d5cd42a2a62cd3b804a90a0b587af

SHA1
e82ba79491f72071fedb61607d002ea2adfdac63

SHA256
975def21bc6355a41b09731ad8e393d7902383fd7f1a8abc598f852ec97b5060

SHA512
d0884018372523b1fb1cff86553bc3529d05bbf6e9f123b115847a7e5fd779e8fb44b15ee13d606ceb63935dfbe67e382d4ac68ad82c08980e605e5eab3639f2

Download Submit
C:\Users\Admin\Pictures\y66B7J3bFvqVJH4noG8WlqUj.exe

Filesize
1024KB

MD5
dc6610640eca5fb51479fc5a14eca4e6

SHA1
233b52c7783a3c88d736d69e74c1741a3589e727

SHA256
e6c9e788f3a9bb103c87f2779af4abe319dcda9042275bb7099647948313b470

SHA512
f75f6cd167dd42fcb0caf806468df5ddefc065d17d1ba85711f85e45659fb57e646ed9e206eb356995636f7d22ee151b0f7d8ea7f9685845878224ac08277cdf

Download Submit
C:\Users\Admin\Pictures\y66B7J3bFvqVJH4noG8WlqUj.exe

Filesize
448KB

MD5
83cf4d969a67b0ec2542b6f441fe1c09

SHA1
b8d2362e6f70f33d830dd724277c8af1ca3bda4b

SHA256
2a6bdcb359f213bf844e71e4359e7e9ee1647ab1f3c15cf2299f278967540e26

SHA512
a14d04a4d4f5c204e07074020c0174144ff494cb19fbf0e14c8ebbbd5eb042c2e9d701757da37cc40d69e465f9c3a3c33ed6100c6be4bd9aa77a59a9ca937140

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\Tasks\chrosha.job

Filesize
286B

MD5
98d95a0d081fb9eefc2011b9dc5d2067

SHA1
d0983f312ae5f85b640620bdb8a9fdded203c57d

SHA256
bd5bfabf3231d6e19de9b3d7e1b74d49ae04817b85d42bcfe4a72d56be49c406

SHA512
7448e46806a0ea25b1dd972830eda31ece5ad79c70c14134084fd79bc9b34358e9f8bfd3f308b70a1a5f00355b60b7009378549eb314a74513e1dff6d9120026

Download Submit
memory/428-485-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1268-170-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/1268-156-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1268-158-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/1268-155-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/1268-154-0x0000000000CA0000-0x000000000114B000-memory.dmp

Filesize
4.7MB

Download
memory/1268-151-0x0000000000CA0000-0x000000000114B000-memory.dmp

Filesize
4.7MB

Download
memory/1268-157-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/1268-159-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/1268-219-0x0000000000CA0000-0x000000000114B000-memory.dmp

Filesize
4.7MB

Download
memory/1268-160-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/1304-766-0x0000000000400000-0x0000000000EDA000-memory.dmp

Filesize
10.9MB

Download
memory/1876-443-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1876-449-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1908-80-0x0000000072D20000-0x00000000734D1000-memory.dmp

Filesize
7.7MB

Download
memory/1908-195-0x0000000003070000-0x0000000005070000-memory.dmp

Filesize
32.0MB

Download
memory/1908-68-0x0000000000D70000-0x0000000000DEA000-memory.dmp

Filesize
488KB

Download
memory/1908-84-0x0000000003070000-0x0000000005070000-memory.dmp

Filesize
32.0MB

Download
memory/1908-70-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/1908-69-0x0000000072D20000-0x00000000734D1000-memory.dmp

Filesize
7.7MB

Download
memory/2576-194-0x0000000000550000-0x00000000005DC000-memory.dmp

Filesize
560KB

Download
memory/2616-259-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2720-824-0x0000000004050000-0x0000000004450000-memory.dmp

Filesize
4.0MB

Download
memory/2720-832-0x0000000004050000-0x0000000004450000-memory.dmp

Filesize
4.0MB

Download
memory/2720-839-0x00007FFB76060000-0x00007FFB76269000-memory.dmp

Filesize
2.0MB

Download
memory/2720-842-0x0000000076620000-0x0000000076872000-memory.dmp

Filesize
2.3MB

Download
memory/2720-697-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2720-704-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2804-396-0x00000000016B0000-0x000000000173C000-memory.dmp

Filesize
560KB

Download
memory/2872-88-0x0000000072D20000-0x00000000734D1000-memory.dmp

Filesize
7.7MB

Download
memory/2872-64-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/2872-46-0x0000000000300000-0x000000000038C000-memory.dmp

Filesize
560KB

Download
memory/2872-47-0x0000000072D20000-0x00000000734D1000-memory.dmp

Filesize
7.7MB

Download
memory/3036-189-0x00007FFB54580000-0x00007FFB55042000-memory.dmp

Filesize
10.8MB

Download
memory/3036-190-0x0000025501580000-0x0000025501590000-memory.dmp

Filesize
64KB

Download
memory/3036-191-0x0000025501580000-0x0000025501590000-memory.dmp

Filesize
64KB

Download
memory/3036-188-0x000002557EE90000-0x000002557EEB2000-memory.dmp

Filesize
136KB

Download
memory/3056-20-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/3056-21-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3056-810-0x0000000000470000-0x000000000092C000-memory.dmp

Filesize
4.7MB

Download
memory/3056-117-0x0000000000470000-0x000000000092C000-memory.dmp

Filesize
4.7MB

Download
memory/3056-119-0x0000000000470000-0x000000000092C000-memory.dmp

Filesize
4.7MB

Download
memory/3056-662-0x0000000000470000-0x000000000092C000-memory.dmp

Filesize
4.7MB

Download
memory/3056-254-0x0000000000470000-0x000000000092C000-memory.dmp

Filesize
4.7MB

Download
memory/3056-18-0x0000000000470000-0x000000000092C000-memory.dmp

Filesize
4.7MB

Download
memory/3056-87-0x0000000000470000-0x000000000092C000-memory.dmp

Filesize
4.7MB

Download
memory/3056-448-0x0000000000470000-0x000000000092C000-memory.dmp

Filesize
4.7MB

Download
memory/3056-26-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3056-25-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3056-24-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/3056-19-0x0000000000470000-0x000000000092C000-memory.dmp

Filesize
4.7MB

Download
memory/3056-23-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3056-22-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3160-829-0x0000000000210000-0x0000000000748000-memory.dmp

Filesize
5.2MB

Download
memory/3176-435-0x0000000002DF0000-0x0000000002E06000-memory.dmp

Filesize
88KB

Download
memory/3336-152-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3336-85-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3336-92-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3336-79-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3336-91-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/3416-823-0x0000000000400000-0x0000000000AF7000-memory.dmp

Filesize
7.0MB

Download
memory/3528-10-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/3528-7-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/3528-6-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/3528-5-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/3528-4-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/3528-3-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/3528-0-0x0000000000DB0000-0x000000000126C000-memory.dmp

Filesize
4.7MB

Download
memory/3528-8-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/3528-9-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/3528-2-0x0000000000DB0000-0x000000000126C000-memory.dmp

Filesize
4.7MB

Download
memory/3528-1-0x0000000077366000-0x0000000077368000-memory.dmp

Filesize
8KB

Download
memory/3528-15-0x0000000000DB0000-0x000000000126C000-memory.dmp

Filesize
4.7MB

Download
memory/3856-688-0x0000000000940000-0x0000000000E78000-memory.dmp

Filesize
5.2MB

Download
memory/4188-756-0x0000000000400000-0x0000000000EDA000-memory.dmp

Filesize
10.9MB

Download
memory/4216-739-0x0000000000400000-0x0000000000B1B000-memory.dmp

Filesize
7.1MB

Download
memory/4216-822-0x0000000000400000-0x0000000000B1B000-memory.dmp

Filesize
7.1MB

Download
memory/4272-792-0x0000000000210000-0x0000000000748000-memory.dmp

Filesize
5.2MB

Download
memory/4340-436-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/4368-741-0x00007FF732A30000-0x00007FF733392000-memory.dmp

Filesize
9.4MB

Download
memory/4368-693-0x00007FF732A30000-0x00007FF733392000-memory.dmp

Filesize
9.4MB

Download
memory/4368-765-0x00007FF732A30000-0x00007FF733392000-memory.dmp

Filesize
9.4MB

Download
memory/4368-753-0x00007FF732A30000-0x00007FF733392000-memory.dmp

Filesize
9.4MB

Download
memory/4368-690-0x00007FF732A30000-0x00007FF733392000-memory.dmp

Filesize
9.4MB

Download
memory/4368-724-0x00007FF732A30000-0x00007FF733392000-memory.dmp

Filesize
9.4MB

Download
memory/4368-698-0x00007FF732A30000-0x00007FF733392000-memory.dmp

Filesize
9.4MB

Download
memory/4368-793-0x00007FF732A30000-0x00007FF733392000-memory.dmp

Filesize
9.4MB

Download
memory/4368-719-0x00007FF732A30000-0x00007FF733392000-memory.dmp

Filesize
9.4MB

Download
memory/4548-430-0x0000000000690000-0x0000000000B3B000-memory.dmp

Filesize
4.7MB

Download
memory/4548-781-0x0000000000690000-0x0000000000B3B000-memory.dmp

Filesize
4.7MB

Download
memory/4548-626-0x0000000000690000-0x0000000000B3B000-memory.dmp

Filesize
4.7MB

Download
memory/4596-78-0x0000000005A50000-0x0000000005FF6000-memory.dmp

Filesize
5.6MB

Download
memory/4596-153-0x0000000006720000-0x0000000006770000-memory.dmp

Filesize
320KB

Download
memory/4596-95-0x0000000008310000-0x000000000841A000-memory.dmp

Filesize
1.0MB

Download
memory/4596-74-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4596-81-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/4596-196-0x0000000072D20000-0x00000000734D1000-memory.dmp

Filesize
7.7MB

Download
memory/4596-89-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/4596-94-0x0000000006930000-0x0000000006F48000-memory.dmp

Filesize
6.1MB

Download
memory/4596-134-0x0000000008D30000-0x0000000008D96000-memory.dmp

Filesize
408KB

Download
memory/4596-93-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/4596-90-0x0000000072D20000-0x00000000734D1000-memory.dmp

Filesize
7.7MB

Download
memory/4596-98-0x0000000008420000-0x000000000846C000-memory.dmp

Filesize
304KB

Download
memory/4596-97-0x00000000082A0000-0x00000000082DC000-memory.dmp

Filesize
240KB

Download
memory/4596-96-0x0000000008240000-0x0000000008252000-memory.dmp

Filesize
72KB

Download
memory/4676-774-0x0000000000400000-0x0000000000EDA000-memory.dmp

Filesize
10.9MB

Download
memory/4840-451-0x0000000000390000-0x000000000073B000-memory.dmp

Filesize
3.7MB

Download
memory/4840-120-0x0000000000390000-0x000000000073B000-memory.dmp

Filesize
3.7MB

Download
memory/4840-121-0x0000000000390000-0x000000000073B000-memory.dmp

Filesize
3.7MB

Download
memory/4840-257-0x0000000000390000-0x000000000073B000-memory.dmp

Filesize
3.7MB

Download
memory/4840-812-0x0000000000390000-0x000000000073B000-memory.dmp

Filesize
3.7MB

Download
memory/4840-663-0x0000000000390000-0x000000000073B000-memory.dmp

Filesize
3.7MB

Download
memory/5896-854-0x0000000000D20000-0x0000000000D29000-memory.dmp

Filesize
36KB

Download