amadey | 6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093

Analysis

max time kernel
101s
max time network
163s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
24-03-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exe
Size

1.8MB
MD5

c07b259766e4a381335119c71e141cda
SHA1

e323ffb9ee168a11e764a2ef9599d8f93435d9e8
SHA256

6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093
SHA512

4318b0d828f21d45b92d08c47892ce8b8ceaa82439d7d334093080ec70e7138f7682cea1d73a40e373c3afe51e93bdc1cbd6e790eadaba719679229d92c8467b
SSDEEP

49152:z/g6iUFkmD5TGrtYUZSYpsg5OrZ7OTX31qC74odPGX4v:Tg6PkmD5axYZYpsXroTX3UA3GX

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

4.185.137.132:1632

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect ZGRat V1 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe	family_zgrat_v1
behavioral2/memory/388-70-0x0000000000670000-0x00000000006EA000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe	family_zgrat_v1
behavioral2/memory/2236-182-0x0000000000480000-0x000000000063C000-memory.dmp	family_zgrat_v1
C:\Users\Admin\Pictures\dBEbDSgQdjcatProeOueOGlA.exe	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2508-739-0x0000000000400000-0x0000000000ED5000-memory.dmp	family_glupteba
behavioral2/memory/4776-756-0x0000000000400000-0x0000000000ED5000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2528-76-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe	family_redline
behavioral2/memory/4144-157-0x0000000000BE0000-0x0000000000C6C000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exeexplorgu.exerandom.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

10 4760 rundll32.exe
16 1668 rundll32.exe
Downloads MZ/PE file

flow	pid	process
10	4760	rundll32.exe
16	1668	rundll32.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exeexplorgu.exerandom.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe

Drops startup file 7 IoCs

Processes:

regsvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YiD3kFiWZDAYcnG1bVOjuqKt.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zH6nEu7UKaXm88Hz2wNO4Jpz.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jj257oa143MN7qk4EycEAVjT.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WiU7cbN0KXl1xZLYT283eGVu.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iENkF7FIT1rPRk1KxKQACi2I.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABgxFuUBoNEONwyZSVOrLRxy.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bw77CiNryXtomJrbkFNiHUkw.bat	regsvcs.exe

Executes dropped EXE 21 IoCs

Processes:

explorgu.exeosminog.exegoldprimeldlldf.exerandom.exeTeamFour.exealex1234.exepropro.exeTraffic.exe987123.exelummalg.exechckik.exemk.exefile300un.exechrosha.exeboom8.exeUMfauYkQNKVawaKPdPcIyThS.exe1g1WQaD4IxybQD4cuNPOkJse.exedBEbDSgQdjcatProeOueOGlA.exeISetup8.exejOnu5jTK7deliOfGmHlavPDM.exeqvq5yED19Xf4L7nnW9LAZz1w.exe

pid	process
4680	explorgu.exe
472	osminog.exe
388	goldprimeldlldf.exe
5048	random.exe
4144	TeamFour.exe
2236	alex1234.exe
2264	propro.exe
2020	Traffic.exe
1128	987123.exe
2236	lummalg.exe
3940	chckik.exe
1908	mk.exe
2720	file300un.exe
4232	chrosha.exe
3968	boom8.exe
4768	UMfauYkQNKVawaKPdPcIyThS.exe
244	1g1WQaD4IxybQD4cuNPOkJse.exe
4428	dBEbDSgQdjcatProeOueOGlA.exe
4716	ISetup8.exe
2508	jOnu5jTK7deliOfGmHlavPDM.exe
4776	qvq5yED19Xf4L7nnW9LAZz1w.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exeexplorgu.exerandom.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Wine	6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exe
Key opened	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Wine	random.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exeregsvr32.exe

pid process

1992 rundll32.exe
4760 rundll32.exe
1668 rundll32.exe
124 regsvr32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1992	rundll32.exe
4760	rundll32.exe
1668	rundll32.exe
124	regsvr32.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\k9xhIn46fXCTvCFE9jVIkVJ7.exe	themida

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\u3og.1.exe	upx
C:\Users\Admin\AppData\Local\Temp\u3og.1.exe	upx
C:\Users\Admin\AppData\Local\Temp\u3og.1.exe	upx
C:\Users\Admin\Pictures\jYOHb65F542b3ciuRTwmKZy8.exe	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorgu.exefile300un.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe"	explorgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\.BLRVzdv\\svchost.exe\""	file300un.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

27 pastebin.com
25 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

54 api.myip.com
98 api.myip.com
99 ipinfo.io
100 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exeexplorgu.exe

pid process

3672 6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exe
4680 explorgu.exe

flow	ioc
27	pastebin.com
25	pastebin.com

flow	ioc
54	api.myip.com
98	api.myip.com
99	ipinfo.io
100	ipinfo.io

Suspicious use of SetThreadContext 6 IoCs

Processes:

goldprimeldlldf.exeosminog.exealex1234.exelummalg.exefile300un.exedBEbDSgQdjcatProeOueOGlA.exe

description	pid	process	target process
PID 388 set thread context of 2528	388	goldprimeldlldf.exe	RegAsm.exe
PID 472 set thread context of 1376	472	osminog.exe	RegAsm.exe
PID 2236 set thread context of 1436	2236	alex1234.exe	RegAsm.exe
PID 2236 set thread context of 3224	2236	lummalg.exe	RegAsm.exe
PID 2720 set thread context of 2280	2720	file300un.exe	regsvcs.exe
PID 4428 set thread context of 2084	4428	dBEbDSgQdjcatProeOueOGlA.exe	RegAsm.exe

Drops file in Windows directory 2 IoCs

Processes:

6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exechckik.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exe
File created	C:\Windows\Tasks\chrosha.job	chckik.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2092	1376	WerFault.exe	RegAsm.exe
3700	3224	WerFault.exe	RegAsm.exe
2156	4768	WerFault.exe	UMfauYkQNKVawaKPdPcIyThS.exe
3496	244	WerFault.exe	1g1WQaD4IxybQD4cuNPOkJse.exe
3700	2084	WerFault.exe	RegAsm.exe
3856	2084	WerFault.exe	RegAsm.exe
4128	4716	WerFault.exe	ISetup8.exe
3716	2296	WerFault.exe	1F28.exe
3004	2296	WerFault.exe	1F28.exe
5292	5888	WerFault.exe	ISetup4.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

987123.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2876 schtasks.exe
2652 schtasks.exe
3132 schtasks.exe
4144 schtasks.exe
5192 schtasks.exe
5856 schtasks.exe

pid	process
2876	schtasks.exe
2652	schtasks.exe
3132	schtasks.exe
4144	schtasks.exe
5192	schtasks.exe
5856	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

propro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exeexplorgu.exerundll32.exeRegAsm.exepowershell.exe987123.exeTeamFour.exepropro.exeTraffic.exe

pid	process
3672	6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exe
3672	6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exe
4680	explorgu.exe
4680	explorgu.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
2528	RegAsm.exe
2528	RegAsm.exe
2528	RegAsm.exe
2528	RegAsm.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
1412	powershell.exe
1412	powershell.exe
1412	powershell.exe
1128	987123.exe
1128	987123.exe
4144	TeamFour.exe
4144	TeamFour.exe
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
2264	propro.exe
2264	propro.exe
2264	propro.exe
2264	propro.exe
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
2020	Traffic.exe
2020	Traffic.exe
3232
3232
3232

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

987123.exe

pid process

1128 987123.exe

pid	process
1128	987123.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

osminog.exeTeamFour.exepowershell.exeTraffic.exepropro.exeRegAsm.exeRegAsm.exemk.exepowershell.exeregsvcs.exe

description	pid	process
Token: SeDebugPrivilege	472	osminog.exe
Token: SeDebugPrivilege	4144	TeamFour.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	2020	Traffic.exe
Token: SeBackupPrivilege	4144	TeamFour.exe
Token: SeSecurityPrivilege	4144	TeamFour.exe
Token: SeSecurityPrivilege	4144	TeamFour.exe
Token: SeSecurityPrivilege	4144	TeamFour.exe
Token: SeSecurityPrivilege	4144	TeamFour.exe
Token: SeBackupPrivilege	2020	Traffic.exe
Token: SeSecurityPrivilege	2020	Traffic.exe
Token: SeSecurityPrivilege	2020	Traffic.exe
Token: SeSecurityPrivilege	2020	Traffic.exe
Token: SeSecurityPrivilege	2020	Traffic.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeDebugPrivilege	2264	propro.exe
Token: SeDebugPrivilege	2528	RegAsm.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeDebugPrivilege	1436	RegAsm.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeDebugPrivilege	1908	mk.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	2280	regsvcs.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exe

pid process

3672 6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

explorgu.exegoldprimeldlldf.exeosminog.exerundll32.exerundll32.exealex1234.exeRegAsm.exe

description	pid	process	target process
PID 4680 wrote to memory of 472	4680	explorgu.exe	osminog.exe
PID 4680 wrote to memory of 472	4680	explorgu.exe	osminog.exe
PID 4680 wrote to memory of 472	4680	explorgu.exe	osminog.exe
PID 4680 wrote to memory of 388	4680	explorgu.exe	goldprimeldlldf.exe
PID 4680 wrote to memory of 388	4680	explorgu.exe	goldprimeldlldf.exe
PID 4680 wrote to memory of 388	4680	explorgu.exe	goldprimeldlldf.exe
PID 388 wrote to memory of 2528	388	goldprimeldlldf.exe	RegAsm.exe
PID 388 wrote to memory of 2528	388	goldprimeldlldf.exe	RegAsm.exe
PID 388 wrote to memory of 2528	388	goldprimeldlldf.exe	RegAsm.exe
PID 388 wrote to memory of 2528	388	goldprimeldlldf.exe	RegAsm.exe
PID 388 wrote to memory of 2528	388	goldprimeldlldf.exe	RegAsm.exe
PID 388 wrote to memory of 2528	388	goldprimeldlldf.exe	RegAsm.exe
PID 388 wrote to memory of 2528	388	goldprimeldlldf.exe	RegAsm.exe
PID 388 wrote to memory of 2528	388	goldprimeldlldf.exe	RegAsm.exe
PID 472 wrote to memory of 2208	472	osminog.exe	RegAsm.exe
PID 472 wrote to memory of 2208	472	osminog.exe	RegAsm.exe
PID 472 wrote to memory of 2208	472	osminog.exe	RegAsm.exe
PID 472 wrote to memory of 1376	472	osminog.exe	RegAsm.exe
PID 472 wrote to memory of 1376	472	osminog.exe	RegAsm.exe
PID 472 wrote to memory of 1376	472	osminog.exe	RegAsm.exe
PID 472 wrote to memory of 1376	472	osminog.exe	RegAsm.exe
PID 472 wrote to memory of 1376	472	osminog.exe	RegAsm.exe
PID 472 wrote to memory of 1376	472	osminog.exe	RegAsm.exe
PID 472 wrote to memory of 1376	472	osminog.exe	RegAsm.exe
PID 472 wrote to memory of 1376	472	osminog.exe	RegAsm.exe
PID 472 wrote to memory of 1376	472	osminog.exe	RegAsm.exe
PID 4680 wrote to memory of 5048	4680	explorgu.exe	random.exe
PID 4680 wrote to memory of 5048	4680	explorgu.exe	random.exe
PID 4680 wrote to memory of 5048	4680	explorgu.exe	random.exe
PID 4680 wrote to memory of 4144	4680	explorgu.exe	TeamFour.exe
PID 4680 wrote to memory of 4144	4680	explorgu.exe	TeamFour.exe
PID 4680 wrote to memory of 1992	4680	explorgu.exe	rundll32.exe
PID 4680 wrote to memory of 1992	4680	explorgu.exe	rundll32.exe
PID 4680 wrote to memory of 1992	4680	explorgu.exe	rundll32.exe
PID 1992 wrote to memory of 4760	1992	rundll32.exe	rundll32.exe
PID 1992 wrote to memory of 4760	1992	rundll32.exe	rundll32.exe
PID 4760 wrote to memory of 5020	4760	rundll32.exe	netsh.exe
PID 4760 wrote to memory of 5020	4760	rundll32.exe	netsh.exe
PID 4680 wrote to memory of 2236	4680	explorgu.exe	lummalg.exe
PID 4680 wrote to memory of 2236	4680	explorgu.exe	lummalg.exe
PID 4680 wrote to memory of 2236	4680	explorgu.exe	lummalg.exe
PID 4760 wrote to memory of 1412	4760	rundll32.exe	powershell.exe
PID 4760 wrote to memory of 1412	4760	rundll32.exe	powershell.exe
PID 2236 wrote to memory of 1436	2236	alex1234.exe	RegAsm.exe
PID 2236 wrote to memory of 1436	2236	alex1234.exe	RegAsm.exe
PID 2236 wrote to memory of 1436	2236	alex1234.exe	RegAsm.exe
PID 2236 wrote to memory of 1436	2236	alex1234.exe	RegAsm.exe
PID 2236 wrote to memory of 1436	2236	alex1234.exe	RegAsm.exe
PID 2236 wrote to memory of 1436	2236	alex1234.exe	RegAsm.exe
PID 2236 wrote to memory of 1436	2236	alex1234.exe	RegAsm.exe
PID 2236 wrote to memory of 1436	2236	alex1234.exe	RegAsm.exe
PID 1436 wrote to memory of 2264	1436	RegAsm.exe	propro.exe
PID 1436 wrote to memory of 2264	1436	RegAsm.exe	propro.exe
PID 1436 wrote to memory of 2264	1436	RegAsm.exe	propro.exe
PID 1436 wrote to memory of 2020	1436	RegAsm.exe	Traffic.exe
PID 1436 wrote to memory of 2020	1436	RegAsm.exe	Traffic.exe
PID 4680 wrote to memory of 1128	4680	explorgu.exe	987123.exe
PID 4680 wrote to memory of 1128	4680	explorgu.exe	987123.exe
PID 4680 wrote to memory of 1128	4680	explorgu.exe	987123.exe
PID 4680 wrote to memory of 1668	4680	explorgu.exe	rundll32.exe
PID 4680 wrote to memory of 1668	4680	explorgu.exe	rundll32.exe
PID 4680 wrote to memory of 1668	4680	explorgu.exe	rundll32.exe
PID 4680 wrote to memory of 2236	4680	explorgu.exe	lummalg.exe
PID 4680 wrote to memory of 2236	4680	explorgu.exe	lummalg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exe
"C:\Users\Admin\AppData\Local\Temp\6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3672

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
  "C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1152
      4⤵
      Program crash
      PID:2092
- C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe
  "C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
  "C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  PID:5048
- C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe
  "C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4144
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:5020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\602636161432_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1412
- C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
  "C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2264
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:4400
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:5008
- C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1128
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe
  "C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 476
      4⤵
      Program crash
      PID:3700
- C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
  "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
  2⤵
  PID:3596
- C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe
  "C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3940
- C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe
  "C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Users\Admin\AppData\Local\Temp\1001029001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001029001\file300un.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:2720
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Windows\system32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"' & exit
    3⤵
    PID:2820
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    3⤵
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
  - - C:\Users\Admin\Pictures\UMfauYkQNKVawaKPdPcIyThS.exe
      "C:\Users\Admin\Pictures\UMfauYkQNKVawaKPdPcIyThS.exe"
      4⤵
      Executes dropped EXE
      PID:4768
    - - C:\Users\Admin\AppData\Local\Temp\u3og.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3og.0.exe"
        5⤵
        
        PID:1808
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AAAAECGHCB.exe"
        6⤵
        
        PID:5468
    - - C:\Users\Admin\AppData\Local\Temp\u3og.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3og.1.exe"
        5⤵
        
        PID:2984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:4144
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 704
        5⤵
        Program crash
        
        PID:2156
  - - C:\Users\Admin\Pictures\1g1WQaD4IxybQD4cuNPOkJse.exe
      "C:\Users\Admin\Pictures\1g1WQaD4IxybQD4cuNPOkJse.exe"
      4⤵
      Executes dropped EXE
      PID:244
    - - C:\Users\Admin\AppData\Local\Temp\u6s.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u6s.0.exe"
        5⤵
        
        PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\u6s.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u6s.1.exe"
        5⤵
        
        PID:2332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:3132
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 1168
        5⤵
        Program crash
        
        PID:3496
  - - C:\Users\Admin\Pictures\dBEbDSgQdjcatProeOueOGlA.exe
      "C:\Users\Admin\Pictures\dBEbDSgQdjcatProeOueOGlA.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4428
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2084
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 544
        6⤵
        Program crash
        
        PID:3700
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 572
        6⤵
        Program crash
        
        PID:3856
  - - C:\Users\Admin\Pictures\jOnu5jTK7deliOfGmHlavPDM.exe
      "C:\Users\Admin\Pictures\jOnu5jTK7deliOfGmHlavPDM.exe"
      4⤵
      Executes dropped EXE
      PID:2508
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5580
  - - C:\Users\Admin\Pictures\qvq5yED19Xf4L7nnW9LAZz1w.exe
      "C:\Users\Admin\Pictures\qvq5yED19Xf4L7nnW9LAZz1w.exe"
      4⤵
      Executes dropped EXE
      PID:4776
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5612
  - - C:\Users\Admin\Pictures\bukICXNEBzhFL90kDR6EkJ23.exe
      "C:\Users\Admin\Pictures\bukICXNEBzhFL90kDR6EkJ23.exe"
      4⤵
      PID:3048
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5840
  - - C:\Users\Admin\Pictures\IYUrq7vOpLeBaHVKnLTIH7ok.exe
      "C:\Users\Admin\Pictures\IYUrq7vOpLeBaHVKnLTIH7ok.exe"
      4⤵
      PID:3856
    - - C:\Users\Admin\AppData\Local\Temp\7zS454C.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:2880
      - C:\Users\Admin\AppData\Local\Temp\7zS4C32.tmp\Install.exe
        
        .\Install.exe /zTdidMzw "385118" /S
        6⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:2384
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:5180
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:5544
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:5724
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gzhWcJHra" /SC once /ST 00:20:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:5856
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gzhWcJHra"
        7⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gzhWcJHra"
        7⤵
        
        PID:5652
  - - C:\Users\Admin\Pictures\jYOHb65F542b3ciuRTwmKZy8.exe
      "C:\Users\Admin\Pictures\jYOHb65F542b3ciuRTwmKZy8.exe" --silent --allusers=0
      4⤵
      PID:2764
    - - C:\Users\Admin\Pictures\jYOHb65F542b3ciuRTwmKZy8.exe
        
        C:\Users\Admin\Pictures\jYOHb65F542b3ciuRTwmKZy8.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x300,0x304,0x308,0x2dc,0x30c,0x6e2521f8,0x6e252204,0x6e252210
        5⤵
        
        PID:3096
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\jYOHb65F542b3ciuRTwmKZy8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\jYOHb65F542b3ciuRTwmKZy8.exe" --version
        5⤵
        
        PID:2384
    - - C:\Users\Admin\Pictures\jYOHb65F542b3ciuRTwmKZy8.exe
        
        "C:\Users\Admin\Pictures\jYOHb65F542b3ciuRTwmKZy8.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2764 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240324215325" --session-guid=89a0226c-b072-4c3c-bab7-d2adbc31dde0 --server-tracking-blob=ZWY3ZDg0ZDc3NDcxYjY4ZjIyYWQ3OTVhNDRkMTYxNjZjZTY1M2RjZDg3NDc3YTMxMGUxNGE1NWY2MDUwYTYzMDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMTMxNzE4Mi45NjQwIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI1OGExOTg3ZC03NzM3LTRmMTYtOWQyZS1kZDE0ZWJjODE1M2EifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1406000000000000
        5⤵
        
        PID:2900
      - C:\Users\Admin\Pictures\jYOHb65F542b3ciuRTwmKZy8.exe
        
        C:\Users\Admin\Pictures\jYOHb65F542b3ciuRTwmKZy8.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x328,0x32c,0x330,0x2f8,0x2bc,0x6d8d21f8,0x6d8d2204,0x6d8d2210
        6⤵
        
        PID:4768
  - - C:\Users\Admin\Pictures\k9xhIn46fXCTvCFE9jVIkVJ7.exe
      "C:\Users\Admin\Pictures\k9xhIn46fXCTvCFE9jVIkVJ7.exe"
      4⤵
      PID:5496
- C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe
  "C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe"
  2⤵
  - Executes dropped EXE
  PID:3968
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN boom8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\1000172001\ISetup8.exe
    "C:\Users\Admin\AppData\Local\Temp\1000172001\ISetup8.exe"
    3⤵
    - Executes dropped EXE
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\u3n0.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u3n0.0.exe"
      4⤵
      PID:3804
  - - C:\Users\Admin\AppData\Local\Temp\u3n0.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u3n0.1.exe"
      4⤵
      PID:3688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        
        PID:3428
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:2788
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:5192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 864
      4⤵
      Program crash
      PID:4128
- - C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub1.exe"
    3⤵
    PID:896
- - C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe
    "C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe"
    3⤵
    PID:2056
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:6096
- C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
  "C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"
  2⤵
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1376 -ip 1376
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3224 -ip 3224
1⤵
PID:4800

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F6CF.dll
1⤵
PID:1924
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\F6CF.dll
  2⤵
  - Loads dropped DLL
  PID:124

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Executes dropped EXE
PID:4232
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  PID:2316
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    PID:1488
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:3920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\602636161432_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:2420
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  PID:5708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4768 -ip 4768
1⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\1F28.exe
C:\Users\Admin\AppData\Local\Temp\1F28.exe
1⤵
PID:2296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1148
  2⤵
  - Program crash
  PID:3716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1132
  2⤵
  - Program crash
  PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 244 -ip 244
1⤵
PID:1408

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2084 -ip 2084
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2084 -ip 2084
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4716 -ip 4716
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2296 -ip 2296
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2296 -ip 2296
1⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\5220.exe
C:\Users\Admin\AppData\Local\Temp\5220.exe
1⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\5E84.exe
C:\Users\Admin\AppData\Local\Temp\5E84.exe
1⤵
PID:5220

C:\Users\Admin\AppData\Local\Temp\76C1.exe
C:\Users\Admin\AppData\Local\Temp\76C1.exe
1⤵
PID:5408
- C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
  "C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"
  2⤵
  PID:5888
- - C:\Users\Admin\AppData\Local\Temp\u4jk.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u4jk.0.exe"
    3⤵
    PID:5232
- - C:\Users\Admin\AppData\Local\Temp\u4jk.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u4jk.1.exe"
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 1164
    3⤵
    - Program crash
    PID:5292
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  PID:5764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:5724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AA84.bat" "
1⤵
PID:4688
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5888 -ip 5888
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\C6D7.exe
C:\Users\Admin\AppData\Local\Temp\C6D7.exe
1⤵
PID:948
- C:\Users\Admin\AppData\Local\Temp\C6D7.exe
  C:\Users\Admin\AppData\Local\Temp\C6D7.exe
  2⤵
  PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1808 -ip 1808
1⤵
PID:200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\76C1.exe.log

Filesize
425B

MD5
bb27934be8860266d478c13f2d65f45e

SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb

SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a3d2d8ec742f283d8aa08d1382996e6

SHA1
122eabf3e0b279fea6e837d55cd642b16e352ea3

SHA256
02b28ebbce54c6722b45cc497a275c60698c1be6085cd2bd8bfd5a4c8a7b053f

SHA512
fc7ac5f6c369ec6e2bd5aca829d2f75eaadf03623e1d2ba4b563a86a62eb6c9ec953b641c3e38ce6ac7e6d6cde281f59c26d992d3f510880b3fe1919ea412dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403242153251\opera_package

Filesize
5.4MB

MD5
5052ff800812c3d0face0b0ac0f4622b

SHA1
281ae07f7ec44e9bfe575e527478f5a2ee779ae3

SHA256
9eec65a28ba06035542acdb1fcdd201ea3d476254c974aeffb2d89d81661acb5

SHA512
e1e59345b9714f00033ec2f3cb2c012edaac0fb28af582c7027e5f2c49a1d27ee4e63082ff42e11eeae16f11d6b7eec1fb60e46e855fcb653062ef5eecc37c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
1.8MB

MD5
c07b259766e4a381335119c71e141cda

SHA1
e323ffb9ee168a11e764a2ef9599d8f93435d9e8

SHA256
6b189c086a01d888d21ca95145ade2fd7290abb8aa97ca78fcab4c297ca9b093

SHA512
4318b0d828f21d45b92d08c47892ce8b8ceaa82439d7d334093080ec70e7138f7682cea1d73a40e373c3afe51e93bdc1cbd6e790eadaba719679229d92c8467b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000172001\ISetup8.exe

Filesize
435KB

MD5
7234a7a0cef678e55d24ab48b9b89788

SHA1
7d2aafe5f6d0d52924edf54e955ab88a54bb6269

SHA256
50cf48fc16d0fdb591b300f4552b39da7ab5e7fa92051f3e25d09bac28e8c661

SHA512
9b32dfdb5dd292fa4649c04ae42170c1fdc7ee06e0703c88ad234ba82d9004f294fb94bd4ddd350959cc9e5dd2d0371afb07a8c26c58eb85a80bb79d6d039e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub1.exe

Filesize
294KB

MD5
5700c54d51e14d0ce00bbbb6015baed2

SHA1
71eb9361a9d6b35317fc8a385b748a8a6ce3bee7

SHA256
583d73f0111e0aeed0a34fa4fc4ba85875a11f88ac93f9bacb59359aaf5b94e2

SHA512
9dddd66cf82aead6400a19e81ccd0ebc0f5e312bc5772937e1929820a1db0fb74cf1480ef3bb9e9c70aefa25ce02c8c7d9f1a17bff6eb2137d76247a61eb2b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe

Filesize
534KB

MD5
a3f8b60a08da0f600cfce3bb600d5cb3

SHA1
b00d7721767b717b3337b5c6dade4ebf2d56345e

SHA256
0c608a9b1e70bf8b51a681a8390c8e4743501c45b84cf4d59727aba2fc33cadb

SHA512
14f63e415133ca438d3c217d5fb3ecf0ad76e19969c54d356f46282230230f1b254fbfc8ae5f78809dc189a9648be2dc1398927b3f089c525cd1105a3843f60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe

Filesize
464KB

MD5
c084d6f6ba40534fbfc5a64b21ef99ab

SHA1
0b4a17da83c0a8abbc8fab321931d5447b32b720

SHA256
afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624

SHA512
a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

Filesize
1.4MB

MD5
425e585b846eb74728ba9dd5f3f82800

SHA1
e3c4f7d00d58295d3039d10600adcd7fef2f01dc

SHA256
01ebe14e2bb9718bc9544926c7fefcd2c1de2df9115546f82fcad8412c75ea50

SHA512
f3cf754f82fb66bc3cd27ef0def1b1ef3b87eddd25e989f6a8ec9ccd7a52f156e434b739926db260eeb94e2dedcc38ff02ca2fdf5251ec4b1d3ffc2539c7065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

Filesize
1.1MB

MD5
8d3aae3b57dc6a02d3f2d222793648cf

SHA1
6e8da6b0a010e10874047d50dc8a8ddf5e7b012a

SHA256
ccd332b3c02e1956b9cede8ee9bd0d4554c538c5e03d934fad9f909758fb8d5d

SHA512
d56c9dea66260f74dbc65c5d6f6a3087b3b305e301e041ddbd5941805652e5b72d4fb1188221649b71dcf56e3bacf281a806ab2e4ce6c8c103ef6b9aa45ca13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

Filesize
640KB

MD5
15f7923bbc232f47c51bbd509a72b879

SHA1
726b81ad6c78071759c3ff7320af32618b9def9a

SHA256
1dbdde9f9a9d94c4706a1d18ee8cd7c3c5664ff9fefacf39816d3080fe08b05f

SHA512
0cc089100121765c110e528b2da72b2fcad3928f9551677b81885e96b8dca134ede195a713934aec9dacea18f9e3c998287a2bef59a961069e71db9c01416831

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe

Filesize
541KB

MD5
3b069f3dd741e4360f26cb27cb10320a

SHA1
6a9503aaf1e297f2696482ddf1bd4605a8710101

SHA256
f63bdc068c453e7e22740681a0c280d02745807b1695ce86e5067069beca533e

SHA512
bda58c074f7bd5171d7e3188a48cbdc457607ff06045e64a9e8e33fcb6f66f941d75a7bf57eb0ef262491622b4a9936342384237fa61c1add3365d5006c6d0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe

Filesize
192KB

MD5
102a0be35edc91aba0f5cb51f2137fef

SHA1
f9f64558dee435f722fdd61780486532b9e53a35

SHA256
4d7c168e714c3ca1bb3c34e38d2b6b60b19b097d5abc7861d79c6fcfb32a4a4c

SHA512
6327eb3aa3af8d0a53e8da1f0389a3f9b2f8dd8115bea157d9115346f3132cd46a0f20cbda877aa2b95022f7d6dafbb2412d8f860b8558fc1f008b537fa3d7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe

Filesize
315KB

MD5
5fe67781ffe47ec36f91991abf707432

SHA1
137e6d50387a837bf929b0da70ab6b1512e95466

SHA256
a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9

SHA512
0e32d9a72b562d4c4a8c4edbd3d0ece54b67ee87c8ac382c6508c62b04b11a2dcd1fba23c3a78004fcd0c2b623dc854fd2fd82eb372dc7becdcbdd7ec7fe1b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe

Filesize
64KB

MD5
0844f2facbc14a3f4c9aac3e4885a999

SHA1
92243f1238adaad1cac354f1ccbdc5dd66f5ebfd

SHA256
2d3e03aa9756020c02a7513aca1b467b4f3b7caa89ce36c9cc5f57a843d14eb9

SHA512
00f997efe46fb00e69c64a4c5e2109b9fdf98969cd81a5df43869b0af0beb8ec0bb7d8a7c8ad1e81333530e373f60100b38bdb4d6b88c280edfae627a52c6271

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe

Filesize
350KB

MD5
04df085b57814d1a1accead4e153909e

SHA1
6d277da314ef185ba9072a9b677b599b1f46c35b

SHA256
91a36d137ebfa812b055728807e11338d15d3a5d869cb4babdf779266688e4dd

SHA512
f37678424e46e4f28e1047161db60ad737515558c8c8905ed598ca96b198304da7356e49e7bb9d1e77fe75372f0b5a7f670a353d093749c37bb85c40ec7fdafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe

Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe

Filesize
297KB

MD5
cc1e287519f78a28dab6bde8e1093829

SHA1
9262753386caa4054aa845d918364e964e5505aa

SHA256
dbcb61ce94c4d2d216de2b503937a2a964b984577f2d7730b7c6428b2b5e8db2

SHA512
527b6d905e2ca829369563baa7be9eaf4050ef9bbf438ccc98b9b821e76977aaebbda8471da8b81c0542395c5fc316b19d7034155f278640d0765bfc55dc1f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001029001\file300un.exe

Filesize
4.1MB

MD5
c59b5442a81703579cded755bddcc63e

SHA1
c3e36a8ed0952db30676d5cf77b3671238c19272

SHA256
cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774

SHA512
c9c834860982652e7ec1db085e534f6b1c35298ce75b29c2cbb0ac04ff40cd64363b458bcbd8c0983cf1ed778a4269372c6bc4ce7f831a6e1e70ee5f4a0772f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe

Filesize
1.9MB

MD5
8b176c80a6ff69b7beb12254dfaac8ee

SHA1
a51457eb62364526addd00b610cb1e16c7d3918d

SHA256
773070e1373913ea1709dde27c293ceca45fa966a83cba6a0483954b94253f78

SHA512
2eca1765e9d9ab3859fbcfa444125a396d420e194295ecd6f293e6b9d989de85e7b9fbeffe33590274c85ecdcb6939e81c2856c863a57f668df5b01ca0d66c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F28.exe

Filesize
1.4MB

MD5
ce2c4cefb3d849d9178328c2a6dc717f

SHA1
c6b733d0985733126e241890581c0d8f03b3bed2

SHA256
30dd7ff7cef2873c9febbfef93bf667acfd5bee337e580e2607b819482a48547

SHA512
d20e6a9849145a2df5b5bfb5d00dcf5b5ef62575ec13c06232fd1b42a9906e8482bfd0b5c49a32ca6995725757bd1fc29a321bc354d10572306d37abde86ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F28.exe

Filesize
320KB

MD5
bb7e30f54652f02f6d713eb65907ae89

SHA1
886a00e85a8114ff7bb9436b1be938943971e62e

SHA256
ce2a26ced37fb8effc254cd2371e205a8958b5a1ff69b3e20c72a6e080db07e5

SHA512
771babbfdcfabb8b3b9bf7f93a2e4c78167116f1dda94842873f72d48edc29321992b96693a4e5da211984a3c917587b7eacb4c3da6a8123c29fb72bb3e562ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.2MB

MD5
43b4b9050e5b237de2d1412de8781f36

SHA1
125cd51af3ca81d4c3e517b8405b9afae92b86f2

SHA256
97bb5c78c753aa5e39ffc3d4c1058f584d0241e9b19aff20a248f1f159fdca6d

SHA512
24e90d5a5d4a06e0d62ff2b5bc91e686f5cdb2e77fb4c31ef3b6a59f62afae9fc6642bb57576c334e46e234d10300a2814cca747cc315b52ea63b0226a6695d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6CF.dll

Filesize
2.2MB

MD5
e69125300a060d1eb870d352de33e4c3

SHA1
60f2c2e6f2a4289a05b5c6212cdaf0d02dad82ea

SHA256
009de0571eb77c7ed594b9e5cda731e2953fd2198e00b25a0e2c4c4ef7414355

SHA512
257d3b61b2c85c1e71d2a80a5fbf44436e9734785fe6b0a643c1939dd01c1d8b98f1c454695296f7137ff035ec6c0118f053e4833e0be91618f2a9066a8cace9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISetup4.exe

Filesize
256KB

MD5
b9a1618a4382a354668c5f25769baeb7

SHA1
092a0ea495188ddeb96392771543a61f13d3c363

SHA256
254aa2e814c49e1bc2b1bc847f01b1fb24298b46b611643f88c564fa5dba02f3

SHA512
80f61a0342b0e5a4648aab4d956296ef56d0028b716da638200a07e7324c46ae3762670755015aa88d3687b8345f64fa1218469f2a269a0df8a118a5837c6856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403242153249542384.dll

Filesize
4.6MB

MD5
4bef2086f25c5813396d07b5fdce31ec

SHA1
89f3a0f7b5143abd610795bc2981ca5bbbc40071

SHA256
5a63f85ed97a4f41aa7e13228c35eef1ad60984f54ed2f843191c21fe7c45a98

SHA512
85dffa48f112024e9c644420f74c7bfff0e88b3c0e4b642f52927c5a5e46890acf8755d4f78d42badaf8512bdae2526bd9d79e61d71f99f5079fe50304ddf7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7683.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_frtwyuju.3co.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3og.0.exe

Filesize
291KB

MD5
bca9f45d45410be3485717c7eb4320e4

SHA1
41d6a52b47d5251176d78e39eea0915186bfc49e

SHA256
1a55c2c2e090256a83f5913fc1548a35fba33d5e6d411bd2486e52217acdb113

SHA512
3d95a4789eacb46b079d8c12fc330bb10619d01d27b851206a08247fab3b6d1c768914baf2675abe0348cd616cfbf9d2028d855015fc260d70749c72934563f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3og.1.exe

Filesize
1.7MB

MD5
eee5ddcffbed16222cac0a1b4e2e466e

SHA1
28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

SHA256
2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

SHA512
8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3og.1.exe

Filesize
1.6MB

MD5
f0e775924790a1e58dd6931f5e10366f

SHA1
2dbfe7446d6216db704a0b9fd7fbef1574b1ba75

SHA256
2e01c1110d9379cc3d7fc8f70763e861791bd3d7456244496d5fb833c3f4c142

SHA512
b81c2a7d61c3e1ba6551139d2056d8c5c87f4e277cc3499fa9b8f4ddbf30e337b2b22b74ee6bfb71917e324385135fdd1819deb3796835b7380f29d709c5b35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3og.1.exe

Filesize
1.2MB

MD5
751f807e555a1c06dd2b8cb1f5297de8

SHA1
7e0af7a0df81bf657d7a46372cab7ead49efdc28

SHA256
79a3d83590ba6ff505d255c855093cb41c1185c35e437bee3d2d8652a5839c3c

SHA512
92ee075e84fa1a4e905e50f9ae8e13f62eeccbc786f31eb41595fe76cc9e99d1d32ab7bc0fc9c669355635f18bea9bc5822243c277ab8a1ddaac1a6f3ba7515a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
782KB

MD5
8d21c9be75266150275829541b35395a

SHA1
c4e33e6faf9b25be88f6c914e40371b4d30625ae

SHA256
6cbed091dd7ba94727050125ca2951ff3a3f1580bab8b84953b5c4b723a56b1b

SHA512
ea049ccb724d09cdf320d3425079bcf3f5fabf4bd742c6822af8a22e0a29f50442fa87eafc1c6b489f9350cbcd3bb5b4223b8d8c445b53c61a5c4d111c84f3db

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
556KB

MD5
d2e517ef2853de8f0ec036579484e09b

SHA1
acf496812d55b891b88e5505edba76ccebdc568c

SHA256
4a29a2b148769e9b1ca3b854daf01d24c11dfc31c67399aca30ad67c2a6cbbf9

SHA512
f88e97c1171dc246a4d0b0cea92f911387cf740543a1be3e249e2b84cfaf31a7c53689ef7147aef37f97290d64a60dffa59a216c52e42d04334d092904fa558c

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
320KB

MD5
c10dad55de7888d278ad5dc0e212d0e3

SHA1
21bbfe499707c29ea7d4c7139b6866524098c360

SHA256
f97c9de83a03ca73c86ffd734bc9a4f4f313ae4db27d5f1e3a4a27dde3280a7f

SHA512
36471b208ee49c60d20f4cb9da47bb29b78189dce2aad0222e4159ada01b47a379cb5e9496bb72544529185857ae3a6d8901dc6679d70dc5f4d6c6c6e1e01f00

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Pictures\1g1WQaD4IxybQD4cuNPOkJse.exe

Filesize
435KB

MD5
64221def71599c78cc7e2eb6aaa67c77

SHA1
ca63c44f8520646f4e7cc060915b242cf4ddf4b7

SHA256
c8a9fa305d0760ccc9b4a3f5c733d31f318f5653ed8b0fbf7c3c2466046f6e43

SHA512
6767c62e163bcf5184a91446bdb0fa6dc45477752094a3622f82802274c9a034ad60665a230381929559768cd20e73c838b3028fdc6a640c3505d93b42ff9779

Download Submit
C:\Users\Admin\Pictures\IYUrq7vOpLeBaHVKnLTIH7ok.exe

Filesize
5.6MB

MD5
7f76ad38b771da9cd7516e631e21a15c

SHA1
68b2875a40d50d8a64f6a78eff49f10a3910854f

SHA256
ba5ba571f64104ebaad0dddbfd1efd4cd219b3c6c17a25536127d45a5c5b5f57

SHA512
3a4d795179ea535a80e6dbb003aef99a9fc831630253eb0bfe36cc4e2d8bc9679d0d21c0f6101dda839aa47b3f7555ae90b265080cbda10238efc4fd8fa5072c

Download Submit
C:\Users\Admin\Pictures\UMfauYkQNKVawaKPdPcIyThS.exe

Filesize
435KB

MD5
2fa57f47559913ce70a7d2246cdcbba7

SHA1
2a720c5033a3e6ece00a174acae46f952e128e45

SHA256
9542489f0a499bd5ff86e08552b3d40fe42f6b4dd01f52351b317768adc4ad30

SHA512
d26e3dbe9f226be535e9f6ca53f4f6356ee583d39434d3bdb851690dde1aa9db453b7ec7d5f34581c9d574a2ed12d337ad3f72ad2ff0df825843cf0f2653fd4c

Download Submit
C:\Users\Admin\Pictures\bukICXNEBzhFL90kDR6EkJ23.exe

Filesize
591KB

MD5
cc122f16db23695c7fff745fbfb8b041

SHA1
29b0986657aca51d4f8d47ed27dcca608885a795

SHA256
4d17a34547d8f48c482a73b6aea27d5c10767612442b6c76a116147a6d6d1ab7

SHA512
fb0654c7e42d61f84ee38018c392ed9210f645e9f4e52aebac97ac9cc886763a4fa4f3276df7c2da613da786e7b2a46c0539914b9b01298b98b03b10fcb67f08

Download Submit
C:\Users\Admin\Pictures\bukICXNEBzhFL90kDR6EkJ23.exe

Filesize
640KB

MD5
180ca5477121be3a9fee0f633be068b2

SHA1
ff6a6152901bded6b662891ade87d1ff1da63b6e

SHA256
caa93ad304f36a130efff1aee8e809f94c31ad0cd64d7e7c9753d72b7a3e2000

SHA512
da1577d8005e3fa412e25caedb8e7974ad78caf77dcc065fb58cd7bd02d05e0d6c3f8b52b31c25ad1682310d1ab289fe1ea2aaf384621cd2d84f5db304cb53a1

Download Submit
C:\Users\Admin\Pictures\bukICXNEBzhFL90kDR6EkJ23.exe

Filesize
704KB

MD5
84e40792833811e9fcd7b3d849b25e6d

SHA1
180a1eb6f2043a74cd6a26bcd9da813f73877b88

SHA256
1cc35b481c3bcc76ea4e99164343bf11d8686c5f861dfb706c82c66ee41fddee

SHA512
fcfb26ff4c1bf9ef8f985607ebdf161f901dd131440be115b12ec3da2f9bd255185e3ec1fda93f9436d48108feac8897feca0a71b99074386b46518e353934e8

Download Submit
C:\Users\Admin\Pictures\dBEbDSgQdjcatProeOueOGlA.exe

Filesize
522KB

MD5
b8616322186dcdf78032a74cf3497153

SHA1
bf1c1568d65422757cc88300df76a6740db6eab5

SHA256
43dda2be3813b81729b3d388f546838a36ee3471da5ed266fe958e2316f1f6ea

SHA512
7b1e4ad944960fc2aa661426f77e64ff151cd8d5860e584874da1c4f03c6d195d4ee9031c36c24a234a851176b003254d14f9334712e07babc6934cf19a7b2fb

Download Submit
C:\Users\Admin\Pictures\dFn3MQTf7LNsNXsxqFYKzSJq.exe

Filesize
3KB

MD5
9a10e267101c0d14c0dfff580069238f

SHA1
f4997e13584fffe221be3e56296841ee48cb5757

SHA256
06bef96bf4c7f31f921ad0372ac7e496162ebe08b7e543b010036945451a9391

SHA512
bb0076f8d7f92ddf629232355ba53258cd856dbca81da85e2f51ba1a2a05964267c3d31281cdda50802876c729c273609601da26108a9b93cf9f15e6688614eb

Download Submit
C:\Users\Admin\Pictures\jOnu5jTK7deliOfGmHlavPDM.exe

Filesize
1.4MB

MD5
a8f3cd78eb9e7ad8c25cb59152f4c44e

SHA1
557ef13a598dfb4c19dc61804edd52cea154a7ca

SHA256
9f032c0bf85025504662275cd76bbb3f5c4a4fc1e5ca620784ff38e559580721

SHA512
727524705a81d0fde9be7a360ff83c647441567aa3a646323a8047005164873e019a88aa2b6112be0cc22afde2eba189898660470322419b7af7d562854710b0

Download Submit
C:\Users\Admin\Pictures\jOnu5jTK7deliOfGmHlavPDM.exe

Filesize
2.1MB

MD5
f4a8f692090430a9048f77488d8a9761

SHA1
2dce3b4cb326938a5c937b501eafc892a0c73749

SHA256
b7edbd585179d65406a50ed4fca43cfa69f744bbc713f8a53201be2cce97bc87

SHA512
181f673424ac911217a9a50b5d45b630751fc1deecf544b184f58917a4994c634b0bdb640d134d1a3a97a7ce165c1cd5f9db1eea8e678d6f4ce309c844116817

Download Submit
C:\Users\Admin\Pictures\jOnu5jTK7deliOfGmHlavPDM.exe

Filesize
2.0MB

MD5
d86b89e29881482a92d83cd59677a430

SHA1
dc6a3fac58d6df866bb7a9b3930881db717c76af

SHA256
dd8f39d9781a59808670992710e5bc6cbae81639eedc7fca93f84caa24474147

SHA512
5e5256a570d9fd9449edda16efc18cad6b7587afc7504d2f16a082bf71f76336f436037e85f173a2e7297a65524a447cf191c70f46d618d5f916c5e0e920ded8

Download Submit
C:\Users\Admin\Pictures\jYOHb65F542b3ciuRTwmKZy8.exe

Filesize
2.8MB

MD5
b58c8d8c403fea0f9ff206b2bff1c63d

SHA1
a0381b9408b97d69ac9f06db64ca7aa0ba8e12c2

SHA256
734ab18d1cafb9154c8494bf36f83b3524ffab03676e5daac2ade04dcd52c478

SHA512
468d9af5614ad45c84a06065b9b17a19bf4714fa65cd565b905a88e10b32cb2526a808bac994eda7c9ebebebfd920e6d222ebceef4ccde4bbb31cea7c8f2a49c

Download Submit
C:\Users\Admin\Pictures\k9xhIn46fXCTvCFE9jVIkVJ7.exe

Filesize
2.1MB

MD5
574bb5f95f99ab0e37c580e123d6d7a4

SHA1
fe4313ed357568f5d672be60332c9cf2a97b42e6

SHA256
ec6235926da6b272f3ed135baa50ed55363e4f9201db3ac8cc7b94a680210f2e

SHA512
6cf4b0fdbb02a5f9fbf4f4e677accba5c7f83fc9312105bf54226fd997216627076de149b5c12a54129e270c3e3a6d9111d4d97d06e88f9f1ca67159a5d5fa7e

Download Submit
C:\Users\Admin\Pictures\kqbqRVeXKyackZU3p3BYobWj.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\qvq5yED19Xf4L7nnW9LAZz1w.exe

Filesize
320KB

MD5
178de000c331534e4b12f6b3cf65242e

SHA1
3e98ab59da586f4741e1de3f5ccddd61f16fc146

SHA256
727258499e5f48f6f4684a744b16a6222a46a1abf089b442f7a842eda51f004e

SHA512
a8691f79bd0dcb689b61c8934f282f11b92d743104f98eb9c79115f553973cd514282edbb374765fb9a1f60699e994d04e728a7728a985bb50366ce7462e97c0

Download Submit
C:\Users\Admin\Pictures\qvq5yED19Xf4L7nnW9LAZz1w.exe

Filesize
1.5MB

MD5
5967c334b44a0c273745327eb22a6501

SHA1
96b9a3b3ff68fd2bf1202d505e3ad0a1023d11dd

SHA256
2bfaa73546bd1c3db2253e5e895ed81ccfe1dcc8d136c9a08cb9d7e84d856b02

SHA512
f1c36ed635a687409e3327e1dff89299a9e6a2d059c78b435a4e234f7db7e9af150af7ae83faf8f11092fd2566df04330974910f21f7c791194067c062239e56

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
306B

MD5
7534b5b74212cb95b819401235bd116c

SHA1
787ad181b22e161330aab804de4abffbfc0683b0

SHA256
b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04

SHA512
ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51

Download Submit
memory/124-618-0x0000000002AD0000-0x0000000002BD8000-memory.dmp

Filesize
1.0MB

Download
memory/124-455-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/124-573-0x00000000029A0000-0x0000000002AC3000-memory.dmp

Filesize
1.1MB

Download
memory/124-624-0x0000000002AD0000-0x0000000002BD8000-memory.dmp

Filesize
1.0MB

Download
memory/124-649-0x0000000002AD0000-0x0000000002BD8000-memory.dmp

Filesize
1.0MB

Download
memory/244-730-0x0000000000400000-0x0000000000B16000-memory.dmp

Filesize
7.1MB

Download
memory/388-75-0x00000000010C0000-0x00000000010D0000-memory.dmp

Filesize
64KB

Download
memory/388-84-0x0000000002A00000-0x0000000004A00000-memory.dmp

Filesize
32.0MB

Download
memory/388-81-0x0000000072AC0000-0x0000000073271000-memory.dmp

Filesize
7.7MB

Download
memory/388-71-0x0000000072AC0000-0x0000000073271000-memory.dmp

Filesize
7.7MB

Download
memory/388-70-0x0000000000670000-0x00000000006EA000-memory.dmp

Filesize
488KB

Download
memory/472-68-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/472-48-0x00000000009D0000-0x0000000000A5C000-memory.dmp

Filesize
560KB

Download
memory/472-92-0x0000000003010000-0x0000000005010000-memory.dmp

Filesize
32.0MB

Download
memory/472-90-0x0000000072AC0000-0x0000000073271000-memory.dmp

Filesize
7.7MB

Download
memory/472-49-0x0000000072AC0000-0x0000000073271000-memory.dmp

Filesize
7.7MB

Download
memory/896-741-0x0000000000400000-0x0000000000AF2000-memory.dmp

Filesize
6.9MB

Download
memory/1128-359-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/1376-88-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1376-97-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1376-94-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1376-82-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1412-197-0x0000021B2D270000-0x0000021B2D292000-memory.dmp

Filesize
136KB

Download
memory/1412-183-0x00007FFF3C6D0000-0x00007FFF3D192000-memory.dmp

Filesize
10.8MB

Download
memory/1412-185-0x0000021B2D410000-0x0000021B2D420000-memory.dmp

Filesize
64KB

Download
memory/1412-184-0x0000021B2D410000-0x0000021B2D420000-memory.dmp

Filesize
64KB

Download
memory/1436-199-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/1632-732-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/1632-744-0x0000000002190000-0x0000000002590000-memory.dmp

Filesize
4.0MB

Download
memory/1632-745-0x00007FFF5D7C0000-0x00007FFF5D9C9000-memory.dmp

Filesize
2.0MB

Download
memory/1632-753-0x00000000756F0000-0x0000000075942000-memory.dmp

Filesize
2.3MB

Download
memory/1808-749-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2084-726-0x00007FFF5D7C0000-0x00007FFF5D9C9000-memory.dmp

Filesize
2.0MB

Download
memory/2084-621-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2084-718-0x0000000003C90000-0x0000000004090000-memory.dmp

Filesize
4.0MB

Download
memory/2084-723-0x0000000003C90000-0x0000000004090000-memory.dmp

Filesize
4.0MB

Download
memory/2084-731-0x00000000756F0000-0x0000000075942000-memory.dmp

Filesize
2.3MB

Download
memory/2084-609-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2236-186-0x0000000072AC0000-0x0000000073271000-memory.dmp

Filesize
7.7MB

Download
memory/2236-187-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/2236-204-0x0000000072AC0000-0x0000000073271000-memory.dmp

Filesize
7.7MB

Download
memory/2236-182-0x0000000000480000-0x000000000063C000-memory.dmp

Filesize
1.7MB

Download
memory/2236-205-0x0000000002930000-0x0000000004930000-memory.dmp

Filesize
32.0MB

Download
memory/2280-470-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-717-0x00000000002F0000-0x0000000000687000-memory.dmp

Filesize
3.6MB

Download
memory/2508-739-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download
memory/2528-98-0x0000000006300000-0x0000000006312000-memory.dmp

Filesize
72KB

Download
memory/2528-76-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2528-96-0x0000000007BE0000-0x0000000007CEA000-memory.dmp

Filesize
1.0MB

Download
memory/2528-87-0x0000000004E20000-0x0000000004EB2000-memory.dmp

Filesize
584KB

Download
memory/2528-99-0x0000000006360000-0x000000000639C000-memory.dmp

Filesize
240KB

Download
memory/2528-100-0x00000000063B0000-0x00000000063FC000-memory.dmp

Filesize
304KB

Download
memory/2528-101-0x0000000072AC0000-0x0000000073271000-memory.dmp

Filesize
7.7MB

Download
memory/2528-83-0x00000000052D0000-0x0000000005876000-memory.dmp

Filesize
5.6MB

Download
memory/2528-91-0x0000000004FC0000-0x0000000004FCA000-memory.dmp

Filesize
40KB

Download
memory/2528-93-0x0000000006420000-0x0000000006A38000-memory.dmp

Filesize
6.1MB

Download
memory/2528-95-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/2528-153-0x0000000008630000-0x0000000008696000-memory.dmp

Filesize
408KB

Download
memory/2528-162-0x0000000008F70000-0x000000000949C000-memory.dmp

Filesize
5.2MB

Download
memory/2528-161-0x0000000008870000-0x0000000008A32000-memory.dmp

Filesize
1.8MB

Download
memory/2528-207-0x00000000087F0000-0x0000000008840000-memory.dmp

Filesize
320KB

Download
memory/3224-349-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3224-344-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3232-357-0x0000000003090000-0x00000000030A6000-memory.dmp

Filesize
88KB

Download
memory/3232-737-0x0000000003220000-0x0000000003236000-memory.dmp

Filesize
88KB

Download
memory/3672-7-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/3672-0-0x0000000000E50000-0x000000000130F000-memory.dmp

Filesize
4.7MB

Download
memory/3672-9-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/3672-5-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/3672-4-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/3672-16-0x0000000000E50000-0x000000000130F000-memory.dmp

Filesize
4.7MB

Download
memory/3672-11-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/3672-3-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/3672-10-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/3672-6-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/3672-2-0x0000000000E50000-0x000000000130F000-memory.dmp

Filesize
4.7MB

Download
memory/3672-8-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/3672-1-0x0000000077106000-0x0000000077108000-memory.dmp

Filesize
8KB

Download
memory/4144-160-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download
memory/4144-158-0x00007FFF3C6D0000-0x00007FFF3D192000-memory.dmp

Filesize
10.8MB

Download
memory/4144-157-0x0000000000BE0000-0x0000000000C6C000-memory.dmp

Filesize
560KB

Download
memory/4680-26-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4680-472-0x00000000005C0000-0x0000000000A7F000-memory.dmp

Filesize
4.7MB

Download
memory/4680-21-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4680-25-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4680-20-0x00000000005C0000-0x0000000000A7F000-memory.dmp

Filesize
4.7MB

Download
memory/4680-697-0x00000000005C0000-0x0000000000A7F000-memory.dmp

Filesize
4.7MB

Download
memory/4680-159-0x00000000005C0000-0x0000000000A7F000-memory.dmp

Filesize
4.7MB

Download
memory/4680-27-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4680-28-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4680-388-0x00000000005C0000-0x0000000000A7F000-memory.dmp

Filesize
4.7MB

Download
memory/4680-423-0x00000000005C0000-0x0000000000A7F000-memory.dmp

Filesize
4.7MB

Download
memory/4680-19-0x00000000005C0000-0x0000000000A7F000-memory.dmp

Filesize
4.7MB

Download
memory/4680-22-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4680-334-0x00000000005C0000-0x0000000000A7F000-memory.dmp

Filesize
4.7MB

Download
memory/4680-24-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4680-23-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4680-102-0x00000000005C0000-0x0000000000A7F000-memory.dmp

Filesize
4.7MB

Download
memory/4680-73-0x00000000005C0000-0x0000000000A7F000-memory.dmp

Filesize
4.7MB

Download
memory/4680-122-0x00000000005C0000-0x0000000000A7F000-memory.dmp

Filesize
4.7MB

Download
memory/4716-735-0x0000000000400000-0x0000000000B16000-memory.dmp

Filesize
7.1MB

Download
memory/4776-756-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download
memory/5048-123-0x00000000009A0000-0x0000000000D52000-memory.dmp

Filesize
3.7MB

Download
memory/5048-587-0x00000000009A0000-0x0000000000D52000-memory.dmp

Filesize
3.7MB

Download
memory/5048-206-0x00000000009A0000-0x0000000000D52000-memory.dmp

Filesize
3.7MB

Download
memory/5048-427-0x00000000009A0000-0x0000000000D52000-memory.dmp

Filesize
3.7MB

Download
memory/5048-142-0x00000000009A0000-0x0000000000D52000-memory.dmp

Filesize
3.7MB

Download
memory/5048-419-0x00000000009A0000-0x0000000000D52000-memory.dmp

Filesize
3.7MB

Download
memory/5048-754-0x00000000009A0000-0x0000000000D52000-memory.dmp

Filesize
3.7MB

Download
memory/5048-361-0x00000000009A0000-0x0000000000D52000-memory.dmp

Filesize
3.7MB

Download