amadey | cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53

Resubmissions

27-03-2024 16:03

240327-thm1wsff24 10

27-03-2024 03:34

240327-d42heabg73 10

Analysis

max time kernel
40s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
27-03-2024 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exe
Size

1.8MB
MD5

25a84242d258a18a96fe6368ec43c068
SHA1

02fd34ce3f48e6cee06d98bbfe7788a9a5074625
SHA256

cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53
SHA512

cf29554dbf5a824a5d08d7e323331f794942361a5988c0c209fdc517fbc3369c79d29d18f13b8e9497673721c46ae510bcdc2e2f1e6bf78d1141d7887f37e545
SSDEEP

49152:p3yyzw2ng66Y1WyY1uJtd+hNeSjNKpnoR+h5COq:NjbvDJieSjNynXh5C

Score

10^/10

amadey purelogstealer redline smokeloader stealc zgrat @oleh_psp livetraffic backdoor discovery evasion infostealer rat stealer themida trojan upx

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

4.185.137.132:1632

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Extracted

Family

amadey

Version

4.12

http://185.172.128.19

Attributes

install_dir
cd1f156d67
install_file
Utsysc.exe
strings_key
0dd3e5ee91b367c60c9e575983554b30
url_paths
/ghsdh39s/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 20 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe	family_zgrat_v1
behavioral2/memory/2880-62-0x0000000000920000-0x000000000099A000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe	family_zgrat_v1
behavioral2/memory/4028-103-0x0000000000530000-0x00000000006EC000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe	family_zgrat_v1
behavioral2/memory/4388-563-0x00000000059C0000-0x0000000005BDE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-562-0x00000000059C0000-0x0000000005BDE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-565-0x00000000059C0000-0x0000000005BDE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-567-0x00000000059C0000-0x0000000005BDE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-569-0x00000000059C0000-0x0000000005BDE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-572-0x00000000059C0000-0x0000000005BDE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-576-0x00000000059C0000-0x0000000005BDE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4704-577-0x0000000005EF0000-0x0000000006144000-memory.dmp	family_zgrat_v1
behavioral2/memory/4704-585-0x0000000005EF0000-0x0000000006144000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-583-0x00000000059C0000-0x0000000005BDE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-589-0x00000000059C0000-0x0000000005BDE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4704-590-0x0000000005EF0000-0x0000000006144000-memory.dmp	family_zgrat_v1
behavioral2/memory/4704-575-0x0000000005EF0000-0x0000000006144000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-594-0x00000000059C0000-0x0000000005BDE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4704-593-0x0000000005EF0000-0x0000000006144000-memory.dmp	family_zgrat_v1

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe	family_purelog_stealer
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe	family_purelog_stealer
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe	family_purelog_stealer
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe	family_purelog_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4824-67-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
behavioral2/memory/4864-162-0x0000000000E60000-0x0000000000EB2000-memory.dmp	family_redline
behavioral2/memory/1732-186-0x0000000000480000-0x000000000050C000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

6996 netsh.exe

pid	process
6996	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exe

Executes dropped EXE 7 IoCs

Processes:

explorgu.exegoldprimeldlldf.exealex1234.exeTraffic.exepropro.exe987123.exechckik.exe

pid process

1432 explorgu.exe
2880 goldprimeldlldf.exe
4028 alex1234.exe
1732 Traffic.exe
4864 propro.exe
3468 987123.exe
2356 chckik.exe

pid	process
1432	explorgu.exe
2880	goldprimeldlldf.exe
4028	alex1234.exe
1732	Traffic.exe
4864	propro.exe
3468	987123.exe
2356	chckik.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Wine	cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exe
Key opened	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Wine	explorgu.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4172 rundll32.exe
1396 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4752 icacls.exe

pid	process
4172	rundll32.exe
1396	rundll32.exe

pid	process
4752	icacls.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\L0y9wocw6Kf4FJp2D6o5e9nQ.exe	themida

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\u12o.1.exe	upx
C:\Users\Admin\AppData\Local\Temp\u12o.1.exe	upx
behavioral2/memory/1508-513-0x0000000000400000-0x0000000000930000-memory.dmp	upx
C:\Users\Admin\Pictures\Wt0L2BdQNqu0Z3xIJbVxeAWu.exe	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

56 pastebin.com
64 pastebin.com
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

76 ipinfo.io
91 api.myip.com
103 api.myip.com
104 ipinfo.io
42 api.2ip.ua
49 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exeexplorgu.exe

pid process

4140 cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exe
1432 explorgu.exe

flow	ioc
56	pastebin.com
64	pastebin.com

flow	ioc
76	ipinfo.io
91	api.myip.com
103	api.myip.com
104	ipinfo.io
42	api.2ip.ua
49	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

goldprimeldlldf.exealex1234.exe

description	pid	process	target process
PID 2880 set thread context of 4824	2880	goldprimeldlldf.exe	RegAsm.exe
PID 4028 set thread context of 4712	4028	alex1234.exe	RegAsm.exe

Drops file in Windows directory 2 IoCs

Processes:

cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exechckik.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exe
File created	C:\Windows\Tasks\chrosha.job	chckik.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1660	1392	WerFault.exe	ISetup8.exe
1352	1144	WerFault.exe	u12o.0.exe
5708	1040	WerFault.exe	ISetup4.exe
6892	5296	WerFault.exe	n6rEc4TdSneyEp8tM4hTveTd.exe
2856	6936	WerFault.exe	u434.0.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

987123.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5088 schtasks.exe
3768 schtasks.exe

pid	process
5088	schtasks.exe
3768	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

propro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4680 PING.EXE

pid	process
4680	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exeexplorgu.exe987123.exe

pid	process
4140	cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exe
4140	cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exe
1432	explorgu.exe
1432	explorgu.exe
3468	987123.exe
3468	987123.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

987123.exe

pid process

3468 987123.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Traffic.exe

description pid process

Token: SeDebugPrivilege 1732 Traffic.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exe

pid process

4140 cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exe

pid	process
3468	987123.exe

description	pid	process
Token: SeDebugPrivilege	1732	Traffic.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

explorgu.exegoldprimeldlldf.exealex1234.exeRegAsm.exerundll32.exe

description	pid	process	target process
PID 1432 wrote to memory of 2880	1432	explorgu.exe	goldprimeldlldf.exe
PID 1432 wrote to memory of 2880	1432	explorgu.exe	goldprimeldlldf.exe
PID 1432 wrote to memory of 2880	1432	explorgu.exe	goldprimeldlldf.exe
PID 2880 wrote to memory of 2804	2880	goldprimeldlldf.exe	RegAsm.exe
PID 2880 wrote to memory of 2804	2880	goldprimeldlldf.exe	RegAsm.exe
PID 2880 wrote to memory of 2804	2880	goldprimeldlldf.exe	RegAsm.exe
PID 2880 wrote to memory of 4824	2880	goldprimeldlldf.exe	RegAsm.exe
PID 2880 wrote to memory of 4824	2880	goldprimeldlldf.exe	RegAsm.exe
PID 2880 wrote to memory of 4824	2880	goldprimeldlldf.exe	RegAsm.exe
PID 2880 wrote to memory of 4824	2880	goldprimeldlldf.exe	RegAsm.exe
PID 2880 wrote to memory of 4824	2880	goldprimeldlldf.exe	RegAsm.exe
PID 2880 wrote to memory of 4824	2880	goldprimeldlldf.exe	RegAsm.exe
PID 2880 wrote to memory of 4824	2880	goldprimeldlldf.exe	RegAsm.exe
PID 2880 wrote to memory of 4824	2880	goldprimeldlldf.exe	RegAsm.exe
PID 1432 wrote to memory of 4028	1432	explorgu.exe	alex1234.exe
PID 1432 wrote to memory of 4028	1432	explorgu.exe	alex1234.exe
PID 1432 wrote to memory of 4028	1432	explorgu.exe	alex1234.exe
PID 4028 wrote to memory of 2196	4028	alex1234.exe	RegAsm.exe
PID 4028 wrote to memory of 2196	4028	alex1234.exe	RegAsm.exe
PID 4028 wrote to memory of 2196	4028	alex1234.exe	RegAsm.exe
PID 4028 wrote to memory of 4712	4028	alex1234.exe	RegAsm.exe
PID 4028 wrote to memory of 4712	4028	alex1234.exe	RegAsm.exe
PID 4028 wrote to memory of 4712	4028	alex1234.exe	RegAsm.exe
PID 4028 wrote to memory of 4712	4028	alex1234.exe	RegAsm.exe
PID 4028 wrote to memory of 4712	4028	alex1234.exe	RegAsm.exe
PID 4028 wrote to memory of 4712	4028	alex1234.exe	RegAsm.exe
PID 4028 wrote to memory of 4712	4028	alex1234.exe	RegAsm.exe
PID 4028 wrote to memory of 4712	4028	alex1234.exe	RegAsm.exe
PID 4712 wrote to memory of 1732	4712	RegAsm.exe	Traffic.exe
PID 4712 wrote to memory of 1732	4712	RegAsm.exe	Traffic.exe
PID 4712 wrote to memory of 4864	4712	RegAsm.exe	propro.exe
PID 4712 wrote to memory of 4864	4712	RegAsm.exe	propro.exe
PID 4712 wrote to memory of 4864	4712	RegAsm.exe	propro.exe
PID 1432 wrote to memory of 3468	1432	explorgu.exe	987123.exe
PID 1432 wrote to memory of 3468	1432	explorgu.exe	987123.exe
PID 1432 wrote to memory of 3468	1432	explorgu.exe	987123.exe
PID 1432 wrote to memory of 2356	1432	explorgu.exe	chckik.exe
PID 1432 wrote to memory of 2356	1432	explorgu.exe	chckik.exe
PID 1432 wrote to memory of 2356	1432	explorgu.exe	chckik.exe
PID 1432 wrote to memory of 4172	1432	explorgu.exe	rundll32.exe
PID 1432 wrote to memory of 4172	1432	explorgu.exe	rundll32.exe
PID 1432 wrote to memory of 4172	1432	explorgu.exe	rundll32.exe
PID 4172 wrote to memory of 1396	4172	rundll32.exe	rundll32.exe
PID 4172 wrote to memory of 1396	4172	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exe
"C:\Users\Admin\AppData\Local\Temp\cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4140

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe
"C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
4⤵
PID:2228

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe
"C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3468

C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe
"C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2356

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
- Loads dropped DLL
PID:1396

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:3112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\084248216164_Desktop.zip' -CompressionLevel Optimal
4⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe"
2⤵
PID:3684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe" /F
3⤵
- Creates scheduled task(s)
PID:3768

C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe
"C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe"
3⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\u12o.0.exe
"C:\Users\Admin\AppData\Local\Temp\u12o.0.exe"
4⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJDAFIEHIE.exe"
5⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\HJDAFIEHIE.exe
"C:\Users\Admin\AppData\Local\Temp\HJDAFIEHIE.exe"
6⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HJDAFIEHIE.exe
7⤵
PID:3468

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
8⤵
- Runs ping.exe
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 2504
5⤵
- Program crash
PID:1352

C:\Users\Admin\AppData\Local\Temp\u12o.1.exe
"C:\Users\Admin\AppData\Local\Temp\u12o.1.exe"
4⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
5⤵
PID:344

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:1524

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
6⤵
- Creates scheduled task(s)
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1164
4⤵
- Program crash
PID:1660

C:\Users\Admin\AppData\Local\Temp\1000181001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000181001\toolspub1.exe"
3⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe"
3⤵
PID:1956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe"
4⤵
PID:3200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:6228

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:6996

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\1001038001\file.exe
"C:\Users\Admin\AppData\Local\Temp\1001038001\file.exe"
2⤵
PID:3872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
3⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe"
4⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
4⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"
2⤵
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/2KG035
3⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc78313cb8,0x7ffc78313cc8,0x7ffc78313cd8
4⤵
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
4⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
4⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:8
4⤵
PID:572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
4⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
4⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1
4⤵
PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
4⤵
PID:5880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
4⤵
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
4⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
4⤵
PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
4⤵
PID:5592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
4⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
4⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
4⤵
PID:6928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
4⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,16277984366283389838,15188832588309872479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
4⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
2⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1392 -ip 1392
1⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\AA54.exe
C:\Users\Admin\AppData\Local\Temp\AA54.exe
1⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe
"C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe"
2⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
3⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\1000022001\82fe48f0ad.exe
"C:\Users\Admin\AppData\Local\Temp\1000022001\82fe48f0ad.exe"
4⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
4⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\1000037001\lumma21.exe
"C:\Users\Admin\AppData\Local\Temp\1000037001\lumma21.exe"
4⤵
PID:2508

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
PID:4028

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
5⤵
PID:1360

C:\Windows\system32\netsh.exe
netsh wlan show profiles
6⤵
PID:4596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\084248216164_Desktop.zip' -CompressionLevel Optimal
6⤵
PID:5656

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe"
2⤵
PID:2696

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
PID:4084

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
PID:3884

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\084248216164_Desktop.zip' -CompressionLevel Optimal
4⤵
PID:3124

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\1000105001\un300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000105001\un300un.exe"
2⤵
PID:6128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
3⤵
PID:1584

C:\Users\Admin\Pictures\n6rEc4TdSneyEp8tM4hTveTd.exe
"C:\Users\Admin\Pictures\n6rEc4TdSneyEp8tM4hTveTd.exe"
4⤵
PID:5296

C:\Users\Admin\AppData\Local\Temp\u434.0.exe
"C:\Users\Admin\AppData\Local\Temp\u434.0.exe"
5⤵
PID:6936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 1096
6⤵
- Program crash
PID:2856

C:\Users\Admin\AppData\Local\Temp\u434.1.exe
"C:\Users\Admin\AppData\Local\Temp\u434.1.exe"
5⤵
PID:6508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
6⤵
PID:6788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5296 -s 1560
5⤵
- Program crash
PID:6892

C:\Users\Admin\Pictures\uNaaxPr6b7zE521ItmcPNCHn.exe
"C:\Users\Admin\Pictures\uNaaxPr6b7zE521ItmcPNCHn.exe"
4⤵
PID:6308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5972

C:\Users\Admin\Pictures\ko3fw4xthVtPfmL2GGBy3nDh.exe
"C:\Users\Admin\Pictures\ko3fw4xthVtPfmL2GGBy3nDh.exe"
4⤵
PID:6360

C:\Users\Admin\Pictures\L0y9wocw6Kf4FJp2D6o5e9nQ.exe
"C:\Users\Admin\Pictures\L0y9wocw6Kf4FJp2D6o5e9nQ.exe"
4⤵
PID:6740

C:\Users\Admin\Pictures\urB29QDauDD2nqT0XjqUhKcJ.exe
"C:\Users\Admin\Pictures\urB29QDauDD2nqT0XjqUhKcJ.exe"
4⤵
PID:6816

C:\Users\Admin\Pictures\Wt0L2BdQNqu0Z3xIJbVxeAWu.exe
"C:\Users\Admin\Pictures\Wt0L2BdQNqu0Z3xIJbVxeAWu.exe" --silent --allusers=0
4⤵
PID:3008

C:\Users\Admin\Pictures\Wt0L2BdQNqu0Z3xIJbVxeAWu.exe
C:\Users\Admin\Pictures\Wt0L2BdQNqu0Z3xIJbVxeAWu.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x300,0x304,0x308,0x2dc,0x30c,0x6aba21f8,0x6aba2204,0x6aba2210
5⤵
PID:6196

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Wt0L2BdQNqu0Z3xIJbVxeAWu.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Wt0L2BdQNqu0Z3xIJbVxeAWu.exe" --version
5⤵
PID:6552

C:\Users\Admin\Pictures\Wt0L2BdQNqu0Z3xIJbVxeAWu.exe
"C:\Users\Admin\Pictures\Wt0L2BdQNqu0Z3xIJbVxeAWu.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3008 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240327033651" --session-guid=a03b3ed3-c083-4be7-9574-a1f579b627a5 --server-tracking-blob=NmQxNmQxNzliNjEwOTY2NjUxZWExZTc0ZWRiNWNkODFmYzcxOWFiYTM2ODBkODI2MDdjMzU0NWM2Mzc2OWViNjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMTUxMDYwMy4zOTc1IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJjNmI0NWQxOC1lOWU0LTRhMmEtODAzOC00NzhmMWYwMDdlNzkifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4005000000000000
5⤵
PID:6700

C:\Users\Admin\Pictures\Wt0L2BdQNqu0Z3xIJbVxeAWu.exe
C:\Users\Admin\Pictures\Wt0L2BdQNqu0Z3xIJbVxeAWu.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x30c,0x310,0x314,0x2dc,0x318,0x6a2221f8,0x6a222204,0x6a222210
6⤵
PID:6604

C:\Users\Admin\Pictures\tHZYBcvJPnKNLId7FF9sJXTb.exe
"C:\Users\Admin\Pictures\tHZYBcvJPnKNLId7FF9sJXTb.exe"
4⤵
PID:6292

C:\Users\Admin\AppData\Local\Temp\7zS94E3.tmp\Install.exe
.\Install.exe
5⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\7zSA714.tmp\Install.exe
.\Install.exe /ZvlibdidQxY "385118" /S
6⤵
PID:5880

C:\Users\Admin\Pictures\tFZbSBoGWWpIvpeACHbBNZAn.exe
"C:\Users\Admin\Pictures\tFZbSBoGWWpIvpeACHbBNZAn.exe"
4⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\7zSA697.tmp\Install.exe
.\Install.exe
5⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\7zSB973.tmp\Install.exe
.\Install.exe /ZvlibdidQxY "385118" /S
6⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\1000107001\redlinepanel.exe
"C:\Users\Admin\AppData\Local\Temp\1000107001\redlinepanel.exe"
2⤵
PID:5772

C:\Users\Admin\AppData\Local\Temp\1000110001\32456.exe
"C:\Users\Admin\AppData\Local\Temp\1000110001\32456.exe"
2⤵
PID:5760

C:\Users\Admin\AppData\Local\Temp\1000111001\goldprimeldlldf.exe
"C:\Users\Admin\AppData\Local\Temp\1000111001\goldprimeldlldf.exe"
2⤵
PID:6376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:7036

C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe
1⤵
PID:4324

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D388.dll
1⤵
PID:4384

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\D388.dll
2⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1144 -ip 1144
1⤵
PID:244

C:\Users\Admin\AppData\Local\Temp\E6E2.exe
C:\Users\Admin\AppData\Local\Temp\E6E2.exe
1⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
"C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"
2⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 464
3⤵
- Program crash
PID:5708

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
2⤵
PID:1428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
3⤵
PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1B90.bat" "
1⤵
PID:5016

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\34A7.exe
C:\Users\Admin\AppData\Local\Temp\34A7.exe
1⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\34A7.exe
C:\Users\Admin\AppData\Local\Temp\34A7.exe
2⤵
PID:2404

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c1d4da8c-568a-487c-9409-5c1945250b1e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4752

C:\Users\Admin\AppData\Local\Temp\34A7.exe
"C:\Users\Admin\AppData\Local\Temp\34A7.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:6860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1040 -ip 1040
1⤵
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5296 -ip 5296
1⤵
PID:6672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6936 -ip 6936
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5596

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe
1⤵
PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c194bbd45fc5d3714e8db77e01ac25a

SHA1
e758434417035cccc8891d516854afb4141dd72a

SHA256
253f8f4a60bdf1763526998865311c1f02085388892f14e94f858c50bf6e53c3

SHA512
aca42768dcc4334e49cd6295bd563c797b11523f4405cd5b4aeb41dec9379d155ae241ce937ec55063ecbf82136154e4dc5065afb78d18b42af86829bac6900d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
caaacbd78b8e7ebc636ff19241b2b13d

SHA1
4435edc68c0594ebb8b0aa84b769d566ad913bc8

SHA256
989cc6f5cdc43f7bac8f6bc10624a47d46cbc366c671c495c6900eabc5276f7a

SHA512
c668a938bef9bbe432af676004beb1ae9c06f1ba2f154d1973e691a892cb39c345b12265b5996127efff3258ebba333847df09238f69e95f2f35879b5db7b7fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8f9407a1714ab3f4d26852126ec89bc3

SHA1
ef25af9037a608d63b609f8cc06b540b1a21dbd2

SHA256
28c43c841f1bce60a5b23ac3eda7f975cd4d84a7226ea7c663a7e75b373fa783

SHA512
e9d4509cecf9fc0a2f67c39fac4f73e38e961ef8b1726accd63a2338a4a44de0995bdfb100085f2412022b5fd53b0b1a4ed0a84054d383e6c6f88fb324eff793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
249f96408965f94f9de009a95016690f

SHA1
021aff07ce27ce50245af2a35442d3c9500b4666

SHA256
e76d1c6093071c1e844fda8fa48c9f6c46c093139ccd344d2268b9fce147406d

SHA512
de973d6b845e50dfa9b7dbbd16f9e01b82473d55c6160bc3a6107889c64cb7618f9d4c92b8c1a2cf430e3f63ef73065564aada6d71b89ceb1760ba7dbb8c5a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73de6281c28efd7a1f430fcc6b4cdea5

SHA1
78ef230dc18bf1dc867f65e357aa7005ceb8d077

SHA256
556106af53a484bcb7823a170f157304d0dc9f84d330cc0263de43071ae744c7

SHA512
7b3979fd35a80fd35367519a2ab73d0798bff3b8d0e8aa6270d7c59344ed04773f5ed6badaddc792b57865fbfd327bdf54ae8ad90940f93b6915a329776935cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e829247cfd81d47583d42b5546abe4c6

SHA1
9bab843290074021fbc41e53abe0a82f614ddce7

SHA256
1639a431ae14b5d76095f8503a967401426d2a9d6e96cb151d9cea39ea295fce

SHA512
d15dc0ff478b93cffc2181e99e521e28dfc5b7bef0424226a53c2f1803c093c299a34b58d64cc2f8705aa7dc7581566b7e6dc8b04d2f1112ec931ade4e8dd109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0b667bbb248771a125ca02d19c9d9599

SHA1
94ab68e718dda6ab2f05d55404ac3b92f4cd4380

SHA256
09172a970998f9dd89e92781fb2ce0c7b475a53824905607f184002d10178fc5

SHA512
97244eebaeb2f4e8f8fd80427dbfb862495595b1740bbb1d88a94e954f94534f6eb301b00107035412e9d9be62cf9296fb167d8f1b8dc4426d62c1990521ef6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
1.8MB

MD5
25a84242d258a18a96fe6368ec43c068

SHA1
02fd34ce3f48e6cee06d98bbfe7788a9a5074625

SHA256
cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53

SHA512
cf29554dbf5a824a5d08d7e323331f794942361a5988c0c209fdc517fbc3369c79d29d18f13b8e9497673721c46ae510bcdc2e2f1e6bf78d1141d7887f37e545

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000022001\82fe48f0ad.exe

Filesize
2.5MB

MD5
261fb7c3500f63885fd2828196fdd8b8

SHA1
1e97a7f04307980ffd77404dfe973f1c87ee2704

SHA256
36459bb27b988062c39aa330a37d802db254dcb183c4c16e449f53154c478d77

SHA512
6580a8c6d19540fe523c2b5e966d78e8709378f95f960c34121040d309e6334a4fb85e0f31f653f6530c4f4d9e90dfcd2ea5840cc0bfef5f0eb051166d35130a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe

Filesize
1.8MB

MD5
c73c10b9d507ee109985ac6be175cac0

SHA1
842d28061b47291b8754cfb06ef3c4562d161a9e

SHA256
13fe3af07ccdbfd8071a69a50059fc8a61a137e681f3fdfbcd1a94f64128b3e0

SHA512
16084f67fa767bc650e9fbc9e9d7b296ddd37799fba1d9c0f9d3f5c062dfe15b287208d463cccde87ab82d8ecd9af068f9677bef14930cb4848f5924e3da5a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe

Filesize
1.8MB

MD5
00d454d4e389bb07ddc2146aef648d54

SHA1
5efcb076f438b4902f54e62dc47712869df31ca0

SHA256
b4e8bf072be54339bb6db8929696105cf86ecd0d730a21ffae40a9a67450b3af

SHA512
170abb29a538b43eefd0cfbc9c0689946ba750e697900eec0c485682f694e4cdaaf5bc5a7df2774e4f6cdf1b146d4d15ff30058ec461b4c97f0b166322ed335b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000105001\un300un.exe

Filesize
1.5MB

MD5
d47c54d8705104ef3b76018aa9a97869

SHA1
1c29d5732338983dd6396dbd03e2d736d5dec0bf

SHA256
f556c74b42577ecf8c1828932e094011ab71b2d5f7ac24325e9922e5fdbf72ba

SHA512
20284ad06558702979066acc3fd3f867ad191cf8f3a16c3e371671e5885235e2fbd73f2919053e745a2c629b2fe497886a9cd162e5c5c188ff3f0b5b6837481d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000180001\ISetup8.exe

Filesize
454KB

MD5
92ac4ce0b0dc08ada03a6e29057e5dc9

SHA1
106d37a6d16f36f3f9387a4af30893cd24c86d4e

SHA256
6796432ce9d1daecb03daf92888fdd66418b433b41a7f00ab5a6bcd1fa8e13fc

SHA512
0dbd0c4b19cce7321b68992b788a301678f131d39b77c2b6ab417ebe4c4920cc3489b7878b67f2a2e1c6cb1267efe5787fb9e141218313025c8ddbe10f35598d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000181001\toolspub1.exe

Filesize
311KB

MD5
3d7dd2b2871160b365b94480b15b9ac5

SHA1
a081bf4469537ac9b30e6e55fac4021833a5fe56

SHA256
e6cf2ae79432017ed234aa7d595ebcf4934f8955223518d2a5ea7eefc8d83afd

SHA512
dd0b03fc18ae326a0853f30b34479e6e0fa37c10ce97798188ffaab394ff23180009be267d856c7f4e00f957e6d3d3ac44f5537c13979b714ae2ed48cd91b4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
768KB

MD5
a8cca97de95a3a6e492abff7fc9f383a

SHA1
13802ce966219fcd26dec2331c676881a66dccec

SHA256
1cf459960c9a149238032feb74e2033b0a965e1463db5c79b6ec440ba24e4f06

SHA512
43864d1d5f008e7c16b8fa7a47d44774e57cf58ca13674b86e735241fd19473d672f9a9953bfc10828327ade64335d3f0e888bab92728c60783bf34e5a653ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
3.8MB

MD5
8fb9a0454cf4391a083d1fef2ca097aa

SHA1
9ff246cd4ffd5354396ea93d58d02a5214689c12

SHA256
258b4767e82ed024a8341d0c583408dbfbbabd3acf486d19477808c3731f366b

SHA512
757b226a36a7e2323f1f6f2fe1dfd93886291ef2fa26128a28a7b3ee0200bfff0634752777ef7f768fabc84cce89202d0ddc714845d3965ddec74f345fae76f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
3.8MB

MD5
dc38a60130e71a3cc9491f4e36f52d19

SHA1
bc30432cf21c2f4150dc42e213c19c822289424d

SHA256
44c70e8f20b7b526138d9463b3c89e32b4f1bd1d500e5318405a565d1ccc4079

SHA512
929b36b5c994159c2a50597120e9b083d13bbbed9097a9f2ca0d6b2bef145c0c4da5b061f75f3ebd72330c68b17429e60c9d7cddf3035420df408ed72c93ad0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe

Filesize
464KB

MD5
c084d6f6ba40534fbfc5a64b21ef99ab

SHA1
0b4a17da83c0a8abbc8fab321931d5447b32b720

SHA256
afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624

SHA512
a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe

Filesize
315KB

MD5
5fe67781ffe47ec36f91991abf707432

SHA1
137e6d50387a837bf929b0da70ab6b1512e95466

SHA256
a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9

SHA512
0e32d9a72b562d4c4a8c4edbd3d0ece54b67ee87c8ac382c6508c62b04b11a2dcd1fba23c3a78004fcd0c2b623dc854fd2fd82eb372dc7becdcbdd7ec7fe1b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe

Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka111.exe

Filesize
1KB

MD5
5343c1a8b203c162a3bf3870d9f50fd4

SHA1
04b5b886c20d88b57eea6d8ff882624a4ac1e51d

SHA256
dc1d54dab6ec8c00f70137927504e4f222c8395f10760b6beecfcfa94e08249f

SHA512
e0f50acb6061744e825a4051765cebf23e8c489b55b190739409d8a79bb08dac8f919247a4e5f65a015ea9c57d326bbef7ea045163915129e01f316c4958d949

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe

Filesize
384KB

MD5
5a67e4802a52a577c2d07f49c45fcef4

SHA1
75773efc981d19a3b442f20a2ec234bc346ccd92

SHA256
c928fe6752632f9cb936098daafeabca505841f29f503d65d8cc8293039e05a6

SHA512
6f71fe452ffcd03e8dced22688c7554686cf5b795d3af85c3c75febc17509d20157bb8b748fb8954aafb1592988439f960ceaa41c2f352d62531b4f367ecf93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001038001\file.exe

Filesize
320KB

MD5
bfaae81f78ac1c57c3ddef94b604e9bd

SHA1
514303140b985f9fad0edfee9880bc633b5c95f7

SHA256
eedbb8b21590cb2bc1b251c858ea212448cf41d07acfc6d8b482a7a8e4ab5b52

SHA512
4a89a800964eac0f960253966fbec59cf527ddec940f71943fd0e30516e06cf0c0400704bd342b68e73e9ec363e9941041fc74e6ef08b3bf9c190be08484e3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001038001\file.exe

Filesize
4.8MB

MD5
90489ae7eda45c9ab0904ec54c1caa71

SHA1
ad96a6b3b10bb1452143f2fb0c450afb6ef6cd3e

SHA256
d545f5b27e90abc54cf5a37c35e866c08336a500cecd95e8267c0c729a6b9bbc

SHA512
2f7f0494ae586bd0dc65cb9100d6259858de08970c980fff83a4169e04a192954ea88c38c0ec07d448c711a81ad710265a0ecc50e49d6709c35c1116c76816d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe

Filesize
301KB

MD5
832eb4dc3ed8ceb9a1735bd0c7acaf1b

SHA1
b622a406927fbb8f6cd5081bd4455fb831948fca

SHA256
2a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7

SHA512
3ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe

Filesize
499KB

MD5
83d0b41c7a3a0d29a268b49a313c5de5

SHA1
46f3251c771b67b40b1f3268caef8046174909a5

SHA256
09cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9

SHA512
705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
192KB

MD5
3ed4dc67a349d5bb7e69482c667aebae

SHA1
6f8925d1b208b4870708e0368a143c501e1cbd91

SHA256
3c0c89fb54580f04f0a3d1b82c095ca430223b81d3dfe46b49a3b8b1332e02eb

SHA512
d681a0faeb669904223c6289c10a33d3eb701e491523585cccdc6566cfc1e04202700e46972d18ef595dc1368571d706d3cd46eb070b30062b98894930986e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB973.tmp\Install.exe

Filesize
512KB

MD5
c0038997e45ed3cab971c9daff006546

SHA1
172896a5c1353413acc85a5db92e620cfcd56ef9

SHA256
80386325264f92dcf9521905be0a55c301578e0f0a3ab6d2a6a78136dee6d094

SHA512
c6e99453cb5adff2f7cfad7f9474b1de5a9091681ed92d4641d04c655337589d4a8f200db9ea5eefb103984dcbb258c9b401dae6c34f1c584bd346fa9afa6af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA54.exe

Filesize
1.9MB

MD5
2687c17194c09bc3b7604da4d1207399

SHA1
3e76818697226119d56ad9b243590ea3a40b0615

SHA256
402cb5c9ab6bd6e874fd76e9254d6b168db9ca4c9128c15f0a696688c5c55abb

SHA512
3121be4106a5ca712b82b39610941d6f23fc1f4b34935c140f476acfdc95587cba8005625e3e53700bd8af1ea661f76b5e00ecc4ab26e1d535d0dceb3bfd9354

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA54.exe

Filesize
1.4MB

MD5
ce2c4cefb3d849d9178328c2a6dc717f

SHA1
c6b733d0985733126e241890581c0d8f03b3bed2

SHA256
30dd7ff7cef2873c9febbfef93bf667acfd5bee337e580e2607b819482a48547

SHA512
d20e6a9849145a2df5b5bfb5d00dcf5b5ef62575ec13c06232fd1b42a9906e8482bfd0b5c49a32ca6995725757bd1fc29a321bc354d10572306d37abde86ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D388.dll

Filesize
3.0MB

MD5
a3621c096c304b8e9cbd64dbbad2e7ae

SHA1
9c53c1a8ffc2afa8d476270c05789260b88d5b2f

SHA256
9805d7ea0b73b0322cdb7a7b7def139f75fd01c446556e1c68c43b329d554723

SHA512
0c1f80587fc05f5d55c1a8055c514dd8fa332d0889c447e6da7f01272bb0b6da055f2e9e5226aa4f8ba30dc6ce3269ab8b1c6727d63c2c6a6d455cf69da2a347

Download Submit
C:\Users\Admin\AppData\Local\Temp\D388.dll

Filesize
576KB

MD5
918c1284d198270797c213187d6f1b3b

SHA1
d64b699ad5403b1eee29ac48a2ba622dcdc43017

SHA256
5c82102f1388466449fccfbd48874dc3d7db6a4559aa08492982f0e745ed814a

SHA512
449c35dfb1660922608604484459c2733daf7d5e0757fde8d45513bb6fdddcd4880a2f222c2043e7a9fb9217d86ebee16aab480154e73135bea878836e3de609

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6E2.exe

Filesize
4.1MB

MD5
a3dcd270e6e535a1aa6293b52c611728

SHA1
e32a901da7145d31ccf7252143d05bf724982233

SHA256
ad96f38cd0c07c10b0be5c0bd0ae34b8231a5e4e4749b791acf09a94936c4a2f

SHA512
bf515e5410ef5211aaa76cfab5da6c027076f4ae809cbd24606b9d6817c6367f922ef4e38013c8be71ee20558373174f0217c0ba406e8f0f182f857ee9eae5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJDAFIEHIE.exe

Filesize
106KB

MD5
fe380780b5c35bd6d54541791151c2be

SHA1
7fe3a583cf91474c733f85cebf3c857682e269e1

SHA256
b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53

SHA512
ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISetup4.exe

Filesize
464KB

MD5
44f814be76122897ef325f8938f8e4cf

SHA1
5f338e940d1ee1fa89523d13a0b289912e396d23

SHA256
2899d533753918409ab910b70ba92f8740f76c8e8ac74f4c890e53b258e3bff6

SHA512
daeb1a81dd4fe1578502d0c681c7e723273d06297c2fad7aeb74b1a06cd05f72a418af9571c82188525af329b3fef9785d588f1416d6ccf45ab58b589d8f0d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403270336504906552.dll

Filesize
130KB

MD5
5959e732ad0bc882f57744309974e56f

SHA1
a32514779a9b342a2752c4827d92bf80c8b2b1f0

SHA256
db420d83e1db3bd1f303fd0a3b0417bea0baa2e0734a0fa44e6fd4a5916f7c0e

SHA512
de453d7eaa71bca3bdad5e99d81a4778f371ace0aab056f05b6cf57c2b28252528328fcba6173c8bbef6424dd3e32d3e2a9c2d6b3606992f7da7efaef99d6786

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs

Filesize
260B

MD5
841c24716c25d1d8c1f5eab82fc73be7

SHA1
a2cae95040bff067feaa70e45441f197d13a5f5d

SHA256
29cd1166bdab2568a4a4665c9c072ed0c21e9365be74e01c01d39ca927631b53

SHA512
00f67e7c3b342fca261c8ba9aad1325e56864eaa7359d4f68ab05b2dfe9fb165898d8d74f08d5b90b47dcb6c7ce2f6e56e1bfb53aebf272c38fb6f2404f715aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
768KB

MD5
5b328c1d3efd51f7d5a2ce26146ea8e3

SHA1
64cd806c089debd38b2288895a70f157ffca0b51

SHA256
03db873bb530cc2d7260edf2c6566c62b0f0e0557d65bb08bf461b5713d3a725

SHA512
2631c8fa5be8e5cca5b24d7e4d25ed260343c4d68aebb64ef107c56ca59f22ef9dbc3b47e04cbbad2dc097a507a4c5763eaf79f663c6d1dd4781bec6a8b02b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
2.4MB

MD5
6adf971492254cf2a5f8894c8a0d637f

SHA1
009a265a5dc2c1fb960c4cffde17d95fc21fa16d

SHA256
0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd

SHA512
e3455f81e1c8f8aed6e314319b67eea695f6bfc881dacf7703f4f7c9ee11fa60fca77b5ec185f5c383b4ebec5b03c7d235724c2be7899304b07ddd2b0cc48f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe

Filesize
2.2MB

MD5
0919d76709704c22d602ca37aadab717

SHA1
dafdc1303d028b36a7fe9b71465f9144b1c83ba6

SHA256
495c76a1f5b27c1d1dd4c02a2d6b14c33f02f7fff1d4720e9f751055f9dd9a51

SHA512
e58ed25f8e456ebe29904b10c6b79de863cdd788eee13d04c5ac5800d5693874b9d62003312f8580576a140a9d22a93e5e6c4d1d778734f5d8b345863ca8f938

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe

Filesize
704KB

MD5
a6276ea82b04b55c2afb33c37dc0cead

SHA1
fd454b5118ab0a52c7e8883eb15c0c59384e9b9b

SHA256
9c07ad332be8883ff9613a0227f109849924f42387b8aac61bdd057a01660ce5

SHA512
512c30967a1d5f76a9bdbe6a9de62378be0457d3437c4f676ba3e97d596381684230fd1ac52450d54afdad3617c04159b417c5de8107aa5a20a57342aa89300a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp12A8.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mq3gm2ux.10j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4478.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4650.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\u12o.0.exe

Filesize
310KB

MD5
e0a5b9bdadb0ba852cc3efd6b6e0cc38

SHA1
8ef0464a27a686ca76bfb907caf04163f65f68fe

SHA256
d14d6b781211f0e119132259d31da661841e91e12137bf021595ee2e3ced3ea1

SHA512
a3319dbeaabcae345984c03d3a8f7bde513519bbb9eab22f85b4ff12a0d2c34ac0655ad4b6284f72735113514e3e19213313afea96a23772ece9aab75f2960e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\u12o.0.exe

Filesize
128KB

MD5
3eb39e112149a256642f57b340dbfae0

SHA1
8328e4264a7d8ac8efa7483ed30ce503374c165f

SHA256
d31e1d7021602ec353cc7c5e095db56bc6d2b65633938208091c362af8b70e32

SHA512
20afe92cf622a20e45355c2c78352250400031cee974069391edccb2c64abceee7c21fbecf8782ebe3dc79ec0ad4ee768533ca938a402a5e7ef9e0d3907958c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\u12o.1.exe

Filesize
1.7MB

MD5
eee5ddcffbed16222cac0a1b4e2e466e

SHA1
28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

SHA256
2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

SHA512
8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\u12o.1.exe

Filesize
1.6MB

MD5
f0e775924790a1e58dd6931f5e10366f

SHA1
2dbfe7446d6216db704a0b9fd7fbef1574b1ba75

SHA256
2e01c1110d9379cc3d7fc8f70763e861791bd3d7456244496d5fb833c3f4c142

SHA512
b81c2a7d61c3e1ba6551139d2056d8c5c87f4e277cc3499fa9b8f4ddbf30e337b2b22b74ee6bfb71917e324385135fdd1819deb3796835b7380f29d709c5b35c

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
768KB

MD5
0ce28fe2eceb639b18c48659b6fb8a99

SHA1
406a6446cf1cd49fc2d70289fa8c4d81f916c683

SHA256
24cc138962da1724642ea7956666183b20f97d2a49d0bf6a6c9cffd388a9742c

SHA512
a0ab8990614ad001a9961761325c0c3298bd31dada9b5610ea76e5c537ee2db8ed03b3bbc1cf5afadaec636c8b5a8bc71b6ec3be0d5442df8046efad576aca47

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
576KB

MD5
61928ef2ba2edda651904c983af3dbba

SHA1
b01db4b12759428d654d1d562c3125b1ee88e002

SHA256
8ccdf5fb0780af3ff2526e6581d900b0b143891f9ffec179fae0de99d5d48751

SHA512
087495930cdbaf98b365bacf5dc0f53ce65f266cc0ebc14b49448f4bfa0e55ff7099bfdf08a2e248a131ca75b8e745d90a61a740b50f1652cc2f572fff3a797c

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
576KB

MD5
0dbf7be9756a1527348b822603b77d03

SHA1
15c815137220fd4fadaf2752b91c991149a7910f

SHA256
8bc98d48ba8672dd85aa33a7dfe0178553a3705d42f84359f047cf57fab21284

SHA512
a0f4b373e13ef062806b63bce74acfc237d5c696386b8af741354ff0a2eda80ef4a8bfa6859ffb7f26cc2a7e16ce2802baeeb3aa6c2f9afe482186b81690ce3a

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
6416d9607a2d6ea6948f1ac96d748258

SHA1
0934ab17ef21631a1e3935576302e25faf670804

SHA256
4cd48713bcc9fb09b46c421953931542717202678f346b9331cf83f16972478a

SHA512
78b24e82750d83ac504afcdc605a1f752765390ca7cbf8f7aa162fba32423f882f4744278724d7bfc72a72f5de6891145f53ab5ee163dd99e5b8a37fafc49226

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
ec0ee482ed831ff0aa3ea008e1449638

SHA1
af9513bedbe379f3f0ca154a8a5cd32fbc99c988

SHA256
898898c254bc38bc90d5c85636d484cf748979716d456a67caf0d31345f56b46

SHA512
d818ba9900d0935e31c5ecc940be4d1c9e94a1571fb60cc04a491bcf307291bf665e8ad49765591f80d65520518341c6527ebb9282d0bbbf1e55a9b6d5f40915

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
14f0c2bccdd307549c41fa72c8d645a6

SHA1
33e3cb617379dbc65a0cc19eb9d5ff3675fffe6d

SHA256
577d64ae1ec813259204998fec6e3f0ec31555ed041585d95a0404ecab650791

SHA512
5d74cda18d67959ec5736b88be7ce88b5f678d4be7641a5d5cb6b32aff6fb81e0266f243d1219d0443837867151118b6a0961089f474fa081048ee29565311c8

Download Submit
C:\Users\Admin\Pictures\0ymLbV5rzcMb9i1rcdftTAvk.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\L0y9wocw6Kf4FJp2D6o5e9nQ.exe

Filesize
64KB

MD5
1f2f5585f0405abd4ca117e41f93fc03

SHA1
221673ef690b936db60087b57e1f7124cf44857c

SHA256
0bc98f7178b009f18d23677d8ae77f8b8e3d23cfa2b1c75a2bbf082ac823e553

SHA512
8459ee304492e4cc1f1e28d5d546e99d243c2fc67cdf407cd25fd1f0686edabb2dd03a2919ad42a6707744dedff6fe178a24e4d51a5c398ddb05d2b9927ba435

Download Submit
C:\Users\Admin\Pictures\Wt0L2BdQNqu0Z3xIJbVxeAWu.exe

Filesize
640KB

MD5
8cd4175813cdc6b7842741a936a7ab7d

SHA1
120ce478f1cdb7696986df59f25770f69323ee11

SHA256
60473b09fbb2bc1dc6499658c519a855a57c6a93842cf1ec9855508faf9dff2c

SHA512
59d84b456ed064cb10f9f3f4601e02ce81f0a75ca16169298b12e66606c034f4550ccda8d44ac82a9774ed549c3fc249140f2f573e9725369d4feae597e41768

Download Submit
C:\Users\Admin\Pictures\tHZYBcvJPnKNLId7FF9sJXTb.exe

Filesize
4.4MB

MD5
01b088047fdd8b6d1fe71337dbc9c2c0

SHA1
14502b24871eb4fc0410670f43c9987cef8d330e

SHA256
cb03434671bf6bcbb796f0e534b2ac52705e703d62d1bae674c5cbc71faa3880

SHA512
3de026595b5e9e0534edffe6605a90dad1b3006d5f12e920794d607e583f4ec61bc9eb1c0edd6ce34afcac7e00e9fc0ffc54e4868c2aa14e47056b163c6c58da

Download Submit
C:\Users\Admin\Pictures\uNaaxPr6b7zE521ItmcPNCHn.exe

Filesize
1.9MB

MD5
e886d6f2fb083ebd862b84f51e28d898

SHA1
6bff8b2824ebee19c589f7fe6d36cb4b630252f5

SHA256
4de2931e3df9de69477579ddcbb217221f495b0f87922db64d566d9c810e6ac1

SHA512
0e9865890b6d1a866848fe608e30ea1919cb2cba64266634fa1059d8c00c43061b122d25d7d1e4ef8aded41dcd6d4611ff1780ba80ee20579baf61d2c4b1b852

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
882d87707cdc5d165d9e600d0048ab91

SHA1
43551b533a6ccd2b93273e6f53630efbb97857b0

SHA256
324c70731c4e539e1aa95c85ab741298a0076bcde9fec4e04d23a1e440194e51

SHA512
f4a2a41439d8720076fd098ca9616df97664e4bee5d18df72b72c2d4f694f219fc49947a9c3367d0a1494bb54bbfb316d309d735e35ef706aee001e2ea18f388

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/1144-409-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1144-454-0x0000000000400000-0x0000000000AF7000-memory.dmp

Filesize
7.0MB

Download
memory/1392-438-0x0000000000400000-0x0000000000B1B000-memory.dmp

Filesize
7.1MB

Download
memory/1432-20-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/1432-21-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/1432-25-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/1432-105-0x00000000004C0000-0x0000000000966000-memory.dmp

Filesize
4.6MB

Download
memory/1432-512-0x00000000004C0000-0x0000000000966000-memory.dmp

Filesize
4.6MB

Download
memory/1432-23-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/1432-26-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/1432-254-0x00000000004C0000-0x0000000000966000-memory.dmp

Filesize
4.6MB

Download
memory/1432-24-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/1432-100-0x00000000004C0000-0x0000000000966000-memory.dmp

Filesize
4.6MB

Download
memory/1432-18-0x00000000004C0000-0x0000000000966000-memory.dmp

Filesize
4.6MB

Download
memory/1432-101-0x00000000004C0000-0x0000000000966000-memory.dmp

Filesize
4.6MB

Download
memory/1432-19-0x00000000004C0000-0x0000000000966000-memory.dmp

Filesize
4.6MB

Download
memory/1432-22-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/1432-369-0x00000000004C0000-0x0000000000966000-memory.dmp

Filesize
4.6MB

Download
memory/1508-513-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/1732-259-0x000000001DCD0000-0x000000001DD46000-memory.dmp

Filesize
472KB

Download
memory/1732-253-0x000000001D5F0000-0x000000001D62C000-memory.dmp

Filesize
240KB

Download
memory/1732-187-0x00007FFC7CF30000-0x00007FFC7D9F2000-memory.dmp

Filesize
10.8MB

Download
memory/1732-190-0x000000001B210000-0x000000001B220000-memory.dmp

Filesize
64KB

Download
memory/1732-248-0x000000001D6C0000-0x000000001D7CA000-memory.dmp

Filesize
1.0MB

Download
memory/1732-258-0x000000001B210000-0x000000001B220000-memory.dmp

Filesize
64KB

Download
memory/1732-186-0x0000000000480000-0x000000000050C000-memory.dmp

Filesize
560KB

Download
memory/1732-252-0x000000001C1E0000-0x000000001C1F2000-memory.dmp

Filesize
72KB

Download
memory/2880-256-0x0000000002F00000-0x0000000004F00000-memory.dmp

Filesize
32.0MB

Download
memory/2880-62-0x0000000000920000-0x000000000099A000-memory.dmp

Filesize
488KB

Download
memory/2880-72-0x0000000002F00000-0x0000000004F00000-memory.dmp

Filesize
32.0MB

Download
memory/2880-63-0x0000000072F30000-0x00000000736E1000-memory.dmp

Filesize
7.7MB

Download
memory/2880-64-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/2880-70-0x0000000072F30000-0x00000000736E1000-memory.dmp

Filesize
7.7MB

Download
memory/3232-226-0x00000000044C0000-0x00000000044D6000-memory.dmp

Filesize
88KB

Download
memory/3232-405-0x00000000042A0000-0x00000000042B6000-memory.dmp

Filesize
88KB

Download
memory/3292-408-0x0000000000400000-0x0000000000AF7000-memory.dmp

Filesize
7.0MB

Download
memory/3468-181-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/3468-164-0x0000000002F70000-0x0000000002F7B000-memory.dmp

Filesize
44KB

Download
memory/3468-188-0x0000000002F80000-0x0000000003080000-memory.dmp

Filesize
1024KB

Download
memory/3468-229-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/4028-103-0x0000000000530000-0x00000000006EC000-memory.dmp

Filesize
1.7MB

Download
memory/4028-120-0x0000000002B90000-0x0000000004B90000-memory.dmp

Filesize
32.0MB

Download
memory/4028-119-0x0000000072F30000-0x00000000736E1000-memory.dmp

Filesize
7.7MB

Download
memory/4028-106-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/4028-104-0x0000000072F30000-0x00000000736E1000-memory.dmp

Filesize
7.7MB

Download
memory/4140-4-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/4140-1-0x0000000077576000-0x0000000077578000-memory.dmp

Filesize
8KB

Download
memory/4140-10-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4140-9-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/4140-15-0x0000000000050000-0x00000000004F6000-memory.dmp

Filesize
4.6MB

Download
memory/4140-2-0x0000000000050000-0x00000000004F6000-memory.dmp

Filesize
4.6MB

Download
memory/4140-3-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/4140-0-0x0000000000050000-0x00000000004F6000-memory.dmp

Filesize
4.6MB

Download
memory/4140-7-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/4140-8-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/4140-5-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/4140-6-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4388-576-0x00000000059C0000-0x0000000005BDE000-memory.dmp

Filesize
2.1MB

Download
memory/4388-569-0x00000000059C0000-0x0000000005BDE000-memory.dmp

Filesize
2.1MB

Download
memory/4388-563-0x00000000059C0000-0x0000000005BDE000-memory.dmp

Filesize
2.1MB

Download
memory/4388-562-0x00000000059C0000-0x0000000005BDE000-memory.dmp

Filesize
2.1MB

Download
memory/4388-594-0x00000000059C0000-0x0000000005BDE000-memory.dmp

Filesize
2.1MB

Download
memory/4388-565-0x00000000059C0000-0x0000000005BDE000-memory.dmp

Filesize
2.1MB

Download
memory/4388-567-0x00000000059C0000-0x0000000005BDE000-memory.dmp

Filesize
2.1MB

Download
memory/4388-572-0x00000000059C0000-0x0000000005BDE000-memory.dmp

Filesize
2.1MB

Download
memory/4388-589-0x00000000059C0000-0x0000000005BDE000-memory.dmp

Filesize
2.1MB

Download
memory/4388-583-0x00000000059C0000-0x0000000005BDE000-memory.dmp

Filesize
2.1MB

Download
memory/4704-585-0x0000000005EF0000-0x0000000006144000-memory.dmp

Filesize
2.3MB

Download
memory/4704-577-0x0000000005EF0000-0x0000000006144000-memory.dmp

Filesize
2.3MB

Download
memory/4704-590-0x0000000005EF0000-0x0000000006144000-memory.dmp

Filesize
2.3MB

Download
memory/4704-593-0x0000000005EF0000-0x0000000006144000-memory.dmp

Filesize
2.3MB

Download
memory/4704-575-0x0000000005EF0000-0x0000000006144000-memory.dmp

Filesize
2.3MB

Download
memory/4712-114-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4712-121-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/4712-122-0x0000000072F30000-0x00000000736E1000-memory.dmp

Filesize
7.7MB

Download
memory/4824-75-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/4824-80-0x0000000006610000-0x000000000664C000-memory.dmp

Filesize
240KB

Download
memory/4824-71-0x0000000005590000-0x0000000005B36000-memory.dmp

Filesize
5.6MB

Download
memory/4824-74-0x0000000072F30000-0x00000000736E1000-memory.dmp

Filesize
7.7MB

Download
memory/4824-67-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4824-76-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/4824-77-0x00000000066F0000-0x0000000006D08000-memory.dmp

Filesize
6.1MB

Download
memory/4824-78-0x0000000007EB0000-0x0000000007FBA000-memory.dmp

Filesize
1.0MB

Download
memory/4824-79-0x00000000065B0000-0x00000000065C2000-memory.dmp

Filesize
72KB

Download
memory/4824-73-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/4824-81-0x0000000006660000-0x00000000066AC000-memory.dmp

Filesize
304KB

Download
memory/4824-257-0x0000000072F30000-0x00000000736E1000-memory.dmp

Filesize
7.7MB

Download
memory/4824-255-0x0000000009C00000-0x0000000009C50000-memory.dmp

Filesize
320KB

Download
memory/4824-180-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/4864-179-0x0000000006380000-0x00000000063F6000-memory.dmp

Filesize
472KB

Download
memory/4864-183-0x0000000006C60000-0x0000000006C7E000-memory.dmp

Filesize
120KB

Download
memory/4864-189-0x0000000005B10000-0x0000000005B20000-memory.dmp

Filesize
64KB

Download
memory/4864-163-0x0000000072F30000-0x00000000736E1000-memory.dmp

Filesize
7.7MB

Download
memory/4864-162-0x0000000000E60000-0x0000000000EB2000-memory.dmp

Filesize
328KB

Download