amadey | 1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de

Analysis

max time kernel
45s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe
Size

1.8MB
MD5

b12443e562ba3aafa61814481fa175f1
SHA1

f481d69dfba724fb73fe5df811e62302f9d04c09
SHA256

1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de
SHA512

987e8fa1a53f5174916d42a3f787816693b8a1e92e342f18186e5e6a71c0bad7bbe6310da4f426a1e5789aae722fdac505f624bbfd80f7906f50b9a5c7f2ed72
SSDEEP

49152:qm6ZA6DSfJ063UQtFIWJ6xWLx6doqtExY0cdwMFQ69N:ZuAAcmUUMF66AdosdldwMFX

Score

10^/10

amadey lumma redline stealc zgrat @oleh_psp livetraffic test1234 evasion infostealer rat stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

4.184.225.183:30592

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

stealc

http://52.143.157.84

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 20 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe	family_zgrat_v1
behavioral1/memory/2940-83-0x0000000000740000-0x00000000008FC000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-437-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-441-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-455-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-466-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-478-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-485-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-488-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-491-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-494-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-496-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-498-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-502-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-505-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-508-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-510-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-512-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-514-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/3512-516-0x00000282FF600000-0x00000282FF8BB000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2056-115-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/4756-116-0x0000000000100000-0x000000000017D000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
behavioral1/memory/3416-157-0x00000000008E0000-0x0000000000932000-memory.dmp	family_redline
behavioral1/memory/4756-117-0x0000000000100000-0x000000000017D000-memory.dmp	family_redline
behavioral1/memory/4144-159-0x00000000009C0000-0x0000000000A4C000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe	family_redline
behavioral1/memory/3576-230-0x0000000000CA0000-0x0000000000CF2000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exechrosha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exechrosha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrosha.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation	chrosha.exe

Executes dropped EXE 4 IoCs

Processes:

chrosha.exeswiiiii.exealexxxxxxxx.exegold.exe

pid process

1712 chrosha.exe
1472 swiiiii.exe
2940 alexxxxxxxx.exe
4756 gold.exe

pid	process
1712	chrosha.exe
1472	swiiiii.exe
2940	alexxxxxxxx.exe
4756	gold.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exechrosha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Wine	1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe
Key opened	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Wine	chrosha.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\CyNdWQUatNa4EHL1HKv2tZcC.exe	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

82 pastebin.com
85 pastebin.com
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

132 ipinfo.io
133 ipinfo.io
74 ip-api.com
128 api.myip.com
129 api.myip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exechrosha.exe

pid process

4580 1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe
1712 chrosha.exe

flow	ioc
82	pastebin.com
85	pastebin.com

flow	ioc
132	ipinfo.io
133	ipinfo.io
74	ip-api.com
128	api.myip.com
129	api.myip.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

swiiiii.exealexxxxxxxx.exe

description	pid	process	target process
PID 1472 set thread context of 3332	1472	swiiiii.exe	RegAsm.exe
PID 2940 set thread context of 3656	2940	alexxxxxxxx.exe	RegAsm.exe

Drops file in Windows directory 1 IoCs

Processes:

1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe

description ioc process

File created C:\Windows\Tasks\chrosha.job 1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2868 1472 WerFault.exe swiiiii.exe
3040 2000 WerFault.exe EHLseogawOxTuCq5BpiSRm5E.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3776 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\chrosha.job	1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe

pid	pid_target	process	target process
2868	1472	WerFault.exe	swiiiii.exe
3040	2000	WerFault.exe	EHLseogawOxTuCq5BpiSRm5E.exe

pid	process
3776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exechrosha.exe

pid	process
4580	1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe
4580	1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe
1712	chrosha.exe
1712	chrosha.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe

pid process

4580 1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

chrosha.exeswiiiii.exealexxxxxxxx.exe

description	pid	process	target process
PID 1712 wrote to memory of 1472	1712	chrosha.exe	swiiiii.exe
PID 1712 wrote to memory of 1472	1712	chrosha.exe	swiiiii.exe
PID 1712 wrote to memory of 1472	1712	chrosha.exe	swiiiii.exe
PID 1472 wrote to memory of 3252	1472	swiiiii.exe	RegAsm.exe
PID 1472 wrote to memory of 3252	1472	swiiiii.exe	RegAsm.exe
PID 1472 wrote to memory of 3252	1472	swiiiii.exe	RegAsm.exe
PID 1472 wrote to memory of 3332	1472	swiiiii.exe	RegAsm.exe
PID 1472 wrote to memory of 3332	1472	swiiiii.exe	RegAsm.exe
PID 1472 wrote to memory of 3332	1472	swiiiii.exe	RegAsm.exe
PID 1472 wrote to memory of 3332	1472	swiiiii.exe	RegAsm.exe
PID 1472 wrote to memory of 3332	1472	swiiiii.exe	RegAsm.exe
PID 1472 wrote to memory of 3332	1472	swiiiii.exe	RegAsm.exe
PID 1472 wrote to memory of 3332	1472	swiiiii.exe	RegAsm.exe
PID 1472 wrote to memory of 3332	1472	swiiiii.exe	RegAsm.exe
PID 1472 wrote to memory of 3332	1472	swiiiii.exe	RegAsm.exe
PID 1712 wrote to memory of 2940	1712	chrosha.exe	alexxxxxxxx.exe
PID 1712 wrote to memory of 2940	1712	chrosha.exe	alexxxxxxxx.exe
PID 1712 wrote to memory of 2940	1712	chrosha.exe	alexxxxxxxx.exe
PID 2940 wrote to memory of 3172	2940	alexxxxxxxx.exe	RegAsm.exe
PID 2940 wrote to memory of 3172	2940	alexxxxxxxx.exe	RegAsm.exe
PID 2940 wrote to memory of 3172	2940	alexxxxxxxx.exe	RegAsm.exe
PID 2940 wrote to memory of 1144	2940	alexxxxxxxx.exe	RegAsm.exe
PID 2940 wrote to memory of 1144	2940	alexxxxxxxx.exe	RegAsm.exe
PID 2940 wrote to memory of 1144	2940	alexxxxxxxx.exe	RegAsm.exe
PID 2940 wrote to memory of 3656	2940	alexxxxxxxx.exe	RegAsm.exe
PID 2940 wrote to memory of 3656	2940	alexxxxxxxx.exe	RegAsm.exe
PID 2940 wrote to memory of 3656	2940	alexxxxxxxx.exe	RegAsm.exe
PID 2940 wrote to memory of 3656	2940	alexxxxxxxx.exe	RegAsm.exe
PID 2940 wrote to memory of 3656	2940	alexxxxxxxx.exe	RegAsm.exe
PID 2940 wrote to memory of 3656	2940	alexxxxxxxx.exe	RegAsm.exe
PID 2940 wrote to memory of 3656	2940	alexxxxxxxx.exe	RegAsm.exe
PID 2940 wrote to memory of 3656	2940	alexxxxxxxx.exe	RegAsm.exe
PID 1712 wrote to memory of 4756	1712	chrosha.exe	gold.exe
PID 1712 wrote to memory of 4756	1712	chrosha.exe	gold.exe
PID 1712 wrote to memory of 4756	1712	chrosha.exe	gold.exe

C:\Users\Admin\AppData\Local\Temp\1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe
"C:\Users\Admin\AppData\Local\Temp\1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4580

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 876
3⤵
- Program crash
PID:2868

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3656

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
PID:4144

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
2⤵
- Executes dropped EXE
PID:4756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
2⤵
PID:1280

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
3⤵
- Creates scheduled task(s)
PID:3776

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
PID:1368

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
PID:1968

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:3228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\092317236202_Desktop.zip' -CompressionLevel Optimal
4⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
2⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
2⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
"C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe"
2⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe
"C:\Users\Admin\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe"
2⤵
PID:3376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4124

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\1000173001\Startup.exe
"C:\Users\Admin\AppData\Local\Temp\1000173001\Startup.exe"
2⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
2⤵
PID:3480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force
3⤵
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
PID:2836

C:\Users\Admin\Pictures\EHLseogawOxTuCq5BpiSRm5E.exe
"C:\Users\Admin\Pictures\EHLseogawOxTuCq5BpiSRm5E.exe"
4⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\u1jk.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1jk.0.exe"
5⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\u1jk.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1jk.0.exe"
6⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
5⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
6⤵
PID:4300

C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
7⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
8⤵
PID:4044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
9⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\u1jk.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1jk.1.exe"
5⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
6⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1184
5⤵
- Program crash
PID:3040

C:\Users\Admin\Pictures\XHJrCKvhV9ujjNHbbphgKqwJ.exe
"C:\Users\Admin\Pictures\XHJrCKvhV9ujjNHbbphgKqwJ.exe"
4⤵
PID:4160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3792

C:\Users\Admin\Pictures\XHJrCKvhV9ujjNHbbphgKqwJ.exe
"C:\Users\Admin\Pictures\XHJrCKvhV9ujjNHbbphgKqwJ.exe"
5⤵
PID:4196

C:\Users\Admin\Pictures\Ik621cC5WcwXKbg6q70NnGVK.exe
"C:\Users\Admin\Pictures\Ik621cC5WcwXKbg6q70NnGVK.exe"
4⤵
PID:3220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3340

C:\Users\Admin\Pictures\Ik621cC5WcwXKbg6q70NnGVK.exe
"C:\Users\Admin\Pictures\Ik621cC5WcwXKbg6q70NnGVK.exe"
5⤵
PID:2920

C:\Users\Admin\Pictures\pdflHyALeSwjVrcYjlUNOagw.exe
"C:\Users\Admin\Pictures\pdflHyALeSwjVrcYjlUNOagw.exe" --silent --allusers=0
4⤵
PID:4028

C:\Users\Admin\Pictures\pdflHyALeSwjVrcYjlUNOagw.exe
C:\Users\Admin\Pictures\pdflHyALeSwjVrcYjlUNOagw.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x298,0x2a8,0x6b6ee1d0,0x6b6ee1dc,0x6b6ee1e8
5⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pdflHyALeSwjVrcYjlUNOagw.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pdflHyALeSwjVrcYjlUNOagw.exe" --version
5⤵
PID:1664

C:\Users\Admin\Pictures\pdflHyALeSwjVrcYjlUNOagw.exe
"C:\Users\Admin\Pictures\pdflHyALeSwjVrcYjlUNOagw.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4028 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240418160243" --session-guid=b4e14861-c55a-4ae3-b461-580ed6aba731 --server-tracking-blob="Y2NhNjgxODIwYWU0ZTlhMzhhZWFiZjY1NmEzMjBkMDFjNTJlZDJiNjI3ODZmZjViOGZjOWQ4MGNhY2MzMjdhZTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNDU2MTU3LjczNzkiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiYmUwMmZkOWEtMGVjYi00YjkzLWFjNjYtZTI0ZDRhMzhjZmRhIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3805000000000000
5⤵
PID:1208

C:\Users\Admin\Pictures\pdflHyALeSwjVrcYjlUNOagw.exe
C:\Users\Admin\Pictures\pdflHyALeSwjVrcYjlUNOagw.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6aa6e1d0,0x6aa6e1dc,0x6aa6e1e8
6⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404181602431\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404181602431\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
5⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404181602431\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404181602431\assistant\assistant_installer.exe" --version
5⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404181602431\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404181602431\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x6d6038,0x6d6044,0x6d6050
6⤵
PID:1976

C:\Users\Admin\Pictures\CyNdWQUatNa4EHL1HKv2tZcC.exe
"C:\Users\Admin\Pictures\CyNdWQUatNa4EHL1HKv2tZcC.exe"
4⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1472 -ip 1472
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2000 -ip 2000
1⤵
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
1KB

MD5
23c47bfae5a9ba5838dd6680aab26e5c

SHA1
5ba065c2b1179f3a3ef94842b3df35e202f388da

SHA256
11fcd222a57d666985f4c5780454577bbcbc3afb8bf78ea2bbd25cea54bdda9b

SHA512
2fbfdfdd06edfc020cd5dc241234849a21752baead1ec0421c0b855585dc37d3b5a8d653fdebca4a344825d5aec068333cbb685810b130afebd2358738041576

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404181602431\additional_file0.tmp

Filesize
2.5MB

MD5
15d8c8f36cef095a67d156969ecdb896

SHA1
a1435deb5866cd341c09e56b65cdda33620fcc95

SHA256
1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8

SHA512
d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404181602431\opera_package

Filesize
71.4MB

MD5
53bcfd7e2d5207d2f4fd22c031f8ce2d

SHA1
a191c960985a68d2611d68382b5e227938ebf3e1

SHA256
b3c7111ab7f8f8a257b19a1b7ff9ee545aac02f104cefd0554e4225b3dfdd2f5

SHA512
53636a1f74043342e0861a424084dc45c7464c78d758660370e1486aae521852fb6babd1f36013d3a7f947f4f563a6bcf910db50535ea0a991808bafd1f711ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

Filesize
488KB

MD5
82053649cadec1a338509e46ba776fbd

SHA1
6d8e479a6dc76d54109bb2e602b8087d55537510

SHA256
30468f8b767772214c60a701ecfee11c634516c3e2de146cd07638ea00dd0b6e

SHA512
e4b2b219483477a73fec5a207012f77c7167bf7b7f9adcb80ee92f87ddfe592a0d520f2afee531d1cce926ef56da2b065b13630a1cc171f48db8f7987e10897a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe

Filesize
210KB

MD5
51b0ed6b4908a21e5cc1d9ec7c046040

SHA1
d874f6da7327b2f1b3ace5e66bc763c557ac382e

SHA256
4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d

SHA512
48ec96b209d7061a1276496feb250cf183891b950465d3a916c999aa1efc1c8831b068ce0fce4ce21d09677f945b3d816ed4040146462a0ce0845318041586a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000173001\Startup.exe

Filesize
3.3MB

MD5
76eae6ef736073145d6c06d981615ff9

SHA1
6612a26d5db4a6a745fed7518ec93a1121fffd9c

SHA256
3acdea11112584cd1f78da03f6af5cfc0f883309fc5ec552fa6b9c85a6c483bb

SHA512
e7c118bbe9f62d5834b374e05242636b32daab2c1fe607521d6e78520665c59f78637b74c85d171f8608e255be50731771f0a09dcca69e016b281ee02ab77231

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe

Filesize
559KB

MD5
9ee0c556e1b952495a74709e6b06459a

SHA1
1b631e41b43d6f7ef3f7d140c1eb14ecf1cd861d

SHA256
0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129

SHA512
1ec91c9e0ab4e359be73677f81150922ed06fc58e621e2115d4c607afb94dbf69a8362db14a531ff6aba69b1dc8e3cd2a0aa0ba626320caa9c250060bbe44558

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

Filesize
1.8MB

MD5
b12443e562ba3aafa61814481fa175f1

SHA1
f481d69dfba724fb73fe5df811e62302f9d04c09

SHA256
1c8105cf7450a8c70da44758b28c48250cb3afbc49b8b6b1db17614c0a0777de

SHA512
987e8fa1a53f5174916d42a3f787816693b8a1e92e342f18186e5e6a71c0bad7bbe6310da4f426a1e5789aae722fdac505f624bbfd80f7906f50b9a5c7f2ed72

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ebfa4fa

Filesize
5.9MB

MD5
dcc26dd014bad9eafa9066d3781b615d

SHA1
b0cb8621ca58a196ac73bed4e525deacfaf2d836

SHA256
69502ffc7e2b8946d420e682cd1421f58a17f489590f761c580ce2a4feb74ae3

SHA512
5a7804fdebe09aada86e327899fa7ce6830c26c426d398dd72ef68121c33e59c2572709a725f43d6f1d31c52e7b4ea10b2128d00d530a00ef9db9a8efef204e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404181602387824028.dll

Filesize
4.6MB

MD5
0415cb7be0361a74a039d5f31e72fa65

SHA1
46ae154436c8c059ee75cbc6a18ccda96bb2021d

SHA256
bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798

SHA512
f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe

Filesize
14.7MB

MD5
6955715b6ff15bdc153a2431cc395cca

SHA1
272e1eec66a1871b300484b2200b507a4abe5420

SHA256
a6d40169be9c151e9e6c86fe53d2bac3b4c2ddb41c0b650d961f8328939b4761

SHA512
cf82d27d7010be69ab1c288fef9d820905407c8018e2a91f3c39a0eda5e9378e0ff04d077520d556d46d7a9cb0a3a640d15a10ad4090e482be3c83930836019d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp12E7.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe

Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dbyrk45l.tvv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
54f4a9037f78f346763557806417b8d5

SHA1
6c4b14efd941b80f97555528c3488597309b6494

SHA256
59a7a591b9bb40c7544d97bea08329aadbb3c81e5ccc8440a618c3f00c8ad2b3

SHA512
0bb7c5efd8c8f491c15fb9e7fdb7d7111e92d0b8a4fe603eae088cbceeeb48a901bd80203eadabf409df7cdbd1c5661d35106189ac93472e63a446e7ff27da4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
e24f33c5cb9182e42942975561ed72df

SHA1
7ca8f571977bb72a638e173dd14c3fb084f64500

SHA256
3f8f2cbef68ba37cd0d737e5b6021794997625b9ff1222c273d40159ea7940de

SHA512
968cbbe0de63e78c0c63fede05d273bc7e993e15ec28221b2f58a186345eb6f99a4f0484750b82d73fa8f372fa89032729de3dcd3e675d7ad0aa6cc1e6d8acd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B3D.tmp

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C4A.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1jk.0.exe

Filesize
270KB

MD5
4d4c77c00856a031b4dfddc1efa53935

SHA1
0cdc801919204006d333059744a44a28c0d8e784

SHA256
cb29ec8937bb30cabd8f2bc26e58b3a6b1cb9058e94b89357a4db162660bd150

SHA512
7243f776d69199c1dc0db6214167baa7715924eac70cdf45bfbc2f2ca7506a80b7ced30ef06556ed12fa9e8f0988c81f90ddfc95b6fc14542f11f2f33391c3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1jk.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4092317236-2027488869-1227795436-1000\76b53b3ec448f7ccdda2063b15d2bfc3_fc8888f8-2944-4e65-865d-fee6b64d83f6

Filesize
2KB

MD5
0c35bfb4a25c3930ddf926b005905960

SHA1
6214af9ec892fb0c07aaa83e3d2f91b1d0cb07e8

SHA256
6fafa50836888ab2961a16385591d18264868e7d3ab5a83ced133d986fe18492

SHA512
d047372baf6aced8d63a2e4f09fbdfd1a5a25a041160136cd9ec3cb724d897f89a0e52f6e3d8aa892a249dc3460ffc90816e44a794b34178b8118281e3fc4834

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
3425190511cf6948b2e8b93bac64f5ad

SHA1
bc23478d9c1187bbe5f0b4d00003139e4df62d0c

SHA256
44fb249b03b511f848ecd514ad1a4040b8d9412c86f713c54a6224d1a9346f08

SHA512
a14a83ceae7f69fb23152c53edd3cb5c47f864e986d8ec48577f8cfcd60a955b9c4c4e4b36e9541ba3a5881f0501c797d99cc45661fa46a9a2ac70e8b7c9f92b

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
f4118dfcb53afcf9d35f6369b9b2c7e9

SHA1
2b6a7374a9415d356bdfc392debf956bf4e37ff5

SHA256
48fa84a82ba4d8811c6deb1ad586d060c8f062dfee4391b4dc9ac3d1eecd7e6d

SHA512
1fda46b2f7b131e8e565ec6b5031897b32eff65ce0c707f7de39067a2dd983ab109731309c42939485201d64883fb6060b31276a472e38bfe08fc4cf930be16a

Download Submit
C:\Users\Admin\Pictures\CyNdWQUatNa4EHL1HKv2tZcC.exe

Filesize
3.8MB

MD5
193692e1cf957eef7e6cf2f6bc74be86

SHA1
9d1f849b57c96ca71f0f90c73de97fa912b691d7

SHA256
fcc22a367ed0a8d8de94f5159ab12c32606f97326b832eb47327b7707ba457a6

SHA512
d0bcad2b98e5efc9c767f9a6ad87a6d62638131753bff22b21b883d90c23be17b65594b6d8c4510b255f28806b2a1dc2a01fc0e2138c3146d6e64abcd4a37697

Download Submit
C:\Users\Admin\Pictures\E28aJrcQfHExGLHsiNuFwCQE.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\EHLseogawOxTuCq5BpiSRm5E.exe

Filesize
412KB

MD5
f59946d86735f031f6f5a02bcd09bd4a

SHA1
763a739793c3f14044c2a8cbaf96891ac11689d4

SHA256
eeb2fa386b503656436a6b9684b2635cb7823da8d7eb8f5af20fa5162185a765

SHA512
ee5b7e57ed7a820457dbbc9e85317beaa055a36b7bee9e3ec05e2a913fe591b374a2dbcf0eda0c2bb44d75288e8029a284fb8c57469d708ccbf98f55b039bf49

Download Submit
C:\Users\Admin\Pictures\Ik621cC5WcwXKbg6q70NnGVK.exe

Filesize
4.2MB

MD5
e497ea444eadaff158450e085d7b3c38

SHA1
d177434d06c78424835520eef0e139073ef11873

SHA256
2f1b09f69d4c8e83edbb37dbc2614d31be587cda032b0bd3837dc5fa13fc6fde

SHA512
6568f0a0c1328c4bdc2a0ce9fa6609304c02c226c23dae1031268ab962c27b9d2ed09b0f7d3875285b42fbaf35e2dd0179a1b882147d4592669284d5ba0fe826

Download Submit
C:\Users\Admin\Pictures\pdflHyALeSwjVrcYjlUNOagw.exe

Filesize
5.1MB

MD5
e1c083fbe56eab432e90fad54967d95c

SHA1
008cc9513ad8af92a5c8993f0c8652730f5647e0

SHA256
3391283ced5f13e94db5366fe71c59aa26907d667eeb7256c1308963128d6141

SHA512
db6fdf88cbda6aeef005439639f0d4e6874ae334f1cad49e6919d244d3a662398dcfa3e027219d4898613672995a15b745cc4b6a4d878a33133c198abd22ae3f

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
57fb43d4565b968b01ab4ee35097e478

SHA1
24a34eb8ed463cd0bc08e2c89fef03082ac4b885

SHA256
76a3bee42c488ebf3f545cf6113bf6ab01b8f2ba3915f5d000d7aaf093286f9f

SHA512
f872f150057ebfd7fd8154841a63fbf3b5d622e17ea5fc7d4050c7e46063d9fe035062fd44a94f7a7bdd210aea482fc89d0482f1bc1cfe3e5c4b223237f81d68

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
7f162029e9a786835fa117dc719ad2f0

SHA1
3e82ce93459c2122577565f7e2e0b41e548cf46a

SHA256
124c3dd6ffd8c5f0e3a16f011b80ef00c500dc7493cffdac7ca0ed6333c63f82

SHA512
ad9b8b1a5fbe10addbe8e107f302beab19bc31c8499fea01b8d3dffba2aed2304a838af1f1e9d2722830519fe650df434ceec2ac54b4851f464eff648d4cc357

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/1472-49-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1472-50-0x0000000072CA0000-0x0000000073450000-memory.dmp

Filesize
7.7MB

Download
memory/1472-86-0x0000000072CA0000-0x0000000073450000-memory.dmp

Filesize
7.7MB

Download
memory/1472-57-0x0000000002940000-0x0000000004940000-memory.dmp

Filesize
32.0MB

Download
memory/1712-25-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/1712-111-0x0000000000200000-0x00000000006C4000-memory.dmp

Filesize
4.8MB

Download
memory/1712-19-0x0000000000200000-0x00000000006C4000-memory.dmp

Filesize
4.8MB

Download
memory/1712-26-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1712-20-0x0000000000200000-0x00000000006C4000-memory.dmp

Filesize
4.8MB

Download
memory/1712-21-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1712-22-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/1712-23-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1712-27-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/1712-24-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/1712-82-0x0000000000200000-0x00000000006C4000-memory.dmp

Filesize
4.8MB

Download
memory/1712-29-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/1712-297-0x0000000000200000-0x00000000006C4000-memory.dmp

Filesize
4.8MB

Download
memory/1712-28-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/1828-285-0x0000000072CA0000-0x0000000073450000-memory.dmp

Filesize
7.7MB

Download
memory/1888-317-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1888-289-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1888-292-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2056-152-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/2056-233-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/2056-218-0x00000000060C0000-0x0000000006136000-memory.dmp

Filesize
472KB

Download
memory/2056-280-0x0000000006DE0000-0x0000000006E2C000-memory.dmp

Filesize
304KB

Download
memory/2056-179-0x0000000005330000-0x000000000533A000-memory.dmp

Filesize
40KB

Download
memory/2056-137-0x0000000072CA0000-0x0000000073450000-memory.dmp

Filesize
7.7MB

Download
memory/2056-146-0x0000000005910000-0x0000000005EB4000-memory.dmp

Filesize
5.6MB

Download
memory/2056-180-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/2056-276-0x0000000006DA0000-0x0000000006DDC000-memory.dmp

Filesize
240KB

Download
memory/2056-275-0x0000000006D40000-0x0000000006D52000-memory.dmp

Filesize
72KB

Download
memory/2056-115-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2940-107-0x0000000002C50000-0x0000000004C50000-memory.dmp

Filesize
32.0MB

Download
memory/2940-85-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

Filesize
64KB

Download
memory/2940-84-0x0000000072CA0000-0x0000000073450000-memory.dmp

Filesize
7.7MB

Download
memory/2940-108-0x0000000072CA0000-0x0000000073450000-memory.dmp

Filesize
7.7MB

Download
memory/2940-83-0x0000000000740000-0x00000000008FC000-memory.dmp

Filesize
1.7MB

Download
memory/3332-60-0x0000000001460000-0x0000000001492000-memory.dmp

Filesize
200KB

Download
memory/3332-53-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3332-56-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3332-58-0x0000000001460000-0x0000000001492000-memory.dmp

Filesize
200KB

Download
memory/3332-59-0x0000000001460000-0x0000000001492000-memory.dmp

Filesize
200KB

Download
memory/3332-61-0x0000000001460000-0x0000000001492000-memory.dmp

Filesize
200KB

Download
memory/3332-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3416-156-0x0000000072CA0000-0x0000000073450000-memory.dmp

Filesize
7.7MB

Download
memory/3416-267-0x0000000006A10000-0x0000000006B1A000-memory.dmp

Filesize
1.0MB

Download
memory/3416-190-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/3416-266-0x0000000006EC0000-0x00000000074D8000-memory.dmp

Filesize
6.1MB

Download
memory/3416-157-0x00000000008E0000-0x0000000000932000-memory.dmp

Filesize
328KB

Download
memory/3512-437-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-514-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-516-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-441-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-512-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-510-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-508-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-455-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-466-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-478-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-485-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-488-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-491-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-494-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-496-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-498-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-502-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3512-505-0x00000282FF600000-0x00000282FF8BB000-memory.dmp

Filesize
2.7MB

Download
memory/3576-231-0x0000000072CA0000-0x0000000073450000-memory.dmp

Filesize
7.7MB

Download
memory/3576-232-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/3576-230-0x0000000000CA0000-0x0000000000CF2000-memory.dmp

Filesize
328KB

Download
memory/3656-113-0x0000000072CA0000-0x0000000073450000-memory.dmp

Filesize
7.7MB

Download
memory/3656-112-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/3656-100-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4124-336-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4144-188-0x000000001B4C0000-0x000000001B4D0000-memory.dmp

Filesize
64KB

Download
memory/4144-159-0x00000000009C0000-0x0000000000A4C000-memory.dmp

Filesize
560KB

Download
memory/4144-178-0x00007FFF3CC90000-0x00007FFF3D751000-memory.dmp

Filesize
10.8MB

Download
memory/4580-5-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/4580-7-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/4580-1-0x0000000077094000-0x0000000077096000-memory.dmp

Filesize
8KB

Download
memory/4580-16-0x0000000000A70000-0x0000000000F34000-memory.dmp

Filesize
4.8MB

Download
memory/4580-11-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4580-10-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4580-9-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/4580-2-0x0000000000A70000-0x0000000000F34000-memory.dmp

Filesize
4.8MB

Download
memory/4580-8-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/4580-6-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/4580-0-0x0000000000A70000-0x0000000000F34000-memory.dmp

Filesize
4.8MB

Download
memory/4580-4-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/4580-3-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/4756-117-0x0000000000100000-0x000000000017D000-memory.dmp

Filesize
500KB

Download
memory/4756-116-0x0000000000100000-0x000000000017D000-memory.dmp

Filesize
500KB

Download