amadey | 49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4

Analysis

max time kernel
142s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
02-06-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exe
Size

1.8MB
MD5

028dd36801f3b1f0b82a5c75f181798f
SHA1

372f942dfe325d3cd22ef8f172d8d7cb90dc14f0
SHA256

49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4
SHA512

b5cdc00601d5b660ccbd755a40960f260dbe2a52ac0b240b8933fb20d023cff7b55536f241d1aec05afdefde5e662be11dd01c9d9a0b62cad97f487d21f5bb98
SSDEEP

49152:y38J7qrsixjUqzmAou4QCjBRGyVrnjGts2HqqGmkVW:W8FqrFx4q6AouErGyVrnjGWilQw

Score

10^/10

amadey redline smokeloader 0e6740 49e482 newbild pub1 backdoor discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

4.21

Botnet

49e482

http://147.45.47.70

Attributes

install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php

rc4.plain

Extracted

Family

redline

Botnet

newbild

185.215.113.67:40960

Extracted

Family

smokeloader

Botnet

pub1

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe	family_redline
behavioral2/memory/3972-257-0x00000000003F0000-0x0000000000440000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

President.pif

description pid process target process

PID 2120 created 3292 2120 President.pif Explorer.EXE

description	pid	process	target process
PID 2120 created 3292	2120	President.pif	Explorer.EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

b78a8ccb6e.exec609814bf5.exeaxplont.exeaxplont.exe49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exeexplortu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b78a8ccb6e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c609814bf5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplont.exeexplortu.exeaxplont.exeexplortu.exeexplortu.exeaxplont.exec609814bf5.exeaxplont.exeexplortu.exe49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exeb78a8ccb6e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c609814bf5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c609814bf5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b78a8ccb6e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b78a8ccb6e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe

Executes dropped EXE 14 IoCs

Processes:

explortu.exeb78a8ccb6e.exeaxplont.exec609814bf5.exe9a3efc.exenewbild.exePresident.pifaxplont.exeexplortu.exePresident.pifaxplont.exeexplortu.exeaxplont.exeexplortu.exe

pid	process
3872	explortu.exe
1628	b78a8ccb6e.exe
3160	axplont.exe
4440	c609814bf5.exe
4756	9a3efc.exe
3972	newbild.exe
2120	President.pif
4540	axplont.exe
2116	explortu.exe
2564	President.pif
4684	axplont.exe
3632	explortu.exe
1156	axplont.exe
1712	explortu.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exeexplortu.exeb78a8ccb6e.exeaxplont.exec609814bf5.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	b78a8ccb6e.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	c609814bf5.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	axplont.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explortu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\c609814bf5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\c609814bf5.exe"	explortu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exeexplortu.exeb78a8ccb6e.exeaxplont.exec609814bf5.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exe

pid	process
3012	49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exe
3872	explortu.exe
1628	b78a8ccb6e.exe
3160	axplont.exe
4440	c609814bf5.exe
4540	axplont.exe
2116	explortu.exe
4684	axplont.exe
3632	explortu.exe
1156	axplont.exe
1712	explortu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

President.pif

description pid process target process

PID 2120 set thread context of 2564 2120 President.pif President.pif

description	pid	process	target process
PID 2120 set thread context of 2564	2120	President.pif	President.pif

Drops file in Windows directory 2 IoCs

Processes:

49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exeb78a8ccb6e.exe

description	ioc	process
File created	C:\Windows\Tasks\explortu.job	49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exe
File created	C:\Windows\Tasks\axplont.job	b78a8ccb6e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

President.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	President.pif
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	President.pif
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	President.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1584 tasklist.exe
5012 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4620 PING.EXE

pid	process
1584	tasklist.exe
5012	tasklist.exe

pid	process
4620	PING.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exeexplortu.exeb78a8ccb6e.exeaxplont.exec609814bf5.exePresident.pifaxplont.exeexplortu.exenewbild.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exe

pid	process
3012	49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exe
3012	49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exe
3872	explortu.exe
3872	explortu.exe
1628	b78a8ccb6e.exe
1628	b78a8ccb6e.exe
3160	axplont.exe
3160	axplont.exe
4440	c609814bf5.exe
4440	c609814bf5.exe
2120	President.pif
2120	President.pif
2120	President.pif
2120	President.pif
2120	President.pif
2120	President.pif
4540	axplont.exe
4540	axplont.exe
2116	explortu.exe
2116	explortu.exe
3972	newbild.exe
3972	newbild.exe
3972	newbild.exe
3972	newbild.exe
3972	newbild.exe
2120	President.pif
2120	President.pif
2120	President.pif
2120	President.pif
4684	axplont.exe
4684	axplont.exe
3632	explortu.exe
3632	explortu.exe
1156	axplont.exe
1156	axplont.exe
1712	explortu.exe
1712	explortu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tasklist.exetasklist.exenewbild.exe

description pid process

Token: SeDebugPrivilege 1584 tasklist.exe
Token: SeDebugPrivilege 5012 tasklist.exe
Token: SeDebugPrivilege 3972 newbild.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

President.pif

pid process

2120 President.pif
2120 President.pif
2120 President.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

President.pif

pid process

2120 President.pif
2120 President.pif
2120 President.pif

description	pid	process
Token: SeDebugPrivilege	1584	tasklist.exe
Token: SeDebugPrivilege	5012	tasklist.exe
Token: SeDebugPrivilege	3972	newbild.exe

pid	process
2120	President.pif
2120	President.pif
2120	President.pif

pid	process
2120	President.pif
2120	President.pif
2120	President.pif

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exeexplortu.exeb78a8ccb6e.exeaxplont.exe9a3efc.execmd.exePresident.pif

description	pid	process	target process
PID 3012 wrote to memory of 3872	3012	49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exe	explortu.exe
PID 3012 wrote to memory of 3872	3012	49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exe	explortu.exe
PID 3012 wrote to memory of 3872	3012	49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exe	explortu.exe
PID 3872 wrote to memory of 3044	3872	explortu.exe	explortu.exe
PID 3872 wrote to memory of 3044	3872	explortu.exe	explortu.exe
PID 3872 wrote to memory of 3044	3872	explortu.exe	explortu.exe
PID 3872 wrote to memory of 1628	3872	explortu.exe	b78a8ccb6e.exe
PID 3872 wrote to memory of 1628	3872	explortu.exe	b78a8ccb6e.exe
PID 3872 wrote to memory of 1628	3872	explortu.exe	b78a8ccb6e.exe
PID 1628 wrote to memory of 3160	1628	b78a8ccb6e.exe	axplont.exe
PID 1628 wrote to memory of 3160	1628	b78a8ccb6e.exe	axplont.exe
PID 1628 wrote to memory of 3160	1628	b78a8ccb6e.exe	axplont.exe
PID 3872 wrote to memory of 4440	3872	explortu.exe	c609814bf5.exe
PID 3872 wrote to memory of 4440	3872	explortu.exe	c609814bf5.exe
PID 3872 wrote to memory of 4440	3872	explortu.exe	c609814bf5.exe
PID 3160 wrote to memory of 4756	3160	axplont.exe	9a3efc.exe
PID 3160 wrote to memory of 4756	3160	axplont.exe	9a3efc.exe
PID 3160 wrote to memory of 4756	3160	axplont.exe	9a3efc.exe
PID 4756 wrote to memory of 1100	4756	9a3efc.exe	cmd.exe
PID 4756 wrote to memory of 1100	4756	9a3efc.exe	cmd.exe
PID 4756 wrote to memory of 1100	4756	9a3efc.exe	cmd.exe
PID 3160 wrote to memory of 3972	3160	axplont.exe	newbild.exe
PID 3160 wrote to memory of 3972	3160	axplont.exe	newbild.exe
PID 3160 wrote to memory of 3972	3160	axplont.exe	newbild.exe
PID 1100 wrote to memory of 1584	1100	cmd.exe	tasklist.exe
PID 1100 wrote to memory of 1584	1100	cmd.exe	tasklist.exe
PID 1100 wrote to memory of 1584	1100	cmd.exe	tasklist.exe
PID 1100 wrote to memory of 1680	1100	cmd.exe	findstr.exe
PID 1100 wrote to memory of 1680	1100	cmd.exe	findstr.exe
PID 1100 wrote to memory of 1680	1100	cmd.exe	findstr.exe
PID 1100 wrote to memory of 5012	1100	cmd.exe	tasklist.exe
PID 1100 wrote to memory of 5012	1100	cmd.exe	tasklist.exe
PID 1100 wrote to memory of 5012	1100	cmd.exe	tasklist.exe
PID 1100 wrote to memory of 3572	1100	cmd.exe	findstr.exe
PID 1100 wrote to memory of 3572	1100	cmd.exe	findstr.exe
PID 1100 wrote to memory of 3572	1100	cmd.exe	findstr.exe
PID 1100 wrote to memory of 4668	1100	cmd.exe	cmd.exe
PID 1100 wrote to memory of 4668	1100	cmd.exe	cmd.exe
PID 1100 wrote to memory of 4668	1100	cmd.exe	cmd.exe
PID 1100 wrote to memory of 2380	1100	cmd.exe	findstr.exe
PID 1100 wrote to memory of 2380	1100	cmd.exe	findstr.exe
PID 1100 wrote to memory of 2380	1100	cmd.exe	findstr.exe
PID 1100 wrote to memory of 1480	1100	cmd.exe	cmd.exe
PID 1100 wrote to memory of 1480	1100	cmd.exe	cmd.exe
PID 1100 wrote to memory of 1480	1100	cmd.exe	cmd.exe
PID 1100 wrote to memory of 2120	1100	cmd.exe	President.pif
PID 1100 wrote to memory of 2120	1100	cmd.exe	President.pif
PID 1100 wrote to memory of 2120	1100	cmd.exe	President.pif
PID 1100 wrote to memory of 4620	1100	cmd.exe	PING.EXE
PID 1100 wrote to memory of 4620	1100	cmd.exe	PING.EXE
PID 1100 wrote to memory of 4620	1100	cmd.exe	PING.EXE
PID 2120 wrote to memory of 2564	2120	President.pif	President.pif
PID 2120 wrote to memory of 2564	2120	President.pif	President.pif
PID 2120 wrote to memory of 2564	2120	President.pif	President.pif
PID 2120 wrote to memory of 2564	2120	President.pif	President.pif
PID 2120 wrote to memory of 2564	2120	President.pif	President.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exe
"C:\Users\Admin\AppData\Local\Temp\49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
4⤵
PID:3044

C:\Users\Admin\1000004002\b78a8ccb6e.exe
"C:\Users\Admin\1000004002\b78a8ccb6e.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\1000050001\9a3efc.exe
"C:\Users\Admin\AppData\Local\Temp\1000050001\9a3efc.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Cook Cook.cmd & Cook.cmd & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\tasklist.exe
tasklist
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
8⤵
PID:1680

C:\Windows\SysWOW64\tasklist.exe
tasklist
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
8⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
cmd /c md 563203
8⤵
PID:4668

C:\Windows\SysWOW64\findstr.exe
findstr /V "DevelRespectNicoleDisclosure" Terror
8⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Delays + Henderson 563203\O
8⤵
PID:1480

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\563203\President.pif
563203\President.pif 563203\O
8⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
8⤵
- Runs ping.exe
PID:4620

C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe
"C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Users\Admin\AppData\Local\Temp\1000005001\c609814bf5.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\c609814bf5.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4440

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\563203\President.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\563203\President.pif
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2564

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4540

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4684

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3632

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1156

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000004002\b78a8ccb6e.exe

Filesize
1.8MB

MD5
756697c6784807bd3637d8f56670849f

SHA1
35d192e1cba489bf066c5b107bbe975b9a3a5b48

SHA256
e31f3dfd7a7b1be8dfcf0f75b6e8c4a0ccc5b16a1f51395526b258f67c076f05

SHA512
6f03a98590cae05235d1458eb8f18455f71135c4b23e9fb186c3db12129dece9e1dfc097adfefc451db005c7f5e8382506a6776a1e52a2d04c3be283e1a0030c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\563203\O

Filesize
216KB

MD5
91cd4e3580ca92286bdb196f22875bf1

SHA1
70d0cd801e5e098bbfbafcf3c19a6ba26728b86b

SHA256
37e50cf73cfdd4435f97adfbf59faeb2e1d4ab3078f7f755e830513e9cc6e79b

SHA512
39eec7e06e2de23476a4cee20aef09e85d63a3859e5cfe4664d177c4dd1b0e861f1c09509f66ad73b8602f88d18b55e54dbc17d40f3a04cc2dfd1df76adf24b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\563203\President.pif

Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Angry

Filesize
56KB

MD5
e18980f3e797bcd18c50562093e9b36e

SHA1
baeb4c031fcfd6a4e88653451c21b6ec45117cd0

SHA256
1fa979096150b9a56a9232db961fc0596c8c40398715c14d58aed3b145411f50

SHA512
ce18e64068d1291235645abbb05fc943a323b50916dee3cde1d7d01252c1ae1786e6d76115f472aae3e4a71ef9298800e217ca5e7455318d448579dd18e82e8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\B

Filesize
7KB

MD5
b7d9c136eecc64a785c01089396d41a8

SHA1
94df96f87743ffd6041f3128bf846ca1b8d29ec4

SHA256
c11ce1480bfd2200e822f10aa0ed07776e11df2151aec771108b312d89943a15

SHA512
09a5c2c2980da1fb49974bca8f4386ed9ac7073db3428db4be9673bc03c198a6980c73fbf3e9d837cd632befa55ed456da77531079af8ac1dad8f12e725aa1b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Buildings

Filesize
45KB

MD5
e70f8848642374e572eeb3294df8e8c8

SHA1
c6ee2c36066f0eae34204b2b1cd94bcb4a90f6de

SHA256
f8b18cec905732f4fc42b906128db848aead34ac55121d161e2175714eab8810

SHA512
734a0eac7e32c2c88e47fd16dbb9b88e510398982986b6fb56e342cd548feff7f4578ca0817138316c08b477c72b5bf21e4c188715c6a844bbb1a5442a3c5bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Contributions

Filesize
11KB

MD5
547e6c2dfd17e4e6733a44d820710fa5

SHA1
959ac2048356a611cd0dff448f334a6c3cd6a6be

SHA256
ba42b13f174900b329cdb6b6c4f56b2e8850ec23e6f9c9cbc65c362b3cc90e4c

SHA512
e89f91e30f40147179b1198be52f79f68e50d6279fe9c20ed02ec8bf40046ef7ba72ff3a443658960ec1af2095a74d5aa2511ead00217f2476c6c42f891174ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Conviction

Filesize
19KB

MD5
17c4cd8940d548c0e931d47ca4282097

SHA1
e15b4e84d8a423c507a93c2bad4c08498a1fca1e

SHA256
a7ac695e870c4bf4bca2f0fe6498ff16f18f362137872b555b77218f9421d2e7

SHA512
1a73ff59fcc2f130e9228fc509c6050c9035a67b891e36cd18a63a2ff51a5941649959d20ab87124418f99b44545365f74ba4c77888586a4f3be5c11cc817e8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cook

Filesize
13KB

MD5
72ac8f5d3b645e12754f774ef0082827

SHA1
95c155eb363622ebb6cf3be2acc30c83c1891ebb

SHA256
e5290af5d914d9819b4331fd04032fa96d0c24930403c3e6465327b4b8ccd6cb

SHA512
8fa8c830296a0a9e2b174ab183dd1f8bded39d10c6fdd8a28c0ed692746ac7dfa63e0e0e8ade9e36df4c4c22e8c47f48cb74a108cde721c52747dbfcdb226d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Corrections

Filesize
22KB

MD5
160dd3f75650e3262ae922f94df43b5e

SHA1
305fb54410e5884431ae1ba6099a01604f0d8b1b

SHA256
33f3b7dcdf19f5e2267b74870913f7858ff5988eb671c63cf463461ddfc8d7b5

SHA512
2cbc89bf1e5e3702a6cb440863156a74113abb1dc14868d55ad729cf3d33a862993dce03889a2cce050e6a8786ed4603e01f8dae43a87626a1a7633bfc32cb39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Delays

Filesize
111KB

MD5
5c8b293ae271ac2e1eec401981adb26f

SHA1
e3fe18684f70719a381ef74cf930c30f64192942

SHA256
5f67f5840e974a2fd55f50899b81fd263a1bcbddcf367fefddd3ca7f16e2a203

SHA512
d5d9d3c732ad6054c50388788e0ae47fc0a6a8d929de206e35fcf497bb47ea249b92354c0f8e0f3fc75e8763c3f55240783aca855b51584db8909c212022571d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Designers

Filesize
37KB

MD5
6a653b0ed4ebfa39e9da239d24f1f158

SHA1
44317d9330cd38b10f50acb5e68e36207abda9f6

SHA256
be6a357d7859810ea4b4711fcfb9f8014e9199c7fcbe923a2b0d4d38e243fce5

SHA512
32cf97ec96e97cc33f9e8b45b51b2d8c6f76f8f776a21fed15c058590b136c5018efef111ac3399f0524e1d73676954c84d2611c69ea7559bf7c30a9fc5b7d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Disney

Filesize
65KB

MD5
78efbe43cb7c371e5ddd7b2078ccc20b

SHA1
1134db4595e346412ee9e465734997751ff8ed9b

SHA256
65ee83c45f247005a126487d9f8907ee8a042681cd8ad994e18a2e04635a50f6

SHA512
d16cb724edb2d8afa57e9f636b84cce8fbd3065919021c52bb0faedbc23e5f92515a1ea6ce23f87923de86bd1260198eebc455d1267e74fdcf869911dad2acf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fewer

Filesize
22KB

MD5
af75af70eb60196ed3630d60998bc775

SHA1
1ade680e66356206ba9673820c94b274350d0d81

SHA256
4a641b0fe10f7248f5c60596363148b7875043db9e86ee0843f81f85a9c6c263

SHA512
0719321f0a1d55a8503a1c58af598c197e56f75af5feb533d87867027f6e8ce14978153774725ad9d334b12f4d26d08f94873bd0987dba38270c7704fcc3fee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fiji

Filesize
43KB

MD5
39ec4a7c5d26eb9f5f3304c84eeea25c

SHA1
a8d6c4d838f572622aedac0e7386174bfbced330

SHA256
3e232e2c78ff8e01921236ec565549ad5248ff5f6895b507bb771af29989bed8

SHA512
21742e138ff468770b0ffee64aceb95dc583f11c8eccfcb9e62b668582e7092f1df2d7767a31aa2b8446483bc07ab2a19ccb7d6b90c06a6d1429daf086bf02df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Flu

Filesize
34KB

MD5
55cfb011757bbcaba2e9bcb3ccb9975a

SHA1
2464ce62c3521624622f4ce48ebbfde7e41934c7

SHA256
ea4209aa1d5f5b62f9d03d92152f1a0e3d483b0392866d9c4a178b6456cfb533

SHA512
254f9b6a917d1b90067b1054544459a7e4aa733a289f7de53895659c27055003608e1c5213b3f1edbdeea4ae8197d767846c92f06d501fa6899ab4f71809cdcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fm

Filesize
44KB

MD5
9795ccf6c9065e8704fa03a13b6aa2fe

SHA1
0456713d9a845e74845f73443132bfe127d53668

SHA256
4419537a70f52d206e902bcca85ad89d46aa54201c78294629de1040aa8821de

SHA512
3e3000e0604a5f7e4e5880dcaecaea57ef709c5c5487a81d1f22e8d82c811c001cb5d00bda990c446026b4a127d59bde9a4971c8daca293b36318e40f751ecbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Gm

Filesize
12KB

MD5
f7fb2bc3248b0ee5dba2986695b98812

SHA1
9cbb3e3d9a03255b4b3e91537e972ef152ac3229

SHA256
c40168bd53ee5162509e60c82051043abfeb7dd39e410532aafabc7fee0a077e

SHA512
8ec2ff703a6deae34c3ac4d29477c80353386094ae38be811e65883b75ff06ffc85642b6feda8b63a184488c04aee8024cc4c57d9ee80c7ed473a31c3477146a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Henderson

Filesize
105KB

MD5
ad09a146fba7ae6cd87f51d12a1a693d

SHA1
83fa720abe91355367246f1d6f2807d48f4d40f0

SHA256
5611d55c0aa854b9a4dd89491a41289ca3b820fe91d4320d2a5cc0086270ac73

SHA512
86218a658469003eb61310216eae3fa5946715b543ccc48d692deba9fac55a92ec02683fb45d3ad3434104eafef1930d184c28aaa0ccc26ca8ed3d1947d4c3af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lace

Filesize
11KB

MD5
bd312452a757c260392bbc628544e6d0

SHA1
a8c30954812dcd1ebdbca09caec9fbec2199d751

SHA256
9396d9578348eb849ae025d861e44dd8a40917639b174b82c919f8cc3bad0b1f

SHA512
3ffe41fb106f0feea9cca2ed5c492d35170b0506fff3800d29b33ec685af9b35826fcec5bececaa1b143a7dab40bf6e2c75a10a6ca5d9b64436d0bbb392f58da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Legendary

Filesize
16KB

MD5
400fd3a9597b793504b425fe3b47d7d9

SHA1
976933490d0350599b7d32e10374e2c5de7c82af

SHA256
925d48d6688214a199f5f8174f553fa5f2758ad7951fcf7a382adb5a26a4a4d4

SHA512
f32bcd8343e1e99b1bef637729ac7ddd21a5d0ba49cb9b05bc54e7ac2474825eed39aab7a6280eaa146815c5a2344f685c6661e7704f7640e53a6ba2b66c57cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Maritime

Filesize
16KB

MD5
fea9b4695247a7309ecda1efe57753f8

SHA1
09ff6ed62b43c0f7d73a55a2cedd1ba3289f473e

SHA256
fecfbca6c470a36c65863a99ba344c3178743f4f88e2b90487bb593b6465113a

SHA512
da84da3046b76cb242dc672b27d3ff51e9bc59497e14ffd724e9e90145b90cf701ebded6f3f59d292d065c040b4f3dcd9c4735bc5736f559ab2efb4cad69811e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Meals

Filesize
44KB

MD5
c0c467f587f39d31df92dd23eeca1f5e

SHA1
1a599ee719efca8850ca32a3c7cf1df3e1ceb3bd

SHA256
7210618bc3ab8bbcfbbbaf2306e968d837c9cb94e9e1ebc7efbf606001f1badc

SHA512
e9374c9d4d37693726c918d246a3cdaf50a8ca56632c36e8ab0bd1fae01b0cde6dd5778600bc847341886fac0abd3b50e5c73b6eb048b69730c1fa2a9fb05753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Page

Filesize
6KB

MD5
ce16aa75833a4a636982fb3b3a77a3b6

SHA1
9632df321dfe00d9ba893fd5a6465c18b4d0e55a

SHA256
8e60f86c54e4655d1c8d94901d4fe561fc4cc306fe6cc6560ea7c7cf2c520c81

SHA512
f4d27bdbd9b7158bc5ea3367396d00a9300b546158c066c8654b15ff1e4726e0cbe2713dde019f6000f5e367b436f4ef26db58014a6306b0b62029cca6697c3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Prefers

Filesize
14KB

MD5
fbcd1f4be3e5db07f98dc1ccd88bdad1

SHA1
f8331fe7a221880cf44886e9d9a996e4d3a16cc7

SHA256
d0f124dfa3b6ccf6da00103032abc766a55527debb7516b1bb926a743eec4d83

SHA512
10ccabe3a20da8a89b9a1ae31031f8daa0003c4429051f0d8fb9a84b20e2bdeb1a9ef7b35f8787f8af2b81b0a4811c755b6deb79b35713f926beb050f82c2ddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Range

Filesize
54KB

MD5
e2fdd75a64c0d4ba44ff2f5e20cb2283

SHA1
49e25c8bff36f67ec80b41658d67cc3c870d1bf7

SHA256
766405ceb93549aefe8206628a9a187af822f1b198b690328c0f41bc35e8665e

SHA512
af15b149b2cd3ebbbbe2b8f408f04067c310a51b390df63e193b47f9c903c21ad1669fdca8c2bfec16cf9838d9cb3fef735ee0ee3f9b51a2794ecb9e573438e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Refurbished

Filesize
33KB

MD5
3c8d029caf185f0bea5a2d550dd26024

SHA1
2995cec9c0a2859a5628c5f503386370bb1531e3

SHA256
b2bd8ee14ea85b2f8ef701cf8ceea54020f7f45469645bfece0ad94df8a24590

SHA512
991ad6e7b233a0c71f9ab803f4dd93d45f7e2856ba2ba8f8ef4391f28b0d8abda596bc8db71ecd6b42e150cabd997e1972ade76fce585acdbc514a0036fdcc76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Responding

Filesize
23KB

MD5
e3cac6d999f67dfd41451b3175ed76c2

SHA1
eb0286c35b5fc290609bea4ae709bab602fab90b

SHA256
bf1bbcd4dddf3e4d355889a72a6114dcd9939d32c966f8efda25d5db9015a4aa

SHA512
ace65b9f98a13b3fb0ac1bc12f9584f7698ab91f91c69562aec92030171129d6bbc24fc45f452612264e7444066f9d71a7fe179a4bf3c6bc4a75e6dca92d722d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rug

Filesize
31KB

MD5
1efe3e8770086c83c8eecbd265c90779

SHA1
09bb8a3080db495f59073a8f443e3f824cad3c8e

SHA256
a31798a500ec18047cd37c69e443f10e076d1c52632fd4d25db23c7572a3dafa

SHA512
cd128d00121755aa75c93ed649271755a0128bf3850cd005bb69b562d9ca604ac84e4ba0523a951a155be33f3716d05f7021be0de4f3ca8bd1370ab764851aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Scan

Filesize
58KB

MD5
fcb9fd60df8fe390ad8ed9c06496b759

SHA1
838524f37d4626c645cb098bc6558c58401a741e

SHA256
8173d910d9e0dab456ccbfa5665a11933fb83c8008036e6e8358f34c82412f80

SHA512
516e20e7e9e068a4f0998a67c7c407f438f32b2153d6521e5f2eeb36b7a0bbcc7f6b111998ad1dd9b74bfda9907bae5b4a4a787bf9ea1d195187ccec14d59d75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Scottish

Filesize
9KB

MD5
b95bd4c9623cfc6552d417434f029f1e

SHA1
16b0c7a9e7ad9c09daecbf421885e82acc023d3d

SHA256
b0523cb0e6a6290d8b8093f9879054ef96bac841f9d40f3bf5841ee14f44be1d

SHA512
8514760889dc6ed0436e0b35c4f483696cf4a2f1128af12426a17951fb5cddfc5e2192568068151a9fc2d57d40dc28a0a9868e1c40a8e93d31cc146923a9a824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sexo

Filesize
23KB

MD5
59a98bdf5d5405ded56f942783e14d8d

SHA1
37a88d4e3c7baf7dbb4ccacec414fbfacd5f309a

SHA256
7cde8b7bc8ec782b30b76f34015ded9847b94e2e6cd19df8fa0d840958680cd0

SHA512
3c633a5c4f535ff28563e643ae71a4fbdd8a2e827204ddc85328d233cfbc4607d0428802f8346620bdeb7d43c12606d3854ad2051e2c26db5abf6c6f5666452d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Signup

Filesize
20KB

MD5
252e4dd74cf8d4cf5e26b98a5b388bce

SHA1
41ca9d1675157b972da01915be6c43c0b5799570

SHA256
8b1c1b67954884f916f5b15750fc4d858c51adec07aa7e82e7e8bf4d9194c31d

SHA512
09e8b96bad9b3edd2e1ebc7eb6c12d455b6411146365d1857bac79dbbe675957d31a88ae3f331e18514754136cb0831dbe2fb18e929d6e142405f915da1d2cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Terror

Filesize
77B

MD5
ab88f3131ff8f39218c6d759b47250ba

SHA1
db5edfd3bb14616bb5bbea47317a1f3fb87b15f9

SHA256
be1248ab4e992e02c1946264556ec61cfed7e6e18c5b44422c09aa87d1afd643

SHA512
ab891b6169043ad1ceb9751c72b4ca081c1e0c41a71da66e5696e327f3bc667783c7244af2ae818b8d7de9b3f057b4a55af7983fd86ee2dc51be1cc3e854c7ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Test

Filesize
25KB

MD5
1e55eedd05f025d9b2231044b53e8d3a

SHA1
352f89a1886f79358e04fbaa49535d03e9e2b908

SHA256
c0b11266453e8b269482fe5685da28ddc1ccacfd979fc9ae4a20241e7896ec95

SHA512
46c3056ef061e042686246be3d9d69535bdd454c7baa03edcbb9ebf510e2072a43ce45dc558d1d3416268f518122641e18c27205608aaf9874a2c585f5f01e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Totally

Filesize
54KB

MD5
32e4e9a325717105f480e7c24a0dd198

SHA1
ca225bb1c5cca055b9ee45fd9e086d1291e57e33

SHA256
0d0d7470cc9c588f9b213de107dd5d38c32fc6dc445fdbc4e26f28d8deac7f21

SHA512
a6a3233f71a6fa47bc767275cd17f3bed27d8ea5279ca2839bb5a75e38adb54ebf607005c46e491313feb6d743782aed3f119d1b7c5f3ee31a28388cfe4a53de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Underlying

Filesize
61KB

MD5
ae9633eaed1d0acd12cc4dc0aceb6b6a

SHA1
5254d65915d37a4339cf1a9d758b5008609ca81a

SHA256
7953a724ef2c9ab8f3d6f2ae98ea32944b061c34d80698cd2df163d40ffc47b2

SHA512
e35568d13bfcc60012ac0d7716fb20fb5a67bf038de2e643f0ad4b9a0b394fc47c6ad800f362b5ea35848e65e2d8dacc73ac2b7395ec320cd4095b75df010144

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\c609814bf5.exe

Filesize
2.3MB

MD5
c858279b34d2ea3982203ba11dc59cb3

SHA1
921227ece0c988c7ffb6b84ae7e93049d3148246

SHA256
bd16cbd2d6866544b614db1c8e7f6a2e22c83deb9b9b15d0fa56c34e5c04a533

SHA512
dcd536c491b04c6b0f34f3ecc3d843d1eed8db7ed9093fac9119bf3100896fb0676115929cb377ed766cea7e62842cb1ea4bfd95477379423efa64a75c2615bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000050001\9a3efc.exe

Filesize
804KB

MD5
f72cedeb043278f63f9645424dbc36f5

SHA1
28a8be67a02280d90a97884d4d429edc8d8fada1

SHA256
c4cf60e7a1678f6deec1f8ec4f4ddeca41528854950f6ac21693f7a14ca04677

SHA512
f9b485ae582f37968339f753aca428f448c3f72bd92d4815fb831d23974f5e09ccec65cae4305e0f928acf68ef47d1f2215509ce0b35520f14006063934ce5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe

Filesize
297KB

MD5
c302ed158d988bc5aeb37a4658e3eb0a

SHA1
af658ccf6f44899a0ffb97759e6135f46dcd2f8e

SHA256
58bdeb7c3da885110d6983f3e7e752119ec8bf9da9631452b94ddc8bed6abf90

SHA512
94e4576e39d6cac2d5553cdec9def10926929a3f4262b5bc1caa3e7db64f0e73c00e5fc1aef08eff003d25a294edc1b95ba89a7880d93d97b873f8d275a4f09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
028dd36801f3b1f0b82a5c75f181798f

SHA1
372f942dfe325d3cd22ef8f172d8d7cb90dc14f0

SHA256
49e8fba664cd8d538e8b5911dc575e7b873ea97de7ad70e1498539ff671a8bd4

SHA512
b5cdc00601d5b660ccbd755a40960f260dbe2a52ac0b240b8933fb20d023cff7b55536f241d1aec05afdefde5e662be11dd01c9d9a0b62cad97f487d21f5bb98

Download Submit
memory/1156-547-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/1156-550-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/1628-52-0x0000000000500000-0x00000000009BD000-memory.dmp

Filesize
4.7MB

Download
memory/1628-39-0x0000000000500000-0x00000000009BD000-memory.dmp

Filesize
4.7MB

Download
memory/1712-549-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/1712-551-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/2116-480-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/2116-478-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/2564-506-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2564-502-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3012-3-0x00000000009A0000-0x0000000000E34000-memory.dmp

Filesize
4.6MB

Download
memory/3012-17-0x00000000009A0000-0x0000000000E34000-memory.dmp

Filesize
4.6MB

Download
memory/3012-1-0x0000000077E36000-0x0000000077E38000-memory.dmp

Filesize
8KB

Download
memory/3012-2-0x00000000009A1000-0x00000000009CF000-memory.dmp

Filesize
184KB

Download
memory/3012-0-0x00000000009A0000-0x0000000000E34000-memory.dmp

Filesize
4.6MB

Download
memory/3012-5-0x00000000009A0000-0x0000000000E34000-memory.dmp

Filesize
4.6MB

Download
memory/3160-511-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3160-537-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3160-500-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3160-534-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3160-491-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3160-499-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3160-532-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3160-528-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3160-514-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3160-517-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3160-53-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3160-540-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3160-508-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3160-543-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3160-552-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/3632-527-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3632-523-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-21-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-482-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-536-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-531-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-497-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-553-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-493-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-529-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-503-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-538-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-20-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-18-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-481-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-324-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-510-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-19-0x00000000000E1000-0x000000000010F000-memory.dmp

Filesize
184KB

Download
memory/3872-512-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-541-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-518-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-515-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3872-544-0x00000000000E0000-0x0000000000574000-memory.dmp

Filesize
4.6MB

Download
memory/3972-373-0x0000000005100000-0x000000000514C000-memory.dmp

Filesize
304KB

Download
memory/3972-369-0x0000000005FF0000-0x0000000006608000-memory.dmp

Filesize
6.1MB

Download
memory/3972-349-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

Filesize
40KB

Download
memory/3972-370-0x00000000051D0000-0x00000000052DA000-memory.dmp

Filesize
1.0MB

Download
memory/3972-371-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/3972-494-0x0000000007370000-0x00000000073C0000-memory.dmp

Filesize
320KB

Download
memory/3972-372-0x00000000050C0000-0x00000000050FC000-memory.dmp

Filesize
240KB

Download
memory/3972-273-0x0000000005420000-0x00000000059C6000-memory.dmp

Filesize
5.6MB

Download
memory/3972-490-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/3972-312-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/3972-496-0x00000000079F0000-0x0000000007F1C000-memory.dmp

Filesize
5.2MB

Download
memory/3972-495-0x0000000006A60000-0x0000000006C22000-memory.dmp

Filesize
1.8MB

Download
memory/3972-257-0x00000000003F0000-0x0000000000440000-memory.dmp

Filesize
320KB

Download
memory/4440-509-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4440-519-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4440-533-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4440-530-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4440-72-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4440-539-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4440-554-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4440-492-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4440-542-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4440-535-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4440-516-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4440-545-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4440-504-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4440-513-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4440-505-0x0000000000F90000-0x000000000157E000-memory.dmp

Filesize
5.9MB

Download
memory/4540-479-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/4540-476-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/4684-521-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download
memory/4684-525-0x0000000000DD0000-0x000000000128D000-memory.dmp

Filesize
4.7MB

Download