amadey | 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe
Size

1.8MB
MD5

80f73c8cbbe5599b4e21e4956023116d
SHA1

102c906a769b228996cdfee698fe02cc8d8487e7
SHA256

4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d
SHA512

a90995e9340d2696d3b635f199c7f4e7e010633536234c24f2731c29815303f04c807fb71915c4e3c60a0431405553c06b25431644987cfde0e6eca961c5a68c
SSDEEP

49152:N6TRoHP8EL8svVnx9SeasvO3ug4PGSUYiIg0e:NiRSPZRPSeE4PG/XIg0e

Score

10^/10

amadey redline stealc buy tg @fatherofcarders default fed3aa credential_access discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
wightman.ca
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontiernet.net
Port:
587
Username:
[email protected]
Password:
28966516

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

185.215.113.67:21405

Extracted

Family

stealc

Botnet

default

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

BUY TG @FATHEROFCARDERS

45.66.231.214:9932

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000500000001941f-91.dat	family_redline
behavioral1/memory/1132-101-0x0000000001230000-0x0000000001282000-memory.dmp	family_redline
behavioral1/files/0x0005000000019468-127.dat	family_redline
behavioral1/memory/888-137-0x00000000009B0000-0x0000000000A02000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2540 created 1204	2540	Beijing.pif	21
PID 2540 created 1204	2540	Beijing.pif	21

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rorukal.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	rorukal.exe

Downloads MZ/PE file

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	rorukal.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url	cmd.exe

Executes dropped EXE 18 IoCs

pid	Process
2744	axplong.exe
1484	GOLD.exe
2820	crypteda.exe
112	newalp.exe
2404	Hkbsse.exe
1132	06082025.exe
680	stealc_default.exe
888	MYNEWRDX.exe
3020	rorukal.exe
2036	runtime.exe
2540	Beijing.pif
2452	Ukodbcdcl.exe
1204	Explorer.EXE
6572	Ukodbcdcl.exe
6900	ajujnub.exe
6172	ajujnub.exe
2644	ajujnub.exe
5188	ajujnub.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	axplong.exe

Loads dropped DLL 32 IoCs

pid	Process
2368	4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe
2744	axplong.exe
2744	axplong.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2744	axplong.exe
2744	axplong.exe
2744	axplong.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe
112	newalp.exe
2744	axplong.exe
2744	axplong.exe
2744	axplong.exe
2744	axplong.exe
680	stealc_default.exe
680	stealc_default.exe
2744	axplong.exe
2744	axplong.exe
864	cmd.exe
2744	axplong.exe
2452	Ukodbcdcl.exe
2540	Beijing.pif
6816	WerFault.exe
6816	WerFault.exe
6816	WerFault.exe
6816	WerFault.exe
6816	WerFault.exe
6816	WerFault.exe
6816	WerFault.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nvaurnhq = "C:\\Users\\Admin\\AppData\\Roaming\\Nvaurnhq.exe"	Ukodbcdcl.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3032	tasklist.exe
1308	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2368	4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe
2744	axplong.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2452 set thread context of 6572	2452	Ukodbcdcl.exe	67
PID 6900 set thread context of 6172	6900	ajujnub.exe	73
PID 2644 set thread context of 5188	2644	ajujnub.exe	75

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	rorukal.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\EquationExplorer	runtime.exe
File opened for modification	C:\Windows\TreeProfessor	runtime.exe
File opened for modification	C:\Windows\SysOrleans	runtime.exe
File opened for modification	C:\Windows\HostelGalleries	runtime.exe
File opened for modification	C:\Windows\ConfiguringUps	runtime.exe
File created	C:\Windows\Tasks\Test Task17.job	Ukodbcdcl.exe
File opened for modification	C:\Windows\ChestAntique	runtime.exe
File created	C:\Windows\Tasks\Hkbsse.job	newalp.exe
File opened for modification	C:\Windows\ExplorerProprietary	runtime.exe
File created	C:\Windows\Tasks\axplong.job	4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2244	1484	WerFault.exe	33
316	2820	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOLD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ukodbcdcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajujnub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beijing.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ukodbcdcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajujnub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajujnub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajujnub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MYNEWRDX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runtime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06082025.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2368	4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe
2744	axplong.exe
680	stealc_default.exe
888	MYNEWRDX.exe
888	MYNEWRDX.exe
888	MYNEWRDX.exe
680	stealc_default.exe
1132	06082025.exe
1132	06082025.exe
1132	06082025.exe
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif
3020	rorukal.exe
3020	rorukal.exe
3020	rorukal.exe
3020	rorukal.exe
3020	rorukal.exe
3020	rorukal.exe
3020	rorukal.exe
3020	rorukal.exe
3020	rorukal.exe
3020	rorukal.exe
3020	rorukal.exe
3020	rorukal.exe
3020	rorukal.exe
3020	rorukal.exe
3020	rorukal.exe
3020	rorukal.exe
6464	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	MYNEWRDX.exe
Token: SeDebugPrivilege	1132	06082025.exe
Token: SeDebugPrivilege	3032	tasklist.exe
Token: SeDebugPrivilege	1308	tasklist.exe
Token: SeDebugPrivilege	2452	Ukodbcdcl.exe
Token: SeDebugPrivilege	6464	powershell.exe
Token: SeDebugPrivilege	2452	Ukodbcdcl.exe
Token: SeDebugPrivilege	6900	ajujnub.exe
Token: SeDebugPrivilege	6900	ajujnub.exe
Token: SeDebugPrivilege	2644	ajujnub.exe
Token: SeDebugPrivilege	2644	ajujnub.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2368	4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe
112	newalp.exe
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2540	Beijing.pif
2540	Beijing.pif
2540	Beijing.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2744	2368	4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe	30
PID 2368 wrote to memory of 2744	2368	4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe	30
PID 2368 wrote to memory of 2744	2368	4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe	30
PID 2368 wrote to memory of 2744	2368	4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe	30
PID 2744 wrote to memory of 1484	2744	axplong.exe	33
PID 2744 wrote to memory of 1484	2744	axplong.exe	33
PID 2744 wrote to memory of 1484	2744	axplong.exe	33
PID 2744 wrote to memory of 1484	2744	axplong.exe	33
PID 1484 wrote to memory of 2244	1484	GOLD.exe	35
PID 1484 wrote to memory of 2244	1484	GOLD.exe	35
PID 1484 wrote to memory of 2244	1484	GOLD.exe	35
PID 1484 wrote to memory of 2244	1484	GOLD.exe	35
PID 2744 wrote to memory of 2820	2744	axplong.exe	36
PID 2744 wrote to memory of 2820	2744	axplong.exe	36
PID 2744 wrote to memory of 2820	2744	axplong.exe	36
PID 2744 wrote to memory of 2820	2744	axplong.exe	36
PID 2744 wrote to memory of 112	2744	axplong.exe	38
PID 2744 wrote to memory of 112	2744	axplong.exe	38
PID 2744 wrote to memory of 112	2744	axplong.exe	38
PID 2744 wrote to memory of 112	2744	axplong.exe	38
PID 2820 wrote to memory of 316	2820	crypteda.exe	39
PID 2820 wrote to memory of 316	2820	crypteda.exe	39
PID 2820 wrote to memory of 316	2820	crypteda.exe	39
PID 2820 wrote to memory of 316	2820	crypteda.exe	39
PID 112 wrote to memory of 2404	112	newalp.exe	40
PID 112 wrote to memory of 2404	112	newalp.exe	40
PID 112 wrote to memory of 2404	112	newalp.exe	40
PID 112 wrote to memory of 2404	112	newalp.exe	40
PID 2744 wrote to memory of 1132	2744	axplong.exe	41
PID 2744 wrote to memory of 1132	2744	axplong.exe	41
PID 2744 wrote to memory of 1132	2744	axplong.exe	41
PID 2744 wrote to memory of 1132	2744	axplong.exe	41
PID 2744 wrote to memory of 680	2744	axplong.exe	42
PID 2744 wrote to memory of 680	2744	axplong.exe	42
PID 2744 wrote to memory of 680	2744	axplong.exe	42
PID 2744 wrote to memory of 680	2744	axplong.exe	42
PID 2744 wrote to memory of 888	2744	axplong.exe	44
PID 2744 wrote to memory of 888	2744	axplong.exe	44
PID 2744 wrote to memory of 888	2744	axplong.exe	44
PID 2744 wrote to memory of 888	2744	axplong.exe	44
PID 2744 wrote to memory of 3020	2744	axplong.exe	46
PID 2744 wrote to memory of 3020	2744	axplong.exe	46
PID 2744 wrote to memory of 3020	2744	axplong.exe	46
PID 2744 wrote to memory of 3020	2744	axplong.exe	46
PID 2744 wrote to memory of 2036	2744	axplong.exe	47
PID 2744 wrote to memory of 2036	2744	axplong.exe	47
PID 2744 wrote to memory of 2036	2744	axplong.exe	47
PID 2744 wrote to memory of 2036	2744	axplong.exe	47
PID 2036 wrote to memory of 864	2036	runtime.exe	48
PID 2036 wrote to memory of 864	2036	runtime.exe	48
PID 2036 wrote to memory of 864	2036	runtime.exe	48
PID 2036 wrote to memory of 864	2036	runtime.exe	48
PID 864 wrote to memory of 3032	864	cmd.exe	50
PID 864 wrote to memory of 3032	864	cmd.exe	50
PID 864 wrote to memory of 3032	864	cmd.exe	50
PID 864 wrote to memory of 3032	864	cmd.exe	50
PID 864 wrote to memory of 1340	864	cmd.exe	51
PID 864 wrote to memory of 1340	864	cmd.exe	51
PID 864 wrote to memory of 1340	864	cmd.exe	51
PID 864 wrote to memory of 1340	864	cmd.exe	51
PID 864 wrote to memory of 1308	864	cmd.exe	52
PID 864 wrote to memory of 1308	864	cmd.exe	52
PID 864 wrote to memory of 1308	864	cmd.exe	52
PID 864 wrote to memory of 1308	864	cmd.exe	52

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1204
- C:\Users\Admin\AppData\Local\Temp\4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe
  "C:\Users\Admin\AppData\Local\Temp\4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
      "C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 64
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
      "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 64
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:316
  - - C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe
      "C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:112
    - - C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe
      "C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
      "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:680
  - - C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe
      "C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:888
  - - C:\Users\Admin\AppData\Local\Temp\1000120101\rorukal.exe
      "C:\Users\Admin\AppData\Local\Temp\1000120101\rorukal.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Looks for VirtualBox Guest Additions in registry
      Looks for VMWare Tools registry key
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Suspicious behavior: EnumeratesProcesses
      PID:3020
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3020 -s 220
        5⤵
        Loads dropped DLL
        
        PID:6816
  - - C:\Users\Admin\AppData\Local\Temp\1000123001\runtime.exe
      "C:\Users\Admin\AppData\Local\Temp\1000123001\runtime.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:776
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 40365
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "HopeBuildersGeniusIslam" Sonic
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:912
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
        
        Beijing.pif s
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
        
        "C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif"
        7⤵
        
        PID:6736
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:304
  - - C:\Users\Admin\AppData\Local\Temp\1000125001\Ukodbcdcl.exe
      "C:\Users\Admin\AppData\Local\Temp\1000125001\Ukodbcdcl.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2452
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMAAxADIANQAwADAAMQBcAFUAawBvAGQAYgBjAGQAYwBsAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADEAMAAwADAAMQAyADUAMAAwADEAXABVAGsAbwBkAGIAYwBkAGMAbAAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATgB2AGEAdQByAG4AaABxAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE4AdgBhAHUAcgBuAGgAcQAuAGUAeABlAA==
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6464
    - - C:\Users\Admin\AppData\Local\Temp\1000125001\Ukodbcdcl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000125001\Ukodbcdcl.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1996
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2160

C:\Windows\system32\taskeng.exe
taskeng.exe {B9A38F05-649B-45D0-835B-F7FDC165471E} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
PID:6868
- C:\ProgramData\qxjv\ajujnub.exe
  C:\ProgramData\qxjv\ajujnub.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6900
- - C:\ProgramData\qxjv\ajujnub.exe
    "C:\ProgramData\qxjv\ajujnub.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6172
- C:\ProgramData\qxjv\ajujnub.exe
  C:\ProgramData\qxjv\ajujnub.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- - C:\ProgramData\qxjv\ajujnub.exe
    "C:\ProgramData\qxjv\ajujnub.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe

Filesize
954KB

MD5
e71c0c5d72455dde6510ba23552d7d2f

SHA1
4dff851c07a9f9ebc9e71b7f675cc20b06a2439c

SHA256
de1d7fe86a0b70a7a268d2960109833f4d126d5d9e3acb36697e8ff59c56017f

SHA512
c6f4b1eb353a554ca49bab5e894a4d7c46e2674d32f2f0d5a9231400d14a9ea5604c079193cd0bed9fea409bb71b5779c0c03671e104cb0740fe8ade3e530ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

Filesize
1.4MB

MD5
04e90b2cf273efb3f6895cfcef1e59ba

SHA1
79afcc39db33426ee8b97ad7bfb48f3f2e4c3449

SHA256
e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e

SHA512
72aa08242507f6dd39822a34c68d6185927f6772a3fc03a0850d7c8542b21a43e176f29e5fbb3a4e54bc02fa68c807a01091158ef68c5a2f425cc432c95ea555

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe

Filesize
416KB

MD5
6093bb59e7707afe20ca2d9b80327b49

SHA1
fd599fa9d5ef5c980a445fc6c19efd1fcb80f2bc

SHA256
3acc0b21db1f774d15a1f1d8080aff0b8f83eefb70c5c673f1c6ed7b676cd6d3

SHA512
d28808686f73bcc13b8ad57c84585b9d55d1b6445807023897be45f229bcab89971fb320223772fa500a692ad0b6106eaa0b4cf35e807038a6050994106d18e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe

Filesize
304KB

MD5
0d76d08b0f0a404604e7de4d28010abc

SHA1
ef4270c06b84b0d43372c5827c807641a41f2374

SHA256
6dcda2619b61b0cafbfdebb7fbb82c8c2c0b3f9855a4306782874625d6ff067e

SHA512
979e0d3ec0dad1cc2acd5ec8b0a84a5161e46ee7a30f99d9a3ff3b7ce4eec7f5fa1f11fbe2a84267a7263e04434f4fc7fabc7858ef4c0b7667aeb6dcd3aa7165

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe

Filesize
187KB

MD5
e78239a5b0223499bed12a752b893cad

SHA1
a429b46db791f433180ae4993ebb656d2f9393a4

SHA256
80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89

SHA512
cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe

Filesize
304KB

MD5
0f02da56dab4bc19fca05d6d93e74dcf

SHA1
a809c7e9c3136b8030727f128004aa2c31edc7a9

SHA256
e1d0fe3bada7fdec17d7279e6294731e2684399905f05e5a3449ba14542b1379

SHA512
522ec9042680a94a73cefa56e7902bacb166e23484f041c9e06dce033d3d16d13f7508f4d1e160c81198f61aa8c9a5aecfa62068150705ecf4803733f7e01ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000120101\rorukal.exe

Filesize
3.3MB

MD5
77ecafee1b0ba32bd4e3b90b6d92a81f

SHA1
59d3e7bd118a34918e3a39d5a680ff75568482bb

SHA256
14d8c36fbab22c95764169e90e4985f90a171b201bb206bd6ea8883b492083e3

SHA512
aa8aaf0c455c80d0dfd17ce67eff54f75f9cdbb92287693bf395cf33cec19ab8063a0e5766c96aa5fc75825db6e9a57d90ccf3698796f4e6875075225a9e1baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000123001\runtime.exe

Filesize
1.1MB

MD5
7adfc6a2e7a5daa59d291b6e434a59f3

SHA1
e21ef8be7b78912bed36121404270e5597a3fe25

SHA256
fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693

SHA512
30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000125001\Ukodbcdcl.exe

Filesize
1.0MB

MD5
25ed0fce4a9df59b3ed88853db8206f3

SHA1
4382f0adb2a94e8a4eccd6aa2d222842000b7895

SHA256
c5b32f1cdc2a48f1dd2b1623598c24a2635dc57fdab3b4328f1cb3b66f5079ba

SHA512
5a329229506e3f9feaefbe477699cc4b8510f949f4b1df0bf5b66ac892404a94fa5effef3d9acbdfa90bb6e494e5799fa721e14a29ec4e0f1e7b97719397939f

Download Submit
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\40365\s

Filesize
554KB

MD5
30ab54ae1c615436d881fc336c264fef

SHA1
7e2a049923d49ae5859d2a0aa3a7dd092e672bd1

SHA256
ff64ae2a70b07eba7678241a8fa20f3569a03cc5cdc087306a4451acd97ee2db

SHA512
1af06fd6d67c59df3a32fbc4c12e8788f5e3b46a1ca2e1ddc8bc9926d1bacb0b702f2d88e950fc04145d3b904e60e8910acf6fc0f87bd676459b10fc25707be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
80f73c8cbbe5599b4e21e4956023116d

SHA1
102c906a769b228996cdfee698fe02cc8d8487e7

SHA256
4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d

SHA512
a90995e9340d2696d3b635f199c7f4e7e010633536234c24f2731c29815303f04c807fb71915c4e3c60a0431405553c06b25431644987cfde0e6eca961c5a68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Continue

Filesize
31KB

MD5
6184a8fc79d602bc18c0badb08598580

SHA1
de3a273e7020d43729044e41272c301118cc3641

SHA256
a8181f349864c6c9a216935894392b75d0d1430d43a255ff3a9ad56c325487e7

SHA512
41687b30ecd957eb1b6d332133f1c1d7e01cc1c8bf56526dfa20de3937ed549133e93872380e3b51b63b33134c62d4df91c7e08e908ca18b3e6f9d52e89378cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Continues

Filesize
14KB

MD5
2226738a67da04cef580c99f70b9a514

SHA1
48bbfbfdce94231ebc1833b87ff6e79aa716e3b4

SHA256
e04a1b86ce1a5352f7c3a5ddb8b500993f4342ef4e188ed156009e5271795af1

SHA512
c653aafd3aa2d320eef1d5b9cf9e58372e778c41147c3d85bcb6e231c8703d19f410ebb2f58f2a9f0671f027fce2baeeec70252e926bb9880128ba6dcedfdb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Corresponding

Filesize
871KB

MD5
7eb7312237cf8653a876136046ce8b3e

SHA1
250d61e72b9a6d0d436e04b569459bb69bb2ab9e

SHA256
fa349d460b066e9b325db200251ae35892353462c352728cfb0fa405c293f725

SHA512
778fbbec7cd5c9d2aa3623f73604fd7a6e98d3673b50ab7e8ac54c8aa3d955c103d7cdc0838e00f256ade000c979860bf54d3d2b36dd3dcd4fe8fca9f1c82699

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dietary

Filesize
89KB

MD5
30a3ed3849e36b4c26a02cf030ea985a

SHA1
d3d29d3ba2c033d0abb6105cd274001e65d07f4e

SHA256
6d86469ced96b57db84de11f9eac77c8076a3bfa65942776f7cc50625fbd31ca

SHA512
158aabac6f79393a2a7faed30693f78191bf97771a6125229873abedceef71d5df7d5bb934fdfa1ff4c683df49a158e5ba3efea9a4dd10dce8ba24b3c4fc507d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minister

Filesize
98KB

MD5
97dd60ac57e3f1873f3120688d47cd3d

SHA1
e8941900dac0dd9b9ac4b7a08d3ace40c3cc9736

SHA256
526b6cbf430fc40eb8d23cd2c4ee1c81e04a2c9e01167370527f19465f67c452

SHA512
831eb3f1bd352173db735e4f5e2a4c9380006e3146ecd466b415d7ef7e2c0a345b4da0ebc0415043a9599859e2fb2a131e8d3fc5012d1ccc7473b0ebd4fd076a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mobile

Filesize
76KB

MD5
b81b3a6c6725be1cdd528e5fb3a9aa07

SHA1
069d5fd30b48bf5345d21c2af0106325e9372c8f

SHA256
08e8e54417a8e7007aeedb0399f4e549fc31aaf6031416c8d30306fe350c1f84

SHA512
7a04ee23c0b3d832fa518390253c0153829e7ab0907209dc67c5eae687ad648ab18aa7d064e544c1da3b03cc610ed10fe63a73fc5aaa129402a561843aa975e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mr

Filesize
86KB

MD5
0c3f23378f256b116fca366d08dbd146

SHA1
c6c92667dea09b7a4b2b00193ee043278854db1e

SHA256
5defb1b1225282e2ab46d4257416334b5344e5b0a020b4b7900436c59684de65

SHA512
0db03b484ce0849bd005ec962e69fea3f8b728739e622ad57519e9411d5257026938b9eb8db050bb355a624f34b19bfe0e0fb8af888bab99d4febb5ec89381f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sonic

Filesize
982B

MD5
1b5bba21607d9a9c3293ff564ecf4f1a

SHA1
de790d57fbfae12e649bf65fd9695e36a266696a

SHA256
fc6ba37a8bfe546d8186e92c2f729080b00d4371ef2e8e3a18ec66acc1cf199e

SHA512
b9e23dd79986397c9fe5c1ac150c60c8993f89488645f06e0865abb2491dc3b9949867753d76cab34352445459601c339a6f78ff8b48323951638f9666d6a74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Speak

Filesize
55KB

MD5
0e16cafd2403c552149e325d90637d12

SHA1
efe1e6af41751ca9978c3a21c82ef135a8846f21

SHA256
93ddbcd9109129656049162e3f6a8d9fffdc5a3da262e0a2bf2bc4624014f7b0

SHA512
0251de7abb9a4457cf16dab0b1e88d0897c5b6655cdf27b9c298c1796925ea2514cd2f065106eccd56b97a6804e84f459806d528837bf9718c7c9e525f7159ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Template

Filesize
56KB

MD5
0e70f873cb8f5615dd364325b714895a

SHA1
089a8f5d7d90e7eedd6d02e30aa458440c89d7a7

SHA256
4734d4d0626e140398a788226a5985e814bbd674f4218b60a89fd2da8f4ceb94

SHA512
867dbac35991b2222f5fb4f5fc6dca4640b386356dff12322fdc06bb05b8af7c438e15f9fc6b4d4cedc27f081480d4187c1b4007831d9a052c3beda8d3c56ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zinc

Filesize
63KB

MD5
51143491656ae2ee983d709c45a41861

SHA1
1cf8eb8d13246195cfc6168524d212c9a65b4681

SHA256
dc4aac8b9eb62788bd04316293cde7e3d839e828e3e3082a2d81922ca8a94c81

SHA512
239f2903b3b5177b32971ae3eb3eab2cc4c3d7856a3839f184c7f59b7e3cd53de4dac3363519e82acd183e564ae688dc8a7e5097c1283699714584ee13bed67d

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/680-122-0x0000000000090000-0x00000000002D3000-memory.dmp

Filesize
2.3MB

Download
memory/680-207-0x0000000000090000-0x00000000002D3000-memory.dmp

Filesize
2.3MB

Download
memory/680-138-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/888-137-0x00000000009B0000-0x0000000000A02000-memory.dmp

Filesize
328KB

Download
memory/1132-101-0x0000000001230000-0x0000000001282000-memory.dmp

Filesize
328KB

Download
memory/1484-40-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2368-17-0x0000000000B20000-0x0000000000FED000-memory.dmp

Filesize
4.8MB

Download
memory/2368-0-0x0000000000B20000-0x0000000000FED000-memory.dmp

Filesize
4.8MB

Download
memory/2368-11-0x0000000000B20000-0x0000000000FED000-memory.dmp

Filesize
4.8MB

Download
memory/2368-5-0x0000000000B20000-0x0000000000FED000-memory.dmp

Filesize
4.8MB

Download
memory/2368-4-0x0000000000B20000-0x0000000000FED000-memory.dmp

Filesize
4.8MB

Download
memory/2368-3-0x0000000000B20000-0x0000000000FED000-memory.dmp

Filesize
4.8MB

Download
memory/2368-2-0x0000000000B21000-0x0000000000B4F000-memory.dmp

Filesize
184KB

Download
memory/2368-1-0x0000000077400000-0x0000000077402000-memory.dmp

Filesize
8KB

Download
memory/2452-286-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-316-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-1358-0x0000000004E00000-0x0000000004E54000-memory.dmp

Filesize
336KB

Download
memory/2452-298-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-300-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-304-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-306-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-308-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-310-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-312-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-314-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-318-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-322-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-324-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-275-0x0000000000DC0000-0x0000000000ED0000-memory.dmp

Filesize
1.1MB

Download
memory/2452-276-0x00000000009B0000-0x0000000000A8C000-memory.dmp

Filesize
880KB

Download
memory/2452-277-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-278-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-280-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-292-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-284-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-302-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-320-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-282-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-1349-0x00000000006B0000-0x0000000000708000-memory.dmp

Filesize
352KB

Download
memory/2452-288-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-290-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-294-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-296-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2452-1350-0x0000000000940000-0x000000000098C000-memory.dmp

Filesize
304KB

Download
memory/2644-2493-0x0000000000B30000-0x0000000000C40000-memory.dmp

Filesize
1.1MB

Download
memory/2744-194-0x0000000001030000-0x00000000014FD000-memory.dmp

Filesize
4.8MB

Download
memory/2744-22-0x0000000001030000-0x00000000014FD000-memory.dmp

Filesize
4.8MB

Download
memory/2744-118-0x00000000069F0000-0x0000000006C33000-memory.dmp

Filesize
2.3MB

Download
memory/2744-19-0x0000000001031000-0x000000000105F000-memory.dmp

Filesize
184KB

Download
memory/2744-170-0x0000000001030000-0x00000000014FD000-memory.dmp

Filesize
4.8MB

Download
memory/2744-113-0x0000000001030000-0x00000000014FD000-memory.dmp

Filesize
4.8MB

Download
memory/2744-119-0x00000000069F0000-0x0000000006C33000-memory.dmp

Filesize
2.3MB

Download
memory/2744-177-0x0000000001030000-0x00000000014FD000-memory.dmp

Filesize
4.8MB

Download
memory/2744-23-0x0000000001030000-0x00000000014FD000-memory.dmp

Filesize
4.8MB

Download
memory/2744-20-0x0000000001030000-0x00000000014FD000-memory.dmp

Filesize
4.8MB

Download
memory/2744-120-0x0000000001030000-0x00000000014FD000-memory.dmp

Filesize
4.8MB

Download
memory/2744-18-0x0000000001030000-0x00000000014FD000-memory.dmp

Filesize
4.8MB

Download
memory/2744-208-0x00000000069F0000-0x000000000714A000-memory.dmp

Filesize
7.4MB

Download
memory/2744-1382-0x00000000069F0000-0x000000000714A000-memory.dmp

Filesize
7.4MB

Download
memory/3020-1383-0x0000000000400000-0x0000000000B5A000-memory.dmp

Filesize
7.4MB

Download
memory/3020-209-0x0000000000400000-0x0000000000B5A000-memory.dmp

Filesize
7.4MB

Download
memory/6900-1395-0x0000000000B30000-0x0000000000C40000-memory.dmp

Filesize
1.1MB

Download