amadey | 13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade

Analysis

max time kernel
42s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/12/2024, 02:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe
Size

2.9MB
MD5

117d5bc15e223805f55b2890713cd193
SHA1

a01bcb2fbea608834b0d644bc7cdcd9d304eca5b
SHA256

13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade
SHA512

f9d2668b08702dc76d4e7aa52938b3765a13bb4b71413ff3d328b5675bfc8cfd92b25dee4db68df84037410ae2d32f431921628d3238186bdbe2f41e6d36523d
SSDEEP

49152:7PIOh+mCXpv9KjHkwJIaImhEFm49THMCOV5V8yjODNO:7f0pvSE8IaIUEFkC65Vb6D

Score

10^/10

amadey cryptbot lumma stealc 9c9aa5 stok discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://tacitglibbr.biz/api

https://shineugler.biz/api

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

cryptbot

Extracted

Family

lumma

https://tacitglibbr.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f4c940b739.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dc5ae68837.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f4c940b739.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dc5ae68837.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dc5ae68837.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f4c940b739.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk	g6aAPRGUMbVDWu99.exe

Executes dropped EXE 30 IoCs

pid	Process
1856	skotes.exe
2884	ShtrayEasy35.exe
2964	g6aAPRGUMbVDWu99.exe
2612	8ftzdpRC5GCJRtSg.exe
1688	wZeHZBDjL01KR4ut.exe
1936	4VxXVS3egtSGOtN0.exe
2216	rHn6ymqvS9GSB2Xh.exe
1196	rYpwXgMpVbmUlDgE.exe
1144	bQ9ogZ8Sa4YSsJcx.exe
908	i9G6KcT8xrXI5aQy.exe
1468	20f2k2UdYiZ1kGk7.exe
2308	trc5sdfjAAEhEi5a.exe
1908	ONDhziA1wBQc8MLG.exe
1760	YO4Zvu6dkBiEsvkY.exe
1900	F5461hu8lA2hzyC7.exe
1416	IQ7ux2z.exe
2384	Xd1ugVEz4fXbf3Cx.exe
1528	sUSFJjY.exe
2588	dLvMi3X3weOJUYt0.exe
2660	NXwW7VhgAxyH7Esy.exe
2796	f4c940b739.exe
2644	izhE5KV3FQfR4zxf.exe
1248	BFKOYwt3qQGfpTzN.exe
604	WH8dxaZwjig6w3k0.exe
2972	7SYgcNJZTXS6Zg0e.exe
1836	qgRNNZta45NJiT2T.exe
2224	b8jCheL15MlSaRjf.exe
2728	JehQWfjp5U6UzN80.exe
1852	Mwx2ErahA8JKh0Rg.exe
2348	dc5ae68837.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	f4c940b739.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	dc5ae68837.exe

Loads dropped DLL 29 IoCs

pid	Process
2692	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe
2692	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe
1856	skotes.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
2964	g6aAPRGUMbVDWu99.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
1856	skotes.exe
2884	ShtrayEasy35.exe
1856	skotes.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
1856	skotes.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
2884	ShtrayEasy35.exe
1856	skotes.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8UVSR8lK\\g6aAPRGUMbVDWu99.exe"	g6aAPRGUMbVDWu99.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\f4c940b739.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1015870001\\f4c940b739.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc5ae68837.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1015871001\\dc5ae68837.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\1820046172.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1015872001\\1820046172.exe"	skotes.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000500000001a48c-286.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2692	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe
1856	skotes.exe
2796	f4c940b739.exe
2348	dc5ae68837.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ShtrayEasy35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g6aAPRGUMbVDWu99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IQ7ux2z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4c940b739.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
3184	taskkill.exe
3980	taskkill.exe
5144	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2692	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe
1856	skotes.exe
2884	ShtrayEasy35.exe
2964	g6aAPRGUMbVDWu99.exe
2612	8ftzdpRC5GCJRtSg.exe
2612	8ftzdpRC5GCJRtSg.exe
2612	8ftzdpRC5GCJRtSg.exe
1688	wZeHZBDjL01KR4ut.exe
1688	wZeHZBDjL01KR4ut.exe
1688	wZeHZBDjL01KR4ut.exe
1688	wZeHZBDjL01KR4ut.exe
1936	4VxXVS3egtSGOtN0.exe
1936	4VxXVS3egtSGOtN0.exe
1936	4VxXVS3egtSGOtN0.exe
2216	rHn6ymqvS9GSB2Xh.exe
2216	rHn6ymqvS9GSB2Xh.exe
2216	rHn6ymqvS9GSB2Xh.exe
2216	rHn6ymqvS9GSB2Xh.exe
1936	4VxXVS3egtSGOtN0.exe
2216	rHn6ymqvS9GSB2Xh.exe
2216	rHn6ymqvS9GSB2Xh.exe
1936	4VxXVS3egtSGOtN0.exe
1936	4VxXVS3egtSGOtN0.exe
1196	rYpwXgMpVbmUlDgE.exe
1196	rYpwXgMpVbmUlDgE.exe
1196	rYpwXgMpVbmUlDgE.exe
1196	rYpwXgMpVbmUlDgE.exe
1196	rYpwXgMpVbmUlDgE.exe
1196	rYpwXgMpVbmUlDgE.exe
1196	rYpwXgMpVbmUlDgE.exe
1144	bQ9ogZ8Sa4YSsJcx.exe
1144	bQ9ogZ8Sa4YSsJcx.exe
1144	bQ9ogZ8Sa4YSsJcx.exe
1144	bQ9ogZ8Sa4YSsJcx.exe
1144	bQ9ogZ8Sa4YSsJcx.exe
1144	bQ9ogZ8Sa4YSsJcx.exe
1144	bQ9ogZ8Sa4YSsJcx.exe
1144	bQ9ogZ8Sa4YSsJcx.exe
908	i9G6KcT8xrXI5aQy.exe
908	i9G6KcT8xrXI5aQy.exe
908	i9G6KcT8xrXI5aQy.exe
908	i9G6KcT8xrXI5aQy.exe
908	i9G6KcT8xrXI5aQy.exe
908	i9G6KcT8xrXI5aQy.exe
908	i9G6KcT8xrXI5aQy.exe
908	i9G6KcT8xrXI5aQy.exe
908	i9G6KcT8xrXI5aQy.exe
1468	20f2k2UdYiZ1kGk7.exe
1468	20f2k2UdYiZ1kGk7.exe
1468	20f2k2UdYiZ1kGk7.exe
1468	20f2k2UdYiZ1kGk7.exe
1468	20f2k2UdYiZ1kGk7.exe
1468	20f2k2UdYiZ1kGk7.exe
1468	20f2k2UdYiZ1kGk7.exe
1468	20f2k2UdYiZ1kGk7.exe
1468	20f2k2UdYiZ1kGk7.exe
1468	20f2k2UdYiZ1kGk7.exe
1468	20f2k2UdYiZ1kGk7.exe
1468	20f2k2UdYiZ1kGk7.exe
2308	trc5sdfjAAEhEi5a.exe
2308	trc5sdfjAAEhEi5a.exe
2308	trc5sdfjAAEhEi5a.exe
2308	trc5sdfjAAEhEi5a.exe
2308	trc5sdfjAAEhEi5a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	IQ7ux2z.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2692	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 1856	2692	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe	31
PID 2692 wrote to memory of 1856	2692	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe	31
PID 2692 wrote to memory of 1856	2692	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe	31
PID 2692 wrote to memory of 1856	2692	13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe	31
PID 1856 wrote to memory of 2884	1856	skotes.exe	33
PID 1856 wrote to memory of 2884	1856	skotes.exe	33
PID 1856 wrote to memory of 2884	1856	skotes.exe	33
PID 1856 wrote to memory of 2884	1856	skotes.exe	33
PID 2884 wrote to memory of 2964	2884	ShtrayEasy35.exe	34
PID 2884 wrote to memory of 2964	2884	ShtrayEasy35.exe	34
PID 2884 wrote to memory of 2964	2884	ShtrayEasy35.exe	34
PID 2884 wrote to memory of 2964	2884	ShtrayEasy35.exe	34
PID 2884 wrote to memory of 2612	2884	ShtrayEasy35.exe	35
PID 2884 wrote to memory of 2612	2884	ShtrayEasy35.exe	35
PID 2884 wrote to memory of 2612	2884	ShtrayEasy35.exe	35
PID 2884 wrote to memory of 2612	2884	ShtrayEasy35.exe	35
PID 2884 wrote to memory of 1688	2884	ShtrayEasy35.exe	36
PID 2884 wrote to memory of 1688	2884	ShtrayEasy35.exe	36
PID 2884 wrote to memory of 1688	2884	ShtrayEasy35.exe	36
PID 2884 wrote to memory of 1688	2884	ShtrayEasy35.exe	36
PID 2884 wrote to memory of 1936	2884	ShtrayEasy35.exe	37
PID 2884 wrote to memory of 1936	2884	ShtrayEasy35.exe	37
PID 2884 wrote to memory of 1936	2884	ShtrayEasy35.exe	37
PID 2884 wrote to memory of 1936	2884	ShtrayEasy35.exe	37
PID 2884 wrote to memory of 2216	2884	ShtrayEasy35.exe	38
PID 2884 wrote to memory of 2216	2884	ShtrayEasy35.exe	38
PID 2884 wrote to memory of 2216	2884	ShtrayEasy35.exe	38
PID 2884 wrote to memory of 2216	2884	ShtrayEasy35.exe	38
PID 2884 wrote to memory of 1196	2884	ShtrayEasy35.exe	39
PID 2884 wrote to memory of 1196	2884	ShtrayEasy35.exe	39
PID 2884 wrote to memory of 1196	2884	ShtrayEasy35.exe	39
PID 2884 wrote to memory of 1196	2884	ShtrayEasy35.exe	39
PID 2884 wrote to memory of 1144	2884	ShtrayEasy35.exe	40
PID 2884 wrote to memory of 1144	2884	ShtrayEasy35.exe	40
PID 2884 wrote to memory of 1144	2884	ShtrayEasy35.exe	40
PID 2884 wrote to memory of 1144	2884	ShtrayEasy35.exe	40
PID 2884 wrote to memory of 908	2884	ShtrayEasy35.exe	41
PID 2884 wrote to memory of 908	2884	ShtrayEasy35.exe	41
PID 2884 wrote to memory of 908	2884	ShtrayEasy35.exe	41
PID 2884 wrote to memory of 908	2884	ShtrayEasy35.exe	41
PID 2884 wrote to memory of 1468	2884	ShtrayEasy35.exe	42
PID 2884 wrote to memory of 1468	2884	ShtrayEasy35.exe	42
PID 2884 wrote to memory of 1468	2884	ShtrayEasy35.exe	42
PID 2884 wrote to memory of 1468	2884	ShtrayEasy35.exe	42
PID 2884 wrote to memory of 1760	2884	ShtrayEasy35.exe	43
PID 2884 wrote to memory of 1760	2884	ShtrayEasy35.exe	43
PID 2884 wrote to memory of 1760	2884	ShtrayEasy35.exe	43
PID 2884 wrote to memory of 1760	2884	ShtrayEasy35.exe	43
PID 2884 wrote to memory of 2308	2884	ShtrayEasy35.exe	44
PID 2884 wrote to memory of 2308	2884	ShtrayEasy35.exe	44
PID 2884 wrote to memory of 2308	2884	ShtrayEasy35.exe	44
PID 2884 wrote to memory of 2308	2884	ShtrayEasy35.exe	44
PID 2884 wrote to memory of 1900	2884	ShtrayEasy35.exe	45
PID 2884 wrote to memory of 1900	2884	ShtrayEasy35.exe	45
PID 2884 wrote to memory of 1900	2884	ShtrayEasy35.exe	45
PID 2884 wrote to memory of 1900	2884	ShtrayEasy35.exe	45
PID 2884 wrote to memory of 1908	2884	ShtrayEasy35.exe	46
PID 2884 wrote to memory of 1908	2884	ShtrayEasy35.exe	46
PID 2884 wrote to memory of 1908	2884	ShtrayEasy35.exe	46
PID 2884 wrote to memory of 1908	2884	ShtrayEasy35.exe	46
PID 1856 wrote to memory of 1416	1856	skotes.exe	47
PID 1856 wrote to memory of 1416	1856	skotes.exe	47
PID 1856 wrote to memory of 1416	1856	skotes.exe	47
PID 1856 wrote to memory of 1416	1856	skotes.exe	47

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5692	attrib.exe

C:\Users\Admin\AppData\Local\Temp\13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe
"C:\Users\Admin\AppData\Local\Temp\13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe
    "C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\8UVSR8lK\g6aAPRGUMbVDWu99.exe
      C:\Users\Admin\AppData\Local\Temp\8UVSR8lK\g6aAPRGUMbVDWu99.exe 2884
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\8ftzdpRC5GCJRtSg.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\8ftzdpRC5GCJRtSg.exe 2884
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\wZeHZBDjL01KR4ut.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\wZeHZBDjL01KR4ut.exe 2884
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\4VxXVS3egtSGOtN0.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\4VxXVS3egtSGOtN0.exe 2884
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\rHn6ymqvS9GSB2Xh.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\rHn6ymqvS9GSB2Xh.exe 2884
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\rYpwXgMpVbmUlDgE.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\rYpwXgMpVbmUlDgE.exe 2884
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\bQ9ogZ8Sa4YSsJcx.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\bQ9ogZ8Sa4YSsJcx.exe 2884
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1144
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\i9G6KcT8xrXI5aQy.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\i9G6KcT8xrXI5aQy.exe 2884
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:908
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\20f2k2UdYiZ1kGk7.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\20f2k2UdYiZ1kGk7.exe 2884
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\YO4Zvu6dkBiEsvkY.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\YO4Zvu6dkBiEsvkY.exe 2884
      4⤵
      Executes dropped EXE
      PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\trc5sdfjAAEhEi5a.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\trc5sdfjAAEhEi5a.exe 2884
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\F5461hu8lA2hzyC7.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\F5461hu8lA2hzyC7.exe 2884
      4⤵
      Executes dropped EXE
      PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\ONDhziA1wBQc8MLG.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\ONDhziA1wBQc8MLG.exe 2884
      4⤵
      Executes dropped EXE
      PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\Xd1ugVEz4fXbf3Cx.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\Xd1ugVEz4fXbf3Cx.exe 2884
      4⤵
      Executes dropped EXE
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\dLvMi3X3weOJUYt0.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\dLvMi3X3weOJUYt0.exe 2884
      4⤵
      Executes dropped EXE
      PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\NXwW7VhgAxyH7Esy.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\NXwW7VhgAxyH7Esy.exe 2884
      4⤵
      Executes dropped EXE
      PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\WH8dxaZwjig6w3k0.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\WH8dxaZwjig6w3k0.exe 2884
      4⤵
      Executes dropped EXE
      PID:604
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\izhE5KV3FQfR4zxf.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\izhE5KV3FQfR4zxf.exe 2884
      4⤵
      Executes dropped EXE
      PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\7SYgcNJZTXS6Zg0e.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\7SYgcNJZTXS6Zg0e.exe 2884
      4⤵
      Executes dropped EXE
      PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\BFKOYwt3qQGfpTzN.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\BFKOYwt3qQGfpTzN.exe 2884
      4⤵
      Executes dropped EXE
      PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\qgRNNZta45NJiT2T.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\qgRNNZta45NJiT2T.exe 2884
      4⤵
      Executes dropped EXE
      PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\b8jCheL15MlSaRjf.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\b8jCheL15MlSaRjf.exe 2884
      4⤵
      Executes dropped EXE
      PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\Mwx2ErahA8JKh0Rg.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\Mwx2ErahA8JKh0Rg.exe 2884
      4⤵
      Executes dropped EXE
      PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\JehQWfjp5U6UzN80.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\JehQWfjp5U6UzN80.exe 2884
      4⤵
      Executes dropped EXE
      PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\FaguxCZ5HOYK8e9K.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\FaguxCZ5HOYK8e9K.exe 2884
      4⤵
      PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\FT8KrbGhELWYeWTb.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\FT8KrbGhELWYeWTb.exe 2884
      4⤵
      PID:344
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\v4iycR0ZpXN5cyC3.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\v4iycR0ZpXN5cyC3.exe 2884
      4⤵
      PID:840
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\mFkBJ5gsK3LjB7q3.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\mFkBJ5gsK3LjB7q3.exe 2884
      4⤵
      PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\dzMwBOubScEuXYdZ.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\dzMwBOubScEuXYdZ.exe 2884
      4⤵
      PID:328
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\VmSpZ4a1UxVObiQD.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\VmSpZ4a1UxVObiQD.exe 2884
      4⤵
      PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\4KX0UK3iKJ0ZzI6Z.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\4KX0UK3iKJ0ZzI6Z.exe 2884
      4⤵
      PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\1IqNVbkRoQg0uLdM.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\1IqNVbkRoQg0uLdM.exe 2884
      4⤵
      PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\uyVdqdJk8yHEWngo.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\uyVdqdJk8yHEWngo.exe 2884
      4⤵
      PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\EHD30SPOLzL2DlB9.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\EHD30SPOLzL2DlB9.exe 2884
      4⤵
      PID:5272
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\10VZixPrhOIhV6FT.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\10VZixPrhOIhV6FT.exe 2884
      4⤵
      PID:5292
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\AKXyRfvOZeVbqvdD.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\AKXyRfvOZeVbqvdD.exe 2884
      4⤵
      PID:7816
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\ZQcZ9KMqXwePexPV.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\ZQcZ9KMqXwePexPV.exe 2884
      4⤵
      PID:8084
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\SHUklLgwIsJWVdXy.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\SHUklLgwIsJWVdXy.exe 2884
      4⤵
      PID:8148
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\fjZIBLJeTpJbwxsN.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\fjZIBLJeTpJbwxsN.exe 2884
      4⤵
      PID:5620
- - C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe
    "C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe
      "C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"
      4⤵
      PID:6984
- - C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe
    "C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe"
    3⤵
    - Executes dropped EXE
    PID:1528
- - C:\Users\Admin\AppData\Local\Temp\1015870001\f4c940b739.exe
    "C:\Users\Admin\AppData\Local\Temp\1015870001\f4c940b739.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2796
- - C:\Users\Admin\AppData\Local\Temp\1015871001\dc5ae68837.exe
    "C:\Users\Admin\AppData\Local\Temp\1015871001\dc5ae68837.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2348
- - C:\Users\Admin\AppData\Local\Temp\1015872001\1820046172.exe
    "C:\Users\Admin\AppData\Local\Temp\1015872001\1820046172.exe"
    3⤵
    PID:2572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:3184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:3980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:5144
- - C:\Users\Admin\AppData\Local\Temp\1015873001\f71f21f94c.exe
    "C:\Users\Admin\AppData\Local\Temp\1015873001\f71f21f94c.exe"
    3⤵
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\1015874001\5e6899d697.exe
    "C:\Users\Admin\AppData\Local\Temp\1015874001\5e6899d697.exe"
    3⤵
    PID:2500
- - C:\Users\Admin\AppData\Local\Temp\1015875001\a19cd40679.exe
    "C:\Users\Admin\AppData\Local\Temp\1015875001\a19cd40679.exe"
    3⤵
    PID:3456
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      PID:1972
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:7840
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        5⤵
        
        PID:7884
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        
        PID:7948
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        
        PID:8004
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        
        PID:8036
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        
        PID:8108
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        
        PID:3948
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        
        PID:5348
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        
        PID:7048
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "in.exe"
        5⤵
        Views/modifies file attributes
        
        PID:5692
    - - C:\Users\Admin\AppData\Local\Temp\main\in.exe
        
        "in.exe"
        5⤵
        
        PID:5772
- - C:\Users\Admin\AppData\Local\Temp\1015876001\430b6b221d.exe
    "C:\Users\Admin\AppData\Local\Temp\1015876001\430b6b221d.exe"
    3⤵
    PID:3476
  - - C:\Users\Admin\AppData\Local\Temp\1015876001\430b6b221d.exe
      "C:\Users\Admin\AppData\Local\Temp\1015876001\430b6b221d.exe"
      4⤵
      PID:6672
- - C:\Users\Admin\AppData\Local\Temp\1015877001\df41cea226.exe
    "C:\Users\Admin\AppData\Local\Temp\1015877001\df41cea226.exe"
    3⤵
    PID:5264
- - C:\Users\Admin\AppData\Local\Temp\1015878001\294f4e8214.exe
    "C:\Users\Admin\AppData\Local\Temp\1015878001\294f4e8214.exe"
    3⤵
    PID:4672
- - C:\Users\Admin\AppData\Local\Temp\1015879001\e35b971207.exe
    "C:\Users\Admin\AppData\Local\Temp\1015879001\e35b971207.exe"
    3⤵
    PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe

Filesize
256KB

MD5
c37a981bc24c4aba6454da4eecb7acbe

SHA1
2bffdf27d0d4f7c810e323c1671a87ed2d6b644f

SHA256
d6fc121d54e4cdf3a1b6b0505c4f691f16d91fdd421bf96c04388b1c6f19e361

SHA512
2f44b5218b323bc2bad3ee37426b5bbcbb089b1a561e5f2f48fd455fed0a395b50a6cbb3783bf06e25b144b3f77078629ab1d86fb2c8df1a532230c81a3b2ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe

Filesize
2.8MB

MD5
0dad190f420a0a09ed8c262ca18b1097

SHA1
b97535bf2960278b19bda8cad9e885b8eefbdc85

SHA256
29e1e95110c03e84720e213a2bb0dcdff95af85a8a894d71518e06c62131e64a

SHA512
8ae92676fc5539899414f0a70cba1ed01685b30af9002c68114720d6a7213e4e9c2368e17717c4e3e02650781a022001e4a2e43f83afbd709e7f1ab81003b646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe

Filesize
87KB

MD5
3c104350cc2661c345673e91ed672c4c

SHA1
d205e94d47949cf3bc3f5226978f6d370c3d3b94

SHA256
1fb9f279263c252a09f12b69c7238c18d2325f7cf7250ebe24ad9149abe62cf4

SHA512
9c02bde2d096e181f00e906f4e242905d0e54dd207f309764805c7444c9f43073106812ade97fca9fc2363f59ed071371276880ce85e9a307fcdb03d3250cf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015870001\f4c940b739.exe

Filesize
1.8MB

MD5
f9694cb15c258cf8125cf0c317c77479

SHA1
ad7ab004164e247a32fb8eb4187103a1eaf73657

SHA256
37aafa95a96bdc9144593c820466f3f063cd0e9fb3c6d2bcfab4c1bf0b61e51b

SHA512
41504ae13f21e126508b91cdacc3d993790b7ce6001a0d58353860ad4eccb76858f553f4dd49d1960fae09a777160493932c0bb9acebd3bad3aae6e0dc2e2351

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015871001\dc5ae68837.exe

Filesize
1.7MB

MD5
f660a7ff99befe7ae52d2636a0e8db46

SHA1
41b7e90dbf2ce54bd4e3048d0dc1b7e9d59d81ee

SHA256
526d8ce745c14bac28de547ee616d66bec13517e558da772982b41cb9d6dda62

SHA512
4f13dc0b5c8003b3dc7a5f3faa02c4e103da106722d53494a74e419756d1ce8c35b308641e7690bb932002b0d16411caedb60e63138d33cbfe78520ca8bd0240

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015872001\1820046172.exe

Filesize
946KB

MD5
6bf59db9dafe72201466700ea8cb334d

SHA1
e3649b55eb5141245e634374aa4a6385dba214e6

SHA256
acdc360a0c9680c407d43df48f143af92d99d5c034a152e78b5da5220dbeb249

SHA512
f44354e412d85b7025c486d2582976f684a57216267c37dbc2fea2b6ba5e9808a098f663258569a5a998d849e97b15a15d617f834e9b768e01391daf0ff261bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015873001\f71f21f94c.exe

Filesize
2.6MB

MD5
e5cfad81f5397d7eeed2e7251b7e6e7a

SHA1
84184161e1b542773e5c74909ce37bb1f8f2238e

SHA256
46cb31f14f15b4f13d203fe4138401adccf3163cf405fe907e7ee86bbd1c2387

SHA512
fad966d925810d75be01d20b2b2bbf45755a30d385754878764fec0f1d45100490ba8c4ea279429f91c627cfa8f6b0e2abc70abdb8b645dddf1abd4cf021656a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015874001\5e6899d697.exe

Filesize
1.7MB

MD5
6c1d0dabe1ec5e928f27b3223f25c26b

SHA1
e25ab704a6e9b3e4c30a6c1f7043598a13856ad9

SHA256
92228a0012605351cf08df9a2ad4b93fa552d7a75991f81fb80f1ae854a0e57d

SHA512
3a3f7af4f6018fcbd8c6f2871270504731cf269134453c9a146351c3e4a5c89165ecccafb3655d8b39c1ff1ec68f06e1851c0abd66d47602e1f0f8e36d4acfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015875001\a19cd40679.exe

Filesize
4.2MB

MD5
3a425626cbd40345f5b8dddd6b2b9efa

SHA1
7b50e108e293e54c15dce816552356f424eea97a

SHA256
ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1

SHA512
a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015876001\430b6b221d.exe

Filesize
710KB

MD5
28e568616a7b792cac1726deb77d9039

SHA1
39890a418fb391b823ed5084533e2e24dff021e1

SHA256
9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2

SHA512
85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015877001\df41cea226.exe

Filesize
4.2MB

MD5
3617bfad36063c68a129b7e2bd89ceef

SHA1
6621e1f1403b9fa874124c374021034a3c86421e

SHA256
e5637e64459e1868bf6318ea3b48b76ecf3f5669992ba882a7ddab2567af8b24

SHA512
fdf2d08361b48faccf5ee0e2f04104f07f4677a0299a80d49cf50aabd952a6bb23332f51b12102d87c01ee3291bf1bc3833035e42d613e4c35e657dc06044c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015878001\294f4e8214.exe

Filesize
4.3MB

MD5
c5f945671aec219fd0af66f72065a536

SHA1
7956212b4272158ebf29243e79067cc73066fee6

SHA256
7fdc637cd02ad95b233c17569424fe28b53228f5d7dc853dc1449527ad2fd05d

SHA512
1cf363e35bbdaa90af47ff79e59a3175559b81d6ec63b296534793b1b406b883dd0b89412b0115be4a42041d27c15e97e494b284e092397d1878b8dfb544144a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1015879001\e35b971207.exe

Filesize
384KB

MD5
dfd5f78a711fa92337010ecc028470b4

SHA1
1a389091178f2be8ce486cd860de16263f8e902e

SHA256
da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d

SHA512
a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.9MB

MD5
117d5bc15e223805f55b2890713cd193

SHA1
a01bcb2fbea608834b0d644bc7cdcd9d304eca5b

SHA256
13da1ea004efe3af75113c29b1de6d3a63d86e9f54c4a4e422e2a509099aaade

SHA512
f9d2668b08702dc76d4e7aa52938b3765a13bb4b71413ff3d328b5675bfc8cfd92b25dee4db68df84037410ae2d32f431921628d3238186bdbe2f41e6d36523d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
440B

MD5
3626532127e3066df98e34c3d56a1869

SHA1
5fa7102f02615afde4efd4ed091744e842c63f78

SHA256
2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca

SHA512
dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

Download Submit
memory/1416-420-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-446-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-430-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-432-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-434-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-174-0x00000000012E0000-0x00000000015BC000-memory.dmp

Filesize
2.9MB

Download
memory/1416-426-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-411-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-424-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-436-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-438-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-440-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-422-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-442-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-444-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-428-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-448-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-450-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-452-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-454-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-456-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-418-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-412-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-416-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-458-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-414-0x0000000005780000-0x0000000005938000-memory.dmp

Filesize
1.7MB

Download
memory/1416-409-0x0000000005780000-0x000000000593E000-memory.dmp

Filesize
1.7MB

Download
memory/1528-300-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/1528-189-0x0000000000F30000-0x0000000000F48000-memory.dmp

Filesize
96KB

Download
memory/1856-215-0x0000000006DF0000-0x0000000007293000-memory.dmp

Filesize
4.6MB

Download
memory/1856-274-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/1856-343-0x00000000067D0000-0x0000000006A78000-memory.dmp

Filesize
2.7MB

Download
memory/1856-29423-0x0000000006DF0000-0x00000000079D5000-memory.dmp

Filesize
11.9MB

Download
memory/1856-3962-0x0000000006DF0000-0x00000000079D5000-memory.dmp

Filesize
11.9MB

Download
memory/1856-353-0x0000000006DF0000-0x000000000727B000-memory.dmp

Filesize
4.5MB

Download
memory/1856-352-0x0000000006DF0000-0x000000000727B000-memory.dmp

Filesize
4.5MB

Download
memory/1856-3500-0x0000000006DF0000-0x00000000079D5000-memory.dmp

Filesize
11.9MB

Download
memory/1856-21-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/1856-22-0x00000000011E1000-0x000000000120F000-memory.dmp

Filesize
184KB

Download
memory/1856-23-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/1856-362-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/1856-25-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/1856-26-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/1856-377-0x00000000067D0000-0x0000000006A78000-memory.dmp

Filesize
2.7MB

Download
memory/1856-344-0x00000000067D0000-0x0000000006A78000-memory.dmp

Filesize
2.7MB

Download
memory/1856-97-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/1856-389-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/1856-115-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/1856-322-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/1856-320-0x0000000006DF0000-0x0000000007485000-memory.dmp

Filesize
6.6MB

Download
memory/1856-126-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/1856-125-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/1856-292-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/1856-173-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/1856-280-0x0000000006DF0000-0x0000000007485000-memory.dmp

Filesize
6.6MB

Download
memory/1856-276-0x0000000006DF0000-0x0000000007293000-memory.dmp

Filesize
4.6MB

Download
memory/1856-214-0x00000000011E0000-0x00000000014F8000-memory.dmp

Filesize
3.1MB

Download
memory/2348-324-0x0000000000340000-0x00000000009D5000-memory.dmp

Filesize
6.6MB

Download
memory/2348-282-0x0000000000340000-0x00000000009D5000-memory.dmp

Filesize
6.6MB

Download
memory/2348-351-0x0000000000340000-0x00000000009D5000-memory.dmp

Filesize
6.6MB

Download
memory/2348-361-0x0000000000340000-0x00000000009D5000-memory.dmp

Filesize
6.6MB

Download
memory/2348-305-0x0000000000340000-0x00000000009D5000-memory.dmp

Filesize
6.6MB

Download
memory/2500-354-0x00000000008E0000-0x0000000000D6B000-memory.dmp

Filesize
4.5MB

Download
memory/2500-398-0x00000000008E0000-0x0000000000D6B000-memory.dmp

Filesize
4.5MB

Download
memory/2692-2-0x0000000000351000-0x000000000037F000-memory.dmp

Filesize
184KB

Download
memory/2692-359-0x0000000000380000-0x0000000000628000-memory.dmp

Filesize
2.7MB

Download
memory/2692-1-0x00000000778B0000-0x00000000778B2000-memory.dmp

Filesize
8KB

Download
memory/2692-345-0x0000000000380000-0x0000000000628000-memory.dmp

Filesize
2.7MB

Download
memory/2692-0-0x0000000000350000-0x0000000000668000-memory.dmp

Filesize
3.1MB

Download
memory/2692-3-0x0000000000350000-0x0000000000668000-memory.dmp

Filesize
3.1MB

Download
memory/2692-358-0x0000000000380000-0x0000000000628000-memory.dmp

Filesize
2.7MB

Download
memory/2692-5-0x0000000000350000-0x0000000000668000-memory.dmp

Filesize
3.1MB

Download
memory/2692-2396-0x0000000000380000-0x0000000000628000-memory.dmp

Filesize
2.7MB

Download
memory/2692-18-0x0000000006550000-0x0000000006868000-memory.dmp

Filesize
3.1MB

Download
memory/2692-17-0x0000000000350000-0x0000000000668000-memory.dmp

Filesize
3.1MB

Download
memory/2692-19-0x0000000006550000-0x0000000006868000-memory.dmp

Filesize
3.1MB

Download
memory/2796-216-0x0000000000AB0000-0x0000000000F53000-memory.dmp

Filesize
4.6MB

Download
memory/2796-277-0x0000000000AB0000-0x0000000000F53000-memory.dmp

Filesize
4.6MB

Download
memory/2796-363-0x0000000000AB0000-0x0000000000F53000-memory.dmp

Filesize
4.6MB

Download
memory/2796-275-0x0000000000AB0000-0x0000000000F53000-memory.dmp

Filesize
4.6MB

Download
memory/2796-291-0x0000000000AB0000-0x0000000000F53000-memory.dmp

Filesize
4.6MB

Download
memory/2796-323-0x0000000000AB0000-0x0000000000F53000-memory.dmp

Filesize
4.6MB

Download
memory/2796-394-0x0000000000AB0000-0x0000000000F53000-memory.dmp

Filesize
4.6MB

Download
memory/5264-4102-0x0000000000EC0000-0x0000000001AA5000-memory.dmp

Filesize
11.9MB

Download
memory/5264-29425-0x0000000000EC0000-0x0000000001AA5000-memory.dmp

Filesize
11.9MB

Download
memory/6984-29474-0x0000000000B90000-0x0000000000C54000-memory.dmp

Filesize
784KB

Download
memory/6984-29473-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download