8bdfa3c37749a6ad28e52a1c32d709bcd3f423ffce77f2eb1fbabfad4f1732a1

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-02-2025 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nykfsekawddd.exe
Size

994KB
MD5

fd5f7cb05fed3f0ddf336b4d774233a9
SHA1

38e64f34cd6e401464a9d3433eaba77717544ad4
SHA256

8bdfa3c37749a6ad28e52a1c32d709bcd3f423ffce77f2eb1fbabfad4f1732a1
SHA512

aa660ba760fc12feb886e5b94708e298f7c855e128d4f7c00054f78e014272d69f3c56186bd3a56a4d0d5623bfbe2a1df544941c5a10ca10ea8016e9ff9f6181
SSDEEP

24576:oEPJIUv0nWZZwMAgqYUSE7tohH3iBNs9cc:FP0uAKfE7topcJc

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1028 created 1196	1028	Act.com	21

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeMagnet.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeMagnet.url	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1028	Act.com

Loads dropped DLL 2 IoCs

pid	Process
2376	cmd.exe
1028	Act.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2780	tasklist.exe
2728	tasklist.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ChocolateEs	nykfsekawddd.exe
File opened for modification	C:\Windows\RegionRomantic	nykfsekawddd.exe
File opened for modification	C:\Windows\ExteriorMiami	nykfsekawddd.exe
File opened for modification	C:\Windows\AvgSo	nykfsekawddd.exe
File opened for modification	C:\Windows\CowSpecifications	nykfsekawddd.exe
File opened for modification	C:\Windows\BacteriaNomination	nykfsekawddd.exe
File opened for modification	C:\Windows\WbCage	nykfsekawddd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Act.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nykfsekawddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com
1028	Act.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	tasklist.exe
Token: SeDebugPrivilege	2728	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1028	Act.com
1028	Act.com
1028	Act.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1028	Act.com
1028	Act.com
1028	Act.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2376	1844	nykfsekawddd.exe	30
PID 1844 wrote to memory of 2376	1844	nykfsekawddd.exe	30
PID 1844 wrote to memory of 2376	1844	nykfsekawddd.exe	30
PID 1844 wrote to memory of 2376	1844	nykfsekawddd.exe	30
PID 2376 wrote to memory of 2344	2376	cmd.exe	32
PID 2376 wrote to memory of 2344	2376	cmd.exe	32
PID 2376 wrote to memory of 2344	2376	cmd.exe	32
PID 2376 wrote to memory of 2344	2376	cmd.exe	32
PID 2376 wrote to memory of 2780	2376	cmd.exe	33
PID 2376 wrote to memory of 2780	2376	cmd.exe	33
PID 2376 wrote to memory of 2780	2376	cmd.exe	33
PID 2376 wrote to memory of 2780	2376	cmd.exe	33
PID 2376 wrote to memory of 2516	2376	cmd.exe	34
PID 2376 wrote to memory of 2516	2376	cmd.exe	34
PID 2376 wrote to memory of 2516	2376	cmd.exe	34
PID 2376 wrote to memory of 2516	2376	cmd.exe	34
PID 2376 wrote to memory of 2728	2376	cmd.exe	36
PID 2376 wrote to memory of 2728	2376	cmd.exe	36
PID 2376 wrote to memory of 2728	2376	cmd.exe	36
PID 2376 wrote to memory of 2728	2376	cmd.exe	36
PID 2376 wrote to memory of 2688	2376	cmd.exe	37
PID 2376 wrote to memory of 2688	2376	cmd.exe	37
PID 2376 wrote to memory of 2688	2376	cmd.exe	37
PID 2376 wrote to memory of 2688	2376	cmd.exe	37
PID 2376 wrote to memory of 2904	2376	cmd.exe	38
PID 2376 wrote to memory of 2904	2376	cmd.exe	38
PID 2376 wrote to memory of 2904	2376	cmd.exe	38
PID 2376 wrote to memory of 2904	2376	cmd.exe	38
PID 2376 wrote to memory of 2744	2376	cmd.exe	39
PID 2376 wrote to memory of 2744	2376	cmd.exe	39
PID 2376 wrote to memory of 2744	2376	cmd.exe	39
PID 2376 wrote to memory of 2744	2376	cmd.exe	39
PID 2376 wrote to memory of 2324	2376	cmd.exe	40
PID 2376 wrote to memory of 2324	2376	cmd.exe	40
PID 2376 wrote to memory of 2324	2376	cmd.exe	40
PID 2376 wrote to memory of 2324	2376	cmd.exe	40
PID 2376 wrote to memory of 2636	2376	cmd.exe	41
PID 2376 wrote to memory of 2636	2376	cmd.exe	41
PID 2376 wrote to memory of 2636	2376	cmd.exe	41
PID 2376 wrote to memory of 2636	2376	cmd.exe	41
PID 2376 wrote to memory of 2772	2376	cmd.exe	42
PID 2376 wrote to memory of 2772	2376	cmd.exe	42
PID 2376 wrote to memory of 2772	2376	cmd.exe	42
PID 2376 wrote to memory of 2772	2376	cmd.exe	42
PID 2376 wrote to memory of 1028	2376	cmd.exe	43
PID 2376 wrote to memory of 1028	2376	cmd.exe	43
PID 2376 wrote to memory of 1028	2376	cmd.exe	43
PID 2376 wrote to memory of 1028	2376	cmd.exe	43
PID 2376 wrote to memory of 2644	2376	cmd.exe	44
PID 2376 wrote to memory of 2644	2376	cmd.exe	44
PID 2376 wrote to memory of 2644	2376	cmd.exe	44
PID 2376 wrote to memory of 2644	2376	cmd.exe	44
PID 1028 wrote to memory of 2828	1028	Act.com	45
PID 1028 wrote to memory of 2828	1028	Act.com	45
PID 1028 wrote to memory of 2828	1028	Act.com	45
PID 1028 wrote to memory of 2828	1028	Act.com	45
PID 1028 wrote to memory of 2820	1028	Act.com	48
PID 1028 wrote to memory of 2820	1028	Act.com	48
PID 1028 wrote to memory of 2820	1028	Act.com	48
PID 1028 wrote to memory of 2820	1028	Act.com	48
PID 1028 wrote to memory of 2820	1028	Act.com	48
PID 1028 wrote to memory of 2820	1028	Act.com	48
PID 1028 wrote to memory of 2820	1028	Act.com	48
PID 1028 wrote to memory of 2820	1028	Act.com	48

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\nykfsekawddd.exe
  "C:\Users\Admin\AppData\Local\Temp\nykfsekawddd.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c expand Stuff.jpg Stuff.jpg.cmd & Stuff.jpg.cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\SysWOW64\expand.exe
      expand Stuff.jpg Stuff.jpg.cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:2344
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2780
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "opssvc wrsa"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2516
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2728
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 35158
      4⤵
      System Location Discovery: System Language Discovery
      PID:2904
  - - C:\Windows\SysWOW64\extrac32.exe
      extrac32 /Y /E Cir.jpg
      4⤵
      System Location Discovery: System Language Discovery
      PID:2744
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "Campaigns" Bob
      4⤵
      System Location Discovery: System Language Discovery
      PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 35158\Act.com + Weapon + Productions + Eggs + Pre + Matching + Casting + Magic + Rand + Lo + Excess 35158\Act.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Burst.jpg + ..\Telecom.jpg + ..\Elementary.jpg + ..\Exclusion.jpg + ..\Adopt.jpg + ..\Heavily.jpg B
      4⤵
      System Location Discovery: System Language Discovery
      PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\35158\Act.com
      Act.com B
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Users\Admin\AppData\Local\Temp\35158\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\35158\RegAsm.exe
        5⤵
        
        PID:2820
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeMagnet.url" & echo URL="C:\Users\Admin\AppData\Local\ByteForge Technologies\CodeMagnet.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeMagnet.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\35158\Act.com

Filesize
2KB

MD5
243ec009517ad8291b282ce5c6e0a665

SHA1
3d41a1ba8b0238c76b7301890bf4edea112ef821

SHA256
e9943a9d528f145c0a8bb4661c8ed3510173591e54e0b08d474edd0b5397d533

SHA512
c00860a6042d6385735e8948f5121ec2330937cd2544e2883a0fe8fa57f2bf2146dfe0609d17aacb906ab830eec37d15615b57faa8d73adfd0d25ec5d6effe27

Download Submit
C:\Users\Admin\AppData\Local\Temp\35158\B

Filesize
425KB

MD5
f1a8d6d77c057b3ab8f38c5b7c2387f1

SHA1
bcecfba5d6a4fa3c1db0677ab12ebab68fe490b2

SHA256
d2cf5a8fef5b6ba74ef2107fe0529609ecba6fcc54c0489a813526d11125dbd0

SHA512
3d3bd192dceafb954d4fc13829251372113e6afa22c35768bb8727ee2974fed308cd78bf0dc34b1d658b675e4d4a877d763c95573f7b32593cd24d9f920cc037

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adopt.jpg

Filesize
88KB

MD5
04057d108f38f9ffb79cd86e6af59475

SHA1
bf7d4af0c9f816092773e1ed591c0591d65625fb

SHA256
0c6e6a181f0251b986b940a016410652004d70335827e452558f3d19cfb58328

SHA512
377f263f95915644053efc1c1c3c87af9a966e4e58779bde97a353cefc5370bd2d93113e072011aca54283d898bd66f8e39096d7a1ea51fac0a98e510da34ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bob

Filesize
2KB

MD5
6107971c59a53f12a126f40b087f299f

SHA1
a43f97fc3d759f7c3b243952ba68a83c25d48260

SHA256
1dac06d580b474ddaab6760531741fb177a85ef06361922af0432302f6e801af

SHA512
6a561411bec887a6e2a45656dd435d127369c9fe1fb35de5ebda6c24d1e57da224100d3d5b8459f7045d94d52872389114d9a8d02ee4515f9e7e983529960886

Download Submit
C:\Users\Admin\AppData\Local\Temp\Burst.jpg

Filesize
69KB

MD5
7974e016cb81041229f9119560aa6f39

SHA1
d252a8659bee388210c581c3d98cfab6ea775e26

SHA256
5536f217ad0cf3b44b865aaf456acffa279e012fcb394d8cfabe280330161358

SHA512
8cbe1f46a4395ac940c859d363f309db5e3dd3e883af17e6ccf76551f4d833c9193ac1e55327a1d91fba7a2938a4636db67b29eabc2d191bd268fe89543bcc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Casting

Filesize
95KB

MD5
a0c07131f9308293672f49db7f294a5d

SHA1
5fb95ccf17cbc0937c61a55ba6f6abe73db296e0

SHA256
3bb83128c44bc854530f950193849d8ea91ebe04287dc4beac21f89a7d2c57b7

SHA512
c68c43fe6b26bf18450820886547b7ff4fa955117c77a5a43f35e4e2e129cc6820442912153534a74380a344c4f3b3a3186c038b8e624e6aee7b6bcc96c04916

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cir.jpg

Filesize
476KB

MD5
d52e138e12a1d5d9c75a1431286169b4

SHA1
cc5901f382ebfc2c0ee0019ab58a8647da7f8c5a

SHA256
2066755d55d409e22ae87b4abc4629d2f0104021eb9557ed9722b095cde89a57

SHA512
0709291a5e67a6b73e196cc953f77d2dc2a07bca9596ff236d9e7ad6199e67e48b6544f7ab628577cbecd857c9ba6e647d07cde5790c1651a0c1cc53c0df83f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eggs

Filesize
77KB

MD5
34e58d29c047fd7a9dd81b328186152b

SHA1
273a6c3827a8c95fb8254c2c7e0a86871503f5f2

SHA256
c4b5e43fa18c8ff9ec04857e2c2fca89f8cc119e091af6efcb30b90855275820

SHA512
5fcc18ec1bedf9b43cc24b0f5a44a2f70d03296ead8bb41a8713a1eaeb7a52a1c74d49a2ae5866aa13af661dccee4d06b8287678b1e378c1e9d8cf0bb5f70990

Download Submit
C:\Users\Admin\AppData\Local\Temp\Elementary.jpg

Filesize
95KB

MD5
87c845543e5e652f4ea9533221b194cd

SHA1
fc65aff8212931200fa3794bd209bcc58dd85538

SHA256
e230f26c2ec0c12a6e214bccc4398acd1dd178aa9288d231fb46775893bed508

SHA512
a329f92ea806854fa52c4837bbc277e158f43100842f64e8408ee696fadb9bca3f92edb63bb5411b9e3ca46d79a1b58e034274b6eaf7a69a4fcad659f1586646

Download Submit
C:\Users\Admin\AppData\Local\Temp\Excess

Filesize
2KB

MD5
6a5af1ae7fcd25b9f5caff2a5f38bf52

SHA1
d270d6def835b24b66daa1a67b58765d6f8967c7

SHA256
3df0c5ea0b23193dc118e533530ce857fb587e41cc77796badc46aa250e4c7a6

SHA512
21a9d1e5eaf3d29a5d9e06a1c3f3417c2ee056427ffdf9f4707c801635e793585996f6ce9d706610e55dde21a10748bf9cbceee456b1c813e6e05d4e69eb4ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exclusion.jpg

Filesize
74KB

MD5
7a500dfa9be5988251051cbe252e66ff

SHA1
5cce00d00a7b3c9ac07ad05fb750a54d79023ff4

SHA256
d1af61f730fdf9e30805ede0e37baa32b3374bd6407779edb8d092b2f73f623f

SHA512
9c2513a0ced30d24796b80794e77cb937075a3f4b664abda3bbcce0b6ed5c2d073029a978e44fd929da3caa8efe3b64daf5c87479d44618c8317c5f64ed50ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heavily.jpg

Filesize
13KB

MD5
6339224d329cec2a81847e89a44f4618

SHA1
3a6a44e13eada4535c9f35d48981c08cba60f442

SHA256
2be352937216d04a3d0323950c3d57ec05e4cefdfa512870a26bc74fd859e63c

SHA512
23f7422e3eb141c6e5b67dfc083f62891410bb18bfa6050be77e13f7de97a2fc991f836c5675b061fd9113fa32a6daad0a8fa2436aab68145933804ef9e2ed0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lo

Filesize
73KB

MD5
6586e58b0f48a7df09d2666a34ec7684

SHA1
d8eb0ebcd44b18077985c7770cefe5a10f01f0de

SHA256
ce4eafb80ef862c426b08df4b22dbc7698f6d047778ab837b1455cffbeeef832

SHA512
25de0941f866440a3f82f506efae2ef51ec1cf61c669e505a15ecf28917276880a82480e48b6966e1e08c1a70935916705dd80ddbbd1b6def9c376b37f2cdd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Magic

Filesize
143KB

MD5
7ae2c95d74693571e4e0d6c90fbd2009

SHA1
75482efbcda20d3244c465b45266e1603f9a2a5d

SHA256
d2d4746b7c1ac41f2b3b49faec9afd6dad63647e3b53beb66d3a7ebb1d4205ad

SHA512
3e04a8925c8749e097216ace6610d73a598e9d3d7103990c2b3714ce48c067de6449b4f81301de00286bd401215c70bcb65198be0ce98576d6d9787419b5204a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Matching

Filesize
107KB

MD5
bbd035fdf177a888bc101d3bfd176925

SHA1
b8468ac78eccf623e58051a1d7e2ff2b461beb2f

SHA256
054ce133652fe32b7479b99f364e44eff8bfce1e36ec75d6a7606e8c0e865b37

SHA512
a802be4fcf95bb4e0914cc9df4d10770a99f66ef77589a99ef9d4b36b4938d19bd1b2624887a1d6dd51ecc653c0c5d374baba5a6aedec26f685f65a5e79f00d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pre

Filesize
73KB

MD5
1ad8f8d25bf8c0ce6ac2f5822d385517

SHA1
4c4932ea74235faf54559342fcbd2b270c7a630e

SHA256
599cae3c6fff221c2c18ee7d3196d195f941714933e7e144c3488a3a098e213c

SHA512
184691d056d2a9a5b81d590754a0c9a901ab6ec4d54c2bb07f5f3ef9cb3e65db2b19a97039302ecc7a2e66d753d6ec2b485f85d7dd7861a94641e5ded33689da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Productions

Filesize
136KB

MD5
8d0c26bbe130ad3497382ca736b1942d

SHA1
327338f75d0eeabe7a9c641bacb85333cc58b4fd

SHA256
e8befd6ea9369bd4a4404dcee2f6418d98429e2adf6fa1bcdde4b04fe40b25a1

SHA512
b916cb33b39021b84243ec343b0392b1aac935ec4a557938e702098d12e03049fe2ee45849c45f187aeee77591d14815f440c3f2ebc7bdd61257b88265ae3527

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rand

Filesize
76KB

MD5
d471d916c99fea83aa2bf98fb5a3bd0f

SHA1
81f13b0e9fc24462679ac84f8551b515b6ef0ed8

SHA256
d441d8dca83f14afa481294eca50a88e824f89717c153dd8a878a57b3686bfc2

SHA512
a79ae45e812b7898a2b5da9334eb9095086b8d76b167413a070c54c20d9e846eae63675c1363e38bd3a34916656053f580c2d4f91de61f61e412455a9d1404d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Telecom.jpg

Filesize
86KB

MD5
e5cee34be21cb1dd9ee5fc176ab8ec4f

SHA1
de71572178bf9c231ba64b7457795fcbbe721192

SHA256
11dc3e8031e403bdbdf465d80b3ce575cb8e229162915e585b35f27b53d33b0f

SHA512
8dca16795793742a33169f9c30c7b6e753bb35103e73cd6cf6e5841cd34250dbf741673571dab12abacba9566866f63aad5adc8acb34d6da655c02e53a06bb5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weapon

Filesize
140KB

MD5
406dd20a0810b0401b416d5943920bf0

SHA1
5cc4c0cdab096c73ef0dba54128b8a25167fffc2

SHA256
238572bbd24c372a3d9f642700c5354f37aa8dd7fa21b3c84d6b20ee653458ea

SHA512
613220f106ea40c67de9117bfc92fe9481dc58ac63f538f13b41fd0d23827d72987f3204487442cb71ef542a05717ad86c54c9f0ddb3bb78c8aef7f31a47ba6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\stuff.jpg

Filesize
14KB

MD5
8cd79d74b8117685fb6add84156bae64

SHA1
504d47540b69f5b9f52e71d1133673568c6ae92b

SHA256
3bb54360cf8d15f7d05be65d57cad7b0ffdc07942ae02c0a8a3238fb11964fab

SHA512
a400913d0ab5a617f56777e149b62aa19550d1889e8080774921b3a0377e4d3939260846648057efeb221f827f8a5b4c305d653edc5dfc61ae5ee5743f637fed

Download Submit
\Users\Admin\AppData\Local\Temp\35158\Act.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
\Users\Admin\AppData\Local\Temp\35158\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit