amadey | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2025, 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

xworm

Version

5.0

enter-sierra.gl.at.ply.gg:55389

Mutex

lzS6Ul7Mo5UcN6CR

Attributes

Install_directory
%AppData%
install_file
Wave.exe

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

2.tcp.eu.ngrok.io:19695

Mutex

gonq3XlXWgiz

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note

ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: [email protected] [email protected] ID :B9A4DCAF3E383B51782E6D526AE7E8E989A23D139426991E2F2959EF399EFF017FE5E39AB68C2BFF8825262C2FC73580ACF9BA85F25820BF84643EE4E91C095DC0A3B609BD18E1A253AE072D49185EA8857EC071A260FFD29BE3920D4341722A519D7046CE80C41B59321EF337264670312BEB6E5E8FD4945CCD626DE03B2E020D09CDE02A8A60BAF90463D181ED99F157457EF8106AAD1EFA06EA9C6D6EAFAD4F1660244C6755740D6AE13EDD3F39ED8FAE6E8C468810C635F477AC4DD5A2633E8319A3F4E4BBBDC0D6A360D82D2AE4B5F7FBB4909051149B8BF3A419145C304C7951711EB7AC4D1743D46847BB7587152ED12715396F9A3A9129044ABEA824DD770E4D53FC738253ECE8FA2D92824887098833050A9E99153D4CB425ED0CD372218E10D8193386035497B8A5CAFDB3797FC6E3D5E99BFCAB4B808C3541E64C36FEC3583C764E1AC6EF9F957C8733EC23AA2412098FFCB61F08D8CC79FC862C84DC6945E3667956F99CBF8679CA6B8555A34106EDB03709BA6555BC66A97D8A9ADA04EDEFFFCDAA6286DE574ABF80347E553CF9B6FC50A62E9A9C7D6291D983B4BACA330AEE9BDEB6AB7E8FA518A041FD5EC1C0D203116FEA7000BF9D4999861C23A7AFFF115CD8E84B124E4A0546640CC6CB651D6FD4B3D5E2C779FB32EA10315FAA7B4C8B8356476E03CF6EE4A312313FE36DA20E20C7FA4BA9FC589F5692A99AA540C410467072275E93D7F5EDC6107C222FE5B9C4860E58B4EF369D805F89BECB575E7EF11AF3EE2AFF939C133731676326F1A6FD58A771EB7FDAE5742951BDD0CD45BEA88050F843947650DC0CF019D30C61F16BD3BC6C41EF150D3A823332531B4410F206534EEF87FDD2FC7D34E4F81FA8A7FD98CA43EF26E533B931F1F2546FF0C51BC85B80ACC3E00F5D0CE9223F7BEF24FF46C771D3780A1DBD70E7C7449F7F7D87E1B7733D3964C398026C112688F34FE85B1B493B4E4FA6FD87692A76F7CE6531EEAFCADBFF4F4475B377527190C0A2DCAB737F146F6833E3DB9B0CC90282AF92BA531007DF0908A48D5C10ADD5DC6FDE0442A3AF32B639037C23FDA6BD5CAE55F525844C3419FCDD1B9DA4A606C83D94950EBB8AABEF91FD86D4213BCC12AF67125B4F68A51FD165B6D6331538FC86435023C46664AEEB18DD4BB472282C8157F6565187EDC831EEA8751C1DC203B8759313F55EFB856DC15C9C2B70963AFE280CF0A21E50A4E4AE35003C5D9A72A734F697B5D65478384B443817433EB4B1F82833E9A937DF011BC76E383E76354283F54E920121EEF99EA1CB7E160FF0C4D53403BBFCCB54464FE864BB703609CC3C87723FB7EF7CDA98EE8554CB32F559118BE82D5B056FE843ABF8E1E3F36E4F565E1634393A9708D6402343490033F491F0088A0F509791F93F63BA62EB2093E3BED2F5332814D8F7F0914E0083CA99F9938E790F3386E2DF1BD61DDC88D597510E2A6178F850EB13B201D52B194727FA96DD7DB78FAE0799DA29F502673D0242E78152AAE3CB0B5A83F448DE0C7C9F77AF36281F7D8C129CE05F70006BF936A29230568F03A71C91791A5006709049D936DB96A6288907103CB878BFD4806E14B059A58A4F968053F6489EE6AF0EBB9AF7C3D39AF2AF95E373CCE969C9D42C0B49C2424908999957B3C409A085AF6A7976FB58DE65C7659A69E6D3BC12207E9C0694D92B7528D53F9FEC0AF9EED349CD9B88C7788C71D108FD80871FB71E8E17B610A8D273E85E4079B442B3D803108CE17EAC33E529CE396F7F5648A2E4AC347D591B4F0BEFF931C6AD9445992668A3BD80215C99D6DA7646EA8A1B01F2B0F03E2E0A99AF0669D653462619CEF04EBAA475ADB92231E69CAFB783BF1A370E06C1E85ED55E00FE9849447FF878D05DBA9E60F431627BF2F6A2080C1BF91CF27AC55885BB4606A346D0A34F9A5FAE919ABFAE2AB0FE6D00C8A284D03678BC54B7C7A9C75ED014084B9E52F20374F9697641837BE2D0437EEA01A5244027B4FFC616BADFCCCA5ECF047A8A1C5509FCC80BDF097DB9FE6CA868BD92EBA9F70F239A256E2B63839FD13B43DFBD6EFBAAEDADFB6D7BDF333189392BC3A14E2B02391A03E25D6724A5997FB68E1BE7DFB568FDF660451DACE7E90C7C1FB47DAD3C8430A485196C3BF5C67474C4B5B742C1064FF0C5521604E83A65AB47879AF890D7CC8110067C8B6BA0978D8C9EED345863ECC8489DF979E68D60F1D44E0B28A125186A89346DF128C6426CF6CAB554E022DCDF617D1F82712F8E1715C175A3BBEA1C7E6D26EAF25935038393A1F3871C56B38B22C44ADD2E0F0531FA1B422973F5B8DE6721ACB132F4682494B3F4C0774C8B75C4F4E5

Emails

[email protected]

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

104.251.123.245:23600

Mutex

4119a2e0-4ae4-4843-8534-99af91a2475d

Attributes

encryption_key
DF6316067206E09C1F85138FCEBD56F5D94BF6AE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Startup
subdirectory
SubDir

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://pancakedipyps.click/api

Extracted

Family

redline

Botnet

first

212.56.41.77:1912

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

http://185.215.113.19

Attributes

install_dir
417fd29867
install_file
ednfoki.exe
strings_key
183201dc3defc4394182b4bff63c4065
url_paths
/CoreOPT/index.php

rc4.plain

Extracted

Family

redline

Botnet

@glowfy0

91.214.78.86:1912

Extracted

Family

amadey

Version

5.03

Botnet

7c4393

http://185.215.113.217

Attributes

install_dir
f9c76c1660
install_file
corept.exe
strings_key
9808a67f01d2f0720518035acbde7521
url_paths
/CoreOPT/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023e1e-1581.dat	family_umbral
behavioral2/memory/4932-1589-0x0000026E0D180000-0x0000026E0D1CC000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023cc6-10.dat	family_xworm
behavioral2/memory/1832-18-0x0000000000760000-0x00000000007A2000-memory.dmp	family_xworm

Detects Rhadamanthys payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023e38-1735.dat	Rhadamanthys_v8
behavioral2/memory/1384-1740-0x0000000000990000-0x0000000000A11000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/1384-1747-0x0000000000990000-0x0000000000A11000-memory.dmp	Rhadamanthys_v8

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023d1e-202.dat	family_quasar
behavioral2/memory/1968-216-0x00000000001F0000-0x0000000000514000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023e10-1725.dat	family_redline
behavioral2/memory/4428-1730-0x0000000000250000-0x00000000002A2000-memory.dmp	family_redline
behavioral2/files/0x0005000000022b07-1845.dat	family_redline
behavioral2/memory/648-1850-0x0000000000B30000-0x0000000000B82000-memory.dmp	family_redline

Redline family
redline
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 1384 created 2580	1384	zeropersca.exe	50
PID 4880 created 3408	4880	Waters.pif	56
PID 4880 created 3408	4880	Waters.pif	56

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023d1b-23.dat	family_asyncrat

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4936	powershell.exe
116	powershell.exe
1384	powershell.exe
3404	powershell.exe
3908	powershell.exe
4428	powershell.exe
3352	powershell.exe

Downloads MZ/PE file 14 IoCs

flow	pid	Process
109	1872	4363463463464363463463463.exe
147	1872	4363463463464363463463463.exe
40	1872	4363463463464363463463463.exe
40	1872	4363463463464363463463463.exe
40	1872	4363463463464363463463463.exe
40	1872	4363463463464363463463463.exe
40	1872	4363463463464363463463463.exe
40	1872	4363463463464363463463463.exe
94	1872	4363463463464363463463463.exe
94	1872	4363463463464363463463463.exe
94	1872	4363463463464363463463463.exe
94	1872	4363463463464363463463463.exe
139	1872	4363463463464363463463463.exe
89	1872	4363463463464363463463463.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2036	netsh.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	uhigdbf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	clamer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	splwow64_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	njrat.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 10 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wave.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt	Dpose.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c7c410475d4d33dd6b97dc1e4dc051b8.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe	l4.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Decryptfiles.txt	Dpose.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c7c410475d4d33dd6b97dc1e4dc051b8.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe	l4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wave.lnk	XClient.exe

Executes dropped EXE 28 IoCs

pid	Process
1832	XClient.exe
4228	Discord.exe
2680	Dpose.exe
4384	njrat.exe
1968	Client-built.exe
1980	Server.exe
3656	Wave.exe
276	SrbijaSetupHokej.exe
3908	SrbijaSetupHokej.tmp
5036	uhigdbf.exe
976	random.exe
4392	legs.exe
3024	clamer.exe
3032	legs.exe
928	legs.exe
4308	fseawd.exe
4384	meta.exe
4932	payload.exe
3752	zx.exe
1376	zx.exe
4428	Steanings.exe
1384	zeropersca.exe
2852	l4.exe
4144	l4.exe
4928	splwow64_1.exe
2708	Wave.exe
4316	woik.exe
648	toolwin.exe

Loads dropped DLL 11 IoCs

pid	Process
1376	zx.exe
1376	zx.exe
1376	zx.exe
1376	zx.exe
1376	zx.exe
4144	l4.exe
4144	l4.exe
4144	l4.exe
4144	l4.exe
4144	l4.exe
4144	l4.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XPSUDTARW = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\Dpose.exe\""	Dpose.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wave = "C:\\Users\\Admin\\AppData\\Roaming\\Wave.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c7c410475d4d33dd6b97dc1e4dc051b8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c7c410475d4d33dd6b97dc1e4dc051b8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Dpose.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Dpose.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Dpose.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Dpose.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
126	discord.com
127	discord.com
171	2.tcp.eu.ngrok.io
39	raw.githubusercontent.com
40	raw.githubusercontent.com
43	2.tcp.eu.ngrok.io
70	2.tcp.eu.ngrok.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
116	ip-api.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1376	tasklist.exe
2612	tasklist.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4392 set thread context of 928	4392	legs.exe	159
PID 4384 set thread context of 3572	4384	meta.exe	167
PID 976 set thread context of 3340	976	random.exe	213

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ViewpictureKingdom	splwow64_1.exe
File opened for modification	C:\Windows\BrandonBlind	splwow64_1.exe
File opened for modification	C:\Windows\IpaqArthur	splwow64_1.exe
File created	C:\Windows\Tasks\Test Task17.job	fseawd.exe
File opened for modification	C:\Windows\HardlyAircraft	splwow64_1.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023e2e-1645.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
516	4392	WerFault.exe	154

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Waters.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SrbijaSetupHokej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zeropersca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64_1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	legs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fseawd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SrbijaSetupHokej.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steanings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toolwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpose.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	njrat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	legs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4216	cmd.exe
8	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1612	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
8	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3016	schtasks.exe
3340	schtasks.exe
2480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1384	powershell.exe
1384	powershell.exe
1384	powershell.exe
3404	powershell.exe
3404	powershell.exe
3404	powershell.exe
3908	powershell.exe
3908	powershell.exe
3908	powershell.exe
4428	powershell.exe
4428	powershell.exe
4428	powershell.exe
2680	Dpose.exe
2680	Dpose.exe
2680	Dpose.exe
2680	Dpose.exe
2680	Dpose.exe
2680	Dpose.exe
2680	Dpose.exe
2680	Dpose.exe
2680	Dpose.exe
2680	Dpose.exe
2680	Dpose.exe
2680	Dpose.exe
2680	Dpose.exe
2680	Dpose.exe
3352	powershell.exe
3352	powershell.exe
3352	powershell.exe
4936	powershell.exe
4936	powershell.exe
4936	powershell.exe
116	powershell.exe
116	powershell.exe
116	powershell.exe
1384	zeropersca.exe
1384	zeropersca.exe
1384	zeropersca.exe
1384	zeropersca.exe
5048	fontdrvhost.exe
5048	fontdrvhost.exe
5048	fontdrvhost.exe
5048	fontdrvhost.exe
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	4363463463464363463463463.exe
Token: SeDebugPrivilege	1832	XClient.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	2680	Dpose.exe
Token: SeDebugPrivilege	2680	Dpose.exe
Token: SeDebugPrivilege	2680	Dpose.exe
Token: SeDebugPrivilege	2680	Dpose.exe
Token: SeDebugPrivilege	2680	Dpose.exe
Token: SeIncreaseQuotaPrivilege	1996	wmic.exe
Token: SeSecurityPrivilege	1996	wmic.exe
Token: SeTakeOwnershipPrivilege	1996	wmic.exe
Token: SeLoadDriverPrivilege	1996	wmic.exe
Token: SeSystemProfilePrivilege	1996	wmic.exe
Token: SeSystemtimePrivilege	1996	wmic.exe
Token: SeProfSingleProcessPrivilege	1996	wmic.exe
Token: SeIncBasePriorityPrivilege	1996	wmic.exe
Token: SeCreatePagefilePrivilege	1996	wmic.exe
Token: SeBackupPrivilege	1996	wmic.exe
Token: SeRestorePrivilege	1996	wmic.exe
Token: SeShutdownPrivilege	1996	wmic.exe
Token: SeDebugPrivilege	1996	wmic.exe
Token: SeSystemEnvironmentPrivilege	1996	wmic.exe
Token: SeRemoteShutdownPrivilege	1996	wmic.exe
Token: SeUndockPrivilege	1996	wmic.exe
Token: SeManageVolumePrivilege	1996	wmic.exe
Token: 33	1996	wmic.exe
Token: 34	1996	wmic.exe
Token: 35	1996	wmic.exe
Token: 36	1996	wmic.exe
Token: SeIncreaseQuotaPrivilege	1996	wmic.exe
Token: SeSecurityPrivilege	1996	wmic.exe
Token: SeTakeOwnershipPrivilege	1996	wmic.exe
Token: SeLoadDriverPrivilege	1996	wmic.exe
Token: SeSystemProfilePrivilege	1996	wmic.exe
Token: SeSystemtimePrivilege	1996	wmic.exe
Token: SeProfSingleProcessPrivilege	1996	wmic.exe
Token: SeIncBasePriorityPrivilege	1996	wmic.exe
Token: SeCreatePagefilePrivilege	1996	wmic.exe
Token: SeBackupPrivilege	1996	wmic.exe
Token: SeRestorePrivilege	1996	wmic.exe
Token: SeShutdownPrivilege	1996	wmic.exe
Token: SeDebugPrivilege	1996	wmic.exe
Token: SeSystemEnvironmentPrivilege	1996	wmic.exe
Token: SeRemoteShutdownPrivilege	1996	wmic.exe
Token: SeUndockPrivilege	1996	wmic.exe
Token: SeManageVolumePrivilege	1996	wmic.exe
Token: 33	1996	wmic.exe
Token: 34	1996	wmic.exe
Token: 35	1996	wmic.exe
Token: 36	1996	wmic.exe
Token: SeBackupPrivilege	3984	vssvc.exe
Token: SeRestorePrivilege	3984	vssvc.exe
Token: SeAuditPrivilege	3984	vssvc.exe
Token: SeDebugPrivilege	1968	Client-built.exe
Token: SeDebugPrivilege	1832	XClient.exe
Token: SeDebugPrivilege	2680	Dpose.exe
Token: SeDebugPrivilege	2680	Dpose.exe
Token: SeDebugPrivilege	2680	Dpose.exe
Token: SeDebugPrivilege	2680	Dpose.exe
Token: SeDebugPrivilege	2680	Dpose.exe
Token: SeDebugPrivilege	2680	Dpose.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1968	Client-built.exe
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1968	Client-built.exe
4880	Waters.pif
4880	Waters.pif
4880	Waters.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1968	Client-built.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1832	1872	4363463463464363463463463.exe	97
PID 1872 wrote to memory of 1832	1872	4363463463464363463463463.exe	97
PID 1872 wrote to memory of 4228	1872	4363463463464363463463463.exe	98
PID 1872 wrote to memory of 4228	1872	4363463463464363463463463.exe	98
PID 1872 wrote to memory of 4228	1872	4363463463464363463463463.exe	98
PID 1872 wrote to memory of 2680	1872	4363463463464363463463463.exe	99
PID 1872 wrote to memory of 2680	1872	4363463463464363463463463.exe	99
PID 1872 wrote to memory of 2680	1872	4363463463464363463463463.exe	99
PID 1872 wrote to memory of 4384	1872	4363463463464363463463463.exe	100
PID 1872 wrote to memory of 4384	1872	4363463463464363463463463.exe	100
PID 1872 wrote to memory of 4384	1872	4363463463464363463463463.exe	100
PID 1832 wrote to memory of 1384	1832	XClient.exe	101
PID 1832 wrote to memory of 1384	1832	XClient.exe	101
PID 1832 wrote to memory of 3404	1832	XClient.exe	103
PID 1832 wrote to memory of 3404	1832	XClient.exe	103
PID 1832 wrote to memory of 3908	1832	XClient.exe	105
PID 1832 wrote to memory of 3908	1832	XClient.exe	105
PID 1832 wrote to memory of 4428	1832	XClient.exe	108
PID 1832 wrote to memory of 4428	1832	XClient.exe	108
PID 2680 wrote to memory of 1996	2680	Dpose.exe	110
PID 2680 wrote to memory of 1996	2680	Dpose.exe	110
PID 1872 wrote to memory of 1968	1872	4363463463464363463463463.exe	115
PID 1872 wrote to memory of 1968	1872	4363463463464363463463463.exe	115
PID 1832 wrote to memory of 3016	1832	XClient.exe	116
PID 1832 wrote to memory of 3016	1832	XClient.exe	116
PID 4384 wrote to memory of 1980	4384	njrat.exe	118
PID 4384 wrote to memory of 1980	4384	njrat.exe	118
PID 4384 wrote to memory of 1980	4384	njrat.exe	118
PID 1968 wrote to memory of 3340	1968	Client-built.exe	119
PID 1968 wrote to memory of 3340	1968	Client-built.exe	119
PID 1980 wrote to memory of 2036	1980	Server.exe	131
PID 1980 wrote to memory of 2036	1980	Server.exe	131
PID 1980 wrote to memory of 2036	1980	Server.exe	131
PID 2680 wrote to memory of 4880	2680	Dpose.exe	133
PID 2680 wrote to memory of 4880	2680	Dpose.exe	133
PID 2680 wrote to memory of 4216	2680	Dpose.exe	135
PID 2680 wrote to memory of 4216	2680	Dpose.exe	135
PID 2680 wrote to memory of 4216	2680	Dpose.exe	135
PID 4216 wrote to memory of 8	4216	cmd.exe	137
PID 4216 wrote to memory of 8	4216	cmd.exe	137
PID 4216 wrote to memory of 8	4216	cmd.exe	137
PID 1872 wrote to memory of 276	1872	4363463463464363463463463.exe	148
PID 1872 wrote to memory of 276	1872	4363463463464363463463463.exe	148
PID 1872 wrote to memory of 276	1872	4363463463464363463463463.exe	148
PID 276 wrote to memory of 3908	276	SrbijaSetupHokej.exe	149
PID 276 wrote to memory of 3908	276	SrbijaSetupHokej.exe	149
PID 276 wrote to memory of 3908	276	SrbijaSetupHokej.exe	149
PID 1872 wrote to memory of 5036	1872	4363463463464363463463463.exe	150
PID 1872 wrote to memory of 5036	1872	4363463463464363463463463.exe	150
PID 1872 wrote to memory of 976	1872	4363463463464363463463463.exe	151
PID 1872 wrote to memory of 976	1872	4363463463464363463463463.exe	151
PID 5036 wrote to memory of 224	5036	uhigdbf.exe	152
PID 5036 wrote to memory of 224	5036	uhigdbf.exe	152
PID 1872 wrote to memory of 4392	1872	4363463463464363463463463.exe	154
PID 1872 wrote to memory of 4392	1872	4363463463464363463463463.exe	154
PID 1872 wrote to memory of 4392	1872	4363463463464363463463463.exe	154
PID 224 wrote to memory of 3024	224	cmd.exe	157
PID 224 wrote to memory of 3024	224	cmd.exe	157
PID 4392 wrote to memory of 3032	4392	legs.exe	158
PID 4392 wrote to memory of 3032	4392	legs.exe	158
PID 4392 wrote to memory of 3032	4392	legs.exe	158
PID 4392 wrote to memory of 928	4392	legs.exe	159
PID 4392 wrote to memory of 928	4392	legs.exe	159
PID 4392 wrote to memory of 928	4392	legs.exe	159

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2580
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5048

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Downloads MZ/PE file
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Wave.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wave.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4428
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Wave" /tr "C:\Users\Admin\AppData\Roaming\Wave.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3016
- - C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4228
- - C:\Users\Admin\AppData\Local\Temp\Files\Dpose.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Dpose.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - \??\c:\Windows\system32\wbem\wmic.exe
      c:\uchAjG\uchA\..\..\Windows\uchA\uchA\..\..\system32\uchA\uchA\..\..\wbem\uchA\uchAj\..\..\wmic.exe shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1996
  - - \??\c:\Windows\system32\wbem\wmic.exe
      c:\MGhINP\MGhI\..\..\Windows\MGhI\MGhI\..\..\system32\MGhI\MGhI\..\..\wbem\MGhI\MGhIN\..\..\wmic.exe shadowcopy delete
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\Dpose.exe"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:4216
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8
- - C:\Users\Admin\AppData\Local\Temp\Files\njrat.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\njrat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2036
- - C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3340
- - C:\Users\Admin\AppData\Local\Temp\Files\SrbijaSetupHokej.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\SrbijaSetupHokej.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Users\Admin\AppData\Local\Temp\is-U3NO2.tmp\SrbijaSetupHokej.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-U3NO2.tmp\SrbijaSetupHokej.tmp" /SL5="$F003E,3939740,937984,C:\Users\Admin\AppData\Local\Temp\Files\SrbijaSetupHokej.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3908
- - C:\Users\Admin\AppData\Local\Temp\Files\uhigdbf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\uhigdbf.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
        
        clamer.exe -priverdD
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3024
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4308
- - C:\Users\Admin\AppData\Local\Temp\Files\random.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:976
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
      4⤵
      PID:3340
- - C:\Users\Admin\AppData\Local\Temp\Files\legs.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\legs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Users\Admin\AppData\Local\Temp\Files\legs.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\legs.exe"
      4⤵
      Executes dropped EXE
      PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\Files\legs.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\legs.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 152
      4⤵
      Program crash
      PID:516
- - C:\Users\Admin\AppData\Local\Temp\Files\meta.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\meta.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3572
- - C:\Users\Admin\AppData\Local\Temp\Files\payload.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\payload.exe"
    3⤵
    - Executes dropped EXE
    PID:4932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\payload.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4936
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:8
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:4284
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:116
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1612
- - C:\Users\Admin\AppData\Local\Temp\Files\zx.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\zx.exe"
    3⤵
    - Executes dropped EXE
    PID:3752
  - - C:\Users\Admin\AppData\Local\Temp\Files\zx.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\zx.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1376
- - C:\Users\Admin\AppData\Local\Temp\Files\Steanings.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Steanings.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4428
- - C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1384
- - C:\Users\Admin\AppData\Local\Temp\Files\l4.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\l4.exe"
    3⤵
    - Executes dropped EXE
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2852_133850853456339229\l4.exe
      C:\Users\Admin\AppData\Local\Temp\Files\l4.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      PID:4144
- - C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1612
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1376
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2612
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 607698
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "MaskBathroomCompositionInjection" Participants
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:652
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
    - - C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
        
        Waters.pif Q
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4880
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
- - C:\Users\Admin\AppData\Local\Temp\Files\toolwin.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\toolwin.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3464
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\AppData\Roaming\Wave.exe
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4392 -ip 4392
1⤵
PID:4936

C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\AppData\Roaming\Wave.exe
1⤵
- Executes dropped EXE
PID:2708

C:\ProgramData\npdmpr\woik.exe
C:\ProgramData\npdmpr\woik.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
26403455115fbc3da2573a37cc28744a

SHA1
6a9bf407036a8b9d36313462c0257f53b4ee9170

SHA256
222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

SHA512
be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd2d04a3823d3e21fd5835181caebcaf

SHA1
2507b0e1b5d177811f5df27fc462ca35c194d197

SHA256
29c3c7a21a1b670ace9b6de23ccdca331305c8aa1e806ad2f87ebf9e35b95e30

SHA512
3556cf6c246cc0018d55d4de8b949e5b3898ce09612418cab8527b40b1711b51930b03096271e88876a75a2d59a102efd9720ca20de7dc8fae2bba77e4819114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
39c2ac09b52b0685c7da5b25746d8a64

SHA1
c0ac1559da69dc9ad0496c11ce37ef9b907ea656

SHA256
c582429e23c81918907db9c7f32bef2d32c873f2da84fa450707482408e3a160

SHA512
9a6f4c5944cecdd6cf2114f7db583e4742a93b3c9eec6fd60328585370a8ba2f917f7ce689c0341d2dbf391f58ff34ee0088d9d2158ebb2450c547257da095a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
82f6682ddcfc025adbb65c3ab116145f

SHA1
4590665b8969a96ad26f282a4bb56d6079f85f61

SHA256
10a805bf7715d4e0813be69dafbb2a95c1fdd7b700a13641d9f58781dfd6393f

SHA512
bf941a63583fb62ce6ad1c4f163ebae1745159d355b2649ac72fcd2747462b93601b06f9660aa13e182a6ef48c4256eda2650186da9165779e337abcd177e496

Download Submit
C:\Users\Admin\AppData\Local\Temp\170604239850

Filesize
45KB

MD5
116af517f423ba3bb4889d4fffeaa53c

SHA1
80686906b09a8014eab0f95be8b686125e28bd23

SHA256
8121039ad1905c62700b3a8fc6a1fc18196f7cddb1c0efc13583debe9bd3bcf2

SHA512
0ece8cfb78661982972a6f94919343c84d71bc41a78c14733e6281c65df4dbc0c76df732c86ed47c5cd7756ae82325a02fde4a2bde6403f20f71c5ff63d6e5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Filesize
4KB

MD5
d623db0219ab5bd023191ca8b6bba41f

SHA1
e9533c97734b88e4d83950a3c7fa7c3ca167a3c0

SHA256
4380cb3e8c4fdc31f86500dc3a9f0fcfa6e48ce2d448d234c51b8fdff00336b0

SHA512
2e06f49c236d944d0235a4112af6e84431e654267deea768b2ed22112b23dd32536f0459c7d2245beacae69b84d1f41adfcf6e4d7c89c42daab2082c90ce23f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
3.1MB

MD5
cbad8ccc75f88cd7c6b5ab3ec70f2e2c

SHA1
b38fe0e24043d3867de1beac829297650c8b1fda

SHA256
4e217e2407d26687d8d2f12ad07d7013a5c0c236db79ab72b402e7fe18b0e987

SHA512
0dec15040dc1b60892ac2330a593891bb5d0e4fdf77075fdacaac9034d53cafebaff4a362236f350ae93cd67ed4a45c1dea8d75b126fc205037780b23322224c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe

Filesize
45KB

MD5
9dcd35fe3cafec7a25aa3cdd08ded1f4

SHA1
13f199bfd3f8b2925536144a1b42424675d7c8e4

SHA256
ce4f85d935fe68a1c92469367b945f26c40c71feb656ef844c30a5483dc5c0be

SHA512
9a4293b2f2d0f1b86f116c5560a238ea5910454d5235aedb60695254d7cc2c3b1cd9dd1b890b9f94249ee0ca25a9fb457a66ca52398907a6d5775b0d2e2b70d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Dpose.exe

Filesize
875KB

MD5
331031dc04a856a1f9116494fae27339

SHA1
e363fef9a5bd634b581aabae6710ff18c46e359d

SHA256
1a4b61f07e83bf7dbb860996f3d9c0953d61afb4ed5d39acac7563fd091298dc

SHA512
e7ac6699d7637eb620d4427167564ff92b79b6c420f4fe9725f271d630d3adfee2d56358d90f91d417cbbd4523e3a147c0b8e86082aa562436fed50ccf5b87d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SrbijaSetupHokej.exe

Filesize
4.5MB

MD5
528b9a26fd19839aeba788171c568311

SHA1
8276a9db275dccad133cc7d48cf0b8d97b91f1e2

SHA256
f84477a25b3fd48faf72484d4d9f86a4152b07baf5bc743656451fe36df2d482

SHA512
255baefe30d50c9cd35654820f0aa59daccd324b631cc1b10a3d906b489f431bba71836bb0558a81df262b49fb893ca26e0029cca6e2c961f907aac2462da438

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Steanings.exe

Filesize
300KB

MD5
9848b927987f298730db70a89574fdad

SHA1
c7c60e246f5025ca90622ca0eca8749452bab43e

SHA256
984bfd0f35280b016c3385527d3eec75afe765bb13c67059d1d2aa31673cec04

SHA512
613b646775e89039ac2107e229269228999cdc6cb691251b2e95dab7e8308c105f132a51ed0fd56cc8c756388956cb375f921142e57936bed35f3c2f41a19cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
237KB

MD5
ac4ef9a196e1fcbf046a1f357d1240a2

SHA1
ab74bd5ef75aea3153da22dda211e08eb0a30c8b

SHA256
3f3d33237e56d547df335c22816af3cde586a66e234e2ea6ea9ab5f90cb4b0a7

SHA512
5c79ed5aad2ca76b1faab75f125d79b46db73ae78b76951d5edd199e3e1d874cdcc1e79e7f70aff362e6cea0b4561a9998daf8db7acb0ec921148a7790747369

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\l4.exe

Filesize
5.9MB

MD5
d68f79c459ee4ae03b76fa5ba151a41f

SHA1
bfa641085d59d58993ba98ac9ee376f898ee5f7b

SHA256
aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6

SHA512
bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\legs.exe

Filesize
358KB

MD5
a2697e928936f05710dfb331f982c917

SHA1
640bd258cf5215728810eafef0e898b5596b5c7c

SHA256
2854e22091c01a1c1a9b654d7305ec7beb0bcc703e161dbef06af7d9c401495b

SHA512
87419562c73bd05d1e8ead691fcdfabcdb56f6676af8cac79aa0c16d8df636e74d477db8185290a4b51afa5a1b2e49a46e9c77afe6355974c3c0c370df3d32b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\meta.exe

Filesize
2.7MB

MD5
3aace51d76b16a60e94636150bd1137e

SHA1
f6f1e069df72735cb940058ddfb7144166f8489b

SHA256
b51004463e8cdfe74c593f1d3e883ff20d53ad6081de7bf46bb3837b86975955

SHA512
95fb1f22ed9454911bfca8ada4c8d0a6cf402de3324b133e1c70afaa272a5b5a54302a0d1eb221999da9343ba90b3cac0b2daecf1879d0b9b40857330a0d0f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\njrat.exe

Filesize
23KB

MD5
8a71e8ebf8c24d8f7b48a29fc023815e

SHA1
3c279527d5f1dba32466fbd19b7d073df291e596

SHA256
36882afaff37f70be8d2566f1b4f8a05764c27305f4809002f1ee2822b6d8ea5

SHA512
258c88e0993258f091b5ce3bd57aae8be0d8f30be0f420aea08bad9a99242e1f246a6c140c933fc088b6ada2b1046f1195c3030593ce1338fb77925452348a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\payload.exe

Filesize
278KB

MD5
4161933db29f115083240097de574bc5

SHA1
219724f70ed21b3729b08076608cdf9551206ee9

SHA256
f56dcf7ccc7c047dade761726c71eea39555ed0bc9a362507856b5dc011a4795

SHA512
07be56c2c28115b64a4471a4d5f02352d3c87223ddfe5e9b89a9df98c8215951dc39bec0585f8f9821a7c81131845dcf5fe90be0524e9ff277c39cf81104c90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\random.exe

Filesize
734KB

MD5
98e538d63ec5a23a3acc374236ae20b6

SHA1
f3fec38f80199e346cac912bf8b65249988a2a7e

SHA256
4d8fbc7578dca954407746a1d73e3232cd8db79dccd57acbeef80da369069a91

SHA512
951a750998448cd3653153bdf24705101136305ff4744ee2092952d773121817fa36347cb797586c58d0f3efc9cfa40ae6d9ce6ea5d2e8ec41acf8d9a03b0827

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe

Filesize
1.3MB

MD5
2b01c9b0c69f13da5ee7889a4b17c45e

SHA1
27f0c1ae0ddeddc9efac38bc473476b103fef043

SHA256
d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29

SHA512
23d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\toolwin.exe

Filesize
300KB

MD5
5c544cd5437d21e63c9990e42e92ffbf

SHA1
15981a0f2a6078e1c65285f2ff3114b1e2158a64

SHA256
8f33fcc42396a72e93bc42947d8fc659ff691ea154f76babe06626f666aa3926

SHA512
a8e9c15e3db54ae69ca18e07acc14c27298fa4162b6d9e40f87895d1a74267b2797b0137d9fb80c3a8a65f83b0ea071eb7a22d31e7bb99022f712ef8287f0f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\uhigdbf.exe

Filesize
898KB

MD5
eeecdefa939b534bc8f774a15e05ab0f

SHA1
4a20176527706aea33b22f436f6856572a9e4946

SHA256
3bdbca5f67754b92ff8d89e2db9f0ed3c5d50f8b434577866d18faa4c1fd343c

SHA512
3253eaebc2b14186131ac2170f8a62fe8271bf20ddf8b1024036fd1f9a00ea2d8d8b79646af9a8476d440374146bec3130591779b083905563146921b969b381

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\zeropersca.exe

Filesize
439KB

MD5
54b809ae715bbf1575987141ebc06d9c

SHA1
b3dde84144467b3073cce84e1ef1981cd7949930

SHA256
9a3d5b3bb4061c11f0828bfe358d3bc7f9ac4e62be67aa35cc4e53b5d140cb67

SHA512
e5ead6ece85209e64a51487903fe080b4d2a721583be30d41915d1b695777c86651cf970a3b634ec019a2f0f9966dedafdfa0d63374593de3c95d1086ef9ee87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\zx.exe

Filesize
5.6MB

MD5
81358ffecf9c41b4f6702be698e437e4

SHA1
8f1b8b1cf18154eb916e2594b4089034af327f8a

SHA256
d29f12ad00ae702fb9d2fd8518e6aa996e15e0c57136611967fc18088d55a886

SHA512
ecb2ffae3456bdadbeaa2cdf61f1fc1de5c91da26a3986017127bcf356875e2cdc4137179ab32ae36add8beaff3730abcc84d5a95a8ace948520ff15e92bcbf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
37B

MD5
28151380c82f5de81c1323171201e013

SHA1
ae515d813ba2b17c8c5ebdae196663dc81c26d3c

SHA256
bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d

SHA512
46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe

Filesize
453KB

MD5
135b0687503cb65f57e494eed9a6f551

SHA1
a4ed81f972c32d3170b5b33e67a41abbd6c1184a

SHA256
acc6551cf9cf2b8292f8f384467920fc633fdcdc4e5431794dd850ae66a8a457

SHA512
9253143306c6733180b0bea3c7463b4ca8d22a970a65eae05f766ced87ed973c0670867f69b8c72d318d93719da712276e64041a8b4269e818e41de113f6e22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe

Filesize
16KB

MD5
e7d405eec8052898f4d2b0440a6b72c9

SHA1
58cf7bfcec81faf744682f9479b905feed8e6e68

SHA256
b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2

SHA512
324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\api-ms-win-core-console-l1-1-0.dll

Filesize
19KB

MD5
b56d69079d2001c1b2af272774b53a64

SHA1
67ede1c5a71412b11847f79f5a684eabaf00de01

SHA256
f3a41d882544202b2e1bdf3d955458be11fc7f76ba12668388a681870636f143

SHA512
7eb8fe111dd2e1f7e308b622461eb311c2b9fc4ef44c76e1def6c524eb7281d5522af12211f1f91f651f2b678592d2997fe4cd15724f700deaff314a1737b3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\api-ms-win-core-datetime-l1-1-0.dll

Filesize
19KB

MD5
5af784f599437629deea9fe4e8eb4799

SHA1
3c891b920fd2703edd6881117ea035ced5a619f6

SHA256
7e5bd3ee263d09c7998e0d5ffa684906ddc56da61536331c89c74b039df00c7c

SHA512
4df58513cf52511c0d2037cdc674115d8ed5a0ed4360eb6383cc6a798a7037f3f7f2d587797223ed7797ccd476f1c503b3c16e095843f43e6b87d55ad4822d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\api-ms-win-core-debug-l1-1-0.dll

Filesize
19KB

MD5
e1ca15cf0597c6743b3876af23a96960

SHA1
301231f7250431bd122b12ed34a8d4e8bb379457

SHA256
990e46d8f7c9574a558ebdfcb8739fbccba59d0d3a2193c9c8e66807387a276d

SHA512
7c9dacd882a0650bf2f553e9bc5647e6320a66021ac4c1adc802070fd53de4c6672a7bacfd397c51009a23b6762e85c8017895e9347a94d489d42c50fa0a1c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
19KB

MD5
8d6599d7c4897dcd0217070cca074574

SHA1
25eacaaa4c6f89945e97388796a8c85ba6fb01fb

SHA256
a011260fafaaaefd7e7326d8d5290c6a76d55e5af4e43ffa4de5fea9b08fa928

SHA512
e8e2e7c5bff41ccaa0f77c3cfee48dac43c11e75688f03b719cc1d716db047597a7a2ce25b561171ef259957bdcd9dd4345a0e0125db2b36f31698ba178e2248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\api-ms-win-core-file-l1-1-0.dll

Filesize
22KB

MD5
642b29701907e98e2aa7d36eba7d78b8

SHA1
16f46b0e057816f3592f9c0a6671111ea2f35114

SHA256
5d72feac789562d445d745a55a99536fa9302b0c27b8f493f025ba69ba31941c

SHA512
1beab2b368cc595beb39b2f5a2f52d334bc42bf674b8039d334c6d399c966aff0b15876105f0a4a54fa08e021cb44907ed47d31a0af9e789eb4102b82025cf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
f0c73f7454a5ce6fb8e3d795fdb0235d

SHA1
acdd6c5a359421d268b28ddf19d3bcb71f36c010

SHA256
2a59dd891533a028fae7a81e690e4c28c9074c2f327393fab17329affe53fd7b

SHA512
bd6cf4e37c3e7a1a3b36f42858af1b476f69caa4ba1fd836a7e32220e5eff7ccc811c903019560844af988a7c77cc41dc6216c0c949d8e04516a537da5821a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
7d4d4593b478b4357446c106b64e61f8

SHA1
8a4969c9e59d7a7485c8cc5723c037b20dea5c9d

SHA256
0a6e2224cde90a0d41926e8863f9956848ffbf19848e8855bd08953112afc801

SHA512
7bc9c473705ec98ba0c1da31c295937d97710cedefc660f6a5cb0512bae36ad23bebb2f6f14df7ce7f90ec3f817b02f577317fdd514560aab22cb0434d8e4e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\api-ms-win-core-handle-l1-1-0.dll

Filesize
19KB

MD5
7bc1b8712e266db746914db48b27ef9c

SHA1
c76eb162c23865b3f1bd7978f7979d6ba09ccb60

SHA256
f82d05aea21bcf6337ef45fbdad6d647d17c043a67b44c7234f149f861a012b9

SHA512
db6983f5f9c18908266dbf01ef95ebae49f88edc04a0515699ef12201ac9a50f09939b8784c75ae513105ada5b155e5330bd42d70f8c8c48fe6005513aefad2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\api-ms-win-core-heap-l1-1-0.dll

Filesize
19KB

MD5
b071e761cea670d89d7ae80e016ce7e6

SHA1
c675be753dbef1624100f16674c2221a20cf07dd

SHA256
63fb84a49308b857804ae1481d2d53b00a88bbd806d257d196de2bd5c385701e

SHA512
f2ecbdaba3516d92bd29dcce618185f1755451d95c7dbbe23f8215318f6f300a9964c93ec3ed65c5535d87be82b668e1d3025a7e325af71a05f14e15d530d35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\base_library.zip

Filesize
821KB

MD5
f4981249047e4b7709801a388e2965af

SHA1
42847b581e714a407a0b73e5dab019b104ec9af2

SHA256
b191e669b1c715026d0732cbf8415f1ff5cfba5ed9d818444719d03e72d14233

SHA512
e8ef3fb3c9d5ef8ae9065838b124ba4920a3a1ba2d4174269cad05c1f318bc9ff80b1c6a6c0f3493e998f0587ef59be0305bc92e009e67b82836755470bc1b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37522\ucrtbase.dll

Filesize
1021KB

MD5
4e326feeb3ebf1e3eb21eeb224345727

SHA1
f156a272dbc6695cc170b6091ef8cd41db7ba040

SHA256
3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9

SHA512
be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dkfrcb5b.5hs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U3NO2.tmp\SrbijaSetupHokej.tmp

Filesize
2.6MB

MD5
c1f245b6132c60c691b6c82d580c01dd

SHA1
e57c80890d412168525482b877f5968eab188088

SHA256
988f006a8ab95ad735ab271a0b027e1fdb215d3fa4c247fd2fdad52ac5534b77

SHA512
8223a20fdb33dd2e8333ac45711d7d11539baa4401d650e82dc4b95949324740f00834e42b695bd64e7092ae3be1c69ea21c297bba8518605e98bf3590556ffd

Download Submit
memory/276-1502-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/276-1639-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/648-1850-0x0000000000B30000-0x0000000000B82000-memory.dmp

Filesize
328KB

Download
memory/928-1554-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/928-1552-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/976-1528-0x0000000000540000-0x00000000005FE000-memory.dmp

Filesize
760KB

Download
memory/976-1542-0x000000001B250000-0x000000001B2D2000-memory.dmp

Filesize
520KB

Download
memory/1384-1747-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/1384-1742-0x0000000000C90000-0x0000000001090000-memory.dmp

Filesize
4.0MB

Download
memory/1384-1741-0x0000000000C90000-0x0000000001090000-memory.dmp

Filesize
4.0MB

Download
memory/1384-1740-0x0000000000990000-0x0000000000A11000-memory.dmp

Filesize
516KB

Download
memory/1384-1743-0x00007FFE46D30000-0x00007FFE46F25000-memory.dmp

Filesize
2.0MB

Download
memory/1384-1745-0x00000000767D0000-0x00000000769E5000-memory.dmp

Filesize
2.1MB

Download
memory/1384-52-0x000002AB533D0000-0x000002AB533F2000-memory.dmp

Filesize
136KB

Download
memory/1832-17-0x00007FFE27123000-0x00007FFE27125000-memory.dmp

Filesize
8KB

Download
memory/1832-18-0x0000000000760000-0x00000000007A2000-memory.dmp

Filesize
264KB

Download
memory/1832-272-0x000000001B490000-0x000000001B4A0000-memory.dmp

Filesize
64KB

Download
memory/1832-376-0x00007FFE27123000-0x00007FFE27125000-memory.dmp

Filesize
8KB

Download
memory/1832-1490-0x000000001B490000-0x000000001B4A0000-memory.dmp

Filesize
64KB

Download
memory/1872-4-0x0000000074EFE000-0x0000000074EFF000-memory.dmp

Filesize
4KB

Download
memory/1872-3-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/1872-1-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/1872-5-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/1872-0-0x0000000074EFE000-0x0000000074EFF000-memory.dmp

Filesize
4KB

Download
memory/1872-2-0x00000000055D0000-0x000000000566C000-memory.dmp

Filesize
624KB

Download
memory/1968-216-0x00000000001F0000-0x0000000000514000-memory.dmp

Filesize
3.1MB

Download
memory/1968-332-0x000000001BF10000-0x000000001BFC2000-memory.dmp

Filesize
712KB

Download
memory/1968-329-0x000000001BE00000-0x000000001BE50000-memory.dmp

Filesize
320KB

Download
memory/3340-1854-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3340-1853-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3572-1591-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/3572-1587-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3572-1635-0x0000000008530000-0x000000000857C000-memory.dmp

Filesize
304KB

Download
memory/3572-1634-0x00000000083C0000-0x00000000083FC000-memory.dmp

Filesize
240KB

Download
memory/3572-1633-0x0000000008360000-0x0000000008372000-memory.dmp

Filesize
72KB

Download
memory/3572-1632-0x0000000008420000-0x000000000852A000-memory.dmp

Filesize
1.0MB

Download
memory/3572-1631-0x00000000088D0000-0x0000000008EE8000-memory.dmp

Filesize
6.1MB

Download
memory/3572-1590-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/3908-1823-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/3908-1825-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/3908-1821-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/3908-1840-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/3908-1863-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/3908-1861-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/3908-1640-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/3908-1852-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/3908-1754-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/4228-716-0x0000000074EFE000-0x0000000074EFF000-memory.dmp

Filesize
4KB

Download
memory/4228-30-0x0000000000070000-0x0000000000082000-memory.dmp

Filesize
72KB

Download
memory/4392-1544-0x0000000000F70000-0x0000000000FD2000-memory.dmp

Filesize
392KB

Download
memory/4392-1548-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/4428-1730-0x0000000000250000-0x00000000002A2000-memory.dmp

Filesize
328KB

Download
memory/4880-1833-0x00000000043D0000-0x0000000004441000-memory.dmp

Filesize
452KB

Download
memory/4880-1830-0x00000000043D0000-0x0000000004441000-memory.dmp

Filesize
452KB

Download
memory/4880-1831-0x00000000043D0000-0x0000000004441000-memory.dmp

Filesize
452KB

Download
memory/4880-1826-0x00000000043D0000-0x0000000004441000-memory.dmp

Filesize
452KB

Download
memory/4880-1827-0x00000000043D0000-0x0000000004441000-memory.dmp

Filesize
452KB

Download
memory/4880-1828-0x00000000043D0000-0x0000000004441000-memory.dmp

Filesize
452KB

Download
memory/4880-1829-0x00000000043D0000-0x0000000004441000-memory.dmp

Filesize
452KB

Download
memory/4932-1589-0x0000026E0D180000-0x0000026E0D1CC000-memory.dmp

Filesize
304KB

Download
memory/4932-1619-0x0000026E28410000-0x0000026E2842E000-memory.dmp

Filesize
120KB

Download
memory/4932-1615-0x0000026E278E0000-0x0000026E27956000-memory.dmp

Filesize
472KB

Download
memory/4932-1616-0x0000026E27860000-0x0000026E2786A000-memory.dmp

Filesize
40KB

Download
memory/4932-1617-0x0000026E278B0000-0x0000026E278C2000-memory.dmp

Filesize
72KB

Download
memory/5048-1755-0x0000000003520000-0x000000000354C000-memory.dmp

Filesize
176KB

Download
memory/5048-1761-0x00000000010E0000-0x00000000014E0000-memory.dmp

Filesize
4.0MB

Download
memory/5048-1760-0x00000000010E0000-0x00000000014E0000-memory.dmp

Filesize
4.0MB

Download
memory/5048-1752-0x00000000767D0000-0x00000000769E5000-memory.dmp

Filesize
2.1MB

Download
memory/5048-1749-0x00000000010E0000-0x00000000014E0000-memory.dmp

Filesize
4.0MB

Download
memory/5048-1750-0x00007FFE46D30000-0x00007FFE46F25000-memory.dmp

Filesize
2.0MB

Download
memory/5048-1746-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download