amadey | 43979eec990561d1024709380f8d7b97f95156f672f2aa37ebc4806eccf62571

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Flasher.exe
Size

1.9MB
MD5

7175d81d25f930437cbe872da4d6146e
SHA1

aff6402b462e139b998e4afc4cdef7cdb246f788
SHA256

9a3f94eb934151c3114d646d229289b5670a0f99f99393a6f2b692ec5cf9cab3
SHA512

3aa38a22511cc5d5717b2af284d9ba7b1f8228bd603930b9c4853c22f12b87c92c9b49e8b469f75c195b2b5a3f74bb5ca92f0890666bf659d6fef6c3c0f67082
SSDEEP

24576:1dTwms7tp9VZ5Mo2QhG3aMUFgElJkWQezUmops7mwfMZhrS2N6zKnBDGxk8uE+cG:/1et19y+lMLOz49Gxk8Z+cq

Score

10^/10

amadey svcstealer 2128e7 discovery downloader persistence pyinstaller spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.30

Botnet

2128e7

http://185.81.68.156

Attributes

install_dir
f917d25a84
install_file
Gxtuum.exe
strings_key
18df5e065d410729e56d0ce2b95f56d8
url_paths
/jb87ejvjdsS/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects SvcStealer Payload 64 IoCs

SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

resource	yara_rule
behavioral4/files/0x000800000002428f-109.dat	family_svcstealer
behavioral4/memory/1464-110-0x00007FF6FC650000-0x00007FF6FC755000-memory.dmp	family_svcstealer
behavioral4/memory/1740-113-0x00007FF6FC650000-0x00007FF6FC755000-memory.dmp	family_svcstealer
behavioral4/memory/5000-125-0x00007FF732100000-0x00007FF732205000-memory.dmp	family_svcstealer
behavioral4/memory/5000-126-0x00007FF732100000-0x00007FF732205000-memory.dmp	family_svcstealer
behavioral4/memory/4380-154-0x00007FF7068E0000-0x00007FF7069E5000-memory.dmp	family_svcstealer
behavioral4/memory/4380-155-0x00007FF7068E0000-0x00007FF7069E5000-memory.dmp	family_svcstealer
behavioral4/memory/2100-162-0x00007FF6DAB60000-0x00007FF6DAC65000-memory.dmp	family_svcstealer
behavioral4/memory/2100-163-0x00007FF6DAB60000-0x00007FF6DAC65000-memory.dmp	family_svcstealer
behavioral4/memory/5208-187-0x00007FF7508C0000-0x00007FF7509C5000-memory.dmp	family_svcstealer
behavioral4/memory/5208-188-0x00007FF7508C0000-0x00007FF7509C5000-memory.dmp	family_svcstealer
behavioral4/memory/5760-195-0x00007FF75B370000-0x00007FF75B475000-memory.dmp	family_svcstealer
behavioral4/memory/5760-196-0x00007FF75B370000-0x00007FF75B475000-memory.dmp	family_svcstealer
behavioral4/memory/864-217-0x00007FF778450000-0x00007FF778555000-memory.dmp	family_svcstealer
behavioral4/memory/3548-224-0x00007FF7998E0000-0x00007FF7999E5000-memory.dmp	family_svcstealer
behavioral4/memory/3548-225-0x00007FF7998E0000-0x00007FF7999E5000-memory.dmp	family_svcstealer
behavioral4/memory/3856-232-0x00007FF726770000-0x00007FF726875000-memory.dmp	family_svcstealer
behavioral4/memory/3856-233-0x00007FF726770000-0x00007FF726875000-memory.dmp	family_svcstealer
behavioral4/memory/2044-240-0x00007FF63C950000-0x00007FF63CA55000-memory.dmp	family_svcstealer
behavioral4/memory/2044-241-0x00007FF63C950000-0x00007FF63CA55000-memory.dmp	family_svcstealer
behavioral4/memory/1488-248-0x00007FF735740000-0x00007FF735845000-memory.dmp	family_svcstealer
behavioral4/memory/1488-249-0x00007FF735740000-0x00007FF735845000-memory.dmp	family_svcstealer
behavioral4/memory/1000-256-0x00007FF780DC0000-0x00007FF780EC5000-memory.dmp	family_svcstealer
behavioral4/memory/1000-257-0x00007FF780DC0000-0x00007FF780EC5000-memory.dmp	family_svcstealer
behavioral4/memory/5392-264-0x00007FF633760000-0x00007FF633865000-memory.dmp	family_svcstealer
behavioral4/memory/4208-360-0x00007FF761C70000-0x00007FF761D75000-memory.dmp	family_svcstealer
behavioral4/memory/4208-361-0x00007FF761C70000-0x00007FF761D75000-memory.dmp	family_svcstealer
behavioral4/memory/1732-367-0x00007FF6BA3D0000-0x00007FF6BA4D5000-memory.dmp	family_svcstealer
behavioral4/memory/1732-368-0x00007FF6BA3D0000-0x00007FF6BA4D5000-memory.dmp	family_svcstealer
behavioral4/memory/4296-374-0x00007FF6E0A80000-0x00007FF6E0B85000-memory.dmp	family_svcstealer
behavioral4/memory/4296-375-0x00007FF6E0A80000-0x00007FF6E0B85000-memory.dmp	family_svcstealer
behavioral4/memory/2288-381-0x00007FF6F9CA0000-0x00007FF6F9DA5000-memory.dmp	family_svcstealer
behavioral4/memory/2288-382-0x00007FF6F9CA0000-0x00007FF6F9DA5000-memory.dmp	family_svcstealer
behavioral4/memory/5036-388-0x00007FF650920000-0x00007FF650A25000-memory.dmp	family_svcstealer
behavioral4/memory/5036-389-0x00007FF650920000-0x00007FF650A25000-memory.dmp	family_svcstealer
behavioral4/memory/4728-395-0x00007FF7B9F80000-0x00007FF7BA085000-memory.dmp	family_svcstealer
behavioral4/memory/4728-396-0x00007FF7B9F80000-0x00007FF7BA085000-memory.dmp	family_svcstealer
behavioral4/memory/4880-402-0x00007FF6CD1F0000-0x00007FF6CD2F5000-memory.dmp	family_svcstealer
behavioral4/memory/4880-403-0x00007FF6CD1F0000-0x00007FF6CD2F5000-memory.dmp	family_svcstealer
behavioral4/memory/2008-415-0x00007FF641150000-0x00007FF641255000-memory.dmp	family_svcstealer
behavioral4/memory/2008-416-0x00007FF641150000-0x00007FF641255000-memory.dmp	family_svcstealer
behavioral4/memory/2540-422-0x00007FF60D5E0000-0x00007FF60D6E5000-memory.dmp	family_svcstealer
behavioral4/memory/2540-423-0x00007FF60D5E0000-0x00007FF60D6E5000-memory.dmp	family_svcstealer
behavioral4/memory/2604-430-0x00007FF732270000-0x00007FF732375000-memory.dmp	family_svcstealer
behavioral4/memory/2604-429-0x00007FF732270000-0x00007FF732375000-memory.dmp	family_svcstealer
behavioral4/memory/6140-489-0x00007FF70E610000-0x00007FF70E715000-memory.dmp	family_svcstealer
behavioral4/memory/6140-490-0x00007FF70E610000-0x00007FF70E715000-memory.dmp	family_svcstealer
behavioral4/memory/4744-496-0x00007FF6E18F0000-0x00007FF6E19F5000-memory.dmp	family_svcstealer
behavioral4/memory/4744-497-0x00007FF6E18F0000-0x00007FF6E19F5000-memory.dmp	family_svcstealer
behavioral4/memory/5464-536-0x00007FF62C180000-0x00007FF62C285000-memory.dmp	family_svcstealer
behavioral4/memory/4652-542-0x00007FF77D6A0000-0x00007FF77D7A5000-memory.dmp	family_svcstealer
behavioral4/memory/4652-543-0x00007FF77D6A0000-0x00007FF77D7A5000-memory.dmp	family_svcstealer
behavioral4/memory/4632-549-0x00007FF6FBD00000-0x00007FF6FBE05000-memory.dmp	family_svcstealer
behavioral4/memory/4632-550-0x00007FF6FBD00000-0x00007FF6FBE05000-memory.dmp	family_svcstealer
behavioral4/memory/4824-620-0x00007FF7F1EF0000-0x00007FF7F1FF5000-memory.dmp	family_svcstealer
behavioral4/memory/4824-619-0x00007FF7F1EF0000-0x00007FF7F1FF5000-memory.dmp	family_svcstealer
behavioral4/memory/5200-638-0x00007FF63E670000-0x00007FF63E775000-memory.dmp	family_svcstealer
behavioral4/memory/5732-644-0x00007FF7F8800000-0x00007FF7F8905000-memory.dmp	family_svcstealer
behavioral4/memory/5732-645-0x00007FF7F8800000-0x00007FF7F8905000-memory.dmp	family_svcstealer
behavioral4/memory/4624-651-0x00007FF62DD30000-0x00007FF62DE35000-memory.dmp	family_svcstealer
behavioral4/memory/4624-652-0x00007FF62DD30000-0x00007FF62DE35000-memory.dmp	family_svcstealer
behavioral4/memory/1860-658-0x00007FF7192E0000-0x00007FF7193E5000-memory.dmp	family_svcstealer
behavioral4/memory/1860-659-0x00007FF7192E0000-0x00007FF7193E5000-memory.dmp	family_svcstealer
behavioral4/memory/616-665-0x00007FF78E150000-0x00007FF78E255000-memory.dmp	family_svcstealer

SvcStealer, Diamotrix
SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.
stealer downloader svcstealer
Svcstealer family
svcstealer

Blocklisted process makes network request 1 IoCs

flow	pid	Process
59	580	rundll32.exe

Downloads MZ/PE file 7 IoCs

flow	pid	Process
14	4496	Gxtuum.exe
14	4496	Gxtuum.exe
14	4496	Gxtuum.exe
58	4496	Gxtuum.exe
58	4496	Gxtuum.exe
60	4908	kjjhg.exe
60	4908	kjjhg.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Gxtuum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	kjjhg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Flasher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	fdnwxcx.exe

Executes dropped EXE 64 IoCs

pid	Process
3644	ezezeww.exe
5968	vcpcjo.exe
5604	fdnwxcx.exe
3640	vzycvcxx.exe
4440	vzycvcxx.exe
4644	ezezeww.exe
4640	dfbfceebc.exe
6044	dfbfceebc.exe
4720	svchost.exe
4496	Gxtuum.exe
2340	dfbfceebc.exe
1116	dfbfceebc.exe
1464	dfbfceebc.exe
1740	dfbfceebc.exe
5000	dfbfceebc.exe
4380	dfbfceebc.exe
2100	dfbfceebc.exe
6124	uu.exe
5208	dfbfceebc.exe
5760	dfbfceebc.exe
5784	zz.exe
864	dfbfceebc.exe
3548	dfbfceebc.exe
3856	dfbfceebc.exe
2044	dfbfceebc.exe
1488	dfbfceebc.exe
1000	dfbfceebc.exe
5392	dfbfceebc.exe
2828	zx.exe
3604	zx.exe
4208	dfbfceebc.exe
1732	dfbfceebc.exe
4296	dfbfceebc.exe
2288	dfbfceebc.exe
5036	dfbfceebc.exe
4728	dfbfceebc.exe
4880	dfbfceebc.exe
4884	Gxtuum.exe
2008	dfbfceebc.exe
2540	dfbfceebc.exe
2604	dfbfceebc.exe
4908	kjjhg.exe
6140	dfbfceebc.exe
4744	dfbfceebc.exe
3852	temp_28651.exe
4956	temp_28654.exe
5464	dfbfceebc.exe
4652	dfbfceebc.exe
4632	dfbfceebc.exe
4300	temp_28654.exe
2352	temp_28654.exe
4824	dfbfceebc.exe
1116	7163.tmp.exe
5200	dfbfceebc.exe
5732	dfbfceebc.exe
4624	dfbfceebc.exe
1860	dfbfceebc.exe
616	dfbfceebc.exe
4280	dfbfceebc.exe
4384	dfbfceebc.exe
1740	dfbfceebc.exe
1088	dfbfceebc.exe
112	dfbfceebc.exe
5420	dfbfceebc.exe

Loads dropped DLL 11 IoCs

pid	Process
3604	zx.exe
3604	zx.exe
3604	zx.exe
3604	zx.exe
3604	zx.exe
580	rundll32.exe
2352	temp_28654.exe
2352	temp_28654.exe
2352	temp_28654.exe
2352	temp_28654.exe
2352	temp_28654.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfbfceebc = "\"C:\\Users\\Admin\\AppData\\Roaming\\ezezeww.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfbfceebc = "\"C:\\ProgramData\\dfbfceebc.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfbfceebc = "\"C:\\ProgramData\\dfbfceebc.exe\""	ezezeww.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\Users\\Admin\\AppData\\Roaming\\vzycvcxx.exe"	vzycvcxx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\ProgramData\\svchost.exe"	vzycvcxx.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	fdnwxcx.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral4/files/0x00070000000242c0-270.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vzycvcxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdnwxcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp_28651.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vzycvcxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	625C.tmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3644	ezezeww.exe
3644	ezezeww.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe
4908	kjjhg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3396	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3396	Explorer.EXE
3396	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5944 wrote to memory of 3644	5944	Flasher.exe	85
PID 5944 wrote to memory of 3644	5944	Flasher.exe	85
PID 3644 wrote to memory of 3396	3644	ezezeww.exe	56
PID 5944 wrote to memory of 5968	5944	Flasher.exe	86
PID 5944 wrote to memory of 5968	5944	Flasher.exe	86
PID 3396 wrote to memory of 1692	3396	Explorer.EXE	87
PID 3396 wrote to memory of 1692	3396	Explorer.EXE	87
PID 3396 wrote to memory of 5744	3396	Explorer.EXE	88
PID 3396 wrote to memory of 5744	3396	Explorer.EXE	88
PID 3396 wrote to memory of 1812	3396	Explorer.EXE	89
PID 3396 wrote to memory of 1812	3396	Explorer.EXE	89
PID 5944 wrote to memory of 5604	5944	Flasher.exe	93
PID 5944 wrote to memory of 5604	5944	Flasher.exe	93
PID 5944 wrote to memory of 5604	5944	Flasher.exe	93
PID 5944 wrote to memory of 3640	5944	Flasher.exe	94
PID 5944 wrote to memory of 3640	5944	Flasher.exe	94
PID 5944 wrote to memory of 3640	5944	Flasher.exe	94
PID 3396 wrote to memory of 5648	3396	Explorer.EXE	95
PID 3396 wrote to memory of 5648	3396	Explorer.EXE	95
PID 3396 wrote to memory of 1108	3396	Explorer.EXE	97
PID 3396 wrote to memory of 1108	3396	Explorer.EXE	97
PID 5648 wrote to memory of 4440	5648	cmd.exe	99
PID 5648 wrote to memory of 4440	5648	cmd.exe	99
PID 5648 wrote to memory of 4440	5648	cmd.exe	99
PID 5744 wrote to memory of 4644	5744	cmd.exe	100
PID 5744 wrote to memory of 4644	5744	cmd.exe	100
PID 1812 wrote to memory of 4640	1812	cmd.exe	101
PID 1812 wrote to memory of 4640	1812	cmd.exe	101
PID 1692 wrote to memory of 6044	1692	cmd.exe	102
PID 1692 wrote to memory of 6044	1692	cmd.exe	102
PID 1108 wrote to memory of 4720	1108	cmd.exe	103
PID 1108 wrote to memory of 4720	1108	cmd.exe	103
PID 1108 wrote to memory of 4720	1108	cmd.exe	103
PID 5604 wrote to memory of 4496	5604	fdnwxcx.exe	104
PID 5604 wrote to memory of 4496	5604	fdnwxcx.exe	104
PID 5604 wrote to memory of 4496	5604	fdnwxcx.exe	104
PID 3396 wrote to memory of 4936	3396	Explorer.EXE	108
PID 3396 wrote to memory of 4936	3396	Explorer.EXE	108
PID 4936 wrote to memory of 2340	4936	cmd.exe	110
PID 4936 wrote to memory of 2340	4936	cmd.exe	110
PID 3396 wrote to memory of 4272	3396	Explorer.EXE	112
PID 3396 wrote to memory of 4272	3396	Explorer.EXE	112
PID 4272 wrote to memory of 1116	4272	cmd.exe	114
PID 4272 wrote to memory of 1116	4272	cmd.exe	114
PID 3396 wrote to memory of 1080	3396	Explorer.EXE	117
PID 3396 wrote to memory of 1080	3396	Explorer.EXE	117
PID 3396 wrote to memory of 3012	3396	Explorer.EXE	118
PID 3396 wrote to memory of 3012	3396	Explorer.EXE	118
PID 1080 wrote to memory of 1464	1080	cmd.exe	121
PID 1080 wrote to memory of 1464	1080	cmd.exe	121
PID 3012 wrote to memory of 1740	3012	cmd.exe	122
PID 3012 wrote to memory of 1740	3012	cmd.exe	122
PID 3396 wrote to memory of 5548	3396	Explorer.EXE	125
PID 3396 wrote to memory of 5548	3396	Explorer.EXE	125
PID 5548 wrote to memory of 5000	5548	cmd.exe	127
PID 5548 wrote to memory of 5000	5548	cmd.exe	127
PID 3396 wrote to memory of 3920	3396	Explorer.EXE	129
PID 3396 wrote to memory of 3920	3396	Explorer.EXE	129
PID 3920 wrote to memory of 4380	3920	cmd.exe	131
PID 3920 wrote to memory of 4380	3920	cmd.exe	131
PID 3396 wrote to memory of 5996	3396	Explorer.EXE	132
PID 3396 wrote to memory of 5996	3396	Explorer.EXE	132
PID 5996 wrote to memory of 2100	5996	cmd.exe	134
PID 5996 wrote to memory of 2100	5996	cmd.exe	134

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Local\Temp\Flasher.exe
  "C:\Users\Admin\AppData\Local\Temp\Flasher.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5944
- - C:\Users\Admin\AppData\Roaming\ezezeww.exe
    "C:\Users\Admin\AppData\Roaming\ezezeww.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3644
- - C:\Users\Admin\AppData\Roaming\vcpcjo.exe
    "C:\Users\Admin\AppData\Roaming\vcpcjo.exe"
    3⤵
    - Executes dropped EXE
    PID:5968
- - C:\Users\Admin\AppData\Roaming\fdnwxcx.exe
    "C:\Users\Admin\AppData\Roaming\fdnwxcx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5604
  - - C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe"
      4⤵
      Downloads MZ/PE file
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4496
    - - C:\Users\Admin\AppData\Local\Temp\10000840101\uu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000840101\uu.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6124
    - - C:\Users\Admin\AppData\Local\Temp\10000850101\zz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000850101\zz.exe"
        5⤵
        Executes dropped EXE
        
        PID:5784
    - - C:\Users\Admin\AppData\Local\Temp\10000860101\zx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000860101\zx.exe"
        5⤵
        Executes dropped EXE
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\10000860101\zx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000860101\zx.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3604
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\7ae14b05c802cd\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:580
    - - C:\Users\Admin\AppData\Local\Temp\10000890101\kjjhg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000890101\kjjhg.exe"
        5⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4908
      - C:\Users\Admin\AppData\Local\Temp\temp_28651.exe
        
        "C:\Users\Admin\AppData\Local\Temp\temp_28651.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3852
      - C:\Users\Admin\AppData\Local\Temp\temp_28654.exe
        
        "C:\Users\Admin\AppData\Local\Temp\temp_28654.exe"
        6⤵
        Executes dropped EXE
        
        PID:4956
      - C:\Users\Admin\AppData\Local\Temp\temp_28654.exe
        
        "C:\Users\Admin\AppData\Local\Temp\temp_28654.exe"
        6⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\temp_28654.exe
        
        "C:\Users\Admin\AppData\Local\Temp\temp_28654.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2352
- - C:\Users\Admin\AppData\Roaming\vzycvcxx.exe
    "C:\Users\Admin\AppData\Roaming\vzycvcxx.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:6044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ezezeww.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5744
- - C:\Users\Admin\AppData\Roaming\ezezeww.exe
    C:\Users\Admin\AppData\Roaming\ezezeww.exe
    3⤵
    - Executes dropped EXE
    PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\vzycvcxx.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5648
- - C:\Users\Admin\AppData\Roaming\vzycvcxx.exe
    C:\Users\Admin\AppData\Roaming\vzycvcxx.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\svchost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\ProgramData\svchost.exe
    C:\ProgramData\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5548
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5996
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:792
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:5208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4624
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:5760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1108
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5820
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4844
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:3856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4936
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5336
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:1488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3680
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:1000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5020
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:5392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:6084
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:396
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4380
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2872
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:6060
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3260
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4840
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2096
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3104
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3216
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5128
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:6140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1080
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5624
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:5464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3448
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1340
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5688
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4824
- C:\Users\Admin\AppData\Local\Temp\7163.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\7163.tmp.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4936
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:5200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5336
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:5732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3068
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3104
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:308
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4964
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5012
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5400
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5940
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3432
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4084
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    - Executes dropped EXE
    PID:5420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4312
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5208
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:5968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4632
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:1480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5704
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:6048
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4228
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2156
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:5444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2684
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:5712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1772
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2876
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5480
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:5648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1476
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5032
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:3368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2956
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1104
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5236
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:1260
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:5568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5292
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3656
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5396
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:1120
- C:\Users\Admin\AppData\Local\Temp\625C.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\625C.tmp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5276
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5464
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:5916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3516
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2268
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:620
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5256
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5684
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:2412
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:4824
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:5712
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:900
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\dfbfceebc.exe"
  2⤵
  PID:3840
- - C:\ProgramData\dfbfceebc.exe
    C:\ProgramData\dfbfceebc.exe
    3⤵
    PID:756

C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dfbfceebc.cfg

Filesize
18B

MD5
94a602a621475f7f3725540b8d2dd99e

SHA1
a1f0908d13bb8f13122a6f76eee81e45f69371b7

SHA256
5bea34d48353a42b033d0d81ee5202fef077869e0a5b7eb3ba1293b984a96409

SHA512
c22ccbdf591f2ce1c93013a76121bbcff15280c6d9f2f6e91938777d9f47ca76b46e1b15acb1c34a60f9ab15b613447e610fd1e8f87f9b51cb1f9ab0648835b4

Download Submit
C:\ProgramData\dfbfceebc.exe

Filesize
1021KB

MD5
942e285920589ef847f851c6b6bf5f19

SHA1
2e71b51c07d0b5b9c4fbfef187565c77af8164d8

SHA256
32146febb4fdc0f80c8460696c5063d3dcbf1af3989f599b31cba52680cf2aff

SHA512
c4623e113eaa98dcf8a487ebff515f88251892c4d1ffd35959d77811c1e6a959015e3a73dcacae83fadcb1ba1eb86951b4e32fabef05584b18db2fc3705bc8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\088340141004

Filesize
82KB

MD5
47046d5624f4b5c939cc0d561a1c3296

SHA1
338bac448aeabbdff122a2c0d384755c3a537eb2

SHA256
d96da9b3c990940ac74433153d788063e1026eb7fffe16df08da238f65d9e82a

SHA512
a5295030b55c4ac4b1793e5d9c4710bbdd478cc734a7fefe7e6f142b370c6446b8c440ee2e65114fe5e8605cf34957f2fe593787daa5896811d40c3c56bbde27

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000840101\uu.exe

Filesize
177KB

MD5
4d38d0416a7392711f340e87f22ea4ba

SHA1
85d501d7fd5fc843e96be88caf6c1f1054aa2f28

SHA256
95b64cf5502b24d592c79f2611b76d5d8035c8061c4af6b1ff6800ec2b46442f

SHA512
3a86a6521fb856220875c9bac2c01ce82e7e67e515285273f7687596dc6c169949af8703d835654506c8205bcf6d372403c9ea925c0bf2969f11227d7cacb5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000850101\zz.exe

Filesize
253KB

MD5
5381a870d74ee49586aa9632e93c232b

SHA1
f2ee6d461102d3353077d3d6f08bbda2b8dfb1ed

SHA256
e90f2a5eae99811b65dc284734e0e295708d89bfef9a003b3ab2f8bc42e1fa9c

SHA512
c611262eb7badc08486a6416dd470f14d09c5c86c04076a472d32da52bf2cc21344dd4130f85a83cb25556383528ce57ac94ad0de36cef6a67f1bdb9e87a65a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000860101\zx.exe

Filesize
5.6MB

MD5
f6d5cc794c2a2eb47b84e1dfc26c988a

SHA1
dd0fd87afef860b482909c08332794aff35c288a

SHA256
631190fc83321193d8cb31f592b33919c9e3fbfa19ce0c29f9e86c1a4c2e5892

SHA512
8cadf6f0b2e75be2d6392aef2526458750e5b9c3a180b9362803ae2b3d75094db5a29dd8db5305a43def16e2cd3ec1c6adafdb4aaa07d5c8f3ca3a6546fa19a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000890101\kjjhg.exe

Filesize
1.3MB

MD5
7649c0971252ffe91d89be9c5e975116

SHA1
fec1eea05dc92f5cab9ccf4f10e9fd3dcaf9d79d

SHA256
401c472ad7425e95b53f52be849016afdd467a4728ac8796ff1a932731b1d3ce

SHA512
fb0697c7857eeb655b3aa5d88f18d22b4ce132f1dbdb767701851776adadd0aa30d597c297ef6556e0f273d66b65ca03194f468915b0f67c32ee890ad4966255

Download Submit
C:\Users\Admin\AppData\Local\Temp\History

Filesize
192KB

MD5
83c468b78a1714944e5becf35401229b

SHA1
5bb1aaf85b2b973e4ba33fa8457aaf71e4987b34

SHA256
da5fdb5a9d869b349244f1ab62d95b0dbd05ac12ff45a6db157da829566a6690

SHA512
795aa24a35781ea1e91cdb1760aef90948a61c0f96f94f20585662bdce627443a702f7b2637472cb595e027b1989cec822959dcad4b121928dbb2f250b2df599

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\api-ms-win-core-console-l1-1-0.dll

Filesize
19KB

MD5
b56d69079d2001c1b2af272774b53a64

SHA1
67ede1c5a71412b11847f79f5a684eabaf00de01

SHA256
f3a41d882544202b2e1bdf3d955458be11fc7f76ba12668388a681870636f143

SHA512
7eb8fe111dd2e1f7e308b622461eb311c2b9fc4ef44c76e1def6c524eb7281d5522af12211f1f91f651f2b678592d2997fe4cd15724f700deaff314a1737b3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\api-ms-win-core-datetime-l1-1-0.dll

Filesize
19KB

MD5
5af784f599437629deea9fe4e8eb4799

SHA1
3c891b920fd2703edd6881117ea035ced5a619f6

SHA256
7e5bd3ee263d09c7998e0d5ffa684906ddc56da61536331c89c74b039df00c7c

SHA512
4df58513cf52511c0d2037cdc674115d8ed5a0ed4360eb6383cc6a798a7037f3f7f2d587797223ed7797ccd476f1c503b3c16e095843f43e6b87d55ad4822d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\api-ms-win-core-debug-l1-1-0.dll

Filesize
19KB

MD5
e1ca15cf0597c6743b3876af23a96960

SHA1
301231f7250431bd122b12ed34a8d4e8bb379457

SHA256
990e46d8f7c9574a558ebdfcb8739fbccba59d0d3a2193c9c8e66807387a276d

SHA512
7c9dacd882a0650bf2f553e9bc5647e6320a66021ac4c1adc802070fd53de4c6672a7bacfd397c51009a23b6762e85c8017895e9347a94d489d42c50fa0a1c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
19KB

MD5
8d6599d7c4897dcd0217070cca074574

SHA1
25eacaaa4c6f89945e97388796a8c85ba6fb01fb

SHA256
a011260fafaaaefd7e7326d8d5290c6a76d55e5af4e43ffa4de5fea9b08fa928

SHA512
e8e2e7c5bff41ccaa0f77c3cfee48dac43c11e75688f03b719cc1d716db047597a7a2ce25b561171ef259957bdcd9dd4345a0e0125db2b36f31698ba178e2248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\api-ms-win-core-file-l1-1-0.dll

Filesize
22KB

MD5
642b29701907e98e2aa7d36eba7d78b8

SHA1
16f46b0e057816f3592f9c0a6671111ea2f35114

SHA256
5d72feac789562d445d745a55a99536fa9302b0c27b8f493f025ba69ba31941c

SHA512
1beab2b368cc595beb39b2f5a2f52d334bc42bf674b8039d334c6d399c966aff0b15876105f0a4a54fa08e021cb44907ed47d31a0af9e789eb4102b82025cf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
f0c73f7454a5ce6fb8e3d795fdb0235d

SHA1
acdd6c5a359421d268b28ddf19d3bcb71f36c010

SHA256
2a59dd891533a028fae7a81e690e4c28c9074c2f327393fab17329affe53fd7b

SHA512
bd6cf4e37c3e7a1a3b36f42858af1b476f69caa4ba1fd836a7e32220e5eff7ccc811c903019560844af988a7c77cc41dc6216c0c949d8e04516a537da5821a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
7d4d4593b478b4357446c106b64e61f8

SHA1
8a4969c9e59d7a7485c8cc5723c037b20dea5c9d

SHA256
0a6e2224cde90a0d41926e8863f9956848ffbf19848e8855bd08953112afc801

SHA512
7bc9c473705ec98ba0c1da31c295937d97710cedefc660f6a5cb0512bae36ad23bebb2f6f14df7ce7f90ec3f817b02f577317fdd514560aab22cb0434d8e4e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\api-ms-win-core-handle-l1-1-0.dll

Filesize
19KB

MD5
7bc1b8712e266db746914db48b27ef9c

SHA1
c76eb162c23865b3f1bd7978f7979d6ba09ccb60

SHA256
f82d05aea21bcf6337ef45fbdad6d647d17c043a67b44c7234f149f861a012b9

SHA512
db6983f5f9c18908266dbf01ef95ebae49f88edc04a0515699ef12201ac9a50f09939b8784c75ae513105ada5b155e5330bd42d70f8c8c48fe6005513aefad2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\api-ms-win-core-heap-l1-1-0.dll

Filesize
19KB

MD5
b071e761cea670d89d7ae80e016ce7e6

SHA1
c675be753dbef1624100f16674c2221a20cf07dd

SHA256
63fb84a49308b857804ae1481d2d53b00a88bbd806d257d196de2bd5c385701e

SHA512
f2ecbdaba3516d92bd29dcce618185f1755451d95c7dbbe23f8215318f6f300a9964c93ec3ed65c5535d87be82b668e1d3025a7e325af71a05f14e15d530d35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
19KB

MD5
1dccf27f2967601ce6666c8611317f03

SHA1
d8246df2ed9ec4a8a719fd4b1db4fd8a71ef679b

SHA256
6a83ab9a413afd74d77a090f52784b0128527bee9cb0a4224c59d5c75fc18387

SHA512
70b96d69d609211f8b9e05fa510ea7d574ae8da3a6498f5c982aee71635b8a749162247055b7ba21a884bfa06c1415b68912c463f0f1b6ffb9049f3532386877

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
19KB

MD5
569a7ac3f6824a04282ff708c629a6d2

SHA1
fc0d78de1075dfd4c1024a72074d09576d4d4181

SHA256
84c579a8263a87991ca1d3aee2845e1c262fb4b849606358062093d08afdc7a2

SHA512
e9cbff82e32540f9230cead9063acb1aceb7ccc9f3338c0b7ad10b0ac70ff5b47c15944d0dce33ea8405554aa9b75de30b26ae2ca55db159d45b6e64bc02a180

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
1d75e7b9f68c23a195d408cf02248119

SHA1
62179fc9a949d238bb221d7c2f71ba7c1680184c

SHA256
67ebe168b7019627d68064043680674f9782fda7e30258748b29412c2b3d4c6b

SHA512
c2ee84a9aeac34f7b51426d12f87bb35d8c3238bb26a6e14f412ea485e5bd3b8fb5b1231323d4b089cf69d8180a38ddd7fd593cc52cbdf250125ad02d66eea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\api-ms-win-core-memory-l1-1-0.dll

Filesize
19KB

MD5
623283471b12f1bdb83e25dbafaf9c16

SHA1
ecbba66f4dca89a3faa3e242e30aefac8de02153

SHA256
9ca500775fee9ff69b960d65040b8dc415a2efde2982a9251ee6a3e8de625bc7

SHA512
54b69ffa2c263be4ddadca62fa2867fea6148949d64c2634745db3dcbc1ba0ecf7167f02fa53efd69eaaee81d617d914f370f26ca16ee5850853f70c69e9a61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\base_library.zip

Filesize
821KB

MD5
f4981249047e4b7709801a388e2965af

SHA1
42847b581e714a407a0b73e5dab019b104ec9af2

SHA256
b191e669b1c715026d0732cbf8415f1ff5cfba5ed9d818444719d03e72d14233

SHA512
e8ef3fb3c9d5ef8ae9065838b124ba4920a3a1ba2d4174269cad05c1f318bc9ff80b1c6a6c0f3493e998f0587ef59be0305bc92e009e67b82836755470bc1b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\ucrtbase.dll

Filesize
1021KB

MD5
4e326feeb3ebf1e3eb21eeb224345727

SHA1
f156a272dbc6695cc170b6091ef8cd41db7ba040

SHA256
3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9

SHA512
be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

Download Submit
C:\Users\Admin\AppData\Roaming\7ae14b05c802cd\clip64.dll

Filesize
124KB

MD5
a3379448f4304fbc3d94ce7dd4f6b3d8

SHA1
ec143bd798f89287a3bfe3cf9038eaed18d68748

SHA256
7dffa0b7cd3c0fc4a20cb1c92fee3504b579950d01f32ac481566e8656b0e8e0

SHA512
fa37460004a3fda4cb59246a5f4e2214a419ebf6ef5baafb5aee39f39de2d32d3d6d7d5d256dc4c9b90388100c92bb09a52c7114ef71ff51a91be82fe0085a30

Download Submit
C:\Users\Admin\AppData\Roaming\ezezeww.exe

Filesize
615KB

MD5
4a29417a8df35479c00de90163d48605

SHA1
0c77f0e769005320a2f1920086d8006262b07cea

SHA256
4709bfc0f1c220009ef45f182f8ae5a3f6844dac62646f1b2da3f43ebfd52db1

SHA512
161e2c5dc4f860841e12da7dfd8f9637d6e91da95122271b74a44fb82c605a4662275fabab3e346d5e984d527530571da32c1014bcacda78a0074d080bce0594

Download Submit
C:\Users\Admin\AppData\Roaming\fdnwxcx.exe

Filesize
429KB

MD5
8b12410737d2ea98450d892a8f838c3f

SHA1
1b60e0e7dc1a46d421db6c876274971f7d9f8944

SHA256
f700d0b50bb04e46842ba6448e91059d4c6499ab4a2500a82871edecb62ef026

SHA512
d3fcce4443b1d922fdd6d1541271cbbc938542424f6fc9b3cd8589f9d78c7654828e0deaa221fe4631a367c860716d2317a62251540f6358a3e3278fc76007dd

Download Submit
C:\Users\Admin\AppData\Roaming\vcpcjo.exe

Filesize
253KB

MD5
f06d851cdd529123efc8d1cab870da81

SHA1
a390c3754d3ac2141a2fd4cf5ebcbf465aa4cf58

SHA256
87e08f435857867edb66e89c3420402430fd334054a746fa81650b2f0a6a510c

SHA512
e947205a06f178428eabab077587640f1bacfef865fe33843bc2ed63d7f876965146424a16223f5c77a07103d28e0e94feeeaacfed62636a596862c981634e43

Download Submit
C:\Users\Admin\AppData\Roaming\vzycvcxx.exe

Filesize
176KB

MD5
3cca4d7501ae251c233d331d77f3060a

SHA1
04a2c3ae8bcec4cce30637d690fe2d0f43b09b44

SHA256
20cbb4516d585a430f0ef5a26e2f3ea9f9902b385e034414d0e1a4ae57b0d285

SHA512
4012da4b846082a025272530261dc0c579924fe51ae7ff18c13d11de9ff7e12ad51dc3f0b5c835d21ad64c4b45358037e121dfc8c513e3c52d91d141536b8b6c

Download Submit
memory/112-701-0x00007FF616C20000-0x00007FF616D25000-memory.dmp

Filesize
1.0MB

Download
memory/112-700-0x00007FF616C20000-0x00007FF616D25000-memory.dmp

Filesize
1.0MB

Download
memory/616-665-0x00007FF78E150000-0x00007FF78E255000-memory.dmp

Filesize
1.0MB

Download
memory/616-666-0x00007FF78E150000-0x00007FF78E255000-memory.dmp

Filesize
1.0MB

Download
memory/864-217-0x00007FF778450000-0x00007FF778555000-memory.dmp

Filesize
1.0MB

Download
memory/1000-257-0x00007FF780DC0000-0x00007FF780EC5000-memory.dmp

Filesize
1.0MB

Download
memory/1000-256-0x00007FF780DC0000-0x00007FF780EC5000-memory.dmp

Filesize
1.0MB

Download
memory/1088-694-0x00007FF778230000-0x00007FF778335000-memory.dmp

Filesize
1.0MB

Download
memory/1088-693-0x00007FF778230000-0x00007FF778335000-memory.dmp

Filesize
1.0MB

Download
memory/1108-742-0x00007FF786510000-0x00007FF786615000-memory.dmp

Filesize
1.0MB

Download
memory/1108-743-0x00007FF786510000-0x00007FF786615000-memory.dmp

Filesize
1.0MB

Download
memory/1116-92-0x00007FF7F16B0000-0x00007FF7F174F000-memory.dmp

Filesize
636KB

Download
memory/1116-91-0x00007FF7F16B0000-0x00007FF7F174F000-memory.dmp

Filesize
636KB

Download
memory/1464-110-0x00007FF6FC650000-0x00007FF6FC755000-memory.dmp

Filesize
1.0MB

Download
memory/1480-728-0x00007FF7B3880000-0x00007FF7B3985000-memory.dmp

Filesize
1.0MB

Download
memory/1480-729-0x00007FF7B3880000-0x00007FF7B3985000-memory.dmp

Filesize
1.0MB

Download
memory/1488-249-0x00007FF735740000-0x00007FF735845000-memory.dmp

Filesize
1.0MB

Download
memory/1488-248-0x00007FF735740000-0x00007FF735845000-memory.dmp

Filesize
1.0MB

Download
memory/1732-367-0x00007FF6BA3D0000-0x00007FF6BA4D5000-memory.dmp

Filesize
1.0MB

Download
memory/1732-368-0x00007FF6BA3D0000-0x00007FF6BA4D5000-memory.dmp

Filesize
1.0MB

Download
memory/1740-687-0x00007FF604990000-0x00007FF604A95000-memory.dmp

Filesize
1.0MB

Download
memory/1740-686-0x00007FF604990000-0x00007FF604A95000-memory.dmp

Filesize
1.0MB

Download
memory/1740-113-0x00007FF6FC650000-0x00007FF6FC755000-memory.dmp

Filesize
1.0MB

Download
memory/1860-659-0x00007FF7192E0000-0x00007FF7193E5000-memory.dmp

Filesize
1.0MB

Download
memory/1860-658-0x00007FF7192E0000-0x00007FF7193E5000-memory.dmp

Filesize
1.0MB

Download
memory/2008-416-0x00007FF641150000-0x00007FF641255000-memory.dmp

Filesize
1.0MB

Download
memory/2008-415-0x00007FF641150000-0x00007FF641255000-memory.dmp

Filesize
1.0MB

Download
memory/2044-240-0x00007FF63C950000-0x00007FF63CA55000-memory.dmp

Filesize
1.0MB

Download
memory/2044-241-0x00007FF63C950000-0x00007FF63CA55000-memory.dmp

Filesize
1.0MB

Download
memory/2100-162-0x00007FF6DAB60000-0x00007FF6DAC65000-memory.dmp

Filesize
1.0MB

Download
memory/2100-163-0x00007FF6DAB60000-0x00007FF6DAC65000-memory.dmp

Filesize
1.0MB

Download
memory/2288-382-0x00007FF6F9CA0000-0x00007FF6F9DA5000-memory.dmp

Filesize
1.0MB

Download
memory/2288-381-0x00007FF6F9CA0000-0x00007FF6F9DA5000-memory.dmp

Filesize
1.0MB

Download
memory/2340-87-0x00007FF7234B0000-0x00007FF72354F000-memory.dmp

Filesize
636KB

Download
memory/2340-86-0x00007FF7234B0000-0x00007FF72354F000-memory.dmp

Filesize
636KB

Download
memory/2540-422-0x00007FF60D5E0000-0x00007FF60D6E5000-memory.dmp

Filesize
1.0MB

Download
memory/2540-423-0x00007FF60D5E0000-0x00007FF60D6E5000-memory.dmp

Filesize
1.0MB

Download
memory/2604-430-0x00007FF732270000-0x00007FF732375000-memory.dmp

Filesize
1.0MB

Download
memory/2604-429-0x00007FF732270000-0x00007FF732375000-memory.dmp

Filesize
1.0MB

Download
memory/3396-139-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-144-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-95-0x0000000003410000-0x00000000034B5000-memory.dmp

Filesize
660KB

Download
memory/3396-133-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-134-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-135-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-84-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/3396-56-0x00000000013B0000-0x00000000013B1000-memory.dmp

Filesize
4KB

Download
memory/3396-53-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/3396-36-0x0000000003410000-0x00000000034B5000-memory.dmp

Filesize
660KB

Download
memory/3396-35-0x00000000038E0000-0x00000000038E1000-memory.dmp

Filesize
4KB

Download
memory/3396-30-0x0000000003410000-0x00000000034B5000-memory.dmp

Filesize
660KB

Download
memory/3396-148-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-147-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-146-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-145-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-142-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-141-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-143-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-107-0x0000000003410000-0x00000000034B5000-memory.dmp

Filesize
660KB

Download
memory/3396-15-0x0000000003410000-0x00000000034B5000-memory.dmp

Filesize
660KB

Download
memory/3396-27-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/3396-140-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-138-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-29-0x0000000003960000-0x0000000003961000-memory.dmp

Filesize
4KB

Download
memory/3396-32-0x0000000003410000-0x00000000034B5000-memory.dmp

Filesize
660KB

Download
memory/3396-136-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-137-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/3396-28-0x0000000003410000-0x00000000034B5000-memory.dmp

Filesize
660KB

Download
memory/3396-19-0x0000000003410000-0x00000000034B5000-memory.dmp

Filesize
660KB

Download
memory/3548-224-0x00007FF7998E0000-0x00007FF7999E5000-memory.dmp

Filesize
1.0MB

Download
memory/3548-225-0x00007FF7998E0000-0x00007FF7999E5000-memory.dmp

Filesize
1.0MB

Download
memory/3644-18-0x00007FF6E7550000-0x00007FF6E75EF000-memory.dmp

Filesize
636KB

Download
memory/3644-38-0x00007FF6E7550000-0x00007FF6E75EF000-memory.dmp

Filesize
636KB

Download
memory/3856-232-0x00007FF726770000-0x00007FF726875000-memory.dmp

Filesize
1.0MB

Download
memory/3856-233-0x00007FF726770000-0x00007FF726875000-memory.dmp

Filesize
1.0MB

Download
memory/4208-361-0x00007FF761C70000-0x00007FF761D75000-memory.dmp

Filesize
1.0MB

Download
memory/4208-360-0x00007FF761C70000-0x00007FF761D75000-memory.dmp

Filesize
1.0MB

Download
memory/4280-672-0x00007FF6FFD00000-0x00007FF6FFE05000-memory.dmp

Filesize
1.0MB

Download
memory/4280-673-0x00007FF6FFD00000-0x00007FF6FFE05000-memory.dmp

Filesize
1.0MB

Download
memory/4296-374-0x00007FF6E0A80000-0x00007FF6E0B85000-memory.dmp

Filesize
1.0MB

Download
memory/4296-375-0x00007FF6E0A80000-0x00007FF6E0B85000-memory.dmp

Filesize
1.0MB

Download
memory/4380-155-0x00007FF7068E0000-0x00007FF7069E5000-memory.dmp

Filesize
1.0MB

Download
memory/4380-154-0x00007FF7068E0000-0x00007FF7069E5000-memory.dmp

Filesize
1.0MB

Download
memory/4384-680-0x00007FF63B930000-0x00007FF63BA35000-memory.dmp

Filesize
1.0MB

Download
memory/4384-679-0x00007FF63B930000-0x00007FF63BA35000-memory.dmp

Filesize
1.0MB

Download
memory/4624-651-0x00007FF62DD30000-0x00007FF62DE35000-memory.dmp

Filesize
1.0MB

Download
memory/4624-652-0x00007FF62DD30000-0x00007FF62DE35000-memory.dmp

Filesize
1.0MB

Download
memory/4632-549-0x00007FF6FBD00000-0x00007FF6FBE05000-memory.dmp

Filesize
1.0MB

Download
memory/4632-550-0x00007FF6FBD00000-0x00007FF6FBE05000-memory.dmp

Filesize
1.0MB

Download
memory/4640-61-0x00007FF75CC60000-0x00007FF75CCFF000-memory.dmp

Filesize
636KB

Download
memory/4640-62-0x00007FF75CC60000-0x00007FF75CCFF000-memory.dmp

Filesize
636KB

Download
memory/4648-736-0x00007FF60BBB0000-0x00007FF60BCB5000-memory.dmp

Filesize
1.0MB

Download
memory/4648-735-0x00007FF60BBB0000-0x00007FF60BCB5000-memory.dmp

Filesize
1.0MB

Download
memory/4652-543-0x00007FF77D6A0000-0x00007FF77D7A5000-memory.dmp

Filesize
1.0MB

Download
memory/4652-542-0x00007FF77D6A0000-0x00007FF77D7A5000-memory.dmp

Filesize
1.0MB

Download
memory/4728-395-0x00007FF7B9F80000-0x00007FF7BA085000-memory.dmp

Filesize
1.0MB

Download
memory/4728-396-0x00007FF7B9F80000-0x00007FF7BA085000-memory.dmp

Filesize
1.0MB

Download
memory/4744-496-0x00007FF6E18F0000-0x00007FF6E19F5000-memory.dmp

Filesize
1.0MB

Download
memory/4744-497-0x00007FF6E18F0000-0x00007FF6E19F5000-memory.dmp

Filesize
1.0MB

Download
memory/4800-714-0x00007FF663BF0000-0x00007FF663CF5000-memory.dmp

Filesize
1.0MB

Download
memory/4800-715-0x00007FF663BF0000-0x00007FF663CF5000-memory.dmp

Filesize
1.0MB

Download
memory/4824-620-0x00007FF7F1EF0000-0x00007FF7F1FF5000-memory.dmp

Filesize
1.0MB

Download
memory/4824-619-0x00007FF7F1EF0000-0x00007FF7F1FF5000-memory.dmp

Filesize
1.0MB

Download
memory/4880-402-0x00007FF6CD1F0000-0x00007FF6CD2F5000-memory.dmp

Filesize
1.0MB

Download
memory/4880-403-0x00007FF6CD1F0000-0x00007FF6CD2F5000-memory.dmp

Filesize
1.0MB

Download
memory/5000-125-0x00007FF732100000-0x00007FF732205000-memory.dmp

Filesize
1.0MB

Download
memory/5000-126-0x00007FF732100000-0x00007FF732205000-memory.dmp

Filesize
1.0MB

Download
memory/5036-389-0x00007FF650920000-0x00007FF650A25000-memory.dmp

Filesize
1.0MB

Download
memory/5036-388-0x00007FF650920000-0x00007FF650A25000-memory.dmp

Filesize
1.0MB

Download
memory/5200-638-0x00007FF63E670000-0x00007FF63E775000-memory.dmp

Filesize
1.0MB

Download
memory/5208-187-0x00007FF7508C0000-0x00007FF7509C5000-memory.dmp

Filesize
1.0MB

Download
memory/5208-188-0x00007FF7508C0000-0x00007FF7509C5000-memory.dmp

Filesize
1.0MB

Download
memory/5392-264-0x00007FF633760000-0x00007FF633865000-memory.dmp

Filesize
1.0MB

Download
memory/5420-707-0x00007FF626870000-0x00007FF626975000-memory.dmp

Filesize
1.0MB

Download
memory/5420-708-0x00007FF626870000-0x00007FF626975000-memory.dmp

Filesize
1.0MB

Download
memory/5464-637-0x00007FF62C180000-0x00007FF62C285000-memory.dmp

Filesize
1.0MB

Download
memory/5464-536-0x00007FF62C180000-0x00007FF62C285000-memory.dmp

Filesize
1.0MB

Download
memory/5732-644-0x00007FF7F8800000-0x00007FF7F8905000-memory.dmp

Filesize
1.0MB

Download
memory/5732-645-0x00007FF7F8800000-0x00007FF7F8905000-memory.dmp

Filesize
1.0MB

Download
memory/5760-195-0x00007FF75B370000-0x00007FF75B475000-memory.dmp

Filesize
1.0MB

Download
memory/5760-196-0x00007FF75B370000-0x00007FF75B475000-memory.dmp

Filesize
1.0MB

Download
memory/5968-722-0x00007FF6BB490000-0x00007FF6BB595000-memory.dmp

Filesize
1.0MB

Download
memory/5968-721-0x00007FF6BB490000-0x00007FF6BB595000-memory.dmp

Filesize
1.0MB

Download
memory/6140-489-0x00007FF70E610000-0x00007FF70E715000-memory.dmp

Filesize
1.0MB

Download
memory/6140-490-0x00007FF70E610000-0x00007FF70E715000-memory.dmp

Filesize
1.0MB

Download