amadey | 39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe
Size

1.8MB
MD5

5ba503c25d7d0823e31de21e9edf8f5b
SHA1

078221f2d14204426c6b8695a8b85ab06e0e7c58
SHA256

39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891
SHA512

4875357798c7122ec152b707e953f0c15172e156113a6f32f50c3157a30abc122ebb63ccc0fb81d81f20fff6b49824197aa217f3994be85f550e6b34737cd2a0
SSDEEP

24576:4j9kja6vG7NaNuxVIiwSFCj2jnmpAEWOUBzYpallrKbauUjXQ87rJBWuEdgVfyj3:m9/6+NZYiwSFCj0QSbVqbauyPJ8u8m

Score

10^/10

amadey redline xmrig 06-20-24 e76b71 discovery evasion execution infostealer miner persistence pyinstaller spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

06-20-24

91.92.255.143:45786

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\1000003001\utyj.exe family_redline
behavioral1/memory/3992-113-0x0000000000E90000-0x0000000000EE0000-memory.dmp family_redline
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000003001\utyj.exe	family_redline
behavioral1/memory/3992-113-0x0000000000E90000-0x0000000000EE0000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

XMRig Miner payload 18 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/604-127-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/604-129-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/604-126-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/604-131-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/604-132-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/604-130-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/604-133-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/604-155-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4648-284-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4648-283-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4648-282-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4648-281-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4648-285-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/604-286-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4648-288-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4648-289-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/604-290-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/604-291-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplong.exeaxplong.exeaxplong.exe39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Hkbsse.exeserieta.exe39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exeaxplong.exe0x3fg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Hkbsse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	serieta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	0x3fg.exe

Executes dropped EXE 20 IoCs

Processes:

axplong.exelegs.exe0x3fg.exeHkbsse.exeuYtF.exeutyj.exewfbrmcwrltkl.exeserieta.exeHkbsse.exeaxplong.exenatura.exenautr.exeNotepad.exeNotepad.exeNotepad.exeNotepad.exepseaptzkxyms.exeetuamactyjne.exeHkbsse.exeaxplong.exe

pid	process
2096	axplong.exe
2036	legs.exe
4640	0x3fg.exe
3256	Hkbsse.exe
4612	uYtF.exe
3992	utyj.exe
1664	wfbrmcwrltkl.exe
880	serieta.exe
4296	Hkbsse.exe
2568	axplong.exe
3820	natura.exe
4988	nautr.exe
3624	Notepad.exe
2368	Notepad.exe
4408	Notepad.exe
2476	Notepad.exe
1248	pseaptzkxyms.exe
4092	etuamactyjne.exe
816	Hkbsse.exe
416	axplong.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	axplong.exe

Loads dropped DLL 16 IoCs

Processes:

Notepad.exeNotepad.exe

pid	process
2368	Notepad.exe
2368	Notepad.exe
2368	Notepad.exe
2368	Notepad.exe
2368	Notepad.exe
2368	Notepad.exe
2368	Notepad.exe
2476	Notepad.exe
2476	Notepad.exe
2476	Notepad.exe
2476	Notepad.exe
2476	Notepad.exe
2476	Notepad.exe
2476	Notepad.exe
2476	Notepad.exe
2476	Notepad.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/604-121-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-122-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-127-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-129-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-126-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-124-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-123-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-125-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-131-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-132-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-130-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-133-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-155-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4648-284-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4648-283-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4648-282-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4648-281-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4648-285-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-286-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4648-288-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4648-289-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-290-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/604-291-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Hkbsse.exeNotepad.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uYtF.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000001000\\uYtF.exe"	Hkbsse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\serieta.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\serieta.exe"	Hkbsse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\Notepad.exe"	Notepad.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

3064 powercfg.exe
1000 powercfg.exe
4580 powercfg.exe
3676 powercfg.exe
4064 powercfg.exe
5068 powercfg.exe
1652 powercfg.exe
1252 powercfg.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exeaxplong.exeaxplong.exeaxplong.exe

pid process

648 39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe
2096 axplong.exe
2568 axplong.exe
416 axplong.exe

pid	process
3064	powercfg.exe
1000	powercfg.exe
4580	powercfg.exe
3676	powercfg.exe
4064	powercfg.exe
5068	powercfg.exe
1652	powercfg.exe
1252	powercfg.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

legs.exewfbrmcwrltkl.exepseaptzkxyms.exeetuamactyjne.exe

description	pid	process	target process
PID 2036 set thread context of 4532	2036	legs.exe	RegAsm.exe
PID 1664 set thread context of 604	1664	wfbrmcwrltkl.exe	explorer.exe
PID 1248 set thread context of 4264	1248	pseaptzkxyms.exe	conhost.exe
PID 4092 set thread context of 4512	4092	etuamactyjne.exe	conhost.exe
PID 4092 set thread context of 4648	4092	etuamactyjne.exe	conhost.exe

Drops file in Windows directory 2 IoCs

Processes:

39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe0x3fg.exe

description ioc process

File created C:\Windows\Tasks\axplong.job 39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe
File created C:\Windows\Tasks\Hkbsse.job 0x3fg.exe
Launches sc.exe 12 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3496 sc.exe
224 sc.exe
3048 sc.exe
388 sc.exe
3380 sc.exe
4652 sc.exe
3640 sc.exe
2892 sc.exe
3816 sc.exe
1128 sc.exe
1460 sc.exe
2804 sc.exe
Detects Pyinstaller 1 IoCs
pyinstaller

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\Notepad.exe pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3152 2036 WerFault.exe legs.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

764 taskkill.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe
File created	C:\Windows\Tasks\Hkbsse.job	0x3fg.exe

pid	process
3496	sc.exe
224	sc.exe
3048	sc.exe
388	sc.exe
3380	sc.exe
4652	sc.exe
3640	sc.exe
2892	sc.exe
3816	sc.exe
1128	sc.exe
1460	sc.exe
2804	sc.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Notepad.exe	pyinstaller

pid	pid_target	process	target process
3152	2036	WerFault.exe	legs.exe

pid	process
764	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exeaxplong.exeRegAsm.exeuYtF.exewfbrmcwrltkl.exeaxplong.exenatura.exenautr.exepseaptzkxyms.exeetuamactyjne.execonhost.exe

pid	process
648	39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe
648	39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe
2096	axplong.exe
2096	axplong.exe
4532	RegAsm.exe
4532	RegAsm.exe
4532	RegAsm.exe
4532	RegAsm.exe
4532	RegAsm.exe
4532	RegAsm.exe
4532	RegAsm.exe
4532	RegAsm.exe
4532	RegAsm.exe
4532	RegAsm.exe
4532	RegAsm.exe
4532	RegAsm.exe
4532	RegAsm.exe
4532	RegAsm.exe
4612	uYtF.exe
4612	uYtF.exe
4612	uYtF.exe
4612	uYtF.exe
4612	uYtF.exe
4612	uYtF.exe
4612	uYtF.exe
4612	uYtF.exe
1664	wfbrmcwrltkl.exe
1664	wfbrmcwrltkl.exe
1664	wfbrmcwrltkl.exe
1664	wfbrmcwrltkl.exe
1664	wfbrmcwrltkl.exe
2568	axplong.exe
2568	axplong.exe
3820	natura.exe
4988	nautr.exe
4988	nautr.exe
3820	natura.exe
4988	nautr.exe
4988	nautr.exe
3820	natura.exe
3820	natura.exe
1248	pseaptzkxyms.exe
4092	etuamactyjne.exe
4092	etuamactyjne.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe
4648	conhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

RegAsm.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exetaskkill.execonhost.exeutyj.exe

description	pid	process
Token: SeDebugPrivilege	4532	RegAsm.exe
Token: SeBackupPrivilege	4532	RegAsm.exe
Token: SeSecurityPrivilege	4532	RegAsm.exe
Token: SeSecurityPrivilege	4532	RegAsm.exe
Token: SeSecurityPrivilege	4532	RegAsm.exe
Token: SeSecurityPrivilege	4532	RegAsm.exe
Token: SeShutdownPrivilege	4580	powercfg.exe
Token: SeCreatePagefilePrivilege	4580	powercfg.exe
Token: SeShutdownPrivilege	3064	powercfg.exe
Token: SeCreatePagefilePrivilege	3064	powercfg.exe
Token: SeShutdownPrivilege	1000	powercfg.exe
Token: SeCreatePagefilePrivilege	1000	powercfg.exe
Token: SeShutdownPrivilege	3676	powercfg.exe
Token: SeCreatePagefilePrivilege	3676	powercfg.exe
Token: SeShutdownPrivilege	4064	powercfg.exe
Token: SeCreatePagefilePrivilege	4064	powercfg.exe
Token: SeShutdownPrivilege	5068	powercfg.exe
Token: SeCreatePagefilePrivilege	5068	powercfg.exe
Token: SeShutdownPrivilege	1652	powercfg.exe
Token: SeCreatePagefilePrivilege	1652	powercfg.exe
Token: SeShutdownPrivilege	1252	powercfg.exe
Token: SeCreatePagefilePrivilege	1252	powercfg.exe
Token: SeLockMemoryPrivilege	604	explorer.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeLockMemoryPrivilege	4648	conhost.exe
Token: SeDebugPrivilege	3992	utyj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exeaxplong.exelegs.exe0x3fg.exeHkbsse.exewfbrmcwrltkl.exeserieta.exeNotepad.exeNotepad.execmd.exeNotepad.exepseaptzkxyms.exeetuamactyjne.exe

description	pid	process	target process
PID 648 wrote to memory of 2096	648	39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe	axplong.exe
PID 648 wrote to memory of 2096	648	39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe	axplong.exe
PID 648 wrote to memory of 2096	648	39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe	axplong.exe
PID 2096 wrote to memory of 2036	2096	axplong.exe	legs.exe
PID 2096 wrote to memory of 2036	2096	axplong.exe	legs.exe
PID 2096 wrote to memory of 2036	2096	axplong.exe	legs.exe
PID 2036 wrote to memory of 4532	2036	legs.exe	RegAsm.exe
PID 2036 wrote to memory of 4532	2036	legs.exe	RegAsm.exe
PID 2036 wrote to memory of 4532	2036	legs.exe	RegAsm.exe
PID 2036 wrote to memory of 4532	2036	legs.exe	RegAsm.exe
PID 2036 wrote to memory of 4532	2036	legs.exe	RegAsm.exe
PID 2036 wrote to memory of 4532	2036	legs.exe	RegAsm.exe
PID 2036 wrote to memory of 4532	2036	legs.exe	RegAsm.exe
PID 2036 wrote to memory of 4532	2036	legs.exe	RegAsm.exe
PID 2096 wrote to memory of 4640	2096	axplong.exe	0x3fg.exe
PID 2096 wrote to memory of 4640	2096	axplong.exe	0x3fg.exe
PID 2096 wrote to memory of 4640	2096	axplong.exe	0x3fg.exe
PID 4640 wrote to memory of 3256	4640	0x3fg.exe	Hkbsse.exe
PID 4640 wrote to memory of 3256	4640	0x3fg.exe	Hkbsse.exe
PID 4640 wrote to memory of 3256	4640	0x3fg.exe	Hkbsse.exe
PID 3256 wrote to memory of 4612	3256	Hkbsse.exe	uYtF.exe
PID 3256 wrote to memory of 4612	3256	Hkbsse.exe	uYtF.exe
PID 3256 wrote to memory of 3992	3256	Hkbsse.exe	utyj.exe
PID 3256 wrote to memory of 3992	3256	Hkbsse.exe	utyj.exe
PID 3256 wrote to memory of 3992	3256	Hkbsse.exe	utyj.exe
PID 1664 wrote to memory of 604	1664	wfbrmcwrltkl.exe	explorer.exe
PID 1664 wrote to memory of 604	1664	wfbrmcwrltkl.exe	explorer.exe
PID 1664 wrote to memory of 604	1664	wfbrmcwrltkl.exe	explorer.exe
PID 1664 wrote to memory of 604	1664	wfbrmcwrltkl.exe	explorer.exe
PID 1664 wrote to memory of 604	1664	wfbrmcwrltkl.exe	explorer.exe
PID 3256 wrote to memory of 880	3256	Hkbsse.exe	serieta.exe
PID 3256 wrote to memory of 880	3256	Hkbsse.exe	serieta.exe
PID 3256 wrote to memory of 880	3256	Hkbsse.exe	serieta.exe
PID 880 wrote to memory of 3820	880	serieta.exe	natura.exe
PID 880 wrote to memory of 3820	880	serieta.exe	natura.exe
PID 880 wrote to memory of 4988	880	serieta.exe	nautr.exe
PID 880 wrote to memory of 4988	880	serieta.exe	nautr.exe
PID 880 wrote to memory of 3624	880	serieta.exe	Notepad.exe
PID 880 wrote to memory of 3624	880	serieta.exe	Notepad.exe
PID 3624 wrote to memory of 2368	3624	Notepad.exe	Notepad.exe
PID 3624 wrote to memory of 2368	3624	Notepad.exe	Notepad.exe
PID 2368 wrote to memory of 4112	2368	Notepad.exe	cmd.exe
PID 2368 wrote to memory of 4112	2368	Notepad.exe	cmd.exe
PID 4112 wrote to memory of 764	4112	cmd.exe	taskkill.exe
PID 4112 wrote to memory of 764	4112	cmd.exe	taskkill.exe
PID 4112 wrote to memory of 4408	4112	cmd.exe	Notepad.exe
PID 4112 wrote to memory of 4408	4112	cmd.exe	Notepad.exe
PID 4408 wrote to memory of 2476	4408	Notepad.exe	Notepad.exe
PID 4408 wrote to memory of 2476	4408	Notepad.exe	Notepad.exe
PID 1248 wrote to memory of 4264	1248	pseaptzkxyms.exe	conhost.exe
PID 1248 wrote to memory of 4264	1248	pseaptzkxyms.exe	conhost.exe
PID 1248 wrote to memory of 4264	1248	pseaptzkxyms.exe	conhost.exe
PID 1248 wrote to memory of 4264	1248	pseaptzkxyms.exe	conhost.exe
PID 1248 wrote to memory of 4264	1248	pseaptzkxyms.exe	conhost.exe
PID 1248 wrote to memory of 4264	1248	pseaptzkxyms.exe	conhost.exe
PID 1248 wrote to memory of 4264	1248	pseaptzkxyms.exe	conhost.exe
PID 1248 wrote to memory of 4264	1248	pseaptzkxyms.exe	conhost.exe
PID 1248 wrote to memory of 4264	1248	pseaptzkxyms.exe	conhost.exe
PID 4092 wrote to memory of 4512	4092	etuamactyjne.exe	conhost.exe
PID 4092 wrote to memory of 4512	4092	etuamactyjne.exe	conhost.exe
PID 4092 wrote to memory of 4512	4092	etuamactyjne.exe	conhost.exe
PID 4092 wrote to memory of 4512	4092	etuamactyjne.exe	conhost.exe
PID 4092 wrote to memory of 4512	4092	etuamactyjne.exe	conhost.exe
PID 4092 wrote to memory of 4512	4092	etuamactyjne.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe
"C:\Users\Admin\AppData\Local\Temp\39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
"C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 240
4⤵
- Program crash
PID:3152

C:\Users\Admin\AppData\Local\Temp\1000093001\0x3fg.exe
"C:\Users\Admin\AppData\Local\Temp\1000093001\0x3fg.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe
"C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4612

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "xjuumoinznsp"
6⤵
- Launches sc.exe
PID:3496

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "xjuumoinznsp" binpath= "C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe" start= "auto"
6⤵
- Launches sc.exe
PID:224

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:3048

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "xjuumoinznsp"
6⤵
- Launches sc.exe
PID:4652

C:\Users\Admin\AppData\Local\Temp\1000003001\utyj.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\utyj.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Users\Admin\AppData\Local\Temp\1000005001\serieta.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\serieta.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\natura.exe
"C:\Users\Admin\AppData\Local\Temp\natura.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3820

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "HJUWGNAT"
7⤵
- Launches sc.exe
PID:3640

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "HJUWGNAT" binpath= "C:\ProgramData\agmxykvocxft\etuamactyjne.exe" start= "auto"
7⤵
- Launches sc.exe
PID:3816

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
7⤵
- Launches sc.exe
PID:2804

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "HJUWGNAT"
7⤵
- Launches sc.exe
PID:1460

C:\Users\Admin\AppData\Local\Temp\nautr.exe
"C:\Users\Admin\AppData\Local\Temp\nautr.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4988

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OYGYWFTH"
7⤵
- Launches sc.exe
PID:388

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OYGYWFTH" binpath= "C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe" start= "auto"
7⤵
- Launches sc.exe
PID:2892

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
7⤵
- Launches sc.exe
PID:3380

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OYGYWFTH"
7⤵
- Launches sc.exe
PID:1128

C:\Users\Admin\AppData\Local\Temp\Notepad.exe
"C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624

C:\Users\Admin\AppData\Local\Temp\Notepad.exe
"C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat
8⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\system32\taskkill.exe
taskkill /f /im "Notepad.exe"
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Users\Admin\Notepad.exe
"Notepad.exe"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408

C:\Users\Admin\Notepad.exe
"Notepad.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2036 -ip 2036
1⤵
PID:2628

C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4296

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2568

C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe
C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4264

C:\ProgramData\agmxykvocxft\etuamactyjne.exe
C:\ProgramData\agmxykvocxft\etuamactyjne.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4512

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:416

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000003001\utyj.exe
Filesize
297KB

MD5
f135803381618638b68506450fca1797

SHA1
c2311e46f1deb8213cb155ff8a68fac30eb6766c

SHA256
bf38a350365e6dc02b2b906e330c8cea297a1ad89e752c50b4a0a201e79a7600

SHA512
8266101235e6d3d0ee7b1d80cf504b66efa25a3ad9e147d2ece9cf8c60334d9329bf4d56d04ef34913fd2425334bc2e3419cad97cb8118ae5a406fcb410b8e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\serieta.exe
Filesize
12.1MB

MD5
448effb3d85fb89c7f190cb99ffa73fc

SHA1
cbbb99017a213a46791ce3712f1297ba4a1ae72a

SHA256
f8c91e7edae8c63c29dd51becb5c806305c83cf19bc576401a6802f3cd4aed66

SHA512
026d5af0234d577dbc505a90fbedd6ce90a216ca557e527e0b3f66c00474ec8dac6bffd3a3ad6211ecee02ff557e99aa01d97b9626b73f4ced5ee78241461c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
Filesize
659KB

MD5
bbd06263062b2c536b5caacdd5f81b76

SHA1
c38352c1c08fb0fa5e67a079998ef30ebc962089

SHA256
1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9

SHA512
7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000093001\0x3fg.exe
Filesize
415KB

MD5
c4aeaafc0507785736e000ff7e823f5e

SHA1
b1acdee835f02856985a822fe99921b097ed1519

SHA256
b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5

SHA512
fbaefbce3232481490bce7b859c6c1bafd87ee6d952a2be9bf7c4ed25fe8fc9aff46c2246e247aa05ce8e405831a5905ca366c5333ede0af48f9a6287479a12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.8MB

MD5
5ba503c25d7d0823e31de21e9edf8f5b

SHA1
078221f2d14204426c6b8695a8b85ab06e0e7c58

SHA256
39e90ad82edf192636e8d3f8c22fb09992a16cb84d2ad869a22e3e48d752d891

SHA512
4875357798c7122ec152b707e953f0c15172e156113a6f32f50c3157a30abc122ebb63ccc0fb81d81f20fff6b49824197aa217f3994be85f550e6b34737cd2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Notepad.exe
Filesize
7.0MB

MD5
150f7378fd18d19ecc002761fa112de5

SHA1
a5ef247183d14dcd0d9b112306c1965c38720a1e

SHA256
b3bfd7d408a13096897fe8cbaff158cb8ff34f6d2d2269b25a1a268daeef387c

SHA512
dd3739f3e7736c6d6319dbf71346addfdab60d668c84b91d9c87bdf5ee7c6ea085b49a314c52338cb196cceb212067fdbf804da91d9f517a34e1b0978ceebb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36242\VCRUNTIME140.dll
Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36242\_bz2.pyd
Filesize
82KB

MD5
59d60a559c23202beb622021af29e8a9

SHA1
a405f23916833f1b882f37bdbba2dd799f93ea32

SHA256
706d4a0c26dd454538926cbb2ff6c64257c3d9bd48c956f7cabd6def36ffd13e

SHA512
2f60e79603cf456b2a14b8254cec75ce8be0a28d55a874d4fb23d92d63bbe781ed823ab0f4d13a23dc60c4df505cbf1dbe1a0a2049b02e4bdec8d374898002b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36242\_ctypes.pyd
Filesize
122KB

MD5
2a834c3738742d45c0a06d40221cc588

SHA1
606705a593631d6767467fb38f9300d7cd04ab3e

SHA256
f20dfa748b878751ea1c4fe77a230d65212720652b99c4e5577bce461bbd9089

SHA512
924235a506ce4d635fa7c2b34e5d8e77eff73f963e58e29c6ef89db157bf7bab587678bb2120d09da70594926d82d87dbaa5d247e861e331cf591d45ea19a117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36242\_decimal.pyd
Filesize
246KB

MD5
f930b7550574446a015bc602d59b0948

SHA1
4ee6ff8019c6c540525bdd2790fc76385cdd6186

SHA256
3b9ad1d2bc9ec03d37da86135853dac73b3fe851b164fe52265564a81eb8c544

SHA512
10b864975945d6504433554f9ff11b47218caa00f809c6bce00f9e4089b862190a4219f659697a4ba5e5c21edbe1d8d325950921e09371acc4410469bd9189ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36242\_hashlib.pyd
Filesize
64KB

MD5
b0262bd89a59a3699bfa75c4dcc3ee06

SHA1
eb658849c646a26572dea7f6bfc042cb62fb49dc

SHA256
4adfbbd6366d9b55d902fc54d2b42e7c8c989a83016ed707bd7a302fc3fc7b67

SHA512
2e4b214de3b306e3a16124af434ff8f5ab832aa3eeb1aa0aa9b49b0ada0928dcbb05c57909292fbe3b01126f4cd3fe0dac9cc15eaea5f3844d6e267865b9f7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36242\_lzma.pyd
Filesize
155KB

MD5
b71dbe0f137ffbda6c3a89d5bcbf1017

SHA1
a2e2bdc40fdb83cc625c5b5e8a336ca3f0c29c5f

SHA256
6216173194b29875e84963cd4dc4752f7ca9493f5b1fd7e4130ca0e411c8ac6a

SHA512
9a5c7b1e25d8e1b5738f01aedfd468c1837f1ac8dd4a5b1d24ce86dcae0db1c5b20f2ff4280960bc523aee70b71db54fd515047cdaf10d21a8bec3ebd6663358

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36242\_socket.pyd
Filesize
81KB

MD5
9c6283cc17f9d86106b706ec4ea77356

SHA1
af4f2f52ce6122f340e5ea1f021f98b1ffd6d5b6

SHA256
5cc62aac52edf87916deb4ebbad9abb58a6a3565b32e7544f672aca305c38027

SHA512
11fd6f570dd78f8ff00be645e47472a96daffa3253e8bd29183bccde3f0746f7e436a106e9a68c57cc05b80a112365441d06cc719d51c906703b428a32c93124

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36242\_wmi.pyd
Filesize
35KB

MD5
c1654ebebfeeda425eade8b77ca96de5

SHA1
a4a150f1c810077b6e762f689c657227cc4fd257

SHA256
aa1443a715fbf84a84f39bd89707271fc11a77b597d7324ce86fc5cfa56a63a9

SHA512
21705b991e75efd5e59b8431a3b19ae5fcc38a3e7f137a9d52acd24e7f67d61758e48abc1c9c0d4314fa02010a1886c15ead5bca8dca1b1d4ccbfc3c589d342e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36242\base_library.zip
Filesize
1.3MB

MD5
630153ac2b37b16b8c5b0dbb69a3b9d6

SHA1
f901cd701fe081489b45d18157b4a15c83943d9d

SHA256
ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2

SHA512
7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36242\libcrypto-3.dll
Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36242\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36242\python312.dll
Filesize
6.7MB

MD5
550288a078dffc3430c08da888e70810

SHA1
01b1d31f37fb3fd81d893cc5e4a258e976f5884f

SHA256
789a42ac160cef98f8925cb347473eeeb4e70f5513242e7faba5139ba06edf2d

SHA512
7244432fc3716f7ef27630d4e8fbc8180a2542aa97a01d44dca260ab43966dd8ac98b6023400b0478a4809aace1a128f1f4d6e544f2e591a5b436fd4c8a9d723

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36242\select.pyd
Filesize
29KB

MD5
8a273f518973801f3c63d92ad726ec03

SHA1
069fc26b9bd0f6ea3f9b3821ad7c812fd94b021f

SHA256
af358285a7450de6e2e5e7ff074f964d6a257fb41d9eb750146e03c7dda503ca

SHA512
7fedae0573ecb3946ede7d0b809a98acad3d4c95d6c531a40e51a31bdb035badc9f416d8aaa26463784ff2c5e7a0cc2c793d62b5fdb2b8e9fad357f93d3a65f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36242\unicodedata.pyd
Filesize
1.1MB

MD5
04f35d7eec1f6b72bab9daf330fd0d6b

SHA1
ecf0c25ba7adf7624109e2720f2b5930cd2dba65

SHA256
be942308d99cc954931fe6f48ed8cc7a57891ccbe99aae728121bcda1fd929ab

SHA512
3da405e4c1371f4b265e744229dcc149491a112a2b7ea8e518d5945f8c259cad15583f25592b35ec8a344e43007ae00da9673822635ee734d32664f65c9c8d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\natura.exe
Filesize
2.5MB

MD5
c4632a10a964a334e4c4c252283a4256

SHA1
8538000e2e116045f9698e41f9fe1b28eaf86e00

SHA256
a665723cd4b03528486a8128548d7fe825f2ff2e91e9d773ae2d5edb0bdaa8bd

SHA512
947cc709af9b0497dd80ea1c777c7c113f6c0e958aa34847b4b64edbdbe49af11c17e3cc68cbc3e1b86dd0f961f35b0cda12ee95c3e29866fbf5a57aa2f62a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nautr.exe
Filesize
2.5MB

MD5
e0df3f75617bc94f9094d476a2a55ff0

SHA1
6b66cdb4dbe1f05e53d0e0e34b3e2d71b0098e00

SHA256
dd483c5a9e8d886f4189b170cca29d0074352c2d1ee45525d6574e35677a4548

SHA512
099d539cf6548c3421ec1eda1124e5b97dbdaa465d48d1945ddb87bd899d74aaa2e2a1ec9f0743088b05ad48583480c73f368624c9d27e85a4a533eb928f2729

Download Submit
C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe
Filesize
2.5MB

MD5
4691a9fe21f8589b793ea16f0d1749f1

SHA1
5c297f97142b7dad1c2d0c6223346bf7bcf2ea82

SHA256
63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904

SHA512
ee27d5912e2fb4b045ffd39689162ab2668a79615b2b641a17b6b03c4273070a711f9f29dd847ffff5ae437d9df6102df6e10e898c36d44ec25e64ba1dd83386

Download Submit
C:\Users\Admin\activate.bat
Filesize
89B

MD5
d58c7fcb7af4dba94dd8918ef29d5ec3

SHA1
9671c90d94b89d1845c3710d2d5435cdf08ba249

SHA256
44d51facca088638f287e709658abaf3f96e0ae25c0c61c47a9af85e764a29b1

SHA512
3294add7249a6c12ab192d5236060364f1e57c1d093b469530fe793403646e6dc2d5b9afe4032745019ba62902803cf91c8ce894b6795e4f7e5fe9d654790edb

Download Submit
memory/416-297-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/416-299-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/604-131-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-125-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-286-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-127-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-128-0x0000000000EB0000-0x0000000000ED0000-memory.dmp

Filesize
128KB

Download
memory/604-133-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-130-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-132-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-121-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-122-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-155-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-290-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-124-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-126-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-129-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-123-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/604-291-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/648-1-0x0000000077684000-0x0000000077686000-memory.dmp

Filesize
8KB

Download
memory/648-17-0x0000000000730000-0x0000000000BF0000-memory.dmp

Filesize
4.8MB

Download
memory/648-5-0x0000000000730000-0x0000000000BF0000-memory.dmp

Filesize
4.8MB

Download
memory/648-3-0x0000000000730000-0x0000000000BF0000-memory.dmp

Filesize
4.8MB

Download
memory/648-2-0x0000000000731000-0x000000000075F000-memory.dmp

Filesize
184KB

Download
memory/648-0-0x0000000000730000-0x0000000000BF0000-memory.dmp

Filesize
4.8MB

Download
memory/2036-37-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2096-135-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-134-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-294-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-295-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-296-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-255-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-293-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-300-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-287-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-301-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-303-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-114-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-21-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-20-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-19-0x0000000000981000-0x00000000009AF000-memory.dmp

Filesize
184KB

Download
memory/2096-116-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-18-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2096-115-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2568-154-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2568-220-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/3992-113-0x0000000000E90000-0x0000000000EE0000-memory.dmp

Filesize
320KB

Download
memory/3992-222-0x00000000071A0000-0x00000000071F0000-memory.dmp

Filesize
320KB

Download
memory/4264-264-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4264-262-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4264-261-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4264-260-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4264-259-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4264-258-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4512-265-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4512-269-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4512-266-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4512-268-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4512-267-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4512-272-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4532-71-0x00000000085C0000-0x00000000085FC000-memory.dmp

Filesize
240KB

Download
memory/4532-83-0x00000000089C0000-0x0000000008A26000-memory.dmp

Filesize
408KB

Download
memory/4532-38-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4532-39-0x0000000005DB0000-0x0000000006354000-memory.dmp

Filesize
5.6MB

Download
memory/4532-40-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/4532-56-0x0000000005820000-0x000000000582A000-memory.dmp

Filesize
40KB

Download
memory/4532-101-0x000000000A110000-0x000000000A2D2000-memory.dmp

Filesize
1.8MB

Download
memory/4532-92-0x0000000008AC0000-0x0000000008ADE000-memory.dmp

Filesize
120KB

Download
memory/4532-68-0x0000000008AE0000-0x00000000090F8000-memory.dmp

Filesize
6.1MB

Download
memory/4532-69-0x0000000008610000-0x000000000871A000-memory.dmp

Filesize
1.0MB

Download
memory/4532-91-0x00000000096C0000-0x0000000009736000-memory.dmp

Filesize
472KB

Download
memory/4532-70-0x0000000008560000-0x0000000008572000-memory.dmp

Filesize
72KB

Download
memory/4532-72-0x0000000008720000-0x000000000876C000-memory.dmp

Filesize
304KB

Download
memory/4532-102-0x000000000A810000-0x000000000AD3C000-memory.dmp

Filesize
5.2MB

Download
memory/4648-284-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4648-289-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4648-288-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4648-285-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4648-281-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4648-282-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4648-283-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download