asyncrat | d725785ec3970b75ecb17a7e5ac14d93ce7a54d259dffc74e8222ed8cfb8b6b3

Analysis

max time kernel
148s
max time network
140s
platform
windows7_x64
resource
win7v200430
submitted
05-06-2020 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malicious_binary.exe.donotrun.exe
Size

112KB
MD5

61348f2441c23882342e38f89b366d99
SHA1

604504eae8ecb59dfb91c5c7403488b9b95843f8
SHA256

d725785ec3970b75ecb17a7e5ac14d93ce7a54d259dffc74e8222ed8cfb8b6b3
SHA512

5238ebfc7cad76d503a3329b43778c55aac9b784d95a7a060752a381054b40d4528d9ec9a4ad1d14a3c14a40e3091ca3fb7a965dd2736b4b674b2a0946fa3937

Score

10^/10

asyncrat azorult netwire oski raccoon botnet discovery infostealer persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5.11 Release Build compiled on Fri May 8 14:39:40 2020 Launched at: 2020.06.05 - 09:42:48 GMT Bot_ID: 58B98E61-8F0C-4164-9CA8-CBDF20304A02_Admin Running on a desktop =R=A=C=C=O=O=N= System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.13 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: DJRWGDLZ - Username: Admin - Windows version: NT 6.1 - Product name: Windows 7 Professional - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 2047 MB (472 MB used) - Screen resolution: 1280x720 - Display devices: 0) Standard VGA Graphics Adapter ============

Extracted

Family

asyncrat

Version

0.5.7B

tamera.ug:6970

asdxcvxdfgdnbvrwe.ru:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
5sETivXjVSkYQrZDbnr0EF5GkUKY9RJq
anti_detection
false
autorun
false
bdos
false
delay
Default
host
tamera.ug,asdxcvxdfgdnbvrwe.ru
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1580-67-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/1580-69-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/1580-70-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.

Processes:

yara_rule

raccoon_log_file

yara_rule
raccoon_log_file

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/384-101-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/384-103-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/384-104-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

xcvndfg.exe580654274898.exebrgdsb.exesvcb.exegenrernes.exeddvc.exeddvc.exe8cziEDlVMJ.exesvcb.exe

pid process

1112 xcvndfg.exe
1608 580654274898.exe
1940 brgdsb.exe
1836 svcb.exe
1288 genrernes.exe
1640 ddvc.exe
1580 ddvc.exe
1776 8cziEDlVMJ.exe
384 svcb.exe

pid	process
1112	xcvndfg.exe
1608	580654274898.exe
1940	brgdsb.exe
1836	svcb.exe
1288	genrernes.exe
1640	ddvc.exe
1580	ddvc.exe
1776	8cziEDlVMJ.exe
384	svcb.exe

Checks QEMU agent file 2 TTPs 12 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

malicious_binary.exe.donotrun.exebrgdsb.exe580654274898.exe8cziEDlVMJ.exe8cziEDlVMJ.exegenrernes.exegenrernes.exemalicious_binary.exe.donotrun.exexcvndfg.exexcvndfg.exe580654274898.exebrgdsb.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	malicious_binary.exe.donotrun.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	brgdsb.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	580654274898.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	8cziEDlVMJ.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	8cziEDlVMJ.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	genrernes.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	genrernes.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	malicious_binary.exe.donotrun.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	xcvndfg.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	xcvndfg.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	580654274898.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	brgdsb.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1556 cmd.exe

pid	process
1556	cmd.exe

Loads dropped DLL 52 IoCs

Processes:

malicious_binary.exe.donotrun.exexcvndfg.exexcvndfg.exebrgdsb.exebrgdsb.exe580654274898.exeddvc.exegenrernes.exegenrernes.exe8cziEDlVMJ.exe8cziEDlVMJ.exesvcb.exe

pid	process
1344	malicious_binary.exe.donotrun.exe
1344	malicious_binary.exe.donotrun.exe
1112	xcvndfg.exe
1776	xcvndfg.exe
1344	malicious_binary.exe.donotrun.exe
1344	malicious_binary.exe.donotrun.exe
1344	malicious_binary.exe.donotrun.exe
1344	malicious_binary.exe.donotrun.exe
1344	malicious_binary.exe.donotrun.exe
1344	malicious_binary.exe.donotrun.exe
1344	malicious_binary.exe.donotrun.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1940	brgdsb.exe
1576	brgdsb.exe
1008	580654274898.exe
1008	580654274898.exe
1008	580654274898.exe
1008	580654274898.exe
1576	brgdsb.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1776	xcvndfg.exe
1640	ddvc.exe
1288	genrernes.exe
1600	genrernes.exe
1576	brgdsb.exe
1576	brgdsb.exe
1576	brgdsb.exe
1576	brgdsb.exe
1576	brgdsb.exe
1576	brgdsb.exe
1576	brgdsb.exe
1576	brgdsb.exe
1576	brgdsb.exe
1576	brgdsb.exe
1776	8cziEDlVMJ.exe
1884	8cziEDlVMJ.exe
1836	svcb.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8cziEDlVMJ.exe580654274898.exegenrernes.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	8cziEDlVMJ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\POLYEMBRY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skdehundhomo\\genrernes.vbs"	8cziEDlVMJ.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	580654274898.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\POLYEMBRY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skdehundhomo\\genrernes.vbs"	580654274898.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	genrernes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\POLYEMBRY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skdehundhomo\\genrernes.vbs"	genrernes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

brgdsb.exe

description ioc process

File created C:\Users\Admin\AppData\LocalLow\cr6im03b56g32r\desktop.ini brgdsb.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\cr6im03b56g32r\desktop.ini	brgdsb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

malicious_binary.exe.donotrun.exemalicious_binary.exe.donotrun.exexcvndfg.exexcvndfg.exebrgdsb.exe580654274898.exebrgdsb.exe580654274898.exegenrernes.exegenrernes.exe8cziEDlVMJ.exe8cziEDlVMJ.exe

pid	process
1008	malicious_binary.exe.donotrun.exe
1344	malicious_binary.exe.donotrun.exe
1344	malicious_binary.exe.donotrun.exe
1112	xcvndfg.exe
1776	xcvndfg.exe
1940	brgdsb.exe
1608	580654274898.exe
1576	brgdsb.exe
1008	580654274898.exe
1776	xcvndfg.exe
1576	brgdsb.exe
1288	genrernes.exe
1600	genrernes.exe
1600	genrernes.exe
1776	8cziEDlVMJ.exe
1884	8cziEDlVMJ.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

malicious_binary.exe.donotrun.exexcvndfg.exebrgdsb.exe580654274898.exeddvc.exegenrernes.exe8cziEDlVMJ.exesvcb.exe

description	pid	process	target process
PID 1008 set thread context of 1344	1008	malicious_binary.exe.donotrun.exe	malicious_binary.exe.donotrun.exe
PID 1112 set thread context of 1776	1112	xcvndfg.exe	xcvndfg.exe
PID 1940 set thread context of 1576	1940	brgdsb.exe	brgdsb.exe
PID 1608 set thread context of 1008	1608	580654274898.exe	580654274898.exe
PID 1640 set thread context of 1580	1640	ddvc.exe	ddvc.exe
PID 1288 set thread context of 1600	1288	genrernes.exe	genrernes.exe
PID 1776 set thread context of 1884	1776	8cziEDlVMJ.exe	8cziEDlVMJ.exe
PID 1836 set thread context of 384	1836	svcb.exe	svcb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

malicious_binary.exe.donotrun.exexcvndfg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	malicious_binary.exe.donotrun.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	xcvndfg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	xcvndfg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1848 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1812 timeout.exe
1888 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1888 taskkill.exe

pid	process
1848	schtasks.exe

pid	process
1812	timeout.exe
1888	timeout.exe

pid	process
1888	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

genrernes.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	genrernes.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	genrernes.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	genrernes.exe

NTFS ADS 1 IoCs

Processes:

malicious_binary.exe.donotrun.exe

description ioc process

File created C:\ProgramData\580654274898.exe:Zone.Identifier malicious_binary.exe.donotrun.exe

description	ioc	process
File created	C:\ProgramData\580654274898.exe:Zone.Identifier	malicious_binary.exe.donotrun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

xcvndfg.exeddvc.exe

pid	process
1776	xcvndfg.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe
1580	ddvc.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

malicious_binary.exe.donotrun.exexcvndfg.exebrgdsb.exe580654274898.exegenrernes.exe8cziEDlVMJ.exe

pid process

1008 malicious_binary.exe.donotrun.exe
1112 xcvndfg.exe
1940 brgdsb.exe
1608 580654274898.exe
1288 genrernes.exe
1776 8cziEDlVMJ.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exeddvc.exe

description pid process

Token: SeDebugPrivilege 1888 taskkill.exe
Token: SeDebugPrivilege 1580 ddvc.exe

description	pid	process
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	1580	ddvc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

malicious_binary.exe.donotrun.exexcvndfg.exe580654274898.exebrgdsb.exegenrernes.exeddvc.exe8cziEDlVMJ.exe

pid	process
1008	malicious_binary.exe.donotrun.exe
1112	xcvndfg.exe
1608	580654274898.exe
1940	brgdsb.exe
1288	genrernes.exe
1580	ddvc.exe
1580	ddvc.exe
1776	8cziEDlVMJ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

malicious_binary.exe.donotrun.exemalicious_binary.exe.donotrun.exexcvndfg.execmd.exexcvndfg.exebrgdsb.exe580654274898.exe580654274898.exebrgdsb.execmd.exeddvc.exe

description	pid	process	target process
PID 1008 wrote to memory of 1344	1008	malicious_binary.exe.donotrun.exe	malicious_binary.exe.donotrun.exe
PID 1008 wrote to memory of 1344	1008	malicious_binary.exe.donotrun.exe	malicious_binary.exe.donotrun.exe
PID 1008 wrote to memory of 1344	1008	malicious_binary.exe.donotrun.exe	malicious_binary.exe.donotrun.exe
PID 1008 wrote to memory of 1344	1008	malicious_binary.exe.donotrun.exe	malicious_binary.exe.donotrun.exe
PID 1008 wrote to memory of 1344	1008	malicious_binary.exe.donotrun.exe	malicious_binary.exe.donotrun.exe
PID 1344 wrote to memory of 1112	1344	malicious_binary.exe.donotrun.exe	xcvndfg.exe
PID 1344 wrote to memory of 1112	1344	malicious_binary.exe.donotrun.exe	xcvndfg.exe
PID 1344 wrote to memory of 1112	1344	malicious_binary.exe.donotrun.exe	xcvndfg.exe
PID 1344 wrote to memory of 1112	1344	malicious_binary.exe.donotrun.exe	xcvndfg.exe
PID 1112 wrote to memory of 1776	1112	xcvndfg.exe	xcvndfg.exe
PID 1112 wrote to memory of 1776	1112	xcvndfg.exe	xcvndfg.exe
PID 1112 wrote to memory of 1776	1112	xcvndfg.exe	xcvndfg.exe
PID 1112 wrote to memory of 1776	1112	xcvndfg.exe	xcvndfg.exe
PID 1112 wrote to memory of 1776	1112	xcvndfg.exe	xcvndfg.exe
PID 1344 wrote to memory of 1608	1344	malicious_binary.exe.donotrun.exe	580654274898.exe
PID 1344 wrote to memory of 1608	1344	malicious_binary.exe.donotrun.exe	580654274898.exe
PID 1344 wrote to memory of 1608	1344	malicious_binary.exe.donotrun.exe	580654274898.exe
PID 1344 wrote to memory of 1608	1344	malicious_binary.exe.donotrun.exe	580654274898.exe
PID 1344 wrote to memory of 1556	1344	malicious_binary.exe.donotrun.exe	cmd.exe
PID 1344 wrote to memory of 1556	1344	malicious_binary.exe.donotrun.exe	cmd.exe
PID 1344 wrote to memory of 1556	1344	malicious_binary.exe.donotrun.exe	cmd.exe
PID 1344 wrote to memory of 1556	1344	malicious_binary.exe.donotrun.exe	cmd.exe
PID 1556 wrote to memory of 1888	1556	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 1888	1556	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 1888	1556	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 1888	1556	cmd.exe	taskkill.exe
PID 1776 wrote to memory of 1940	1776	xcvndfg.exe	brgdsb.exe
PID 1776 wrote to memory of 1940	1776	xcvndfg.exe	brgdsb.exe
PID 1776 wrote to memory of 1940	1776	xcvndfg.exe	brgdsb.exe
PID 1776 wrote to memory of 1940	1776	xcvndfg.exe	brgdsb.exe
PID 1940 wrote to memory of 1576	1940	brgdsb.exe	brgdsb.exe
PID 1940 wrote to memory of 1576	1940	brgdsb.exe	brgdsb.exe
PID 1940 wrote to memory of 1576	1940	brgdsb.exe	brgdsb.exe
PID 1940 wrote to memory of 1576	1940	brgdsb.exe	brgdsb.exe
PID 1940 wrote to memory of 1576	1940	brgdsb.exe	brgdsb.exe
PID 1608 wrote to memory of 1008	1608	580654274898.exe	580654274898.exe
PID 1608 wrote to memory of 1008	1608	580654274898.exe	580654274898.exe
PID 1608 wrote to memory of 1008	1608	580654274898.exe	580654274898.exe
PID 1608 wrote to memory of 1008	1608	580654274898.exe	580654274898.exe
PID 1608 wrote to memory of 1008	1608	580654274898.exe	580654274898.exe
PID 1008 wrote to memory of 1836	1008	580654274898.exe	svcb.exe
PID 1008 wrote to memory of 1836	1008	580654274898.exe	svcb.exe
PID 1008 wrote to memory of 1836	1008	580654274898.exe	svcb.exe
PID 1008 wrote to memory of 1836	1008	580654274898.exe	svcb.exe
PID 1008 wrote to memory of 1288	1008	580654274898.exe	genrernes.exe
PID 1008 wrote to memory of 1288	1008	580654274898.exe	genrernes.exe
PID 1008 wrote to memory of 1288	1008	580654274898.exe	genrernes.exe
PID 1008 wrote to memory of 1288	1008	580654274898.exe	genrernes.exe
PID 1576 wrote to memory of 1640	1576	brgdsb.exe	ddvc.exe
PID 1576 wrote to memory of 1640	1576	brgdsb.exe	ddvc.exe
PID 1576 wrote to memory of 1640	1576	brgdsb.exe	ddvc.exe
PID 1576 wrote to memory of 1640	1576	brgdsb.exe	ddvc.exe
PID 1776 wrote to memory of 1904	1776	xcvndfg.exe	cmd.exe
PID 1776 wrote to memory of 1904	1776	xcvndfg.exe	cmd.exe
PID 1776 wrote to memory of 1904	1776	xcvndfg.exe	cmd.exe
PID 1776 wrote to memory of 1904	1776	xcvndfg.exe	cmd.exe
PID 1904 wrote to memory of 1812	1904	cmd.exe	timeout.exe
PID 1904 wrote to memory of 1812	1904	cmd.exe	timeout.exe
PID 1904 wrote to memory of 1812	1904	cmd.exe	timeout.exe
PID 1904 wrote to memory of 1812	1904	cmd.exe	timeout.exe
PID 1640 wrote to memory of 1580	1640	ddvc.exe	ddvc.exe
PID 1640 wrote to memory of 1580	1640	ddvc.exe	ddvc.exe
PID 1640 wrote to memory of 1580	1640	ddvc.exe	ddvc.exe
PID 1640 wrote to memory of 1580	1640	ddvc.exe	ddvc.exe

C:\Users\Admin\AppData\Local\Temp\malicious_binary.exe.donotrun.exe
"C:\Users\Admin\AppData\Local\Temp\malicious_binary.exe.donotrun.exe"
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\AppData\Local\Temp\malicious_binary.exe.donotrun.exe
  "C:\Users\Admin\AppData\Local\Temp\malicious_binary.exe.donotrun.exe"
  2⤵
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\xcvndfg.exe
    "C:\Users\Admin\AppData\Local\Temp\xcvndfg.exe"
    3⤵
    - Executes dropped EXE
    - Checks QEMU agent file
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Users\Admin\AppData\Local\Temp\xcvndfg.exe
      "C:\Users\Admin\AppData\Local\Temp\xcvndfg.exe"
      4⤵
      Checks QEMU agent file
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Users\Admin\AppData\Local\Temp\brgdsb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\brgdsb.exe"
        5⤵
        Executes dropped EXE
        Checks QEMU agent file
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Users\Admin\AppData\Local\Temp\brgdsb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\brgdsb.exe"
        6⤵
        Checks QEMU agent file
        Loads dropped DLL
        Drops desktop.ini file(s)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\ddvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ddvc.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\ddvc.exe
        
        "{path}"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        \??\c:\windows\SysWOW64\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\mhlrxxco.inf
        9⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\8cziEDlVMJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8cziEDlVMJ.exe"
        7⤵
        Executes dropped EXE
        Checks QEMU agent file
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\8cziEDlVMJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8cziEDlVMJ.exe"
        8⤵
        Checks QEMU agent file
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\brgdsb.exe"
        7⤵
        
        PID:320
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:1888
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "xcvndfg.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1904
      - C:\Windows\SysWOW64\timeout.exe
        
        C:\Windows\system32\timeout.exe 3
        6⤵
        Delays execution with timeout.exe
        
        PID:1812
- - C:\ProgramData\580654274898.exe
    "C:\ProgramData\580654274898.exe"
    3⤵
    - Executes dropped EXE
    - Checks QEMU agent file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\ProgramData\580654274898.exe
      "C:\ProgramData\580654274898.exe"
      4⤵
      Checks QEMU agent file
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:1008
    - - C:\Users\Admin\AppData\Local\Temp\svcb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svcb.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1836
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZUFWQYqGWYqpc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE08E.tmp"
        6⤵
        Creates scheduled task(s)
        
        PID:1848
      - C:\Users\Admin\AppData\Local\Temp\svcb.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        
        PID:384
    - - C:\Users\Admin\AppData\Local\Temp\skdehundhomo\genrernes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\skdehundhomo\genrernes.exe"
        5⤵
        Executes dropped EXE
        Checks QEMU agent file
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:1288
      - C:\Users\Admin\AppData\Local\Temp\skdehundhomo\genrernes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\skdehundhomo\genrernes.exe"
        6⤵
        Checks QEMU agent file
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies system certificate store
        
        PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /pid 1344 & erase C:\Users\Admin\AppData\Local\Temp\malicious_binary.exe.donotrun.exe & RD /S /Q C:\\ProgramData\\626798243639588\\* & exit
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /pid 1344
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\580654274898.exe

MD5
a0b18973fa8650d6bfe602d943fecb9a

SHA1
f14ba35c814105dd53b88711ce9e465d53016721

SHA256
898abdb2d9de0344e5b43ac7e4330faeb03d97aa0a3c37e0a37da0ed4d732e9b

SHA512
173d673dd9931eef91552cbf5f995e44360500ace337edcb2bd0c6126c3c8526afcafd19d9716633bccce909da1853772abb205c0ee2f209254d5014d8f2993d

Download Submit
C:\ProgramData\580654274898.exe

MD5
a0b18973fa8650d6bfe602d943fecb9a

SHA1
f14ba35c814105dd53b88711ce9e465d53016721

SHA256
898abdb2d9de0344e5b43ac7e4330faeb03d97aa0a3c37e0a37da0ed4d732e9b

SHA512
173d673dd9931eef91552cbf5f995e44360500ace337edcb2bd0c6126c3c8526afcafd19d9716633bccce909da1853772abb205c0ee2f209254d5014d8f2993d

Download Submit
C:\ProgramData\580654274898.exe

MD5
a0b18973fa8650d6bfe602d943fecb9a

SHA1
f14ba35c814105dd53b88711ce9e465d53016721

SHA256
898abdb2d9de0344e5b43ac7e4330faeb03d97aa0a3c37e0a37da0ed4d732e9b

SHA512
173d673dd9931eef91552cbf5f995e44360500ace337edcb2bd0c6126c3c8526afcafd19d9716633bccce909da1853772abb205c0ee2f209254d5014d8f2993d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_7B15B1C5BB1E8058D3F0EC6C583B6CDF

MD5
988a75a9c3b200d896b8987da33c19ac

SHA1
00463761776fc4050b54d0e08b948477d1f8b818

SHA256
dd677942c6ffa1938abf5340a6f37ac067bfec782864d9d5e917689739d6d4fe

SHA512
1a18ecb988fac522f25cf4849273601f2549f5686bd16225f9e82b66f53547f7c3c64e171560e037c2999c9349ce63f4922d8e2e3c595ce2fe04fb1ea45fa87c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B

MD5
1c400d233070530c717a810d7f9bc99e

SHA1
fa66c5898f1359c7a0fa4b36ca5292e12e0a12e2

SHA256
58b407b0ddf17fbf78fcb2e2dad4fabaada9bd88641f19941480951a200ae4e0

SHA512
19dd9c72b2fbd97f8015fa7214313a010a088cb4706488097457c14a38f0ee72101b2556cb5371ea77e89978d54ad213fb83b95833c4a7745c8bcc56b0410a75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
3170bd58cb7b0a47a7efe2dfdab196ed

SHA1
7e10ba9fc72721dcff8b5981b0072c631c1eeaaf

SHA256
0991eb837d63570b2e166618d19fa2429aca5b94dfdd19bcdab7ccd91e4030f2

SHA512
76b99726c0e0486a9a86efd3dbd048319518ba7340436981a370ba5ccde63680aef7974aaed95837ce95ff2787cc423deace4e6364fd1135a99953676baa7582

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_7B15B1C5BB1E8058D3F0EC6C583B6CDF

MD5
34a13ad2b9813fa7a7aebf6a6fec61a6

SHA1
e03debf283b63decc8f5b9803ce794e9836c2e20

SHA256
a82703da6480e6c0683d9ac26cd63223db7c72361b1b86cf887bb017fb469313

SHA512
dd21cca398c4214df602e18f0a7bfd3725dda84974239476f77b3e4f412be10c201ce67cb7e0408f791ec2839ea055c6d452fc64a10d12a7dd558cc677b37f55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B

MD5
16e09a868ff9b289ed50211e8aa37eb3

SHA1
41d74264b48eb46f8d01a3b863aae08e30bc3503

SHA256
515fc4fcb06630487ee2be55cfa16b9b11636fd0722fbf658cc1146effc98ebb

SHA512
f06c9fa805061ce4a5c4dcd1d45ee6b513a0287f151161d12cb743b0705bf6aaaf8c1adadfdffcdcecf273ce89bf59d9195eb6505407c7b551f362b3a6d7eec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G6PZ2T8A\nw[1].exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cziEDlVMJ.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cziEDlVMJ.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cziEDlVMJ.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\brgdsb.exe

MD5
9e563b46e63ca13f7cf03bbd14eaefa5

SHA1
0a6fc61a13c331514fb3eba655c13c07aea63ffb

SHA256
abc6a9b643cf54a291afd18374eba189a336e39e773f09f35b9d347ddacc2796

SHA512
811dc1cc755cf6383335a154d6cffcb1a8d3b344631768677514b26cc587b41e27cf3413746c9d48e5d4445ddbc648b91c2e488dbce2fc4035ca33cc5bfe6163

Download Submit
C:\Users\Admin\AppData\Local\Temp\brgdsb.exe

MD5
9e563b46e63ca13f7cf03bbd14eaefa5

SHA1
0a6fc61a13c331514fb3eba655c13c07aea63ffb

SHA256
abc6a9b643cf54a291afd18374eba189a336e39e773f09f35b9d347ddacc2796

SHA512
811dc1cc755cf6383335a154d6cffcb1a8d3b344631768677514b26cc587b41e27cf3413746c9d48e5d4445ddbc648b91c2e488dbce2fc4035ca33cc5bfe6163

Download Submit
C:\Users\Admin\AppData\Local\Temp\brgdsb.exe

MD5
9e563b46e63ca13f7cf03bbd14eaefa5

SHA1
0a6fc61a13c331514fb3eba655c13c07aea63ffb

SHA256
abc6a9b643cf54a291afd18374eba189a336e39e773f09f35b9d347ddacc2796

SHA512
811dc1cc755cf6383335a154d6cffcb1a8d3b344631768677514b26cc587b41e27cf3413746c9d48e5d4445ddbc648b91c2e488dbce2fc4035ca33cc5bfe6163

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddvc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddvc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddvc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\skdehundhomo\genrernes.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\skdehundhomo\genrernes.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\skdehundhomo\genrernes.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\skdehundhomo\genrernes.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\svcb.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\svcb.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\svcb.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE08E.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcvndfg.exe

MD5
b0734884163fe8c6d226c83d3362a545

SHA1
20543d38521e35320c8a26b66e4ccfd69b6aff9f

SHA256
c993c3db69bb53b38d030aecdc13d2b5263c403d738fafa7d4774acfddac428f

SHA512
fc1aaa136b9457956ea1b986d955923c1fcd78e4c491cc700c0a100f7b555830408d892a81b49159b42710ccc5deb7a5121421af0391448702864b8f246ea345

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcvndfg.exe

MD5
b0734884163fe8c6d226c83d3362a545

SHA1
20543d38521e35320c8a26b66e4ccfd69b6aff9f

SHA256
c993c3db69bb53b38d030aecdc13d2b5263c403d738fafa7d4774acfddac428f

SHA512
fc1aaa136b9457956ea1b986d955923c1fcd78e4c491cc700c0a100f7b555830408d892a81b49159b42710ccc5deb7a5121421af0391448702864b8f246ea345

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcvndfg.exe

MD5
b0734884163fe8c6d226c83d3362a545

SHA1
20543d38521e35320c8a26b66e4ccfd69b6aff9f

SHA256
c993c3db69bb53b38d030aecdc13d2b5263c403d738fafa7d4774acfddac428f

SHA512
fc1aaa136b9457956ea1b986d955923c1fcd78e4c491cc700c0a100f7b555830408d892a81b49159b42710ccc5deb7a5121421af0391448702864b8f246ea345

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XIQZNX04.txt

MD5
b4b1ac5da3ffa5822dee7bc6e118f58a

SHA1
f32bf799ba49ba4115ee3676ce3e1795dadbbbbc

SHA256
17f32a136c02d332c6e3f7698be1fae9e35a45ebdada9758c26ffd417b68b772

SHA512
af9aa6303fa3a7268b437e4bf36d2ddb894a2d88050299e4624e4838b6f8e6572c9dee64d6541233ab266e6dc2baf7127861f90e36e052aedf60823ccd09ec10

Download Submit
C:\Windows\temp\mhlrxxco.inf

Download Submit
\ProgramData\580654274898.exe

MD5
a0b18973fa8650d6bfe602d943fecb9a

SHA1
f14ba35c814105dd53b88711ce9e465d53016721

SHA256
898abdb2d9de0344e5b43ac7e4330faeb03d97aa0a3c37e0a37da0ed4d732e9b

SHA512
173d673dd9931eef91552cbf5f995e44360500ace337edcb2bd0c6126c3c8526afcafd19d9716633bccce909da1853772abb205c0ee2f209254d5014d8f2993d

Download Submit
\ProgramData\580654274898.exe

MD5
a0b18973fa8650d6bfe602d943fecb9a

SHA1
f14ba35c814105dd53b88711ce9e465d53016721

SHA256
898abdb2d9de0344e5b43ac7e4330faeb03d97aa0a3c37e0a37da0ed4d732e9b

SHA512
173d673dd9931eef91552cbf5f995e44360500ace337edcb2bd0c6126c3c8526afcafd19d9716633bccce909da1853772abb205c0ee2f209254d5014d8f2993d

Download Submit
\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\msvcp140.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll

MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\vcruntime140.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\8cziEDlVMJ.exe

Download Submit
\Users\Admin\AppData\Local\Temp\8cziEDlVMJ.exe

Download Submit
\Users\Admin\AppData\Local\Temp\8cziEDlVMJ.exe

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\api-ms-win-crt-convert-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\api-ms-win-crt-environment-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\api-ms-win-crt-filesystem-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\api-ms-win-crt-heap-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\api-ms-win-crt-locale-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\api-ms-win-crt-math-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\api-ms-win-crt-multibyte-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\api-ms-win-crt-runtime-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\api-ms-win-crt-stdio-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\api-ms-win-crt-string-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\api-ms-win-crt-time-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\api-ms-win-crt-utility-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\nss3.dll

MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\A777F1E0\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\brgdsb.exe

MD5
9e563b46e63ca13f7cf03bbd14eaefa5

SHA1
0a6fc61a13c331514fb3eba655c13c07aea63ffb

SHA256
abc6a9b643cf54a291afd18374eba189a336e39e773f09f35b9d347ddacc2796

SHA512
811dc1cc755cf6383335a154d6cffcb1a8d3b344631768677514b26cc587b41e27cf3413746c9d48e5d4445ddbc648b91c2e488dbce2fc4035ca33cc5bfe6163

Download Submit
\Users\Admin\AppData\Local\Temp\brgdsb.exe

MD5
9e563b46e63ca13f7cf03bbd14eaefa5

SHA1
0a6fc61a13c331514fb3eba655c13c07aea63ffb

SHA256
abc6a9b643cf54a291afd18374eba189a336e39e773f09f35b9d347ddacc2796

SHA512
811dc1cc755cf6383335a154d6cffcb1a8d3b344631768677514b26cc587b41e27cf3413746c9d48e5d4445ddbc648b91c2e488dbce2fc4035ca33cc5bfe6163

Download Submit
\Users\Admin\AppData\Local\Temp\brgdsb.exe

MD5
9e563b46e63ca13f7cf03bbd14eaefa5

SHA1
0a6fc61a13c331514fb3eba655c13c07aea63ffb

SHA256
abc6a9b643cf54a291afd18374eba189a336e39e773f09f35b9d347ddacc2796

SHA512
811dc1cc755cf6383335a154d6cffcb1a8d3b344631768677514b26cc587b41e27cf3413746c9d48e5d4445ddbc648b91c2e488dbce2fc4035ca33cc5bfe6163

Download Submit
\Users\Admin\AppData\Local\Temp\ddvc.exe

Download Submit
\Users\Admin\AppData\Local\Temp\ddvc.exe

Download Submit
\Users\Admin\AppData\Local\Temp\skdehundhomo\genrernes.exe

Download Submit
\Users\Admin\AppData\Local\Temp\skdehundhomo\genrernes.exe

Download Submit
\Users\Admin\AppData\Local\Temp\skdehundhomo\genrernes.exe

Download Submit
\Users\Admin\AppData\Local\Temp\svcb.exe

Download Submit
\Users\Admin\AppData\Local\Temp\svcb.exe

MD5
9ad87bc472a966629b508a6c155ab530

SHA1
83f350731342353500b15e5365d0d2ad02a94307

SHA256
f0f7f9f3d293065a8554c6b9e4757bf511dd3577636ca1a075e0afd206250e5e

SHA512
8507bb3de1496dd8ad699821219c6b00e0dbc3fb42849e89533be950245a28d77b5ba5b5b78aeea79faf340b210d52b89c8190591cab99f619bdcaf94d5bdfd5

Download Submit
\Users\Admin\AppData\Local\Temp\xcvndfg.exe

MD5
b0734884163fe8c6d226c83d3362a545

SHA1
20543d38521e35320c8a26b66e4ccfd69b6aff9f

SHA256
c993c3db69bb53b38d030aecdc13d2b5263c403d738fafa7d4774acfddac428f

SHA512
fc1aaa136b9457956ea1b986d955923c1fcd78e4c491cc700c0a100f7b555830408d892a81b49159b42710ccc5deb7a5121421af0391448702864b8f246ea345

Download Submit
\Users\Admin\AppData\Local\Temp\xcvndfg.exe

MD5
b0734884163fe8c6d226c83d3362a545

SHA1
20543d38521e35320c8a26b66e4ccfd69b6aff9f

SHA256
c993c3db69bb53b38d030aecdc13d2b5263c403d738fafa7d4774acfddac428f

SHA512
fc1aaa136b9457956ea1b986d955923c1fcd78e4c491cc700c0a100f7b555830408d892a81b49159b42710ccc5deb7a5121421af0391448702864b8f246ea345

Download Submit
\Users\Admin\AppData\Local\Temp\xcvndfg.exe

MD5
b0734884163fe8c6d226c83d3362a545

SHA1
20543d38521e35320c8a26b66e4ccfd69b6aff9f

SHA256
c993c3db69bb53b38d030aecdc13d2b5263c403d738fafa7d4774acfddac428f

SHA512
fc1aaa136b9457956ea1b986d955923c1fcd78e4c491cc700c0a100f7b555830408d892a81b49159b42710ccc5deb7a5121421af0391448702864b8f246ea345

Download Submit
memory/384-101-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/384-103-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/384-104-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1580-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1580-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1580-70-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1640-63-0x0000000000000000-0x0000000000000000-disk.dmp

Download