asyncrat | 2bea53a14d59fc7d772ea805af47b3b8ddddbf201a7e8d9e7ebd7ca422702a30

Analysis

max time kernel
92s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
19-11-2020 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4bc1d711262ca156f8142abfeaee8b4.exe
Size

739KB
MD5

b4bc1d711262ca156f8142abfeaee8b4
SHA1

794f7b394bc77b17585d943fef42c814044d94cd
SHA256

2bea53a14d59fc7d772ea805af47b3b8ddddbf201a7e8d9e7ebd7ca422702a30
SHA512

0eb95a8a099d012bfa71e2359ab8e9a1489afc772b9298832d9faa26fe1391f5b668465b2a982738471cea511998101d278d779af7d7b42deee39e84190507c9

Score

10^/10

asyncrat azorult modiloader raccoon discovery evasion infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/4560-76-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral2/memory/4560-78-0x000000000040616E-mapping.dmp	disable_win_def
behavioral2/memory/4632-81-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral2/memory/4632-82-0x0000000000403BEE-mapping.dmp	disable_win_def
C:\Windows\temp\vl5di5gt.exe	disable_win_def
C:\Windows\Temp\vl5di5gt.exe	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4492-66-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4492-67-0x000000000040C76E-mapping.dmp	asyncrat

ModiLoader First Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2388-137-0x0000000002A70000-0x0000000002ACC000-memory.dmp	modiloader_stage1

ServiceHost packer 74 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/5136-210-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-212-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-214-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-216-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-218-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-220-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-222-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-224-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-226-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-228-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-230-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-232-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-234-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-236-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-238-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-240-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-242-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-244-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-246-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-248-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-250-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-252-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-254-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-256-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-258-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-260-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-262-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-264-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-266-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-268-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-270-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-272-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-274-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-276-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-278-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-280-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-282-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-284-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-286-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-288-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-290-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-293-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-295-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-298-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-300-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-302-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-304-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-307-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-310-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-312-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-314-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-317-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-319-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-323-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-326-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-328-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-331-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-336-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-338-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-340-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-342-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-344-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-346-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/5136-348-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 11 IoCs

Processes:

azchgftrq.exe3G61dx4lIP.exek4JJeAJKEo.exeWDJt5KuyjL.exeH5pf4nQjTO.exe3G61dx4lIP.exeWDJt5KuyjL.exeH5pf4nQjTO.exevl5di5gt.exeozchgftrq.exeazchgftrq.exe

pid	process
808	azchgftrq.exe
2180	3G61dx4lIP.exe
2388	k4JJeAJKEo.exe
2728	WDJt5KuyjL.exe
2948	H5pf4nQjTO.exe
4492	3G61dx4lIP.exe
4560	WDJt5KuyjL.exe
4632	H5pf4nQjTO.exe
3624	vl5di5gt.exe
4884	ozchgftrq.exe
4860	azchgftrq.exe

Loads dropped DLL 6 IoCs

Processes:

b4bc1d711262ca156f8142abfeaee8b4.exe

pid	process
912	b4bc1d711262ca156f8142abfeaee8b4.exe
912	b4bc1d711262ca156f8142abfeaee8b4.exe
912	b4bc1d711262ca156f8142abfeaee8b4.exe
912	b4bc1d711262ca156f8142abfeaee8b4.exe
912	b4bc1d711262ca156f8142abfeaee8b4.exe
912	b4bc1d711262ca156f8142abfeaee8b4.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

H5pf4nQjTO.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	H5pf4nQjTO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	H5pf4nQjTO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

b4bc1d711262ca156f8142abfeaee8b4.exe

description ioc process

File created C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini b4bc1d711262ca156f8142abfeaee8b4.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	b4bc1d711262ca156f8142abfeaee8b4.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll	js

Suspicious use of SetThreadContext 5 IoCs

Processes:

b4bc1d711262ca156f8142abfeaee8b4.exe3G61dx4lIP.exeWDJt5KuyjL.exeH5pf4nQjTO.exeazchgftrq.exe

description	pid	process	target process
PID 4760 set thread context of 912	4760	b4bc1d711262ca156f8142abfeaee8b4.exe	b4bc1d711262ca156f8142abfeaee8b4.exe
PID 2180 set thread context of 4492	2180	3G61dx4lIP.exe	3G61dx4lIP.exe
PID 2728 set thread context of 4560	2728	WDJt5KuyjL.exe	WDJt5KuyjL.exe
PID 2948 set thread context of 4632	2948	H5pf4nQjTO.exe	H5pf4nQjTO.exe
PID 808 set thread context of 4860	808	azchgftrq.exe	azchgftrq.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4532 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4284 taskkill.exe

pid	process
4532	timeout.exe

pid	process
4284	taskkill.exe

Suspicious behavior: EnumeratesProcesses 446 IoCs

Processes:

WDJt5KuyjL.exe

pid	process
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe
4560	WDJt5KuyjL.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

b4bc1d711262ca156f8142abfeaee8b4.exe3G61dx4lIP.exeWDJt5KuyjL.exeH5pf4nQjTO.exeWDJt5KuyjL.exepowershell.exeazchgftrq.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4760	b4bc1d711262ca156f8142abfeaee8b4.exe
Token: SeDebugPrivilege	2180	3G61dx4lIP.exe
Token: SeDebugPrivilege	2728	WDJt5KuyjL.exe
Token: SeDebugPrivilege	2948	H5pf4nQjTO.exe
Token: SeDebugPrivilege	4560	WDJt5KuyjL.exe
Token: SeDebugPrivilege	200	powershell.exe
Token: SeDebugPrivilege	808	azchgftrq.exe
Token: SeDebugPrivilege	4284	taskkill.exe
Token: SeDebugPrivilege	720	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WDJt5KuyjL.exe

pid process

4560 WDJt5KuyjL.exe
4560 WDJt5KuyjL.exe

Suspicious use of WriteProcessMemory 82 IoCs

Processes:

b4bc1d711262ca156f8142abfeaee8b4.exeb4bc1d711262ca156f8142abfeaee8b4.execmd.exe3G61dx4lIP.exeWDJt5KuyjL.exeH5pf4nQjTO.exeWDJt5KuyjL.exeH5pf4nQjTO.exeDllHost.execmd.exe

description	pid	process	target process
PID 4760 wrote to memory of 808	4760	b4bc1d711262ca156f8142abfeaee8b4.exe	azchgftrq.exe
PID 4760 wrote to memory of 808	4760	b4bc1d711262ca156f8142abfeaee8b4.exe	azchgftrq.exe
PID 4760 wrote to memory of 808	4760	b4bc1d711262ca156f8142abfeaee8b4.exe	azchgftrq.exe
PID 4760 wrote to memory of 912	4760	b4bc1d711262ca156f8142abfeaee8b4.exe	b4bc1d711262ca156f8142abfeaee8b4.exe
PID 4760 wrote to memory of 912	4760	b4bc1d711262ca156f8142abfeaee8b4.exe	b4bc1d711262ca156f8142abfeaee8b4.exe
PID 4760 wrote to memory of 912	4760	b4bc1d711262ca156f8142abfeaee8b4.exe	b4bc1d711262ca156f8142abfeaee8b4.exe
PID 4760 wrote to memory of 912	4760	b4bc1d711262ca156f8142abfeaee8b4.exe	b4bc1d711262ca156f8142abfeaee8b4.exe
PID 4760 wrote to memory of 912	4760	b4bc1d711262ca156f8142abfeaee8b4.exe	b4bc1d711262ca156f8142abfeaee8b4.exe
PID 4760 wrote to memory of 912	4760	b4bc1d711262ca156f8142abfeaee8b4.exe	b4bc1d711262ca156f8142abfeaee8b4.exe
PID 4760 wrote to memory of 912	4760	b4bc1d711262ca156f8142abfeaee8b4.exe	b4bc1d711262ca156f8142abfeaee8b4.exe
PID 4760 wrote to memory of 912	4760	b4bc1d711262ca156f8142abfeaee8b4.exe	b4bc1d711262ca156f8142abfeaee8b4.exe
PID 4760 wrote to memory of 912	4760	b4bc1d711262ca156f8142abfeaee8b4.exe	b4bc1d711262ca156f8142abfeaee8b4.exe
PID 912 wrote to memory of 2180	912	b4bc1d711262ca156f8142abfeaee8b4.exe	3G61dx4lIP.exe
PID 912 wrote to memory of 2180	912	b4bc1d711262ca156f8142abfeaee8b4.exe	3G61dx4lIP.exe
PID 912 wrote to memory of 2180	912	b4bc1d711262ca156f8142abfeaee8b4.exe	3G61dx4lIP.exe
PID 912 wrote to memory of 2388	912	b4bc1d711262ca156f8142abfeaee8b4.exe	k4JJeAJKEo.exe
PID 912 wrote to memory of 2388	912	b4bc1d711262ca156f8142abfeaee8b4.exe	k4JJeAJKEo.exe
PID 912 wrote to memory of 2388	912	b4bc1d711262ca156f8142abfeaee8b4.exe	k4JJeAJKEo.exe
PID 912 wrote to memory of 2728	912	b4bc1d711262ca156f8142abfeaee8b4.exe	WDJt5KuyjL.exe
PID 912 wrote to memory of 2728	912	b4bc1d711262ca156f8142abfeaee8b4.exe	WDJt5KuyjL.exe
PID 912 wrote to memory of 2728	912	b4bc1d711262ca156f8142abfeaee8b4.exe	WDJt5KuyjL.exe
PID 912 wrote to memory of 2948	912	b4bc1d711262ca156f8142abfeaee8b4.exe	H5pf4nQjTO.exe
PID 912 wrote to memory of 2948	912	b4bc1d711262ca156f8142abfeaee8b4.exe	H5pf4nQjTO.exe
PID 912 wrote to memory of 2948	912	b4bc1d711262ca156f8142abfeaee8b4.exe	H5pf4nQjTO.exe
PID 912 wrote to memory of 3476	912	b4bc1d711262ca156f8142abfeaee8b4.exe	cmd.exe
PID 912 wrote to memory of 3476	912	b4bc1d711262ca156f8142abfeaee8b4.exe	cmd.exe
PID 912 wrote to memory of 3476	912	b4bc1d711262ca156f8142abfeaee8b4.exe	cmd.exe
PID 3476 wrote to memory of 4532	3476	cmd.exe	timeout.exe
PID 3476 wrote to memory of 4532	3476	cmd.exe	timeout.exe
PID 3476 wrote to memory of 4532	3476	cmd.exe	timeout.exe
PID 2180 wrote to memory of 4492	2180	3G61dx4lIP.exe	3G61dx4lIP.exe
PID 2180 wrote to memory of 4492	2180	3G61dx4lIP.exe	3G61dx4lIP.exe
PID 2180 wrote to memory of 4492	2180	3G61dx4lIP.exe	3G61dx4lIP.exe
PID 2180 wrote to memory of 4492	2180	3G61dx4lIP.exe	3G61dx4lIP.exe
PID 2180 wrote to memory of 4492	2180	3G61dx4lIP.exe	3G61dx4lIP.exe
PID 2180 wrote to memory of 4492	2180	3G61dx4lIP.exe	3G61dx4lIP.exe
PID 2180 wrote to memory of 4492	2180	3G61dx4lIP.exe	3G61dx4lIP.exe
PID 2180 wrote to memory of 4492	2180	3G61dx4lIP.exe	3G61dx4lIP.exe
PID 2728 wrote to memory of 4560	2728	WDJt5KuyjL.exe	WDJt5KuyjL.exe
PID 2728 wrote to memory of 4560	2728	WDJt5KuyjL.exe	WDJt5KuyjL.exe
PID 2728 wrote to memory of 4560	2728	WDJt5KuyjL.exe	WDJt5KuyjL.exe
PID 2728 wrote to memory of 4560	2728	WDJt5KuyjL.exe	WDJt5KuyjL.exe
PID 2728 wrote to memory of 4560	2728	WDJt5KuyjL.exe	WDJt5KuyjL.exe
PID 2728 wrote to memory of 4560	2728	WDJt5KuyjL.exe	WDJt5KuyjL.exe
PID 2728 wrote to memory of 4560	2728	WDJt5KuyjL.exe	WDJt5KuyjL.exe
PID 2728 wrote to memory of 4560	2728	WDJt5KuyjL.exe	WDJt5KuyjL.exe
PID 2948 wrote to memory of 4632	2948	H5pf4nQjTO.exe	H5pf4nQjTO.exe
PID 2948 wrote to memory of 4632	2948	H5pf4nQjTO.exe	H5pf4nQjTO.exe
PID 2948 wrote to memory of 4632	2948	H5pf4nQjTO.exe	H5pf4nQjTO.exe
PID 2948 wrote to memory of 4632	2948	H5pf4nQjTO.exe	H5pf4nQjTO.exe
PID 2948 wrote to memory of 4632	2948	H5pf4nQjTO.exe	H5pf4nQjTO.exe
PID 2948 wrote to memory of 4632	2948	H5pf4nQjTO.exe	H5pf4nQjTO.exe
PID 2948 wrote to memory of 4632	2948	H5pf4nQjTO.exe	H5pf4nQjTO.exe
PID 2948 wrote to memory of 4632	2948	H5pf4nQjTO.exe	H5pf4nQjTO.exe
PID 4560 wrote to memory of 2336	4560	WDJt5KuyjL.exe	cmstp.exe
PID 4560 wrote to memory of 2336	4560	WDJt5KuyjL.exe	cmstp.exe
PID 4560 wrote to memory of 2336	4560	WDJt5KuyjL.exe	cmstp.exe
PID 4632 wrote to memory of 200	4632	H5pf4nQjTO.exe	powershell.exe
PID 4632 wrote to memory of 200	4632	H5pf4nQjTO.exe	powershell.exe
PID 4632 wrote to memory of 200	4632	H5pf4nQjTO.exe	powershell.exe
PID 2596 wrote to memory of 5068	2596	DllHost.exe	cmd.exe
PID 2596 wrote to memory of 5068	2596	DllHost.exe	cmd.exe
PID 2596 wrote to memory of 5068	2596	DllHost.exe	cmd.exe
PID 5068 wrote to memory of 3624	5068	cmd.exe	vl5di5gt.exe

C:\Users\Admin\AppData\Local\Temp\b4bc1d711262ca156f8142abfeaee8b4.exe
"C:\Users\Admin\AppData\Local\Temp\b4bc1d711262ca156f8142abfeaee8b4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
"C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
"C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"
3⤵
- Executes dropped EXE
PID:4884

C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
"{path}"
3⤵
- Executes dropped EXE
PID:4860

C:\Users\Admin\AppData\Local\Temp\b4bc1d711262ca156f8142abfeaee8b4.exe
"{path}"
2⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\3G61dx4lIP.exe
"C:\Users\Admin\AppData\Local\Temp\3G61dx4lIP.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\3G61dx4lIP.exe
"C:\Users\Admin\AppData\Local\Temp\3G61dx4lIP.exe"
4⤵
- Executes dropped EXE
PID:4492

C:\Users\Admin\AppData\Local\Temp\k4JJeAJKEo.exe
"C:\Users\Admin\AppData\Local\Temp\k4JJeAJKEo.exe"
3⤵
- Executes dropped EXE
PID:2388

C:\Users\Admin\AppData\Local\Temp\WDJt5KuyjL.exe
"C:\Users\Admin\AppData\Local\Temp\WDJt5KuyjL.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\WDJt5KuyjL.exe
"C:\Users\Admin\AppData\Local\Temp\WDJt5KuyjL.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4560

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\hlt4dvr5.inf
5⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\H5pf4nQjTO.exe
"C:\Users\Admin\AppData\Local\Temp\H5pf4nQjTO.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\H5pf4nQjTO.exe
"C:\Users\Admin\AppData\Local\Temp\H5pf4nQjTO.exe"
4⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\b4bc1d711262ca156f8142abfeaee8b4.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:4532

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\vl5di5gt.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\temp\vl5di5gt.exe
C:\Windows\temp\vl5di5gt.exe
3⤵
- Executes dropped EXE
PID:3624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3G61dx4lIP.exe.log
MD5
9e7845217df4a635ec4341c3d52ed685

SHA1
d65cb39d37392975b038ce503a585adadb805da5

SHA256
d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b

SHA512
307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H5pf4nQjTO.exe.log
MD5
9e7845217df4a635ec4341c3d52ed685

SHA1
d65cb39d37392975b038ce503a585adadb805da5

SHA256
d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b

SHA512
307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WDJt5KuyjL.exe.log
MD5
9e7845217df4a635ec4341c3d52ed685

SHA1
d65cb39d37392975b038ce503a585adadb805da5

SHA256
d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b

SHA512
307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
898b1fc10cd4031da6fd642e14382767

SHA1
023543d56bd4ff14dd85f9e4ded070dc93c68d74

SHA256
4fdf81fb79a38d0b6775c98b2814bd841154e90a62d7571556309c23f3bbf407

SHA512
113800c6ae8221d6117a957c752507d59b9bdd4e4109b7394fca91147a5876834c515eafb70a0e368349ab65ef956d9b58dfc06dd5840337be30a3311ef2003c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1fa263a98944a3aeb03331b8ac72f070

SHA1
7fdde85be769a9b6143d11dec33578ff8222a10f

SHA256
a6de3cd56a82f4c81109380fda606d00d39f20e82296effd2ab7c194ffdbe802

SHA512
f0c99de489a2c0e9860432d3d06b26a30a300590bb1c8dda7c9d21a5dd99ee7c20d85a00b6b03be478bfc4a98cde122aa457bcaa3011988738ebdff7bc4dbf5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8ba9e4d238236b80d0b2ee3bb2d56821

SHA1
4fd9b49f2622bc525fe675dda923fc9a793fbc09

SHA256
5320ee6c96a6e02421bba09041759392c6e51d87edbd4354a575d95eed99b93c

SHA512
f283efb545b549b00e36194b3c5f7628d6707aaf7fa3aa338095430af564430bbfa4776ae2ea20f55b8e547df79aa82b3f6f8d314d09cdfc8ed857e4a1f99719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
271e804f185c1f1e190ce62c76130447

SHA1
27383b318319417faa8c1dfa6bf5f457a7f9f70d

SHA256
276bf8a1c44bf6c90e47e163990673a166dce86a6dfa951099d356d13ce1304b

SHA512
4c0941aec1dae966b0160cddd52466777de4f6c7c363a07a8fbaeae555f18928f5a37735f3a4122b3941a7f883b94fe3d72f03e884b37bbdf5610f564922ceae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ecf2d67a3e27a128fa2b03325d058a86

SHA1
4c2b565fd11067ead4a0fa2343722c6697626a1f

SHA256
d24f0dcd062f295b52c1eec95fbefd6a4ace25f73117f10c95802e8f0ed26f6a

SHA512
2e2892f0ee1e207c276304b52214cd184512ea8a57ea874fda13a37f4115771d9b39e975abfcb65b45f09c22805df5b9d84bd70a06bcf9a1b8cca2cdce753367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
81500c2004e9a3cd44441d1d6fdbeff5

SHA1
b26c0b61c27ddeaeaeb54bd4dabab7f2f8fd10d1

SHA256
e6ce44a27a448342188af81694996aae995a32ea1183d157d87ab63162035353

SHA512
565d5e1f6607dd9be3bf11f9af4804b753ca021f367cbdd6ae854016562a773fa000c9016eb41bbe90420962c4c8a08739ccfb507233f213a3aa46bcd439fc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1caa0ba6fe069fa2e42b980fedf80701

SHA1
87ac709a2d05b7edc96681bca5ff4496c4f07cff

SHA256
1ec98daeff5aeaaec0fbaaa14f2b5cc1330b1b667a09cae00fc3659652bb97c5

SHA512
6628dea33b8dd47edf487524fa46852e58e1d63f901aebf7bf4b03f3cb25ef94adcc18c036cb8e91296a15d0d7bdac05fd8210d71f3e41990fed84485c4e5b16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f507ea0f2d598d5550fa1633ffcec3c2

SHA1
40ec1d8fb9a68cdeafbe6547dcf2a317c16b6f1d

SHA256
7f90ab370a93d495f8ef35d522e0b5a19896b2c99c5c89a65ae73dd4c81a63f6

SHA512
9074e78f01614db96d69588af7a2cd5cd60294f25414b03a64ce11e3f572e89d02dffc8e18c72468fafd7d88ef4195e2ca710f87d5b84f06483ef654e03575ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ecefcdcc5f892f768c432b299c347db5

SHA1
7e9da90a0214f49dffdee4e11120090afee24767

SHA256
dce643b0efbaa0bc2539c8b2cd52eeee7122c3acb5a0b841a443ac0617bbb69b

SHA512
89631259dae564092949df9bbbb1d8c2bb0859ba0f5df739ca3e06da0e559f56548e17567f3730204711fc63ab1ba54cdf72d50532bfe92500cf3f39e3a0bdcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3834ef17d98f376d27ac634cadd5ad35

SHA1
884cae38a09dac31bbb2837d9c278cd4633e110d

SHA256
b9f6e0d0ef98671c6fb993f396190d402d8ab4ca2b92d681b28970082e05665b

SHA512
dcbb25a31b3f11b6414dd2ff4be3069cf4631e5fd193160e3b20da0f31d2cd39dbc0864a6f73aa87a2f45aa64d0f5373851e51f7f6ec71e9311a8547ba8eade6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0907c0edde5b9661cfc6a32b3ed32707

SHA1
74fa5ea19603b6197b727000ee811b9c55b1eb4b

SHA256
b61573b8eca8254c14f4958e59424e8ef86ccca277738f6c115fa82b24b6babc

SHA512
774432f09337b03608a39de41ed7baea560e7d06c2c703a1e3d96419ebb6c37d1997987fe72032a4808ef5e11ea8e2b563441d7f722c4ee632ce2076156bb426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0907c0edde5b9661cfc6a32b3ed32707

SHA1
74fa5ea19603b6197b727000ee811b9c55b1eb4b

SHA256
b61573b8eca8254c14f4958e59424e8ef86ccca277738f6c115fa82b24b6babc

SHA512
774432f09337b03608a39de41ed7baea560e7d06c2c703a1e3d96419ebb6c37d1997987fe72032a4808ef5e11ea8e2b563441d7f722c4ee632ce2076156bb426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0907c0edde5b9661cfc6a32b3ed32707

SHA1
74fa5ea19603b6197b727000ee811b9c55b1eb4b

SHA256
b61573b8eca8254c14f4958e59424e8ef86ccca277738f6c115fa82b24b6babc

SHA512
774432f09337b03608a39de41ed7baea560e7d06c2c703a1e3d96419ebb6c37d1997987fe72032a4808ef5e11ea8e2b563441d7f722c4ee632ce2076156bb426

Download Submit
C:\Users\Admin\AppData\Local\Temp\3G61dx4lIP.exe
MD5
49ba8ccea19e418fd166e89e46e2897f

SHA1
b5f53a2b58859e60a23a8c1db5e7a17af2aae613

SHA256
ef9d0a47d16301129755a6d9570f1f1bdc167bfee3d6649aad9835366920bf25

SHA512
12c9ffa33c80224f02922414c54c3933431e3ecb469bd5ab0335a43a9124ead99ddaadb6e5ff017544f3bd0bc2928b5a43b1e16d5763f2a8a822233ac8fa59b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3G61dx4lIP.exe
MD5
49ba8ccea19e418fd166e89e46e2897f

SHA1
b5f53a2b58859e60a23a8c1db5e7a17af2aae613

SHA256
ef9d0a47d16301129755a6d9570f1f1bdc167bfee3d6649aad9835366920bf25

SHA512
12c9ffa33c80224f02922414c54c3933431e3ecb469bd5ab0335a43a9124ead99ddaadb6e5ff017544f3bd0bc2928b5a43b1e16d5763f2a8a822233ac8fa59b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3G61dx4lIP.exe
MD5
49ba8ccea19e418fd166e89e46e2897f

SHA1
b5f53a2b58859e60a23a8c1db5e7a17af2aae613

SHA256
ef9d0a47d16301129755a6d9570f1f1bdc167bfee3d6649aad9835366920bf25

SHA512
12c9ffa33c80224f02922414c54c3933431e3ecb469bd5ab0335a43a9124ead99ddaadb6e5ff017544f3bd0bc2928b5a43b1e16d5763f2a8a822233ac8fa59b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\H5pf4nQjTO.exe
MD5
4cf8df527881a65164126227878a5935

SHA1
bfce4adde927b435216944e9248558dc4e86c09d

SHA256
463ca08ac1072947eaa864e2f94e3703b1e9826543e194be0b45e2aa20331872

SHA512
63a8f5ba2033358004519e75a97849c53a1f9604244c9dbf55b0b2f6a27e3841a7f1260b9911b37df88cb9ada91302124f4fa2ca06dc532fd33631d31c99c2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\H5pf4nQjTO.exe
MD5
4cf8df527881a65164126227878a5935

SHA1
bfce4adde927b435216944e9248558dc4e86c09d

SHA256
463ca08ac1072947eaa864e2f94e3703b1e9826543e194be0b45e2aa20331872

SHA512
63a8f5ba2033358004519e75a97849c53a1f9604244c9dbf55b0b2f6a27e3841a7f1260b9911b37df88cb9ada91302124f4fa2ca06dc532fd33631d31c99c2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\H5pf4nQjTO.exe
MD5
4cf8df527881a65164126227878a5935

SHA1
bfce4adde927b435216944e9248558dc4e86c09d

SHA256
463ca08ac1072947eaa864e2f94e3703b1e9826543e194be0b45e2aa20331872

SHA512
63a8f5ba2033358004519e75a97849c53a1f9604244c9dbf55b0b2f6a27e3841a7f1260b9911b37df88cb9ada91302124f4fa2ca06dc532fd33631d31c99c2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WDJt5KuyjL.exe
MD5
db0b8c1100f32aafe63cb885a30cc7e0

SHA1
1930fdd5a98eb2f5307a5a4b5bda535985352d5b

SHA256
9e3de16534dd2d0faa9c5a86276faf3822f7db00d651a0f3d9e337fbb5a47db9

SHA512
ad7f7a1c6b3dbf87da5a3e5a6c4e7d0a2dc7a188cfeb5a01b141ce9c38e5fb4dfd7bf163e99982a0dec9ca873d8153ff0f2fae61432f7c81f93ffb305ce2484e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WDJt5KuyjL.exe
MD5
db0b8c1100f32aafe63cb885a30cc7e0

SHA1
1930fdd5a98eb2f5307a5a4b5bda535985352d5b

SHA256
9e3de16534dd2d0faa9c5a86276faf3822f7db00d651a0f3d9e337fbb5a47db9

SHA512
ad7f7a1c6b3dbf87da5a3e5a6c4e7d0a2dc7a188cfeb5a01b141ce9c38e5fb4dfd7bf163e99982a0dec9ca873d8153ff0f2fae61432f7c81f93ffb305ce2484e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WDJt5KuyjL.exe
MD5
db0b8c1100f32aafe63cb885a30cc7e0

SHA1
1930fdd5a98eb2f5307a5a4b5bda535985352d5b

SHA256
9e3de16534dd2d0faa9c5a86276faf3822f7db00d651a0f3d9e337fbb5a47db9

SHA512
ad7f7a1c6b3dbf87da5a3e5a6c4e7d0a2dc7a188cfeb5a01b141ce9c38e5fb4dfd7bf163e99982a0dec9ca873d8153ff0f2fae61432f7c81f93ffb305ce2484e

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
MD5
b403152a9d1a6e02be9952ff3ea10214

SHA1
74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5

SHA256
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51

SHA512
0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
MD5
b403152a9d1a6e02be9952ff3ea10214

SHA1
74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5

SHA256
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51

SHA512
0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
MD5
b403152a9d1a6e02be9952ff3ea10214

SHA1
74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5

SHA256
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51

SHA512
0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4JJeAJKEo.exe
MD5
1a328017740757e16cb7ac98df27e043

SHA1
90dbd81a477bedf86d2eb96fbbf274bacf606f7f

SHA256
d41ec4b08eee7e5c1d34cdb17e9a9828f1901d90ef8c691a66c21c3fe72fc44b

SHA512
cd9c2d676a904b3ef21c51315af16de831c1a2e5fcc6ef86ab23ad95f7c79661a6eb6fd7fde91d064cf84e031c3f5409a771d90db6708369ac4cf5350d3b5d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\k4JJeAJKEo.exe
MD5
1a328017740757e16cb7ac98df27e043

SHA1
90dbd81a477bedf86d2eb96fbbf274bacf606f7f

SHA256
d41ec4b08eee7e5c1d34cdb17e9a9828f1901d90ef8c691a66c21c3fe72fc44b

SHA512
cd9c2d676a904b3ef21c51315af16de831c1a2e5fcc6ef86ab23ad95f7c79661a6eb6fd7fde91d064cf84e031c3f5409a771d90db6708369ac4cf5350d3b5d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
MD5
d7a52acd99d213cdeb1f91ed193868d0

SHA1
2bdc67502dc92d021ce64e92c7efcbdc6a00ad76

SHA256
b33d85386890e691d20cd76ee9f39b083f54143b597701e3a1687bcf832fb0ca

SHA512
f3f940f44b9f64eec721391e635f5a5fe9f5d1362b16ba7e46831ca39d2d3223d26211da1a72c82daf41e9e20d9f7b7356bbd6bb67c31e26558c34ee39415cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
MD5
d7a52acd99d213cdeb1f91ed193868d0

SHA1
2bdc67502dc92d021ce64e92c7efcbdc6a00ad76

SHA256
b33d85386890e691d20cd76ee9f39b083f54143b597701e3a1687bcf832fb0ca

SHA512
f3f940f44b9f64eec721391e635f5a5fe9f5d1362b16ba7e46831ca39d2d3223d26211da1a72c82daf41e9e20d9f7b7356bbd6bb67c31e26558c34ee39415cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
MD5
d7a52acd99d213cdeb1f91ed193868d0

SHA1
2bdc67502dc92d021ce64e92c7efcbdc6a00ad76

SHA256
b33d85386890e691d20cd76ee9f39b083f54143b597701e3a1687bcf832fb0ca

SHA512
f3f940f44b9f64eec721391e635f5a5fe9f5d1362b16ba7e46831ca39d2d3223d26211da1a72c82daf41e9e20d9f7b7356bbd6bb67c31e26558c34ee39415cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
MD5
d7a52acd99d213cdeb1f91ed193868d0

SHA1
2bdc67502dc92d021ce64e92c7efcbdc6a00ad76

SHA256
b33d85386890e691d20cd76ee9f39b083f54143b597701e3a1687bcf832fb0ca

SHA512
f3f940f44b9f64eec721391e635f5a5fe9f5d1362b16ba7e46831ca39d2d3223d26211da1a72c82daf41e9e20d9f7b7356bbd6bb67c31e26558c34ee39415cb0

Download Submit
C:\Windows\Temp\vl5di5gt.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\hlt4dvr5.inf
MD5
262259a59ece3a5d49464f263b45231a

SHA1
ad83d3c974ef271ef7b06988af7f1688f498edca

SHA256
4b5fb1a9126959de27855df52a2867d93b0dc194d9d184455aadf66e392b38a7

SHA512
300535e5b990a8b712a97592cc4229f00c380897e9d81e1c63768d9b8b4fcf828fb18b8a09b73ec03c93e6812556d77f82432995b20db50a6e1624ca30ed4dd2

Download Submit
C:\Windows\temp\vl5di5gt.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/200-149-0x0000000009100000-0x0000000009101000-memory.dmp

Filesize
4KB

Download
memory/200-100-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/200-103-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/200-101-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/200-180-0x0000000007E90000-0x0000000007E91000-memory.dmp

Filesize
4KB

Download
memory/200-148-0x0000000008F40000-0x0000000008F41000-memory.dmp

Filesize
4KB

Download
memory/200-147-0x0000000008DE0000-0x0000000008DE1000-memory.dmp

Filesize
4KB

Download
memory/200-106-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/200-139-0x0000000008E00000-0x0000000008E33000-memory.dmp

Filesize
204KB

Download
memory/200-176-0x0000000007F90000-0x0000000007F91000-memory.dmp

Filesize
4KB

Download
memory/200-99-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/200-98-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/200-97-0x0000000006680000-0x0000000006681000-memory.dmp

Filesize
4KB

Download
memory/200-96-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/200-107-0x0000000007EC0000-0x0000000007EC1000-memory.dmp

Filesize
4KB

Download
memory/200-115-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/200-92-0x0000000000000000-mapping.dmp

Download
memory/720-142-0x00000212FE7B0000-0x00000212FE7B1000-memory.dmp

Filesize
4KB

Download
memory/720-120-0x00007FF9422B0000-0x00007FF942C9C000-memory.dmp

Filesize
9.9MB

Download
memory/720-134-0x00000212FC390000-0x00000212FC391000-memory.dmp

Filesize
4KB

Download
memory/720-118-0x0000000000000000-mapping.dmp

Download
memory/808-17-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/808-13-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/808-10-0x0000000000000000-mapping.dmp

Download
memory/808-108-0x0000000008650000-0x0000000008697000-memory.dmp

Filesize
284KB

Download
memory/912-16-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/912-15-0x000000000043FA56-mapping.dmp

Download
memory/912-14-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/996-181-0x00007FF9422B0000-0x00007FF942C9C000-memory.dmp

Filesize
9.9MB

Download
memory/996-171-0x0000000000000000-mapping.dmp

Download
memory/1016-177-0x00007FF9422B0000-0x00007FF942C9C000-memory.dmp

Filesize
9.9MB

Download
memory/1016-168-0x0000000000000000-mapping.dmp

Download
memory/1468-157-0x0000000000000000-mapping.dmp

Download
memory/1468-163-0x00007FF9422B0000-0x00007FF942C9C000-memory.dmp

Filesize
9.9MB

Download
memory/1980-152-0x0000000000000000-mapping.dmp

Download
memory/1980-158-0x00007FF9422B0000-0x00007FF942C9C000-memory.dmp

Filesize
9.9MB

Download
memory/2180-64-0x0000000004C90000-0x0000000004CC9000-memory.dmp

Filesize
228KB

Download
memory/2180-36-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2180-65-0x0000000004E80000-0x0000000004E96000-memory.dmp

Filesize
88KB

Download
memory/2180-32-0x0000000000000000-mapping.dmp

Download
memory/2180-35-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/2336-91-0x0000000000000000-mapping.dmp

Download
memory/2388-204-0x0000000004D10000-0x0000000004D61000-memory.dmp

Filesize
324KB

Download
memory/2388-38-0x0000000000000000-mapping.dmp

Download
memory/2388-137-0x0000000002A70000-0x0000000002ACC000-memory.dmp

Filesize
368KB

Download
memory/2444-160-0x00007FF9422B0000-0x00007FF942C9C000-memory.dmp

Filesize
9.9MB

Download
memory/2444-155-0x0000000000000000-mapping.dmp

Download
memory/2728-43-0x0000000000000000-mapping.dmp

Download
memory/2728-48-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2728-47-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/2728-73-0x0000000005280000-0x00000000052BD000-memory.dmp

Filesize
244KB

Download
memory/2748-187-0x00007FF9422B0000-0x00007FF942C9C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-179-0x0000000000000000-mapping.dmp

Download
memory/2896-165-0x0000000000000000-mapping.dmp

Download
memory/2896-172-0x00007FF9422B0000-0x00007FF942C9C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-75-0x0000000004E60000-0x0000000004E9C000-memory.dmp

Filesize
240KB

Download
memory/2948-58-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2948-49-0x0000000000000000-mapping.dmp

Download
memory/2948-54-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/3476-52-0x0000000000000000-mapping.dmp

Download
memory/3624-110-0x0000000000000000-mapping.dmp

Download
memory/3624-111-0x0000000000000000-mapping.dmp

Download
memory/3624-116-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/3624-114-0x00007FF9422B0000-0x00007FF942C9C000-memory.dmp

Filesize
9.9MB

Download
memory/4048-166-0x00007FF9422B0000-0x00007FF942C9C000-memory.dmp

Filesize
9.9MB

Download
memory/4048-159-0x0000000000000000-mapping.dmp

Download
memory/4284-119-0x0000000000000000-mapping.dmp

Download
memory/4488-161-0x0000000000000000-mapping.dmp

Download
memory/4488-169-0x00007FF9422B0000-0x00007FF942C9C000-memory.dmp

Filesize
9.9MB

Download
memory/4492-70-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/4492-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4492-67-0x000000000040C76E-mapping.dmp

Download
memory/4508-186-0x00007FF9422B0000-0x00007FF942C9C000-memory.dmp

Filesize
9.9MB

Download
memory/4508-173-0x0000000000000000-mapping.dmp

Download
memory/4532-63-0x0000000000000000-mapping.dmp

Download
memory/4560-80-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/4560-78-0x000000000040616E-mapping.dmp

Download
memory/4560-76-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4632-81-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4632-86-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/4632-82-0x0000000000403BEE-mapping.dmp

Download
memory/4708-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-360-0x0000000000417A8B-mapping.dmp

Download
memory/4708-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-8-0x0000000008F60000-0x000000000901A000-memory.dmp

Filesize
744KB

Download
memory/4760-5-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4760-0-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/4760-1-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4760-9-0x00000000090C0000-0x00000000090C1000-memory.dmp

Filesize
4KB

Download
memory/4760-7-0x0000000008620000-0x0000000008634000-memory.dmp

Filesize
80KB

Download
memory/4760-6-0x0000000008A30000-0x0000000008A31000-memory.dmp

Filesize
4KB

Download
memory/4760-3-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/4760-4-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4860-128-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4860-123-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4860-126-0x000000000041A684-mapping.dmp

Download
memory/4884-349-0x00000000094B0000-0x0000000009509000-memory.dmp

Filesize
356KB

Download
memory/4884-125-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/4884-121-0x0000000000000000-mapping.dmp

Download
memory/4884-129-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/4980-151-0x0000000000000000-mapping.dmp

Download
memory/4980-156-0x00007FF9422B0000-0x00007FF942C9C000-memory.dmp

Filesize
9.9MB

Download
memory/5012-154-0x00007FF9422B0000-0x00007FF942C9C000-memory.dmp

Filesize
9.9MB

Download
memory/5012-150-0x0000000000000000-mapping.dmp

Download
memory/5068-105-0x0000000000000000-mapping.dmp

Download
memory/5136-286-0x0000000000000000-mapping.dmp

Download
memory/5136-314-0x0000000000000000-mapping.dmp

Download
memory/5136-244-0x0000000000000000-mapping.dmp

Download
memory/5136-246-0x0000000000000000-mapping.dmp

Download
memory/5136-248-0x0000000000000000-mapping.dmp

Download
memory/5136-250-0x0000000000000000-mapping.dmp

Download
memory/5136-252-0x0000000000000000-mapping.dmp

Download
memory/5136-254-0x0000000000000000-mapping.dmp

Download
memory/5136-256-0x0000000000000000-mapping.dmp

Download
memory/5136-258-0x0000000000000000-mapping.dmp

Download
memory/5136-260-0x0000000000000000-mapping.dmp

Download
memory/5136-262-0x0000000000000000-mapping.dmp

Download
memory/5136-264-0x0000000000000000-mapping.dmp

Download
memory/5136-266-0x0000000000000000-mapping.dmp

Download
memory/5136-268-0x0000000000000000-mapping.dmp

Download
memory/5136-270-0x0000000000000000-mapping.dmp

Download
memory/5136-272-0x0000000000000000-mapping.dmp

Download
memory/5136-274-0x0000000000000000-mapping.dmp

Download
memory/5136-276-0x0000000000000000-mapping.dmp

Download
memory/5136-278-0x0000000000000000-mapping.dmp

Download
memory/5136-280-0x0000000000000000-mapping.dmp

Download
memory/5136-282-0x0000000000000000-mapping.dmp

Download
memory/5136-284-0x0000000000000000-mapping.dmp

Download
memory/5136-240-0x0000000000000000-mapping.dmp

Download
memory/5136-288-0x0000000000000000-mapping.dmp

Download
memory/5136-238-0x0000000000000000-mapping.dmp

Download
memory/5136-290-0x0000000000000000-mapping.dmp

Download
memory/5136-293-0x0000000000000000-mapping.dmp

Download
memory/5136-295-0x0000000000000000-mapping.dmp

Download
memory/5136-236-0x0000000000000000-mapping.dmp

Download
memory/5136-298-0x0000000000000000-mapping.dmp

Download
memory/5136-300-0x0000000000000000-mapping.dmp

Download
memory/5136-302-0x0000000000000000-mapping.dmp

Download
memory/5136-304-0x0000000000000000-mapping.dmp

Download
memory/5136-234-0x0000000000000000-mapping.dmp

Download
memory/5136-307-0x0000000000000000-mapping.dmp

Download
memory/5136-232-0x0000000000000000-mapping.dmp

Download
memory/5136-310-0x0000000000000000-mapping.dmp

Download
memory/5136-312-0x0000000000000000-mapping.dmp

Download
memory/5136-242-0x0000000000000000-mapping.dmp

Download
memory/5136-230-0x0000000000000000-mapping.dmp

Download
memory/5136-317-0x0000000000000000-mapping.dmp

Download
memory/5136-228-0x0000000000000000-mapping.dmp

Download
memory/5136-319-0x0000000000000000-mapping.dmp

Download
memory/5136-226-0x0000000000000000-mapping.dmp

Download
memory/5136-323-0x0000000000000000-mapping.dmp

Download
memory/5136-224-0x0000000000000000-mapping.dmp

Download
memory/5136-326-0x0000000000000000-mapping.dmp

Download
memory/5136-328-0x0000000000000000-mapping.dmp

Download
memory/5136-222-0x0000000000000000-mapping.dmp

Download
memory/5136-331-0x0000000000000000-mapping.dmp

Download
memory/5136-220-0x0000000000000000-mapping.dmp

Download
memory/5136-218-0x0000000000000000-mapping.dmp

Download
memory/5136-216-0x0000000000000000-mapping.dmp

Download
memory/5136-336-0x0000000000000000-mapping.dmp

Download
memory/5136-338-0x0000000000000000-mapping.dmp

Download
memory/5136-340-0x0000000000000000-mapping.dmp

Download
memory/5136-342-0x0000000000000000-mapping.dmp

Download
memory/5136-344-0x0000000000000000-mapping.dmp

Download
memory/5136-346-0x0000000000000000-mapping.dmp

Download
memory/5136-214-0x0000000000000000-mapping.dmp

Download
memory/5136-348-0x0000000000000000-mapping.dmp

Download
memory/5136-352-0x0000000000000000-mapping.dmp

Download
memory/5136-354-0x0000000000000000-mapping.dmp

Download
memory/5136-212-0x0000000000000000-mapping.dmp

Download
memory/5136-209-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/5136-210-0x0000000000000000-mapping.dmp

Download
memory/5136-356-0x0000000000000000-mapping.dmp

Download
memory/5136-208-0x0000000000000000-mapping.dmp

Download
memory/5136-207-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/5136-361-0x0000000000000000-mapping.dmp

Download
memory/5136-365-0x0000000000000000-mapping.dmp

Download
memory/5136-367-0x0000000000000000-mapping.dmp

Download
memory/5136-369-0x0000000000000000-mapping.dmp

Download
memory/5136-371-0x0000000000000000-mapping.dmp

Download
memory/5136-373-0x0000000000000000-mapping.dmp

Download
memory/5136-375-0x0000000000000000-mapping.dmp

Download