asyncrat | 344626f3e7a485750075e885b65757b02b336698cb35a31cda60e3ffac22f523

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20201028
submitted
23-12-2020 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
Size

579KB
MD5

115d4ac308403ea6cffaf5d7ff23a501
SHA1

46b94aab4a14e502c3848e545dd7b9aee7d68b1c
SHA256

344626f3e7a485750075e885b65757b02b336698cb35a31cda60e3ffac22f523
SHA512

cb29b8ad23eddcb26002b9638a309d53594281852d2d920eac64d16c7f352d79963e8eb2d465d92df0305eaa395e071e68b4059382862fc1354c7b20588e9bb1

Score

10^/10

asyncrat azorult modiloader oski discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

gfbrice.ac.ug

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/1576-91-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral2/memory/1576-92-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral2/memory/3836-96-0x000000000040616E-mapping.dmp	disable_win_def
behavioral2/memory/3836-94-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
C:\Windows\Temp\z02tptb3.exe	disable_win_def
C:\Windows\temp\z02tptb3.exe	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3576-130-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/3576-131-0x000000000040C76E-mapping.dmp	asyncrat

ModiLoader First Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3808-68-0x0000000000640000-0x000000000065B000-memory.dmp	modiloader_stage1

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

oscvjkfd.exeds1.exeds2.exerc.exeac.exeoscvjkfd.exeoscvjkfd.exeds2.exeds2.exeds1.exeac.exez02tptb3.exe

pid	process
2416	oscvjkfd.exe
4008	ds1.exe
3980	ds2.exe
3808	rc.exe
2968	ac.exe
2636	oscvjkfd.exe
2548	oscvjkfd.exe
1516	ds2.exe
1576	ds2.exe
3836	ds1.exe
3576	ac.exe
496	z02tptb3.exe

Loads dropped DLL 8 IoCs

Processes:

SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exeoscvjkfd.exe

pid	process
648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
2548	oscvjkfd.exe
2548	oscvjkfd.exe
2548	oscvjkfd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ds2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ds2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ds2.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\rozX = "C:\\Users\\Admin\\AppData\\Local\\rozX.url"	rc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

Processes:

SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exeoscvjkfd.exeds2.exeds1.exeac.exe

description	pid	process	target process
PID 1056 set thread context of 648	1056	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
PID 2416 set thread context of 2548	2416	oscvjkfd.exe	oscvjkfd.exe
PID 3980 set thread context of 1576	3980	ds2.exe	ds2.exe
PID 4008 set thread context of 3836	4008	ds1.exe	ds1.exe
PID 2968 set thread context of 3576	2968	ac.exe	ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oscvjkfd.exeSecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	oscvjkfd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2140 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1196 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3740 taskkill.exe
3624 taskkill.exe

pid	process
2140	schtasks.exe

pid	process
1196	timeout.exe

pid	process
3740	taskkill.exe
3624	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	rc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exeoscvjkfd.exeds2.exeds1.exe

pid	process
648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
2416	oscvjkfd.exe
2416	oscvjkfd.exe
3980	ds2.exe
3980	ds2.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe
3836	ds1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exeoscvjkfd.exetaskkill.exeds2.exeds1.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1056	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
Token: SeDebugPrivilege	2416	oscvjkfd.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	3980	ds2.exe
Token: SeDebugPrivilege	3836	ds1.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	3624	taskkill.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeIncreaseQuotaPrivilege	3084	powershell.exe
Token: SeSecurityPrivilege	3084	powershell.exe
Token: SeTakeOwnershipPrivilege	3084	powershell.exe
Token: SeLoadDriverPrivilege	3084	powershell.exe
Token: SeSystemProfilePrivilege	3084	powershell.exe
Token: SeSystemtimePrivilege	3084	powershell.exe
Token: SeProfSingleProcessPrivilege	3084	powershell.exe
Token: SeIncBasePriorityPrivilege	3084	powershell.exe
Token: SeCreatePagefilePrivilege	3084	powershell.exe
Token: SeBackupPrivilege	3084	powershell.exe
Token: SeRestorePrivilege	3084	powershell.exe
Token: SeShutdownPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeSystemEnvironmentPrivilege	3084	powershell.exe
Token: SeRemoteShutdownPrivilege	3084	powershell.exe
Token: SeUndockPrivilege	3084	powershell.exe
Token: SeManageVolumePrivilege	3084	powershell.exe
Token: 33	3084	powershell.exe
Token: 34	3084	powershell.exe
Token: 35	3084	powershell.exe
Token: 36	3084	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeIncreaseQuotaPrivilege	2576	powershell.exe
Token: SeSecurityPrivilege	2576	powershell.exe
Token: SeTakeOwnershipPrivilege	2576	powershell.exe
Token: SeLoadDriverPrivilege	2576	powershell.exe
Token: SeSystemProfilePrivilege	2576	powershell.exe
Token: SeSystemtimePrivilege	2576	powershell.exe
Token: SeProfSingleProcessPrivilege	2576	powershell.exe
Token: SeIncBasePriorityPrivilege	2576	powershell.exe
Token: SeCreatePagefilePrivilege	2576	powershell.exe
Token: SeBackupPrivilege	2576	powershell.exe
Token: SeRestorePrivilege	2576	powershell.exe
Token: SeShutdownPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeSystemEnvironmentPrivilege	2576	powershell.exe
Token: SeRemoteShutdownPrivilege	2576	powershell.exe
Token: SeUndockPrivilege	2576	powershell.exe
Token: SeManageVolumePrivilege	2576	powershell.exe
Token: 33	2576	powershell.exe
Token: 34	2576	powershell.exe
Token: 35	2576	powershell.exe
Token: 36	2576	powershell.exe
Token: SeIncreaseQuotaPrivilege	1308	powershell.exe
Token: SeSecurityPrivilege	1308	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ds1.exe

pid process

3836 ds1.exe
3836 ds1.exe

pid	process
3836	ds1.exe
3836	ds1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exeSecuriteInfo.com.Trojan.InjectNET.14.10717.10992.execmd.exerc.exeoscvjkfd.exeoscvjkfd.execmd.exeds2.exe

description	pid	process	target process
PID 1056 wrote to memory of 2416	1056	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	oscvjkfd.exe
PID 1056 wrote to memory of 2416	1056	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	oscvjkfd.exe
PID 1056 wrote to memory of 2416	1056	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	oscvjkfd.exe
PID 1056 wrote to memory of 648	1056	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
PID 1056 wrote to memory of 648	1056	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
PID 1056 wrote to memory of 648	1056	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
PID 1056 wrote to memory of 648	1056	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
PID 1056 wrote to memory of 648	1056	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
PID 1056 wrote to memory of 648	1056	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
PID 1056 wrote to memory of 648	1056	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
PID 1056 wrote to memory of 648	1056	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
PID 1056 wrote to memory of 648	1056	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
PID 648 wrote to memory of 4008	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	ds1.exe
PID 648 wrote to memory of 4008	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	ds1.exe
PID 648 wrote to memory of 4008	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	ds1.exe
PID 648 wrote to memory of 3980	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	ds2.exe
PID 648 wrote to memory of 3980	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	ds2.exe
PID 648 wrote to memory of 3980	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	ds2.exe
PID 648 wrote to memory of 3808	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	rc.exe
PID 648 wrote to memory of 3808	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	rc.exe
PID 648 wrote to memory of 3808	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	rc.exe
PID 648 wrote to memory of 2968	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	ac.exe
PID 648 wrote to memory of 2968	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	ac.exe
PID 648 wrote to memory of 2968	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	ac.exe
PID 648 wrote to memory of 3212	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	cmd.exe
PID 648 wrote to memory of 3212	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	cmd.exe
PID 648 wrote to memory of 3212	648	SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe	cmd.exe
PID 3212 wrote to memory of 1196	3212	cmd.exe	timeout.exe
PID 3212 wrote to memory of 1196	3212	cmd.exe	timeout.exe
PID 3212 wrote to memory of 1196	3212	cmd.exe	timeout.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 3808 wrote to memory of 1412	3808	rc.exe	ieinstal.exe
PID 2416 wrote to memory of 2636	2416	oscvjkfd.exe	oscvjkfd.exe
PID 2416 wrote to memory of 2636	2416	oscvjkfd.exe	oscvjkfd.exe
PID 2416 wrote to memory of 2636	2416	oscvjkfd.exe	oscvjkfd.exe
PID 2416 wrote to memory of 2548	2416	oscvjkfd.exe	oscvjkfd.exe
PID 2416 wrote to memory of 2548	2416	oscvjkfd.exe	oscvjkfd.exe
PID 2416 wrote to memory of 2548	2416	oscvjkfd.exe	oscvjkfd.exe
PID 2416 wrote to memory of 2548	2416	oscvjkfd.exe	oscvjkfd.exe
PID 2416 wrote to memory of 2548	2416	oscvjkfd.exe	oscvjkfd.exe
PID 2416 wrote to memory of 2548	2416	oscvjkfd.exe	oscvjkfd.exe
PID 2416 wrote to memory of 2548	2416	oscvjkfd.exe	oscvjkfd.exe
PID 2416 wrote to memory of 2548	2416	oscvjkfd.exe	oscvjkfd.exe
PID 2416 wrote to memory of 2548	2416	oscvjkfd.exe	oscvjkfd.exe
PID 2548 wrote to memory of 3908	2548	oscvjkfd.exe	cmd.exe
PID 2548 wrote to memory of 3908	2548	oscvjkfd.exe	cmd.exe
PID 2548 wrote to memory of 3908	2548	oscvjkfd.exe	cmd.exe
PID 3908 wrote to memory of 3740	3908	cmd.exe	taskkill.exe
PID 3908 wrote to memory of 3740	3908	cmd.exe	taskkill.exe
PID 3908 wrote to memory of 3740	3908	cmd.exe	taskkill.exe
PID 3980 wrote to memory of 1516	3980	ds2.exe	ds2.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\oscvjkfd.exe
"C:\Users\Admin\AppData\Local\Temp\oscvjkfd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\oscvjkfd.exe
"{path}"
3⤵
- Executes dropped EXE
PID:2636

C:\Users\Admin\AppData\Local\Temp\oscvjkfd.exe
"{path}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 2548 & erase C:\Users\Admin\AppData\Local\Temp\oscvjkfd.exe & RD /S /Q C:\\ProgramData\\002650469579013\\* & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 2548
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe
"{path}"
2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\ds1.exe
"C:\Users\Admin\AppData\Local\Temp\ds1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4008

C:\Users\Admin\AppData\Local\Temp\ds1.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3836

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\cs4q131m.inf
5⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\ds2.exe
"C:\Users\Admin\AppData\Local\Temp\ds2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\ds2.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1516

C:\Users\Admin\AppData\Local\Temp\ds2.exe
"{path}"
4⤵
- Executes dropped EXE
- Windows security modification
PID:1576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Users\Admin\AppData\Local\Temp\rc.exe
"C:\Users\Admin\AppData\Local\Temp\rc.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3808

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\ac.exe
"C:\Users\Admin\AppData\Local\Temp\ac.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jpbsDveFV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD775.tmp"
4⤵
- Creates scheduled task(s)
PID:2140

C:\Users\Admin\AppData\Local\Temp\ac.exe
"{path}"
4⤵
- Executes dropped EXE
PID:3576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "SecuriteInfo.com.Trojan.InjectNET.14.10717.10992.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
4⤵
- Delays execution with timeout.exe
PID:1196

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\z02tptb3.exe
2⤵
PID:1840

C:\Windows\temp\z02tptb3.exe
C:\Windows\temp\z02tptb3.exe
3⤵
- Executes dropped EXE
PID:496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ds1.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ds2.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ab5e02fa3751b2af2ab1cfdd412ae751

SHA1
115efd70d126c1240c6896167c3eccb85397593f

SHA256
faf1ee9d7ad92d95495c8d1406cee6491ecc62a20c49e633482d6ddbdae62aa3

SHA512
f112478b76d9097bb09b9a5839956d9ea81fafc56914b39bbe9e07792b0ba7d8069d5d9a753e664861f49fdb79af61513da20eb7fe5c29ee4295ba50a5790789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6d94b06648eb9df475f418de8e62f34e

SHA1
d00d96e5f659bd0a74f3a09522e4b791d635aa3d

SHA256
137a135669f428133d258ae0be33948cf65a1afe9d9d745af37861c35b36a500

SHA512
f6f641f424600ac8d3404a57d8747bdf5028a77f4ea5169e99379b8267a09d6024324b4a05f57ea541d69e83bf88884ee8bb0217148c400ad65db4bebd53cea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c5d8993451c722833ee2332816163379

SHA1
650bd8ce87cdc100cae3c31e3b1e9d46b6cb00ac

SHA256
4ced38eef6ea591cf590b9f29b49ecc3c3cb0a318327f4d3839f8ca3e1740568

SHA512
2556e1883104442e281ea52289c666eb013f043d3339c2481548b91f0f919b5e80dad232186671d4abfa9fcf9bfe8797cf66b04138fdd8f695437485dfbc088c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
28271f8292a65dc33f169f5996de7da3

SHA1
09f93fbf122bd455b780e7d518c6a6811a039248

SHA256
d6b72584877746a0241267d28d8b39523f3b18a7459d8c31aa0410b9b4e63d2e

SHA512
02b27bdcba43f9189559369a138fd56ef9207bc31af65dbcd72c5b3d40daec1e413d86756666aef00ad89d0ee851ab623b79e6cecbc2b64fbf9a2f071349fb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ddddc733809813e4c5512b9592f88585

SHA1
aad7325d2a9197de0dd19ca6efec4c3def389b5a

SHA256
1375ffa11d243351956e5fdd0c69426579bbfea844ef4096a86dabb6e45fd1e8

SHA512
d2ebab5a3ec2b41ee23578f97016e1ffbb6c03e09155be6232e6613cd9e935c7980573a524a9ba330a2a36bf7d58528945e8acc900210d3d46b4902f0d2fc181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ddddc733809813e4c5512b9592f88585

SHA1
aad7325d2a9197de0dd19ca6efec4c3def389b5a

SHA256
1375ffa11d243351956e5fdd0c69426579bbfea844ef4096a86dabb6e45fd1e8

SHA512
d2ebab5a3ec2b41ee23578f97016e1ffbb6c03e09155be6232e6613cd9e935c7980573a524a9ba330a2a36bf7d58528945e8acc900210d3d46b4902f0d2fc181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4ec6482b94b85cab4fce91c301783a2e

SHA1
f4703973b9fe88eec038ad03a116db7ebe92d950

SHA256
608fe7dff1565fca2d362fd74af48be2c9305f9462d4dd2729179c2680b7b5e6

SHA512
f8ff279b5085bf13b8b02d48454a176ef4d8eaabccdbccf7a994d3267d9a6601d9cb34a9e16039de1f7716b59aef3701f440d3c8028f5a6a92a2581811943320

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
badd26de4545c463095aadd6b564ffce

SHA1
454d0037b0b6e947642fabbcc6c382f715d068a3

SHA256
8281b33494f66ee1aabca6898685a746136f7b219a29c86a2acbc9286879c74c

SHA512
6cef91adebadcc1b4afb8e3bcf587d0dab81d3b991344d25995d385a61bb694ef4f0a81d3370114f775261052719061543ee1e97d07e4ebfc6620bb81dcee265

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0d795aa8fa93e16e32d5db27abb0df13

SHA1
c04aa5fc4ab761ede0c55326266b128857bd81b2

SHA256
2d3cdc702763dee026a06d2c86ce528bdb552b2af08c79272be86d7e2214d3d2

SHA512
de319c3f1642e8ab83acbbc8e407e6e1a5f134be2b48bdb220e429624560ec31014fecaf631131b799dbfbaed928ebf1cbdf97ce6df1e6afb88b1d007b585140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0d795aa8fa93e16e32d5db27abb0df13

SHA1
c04aa5fc4ab761ede0c55326266b128857bd81b2

SHA256
2d3cdc702763dee026a06d2c86ce528bdb552b2af08c79272be86d7e2214d3d2

SHA512
de319c3f1642e8ab83acbbc8e407e6e1a5f134be2b48bdb220e429624560ec31014fecaf631131b799dbfbaed928ebf1cbdf97ce6df1e6afb88b1d007b585140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
06d631e0fede182058d0650f00b5fea5

SHA1
68c0c002093a5d4c3f326c25ab2e9d75498f4a15

SHA256
3b5cb9cf561ebe9741ecc08ad369592f4b85307b1f8a1c777d7db301fffcc255

SHA512
179472f92b896dd7e1028df7d3e9e8981f7de7a5109d609a42c640f0915d31ee7d8795054bf5dd6a2006e8de494753e40c1ca95a4b26f987916a38ed85bf29ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b34ff5e45b2f672ce7b2a66f406d7632

SHA1
7218984e04d5e9bf677df1b6d6cbd51cfefa93e9

SHA256
feb54100a216970e6f0c12788655f8454a3678b5f2007b4a04078f04afc32d77

SHA512
f04a1b17c453d7b8e7d45041ec1297c80b6cb1e134be75a3f60913284bea0f3cc82723606df5cf87ceae6f78d8a69a691197c8a7808325dd2e72602a31c9fd96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
23905159280b949188f4a6b867d25317

SHA1
1be8a84aaa0f0f5d65273a19753ca3ed363eb855

SHA256
e9627b798ecdc97ad3941189489dcf1f8ccdd751a587a56fe7385784d4476919

SHA512
db345de70a78be861f3dfdc3207853e38e0acf4e1e6e16cead45fc52a442247e8ebda3d951cb581c4dcf09d51b0c423d7d05434a0657db62bf07218e87c79d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac.exe
MD5
d48449979ab0c5751e432b6743268ccd

SHA1
8de38007294f06b14ca32f2cc62e9c04490a2890

SHA256
65c8232de44a0edf4ad3419c24fc4aaa82be89fc4af9d0164b3fde64bc258a7e

SHA512
b105bdb9b74ad5208cccd8ac7fe051956ed1440f391019befbb0804720845bea497e164af6f02f440cffb96fdbe10e247d50e67c0f959e9f1414d1230cc86438

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac.exe
MD5
d48449979ab0c5751e432b6743268ccd

SHA1
8de38007294f06b14ca32f2cc62e9c04490a2890

SHA256
65c8232de44a0edf4ad3419c24fc4aaa82be89fc4af9d0164b3fde64bc258a7e

SHA512
b105bdb9b74ad5208cccd8ac7fe051956ed1440f391019befbb0804720845bea497e164af6f02f440cffb96fdbe10e247d50e67c0f959e9f1414d1230cc86438

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac.exe
MD5
d48449979ab0c5751e432b6743268ccd

SHA1
8de38007294f06b14ca32f2cc62e9c04490a2890

SHA256
65c8232de44a0edf4ad3419c24fc4aaa82be89fc4af9d0164b3fde64bc258a7e

SHA512
b105bdb9b74ad5208cccd8ac7fe051956ed1440f391019befbb0804720845bea497e164af6f02f440cffb96fdbe10e247d50e67c0f959e9f1414d1230cc86438

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds1.exe
MD5
a17b2168e387499d984ce735b429c203

SHA1
080bde2af672c6559f34d13d09deff0c19a02ff3

SHA256
063f92b92f5711f274cd75cd9f70ea8f264769d738224dddfec7631c283c4a5d

SHA512
46376cac56c94b2b27e7d51c485f18091fd327d2b41976528265921fe596f25a2c1ed8276ffd9947c7c4836efab24476f95a1a748e722d41176aa001396a0833

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds1.exe
MD5
a17b2168e387499d984ce735b429c203

SHA1
080bde2af672c6559f34d13d09deff0c19a02ff3

SHA256
063f92b92f5711f274cd75cd9f70ea8f264769d738224dddfec7631c283c4a5d

SHA512
46376cac56c94b2b27e7d51c485f18091fd327d2b41976528265921fe596f25a2c1ed8276ffd9947c7c4836efab24476f95a1a748e722d41176aa001396a0833

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds1.exe
MD5
a17b2168e387499d984ce735b429c203

SHA1
080bde2af672c6559f34d13d09deff0c19a02ff3

SHA256
063f92b92f5711f274cd75cd9f70ea8f264769d738224dddfec7631c283c4a5d

SHA512
46376cac56c94b2b27e7d51c485f18091fd327d2b41976528265921fe596f25a2c1ed8276ffd9947c7c4836efab24476f95a1a748e722d41176aa001396a0833

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds2.exe
MD5
909bafa3ad6f8f92a6a3f6e43657766b

SHA1
66e2f6f24f1d1e1a1d51f3a39e0b201396e71cb3

SHA256
877b397265d324ba44a102b1595e6e76e6c418c0d34d66b195ce0e4d53ab8ab8

SHA512
7e863f57146323446e88f3d9b60c9b4f6f67a99feaedaeae39d01956c12e9dac90ca991c169177ff9fb96599ba8c8c02ea2954609c7822fd689cf8f958f07ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds2.exe
MD5
909bafa3ad6f8f92a6a3f6e43657766b

SHA1
66e2f6f24f1d1e1a1d51f3a39e0b201396e71cb3

SHA256
877b397265d324ba44a102b1595e6e76e6c418c0d34d66b195ce0e4d53ab8ab8

SHA512
7e863f57146323446e88f3d9b60c9b4f6f67a99feaedaeae39d01956c12e9dac90ca991c169177ff9fb96599ba8c8c02ea2954609c7822fd689cf8f958f07ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds2.exe
MD5
909bafa3ad6f8f92a6a3f6e43657766b

SHA1
66e2f6f24f1d1e1a1d51f3a39e0b201396e71cb3

SHA256
877b397265d324ba44a102b1595e6e76e6c418c0d34d66b195ce0e4d53ab8ab8

SHA512
7e863f57146323446e88f3d9b60c9b4f6f67a99feaedaeae39d01956c12e9dac90ca991c169177ff9fb96599ba8c8c02ea2954609c7822fd689cf8f958f07ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds2.exe
MD5
909bafa3ad6f8f92a6a3f6e43657766b

SHA1
66e2f6f24f1d1e1a1d51f3a39e0b201396e71cb3

SHA256
877b397265d324ba44a102b1595e6e76e6c418c0d34d66b195ce0e4d53ab8ab8

SHA512
7e863f57146323446e88f3d9b60c9b4f6f67a99feaedaeae39d01956c12e9dac90ca991c169177ff9fb96599ba8c8c02ea2954609c7822fd689cf8f958f07ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oscvjkfd.exe
MD5
0c0166dba45d03d2b7907707fa7dcdaa

SHA1
286cac8b2e883239ae1515dc4ab1e35b9ac38d31

SHA256
cb581d356a20e0845006197aed2cc99463a9759f3f8c6a6d0783a553c88fda1b

SHA512
e8d364483d200ce13ff60b4eccea8f4970c81d332ede863211c73bb9de96686e4127966c7d89b2622b5d52a6046f64618fc02a1b0f22b527ec6250ac51117203

Download Submit
C:\Users\Admin\AppData\Local\Temp\oscvjkfd.exe
MD5
0c0166dba45d03d2b7907707fa7dcdaa

SHA1
286cac8b2e883239ae1515dc4ab1e35b9ac38d31

SHA256
cb581d356a20e0845006197aed2cc99463a9759f3f8c6a6d0783a553c88fda1b

SHA512
e8d364483d200ce13ff60b4eccea8f4970c81d332ede863211c73bb9de96686e4127966c7d89b2622b5d52a6046f64618fc02a1b0f22b527ec6250ac51117203

Download Submit
C:\Users\Admin\AppData\Local\Temp\oscvjkfd.exe
MD5
0c0166dba45d03d2b7907707fa7dcdaa

SHA1
286cac8b2e883239ae1515dc4ab1e35b9ac38d31

SHA256
cb581d356a20e0845006197aed2cc99463a9759f3f8c6a6d0783a553c88fda1b

SHA512
e8d364483d200ce13ff60b4eccea8f4970c81d332ede863211c73bb9de96686e4127966c7d89b2622b5d52a6046f64618fc02a1b0f22b527ec6250ac51117203

Download Submit
C:\Users\Admin\AppData\Local\Temp\oscvjkfd.exe
MD5
0c0166dba45d03d2b7907707fa7dcdaa

SHA1
286cac8b2e883239ae1515dc4ab1e35b9ac38d31

SHA256
cb581d356a20e0845006197aed2cc99463a9759f3f8c6a6d0783a553c88fda1b

SHA512
e8d364483d200ce13ff60b4eccea8f4970c81d332ede863211c73bb9de96686e4127966c7d89b2622b5d52a6046f64618fc02a1b0f22b527ec6250ac51117203

Download Submit
C:\Users\Admin\AppData\Local\Temp\rc.exe
MD5
a93af1e2096c6baa9909f2aa868666e5

SHA1
1987fc6f967c65723de0ee769af09772578fcff2

SHA256
828bef2c1c478b2cfe831318564d51e27cff0ef0b238f1b1c06b9b0223412400

SHA512
171a2a0ec7b03e41013981e3e1e7bd0e53ff02e60e46765ccf0f678cd0241131306ec9fe760fbfdcbc92ea049aab9d154cbc1dacb724dd6214c61bb4ad930a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\rc.exe
MD5
a93af1e2096c6baa9909f2aa868666e5

SHA1
1987fc6f967c65723de0ee769af09772578fcff2

SHA256
828bef2c1c478b2cfe831318564d51e27cff0ef0b238f1b1c06b9b0223412400

SHA512
171a2a0ec7b03e41013981e3e1e7bd0e53ff02e60e46765ccf0f678cd0241131306ec9fe760fbfdcbc92ea049aab9d154cbc1dacb724dd6214c61bb4ad930a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD775.tmp
MD5
c08c1759111059cbd4fb20d5a9595225

SHA1
a01d92f54f75e23e0de0ad8fe1b2b05a6ad85c6d

SHA256
b86c772650712c61d926f438b22fd4ec72795cdf526947e8c01d7ce24d407396

SHA512
1bf6f28b7abff5e3b0746182bfba7eb95f10f1c522be36d911df75d2c236348e08739f65dc2a5abc7cf95f815b4a812c6095b70605b72d7c44ad6d4c794e1a6f

Download Submit
C:\Windows\Temp\z02tptb3.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\cs4q131m.inf
MD5
6558b512e8297ccca60c416eddce59a0

SHA1
1e603f47f994ff1bc53dc00ec6769b57eaf60e3b

SHA256
6f883b11a3b4e7cb67ee08ac486acfb0174bb24e6422b98115c353208ec5d463

SHA512
23d855f8c171becbf25a085077b766e1f2e188fce5a35725dc55567395ce38f662165fc4177b0a15d1f0e669ddbbefacc16e047f4f520cd7f130bbc0423ade00

Download Submit
C:\Windows\temp\z02tptb3.exe
MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\mozglue.dll
MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\nss3.dll
MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/496-137-0x0000000000000000-mapping.dmp

Download
memory/496-136-0x0000000000000000-mapping.dmp

Download
memory/496-142-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/496-140-0x00007FFF2BCA0000-0x00007FFF2C68C000-memory.dmp

Filesize
9.9MB

Download
memory/648-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/648-16-0x000000000041A684-mapping.dmp

Download
memory/648-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/904-160-0x0000000000000000-mapping.dmp

Download
memory/904-166-0x00007FFF2BCA0000-0x00007FFF2C68C000-memory.dmp

Filesize
9.9MB

Download
memory/1056-8-0x00000000081C0000-0x00000000081C1000-memory.dmp

Filesize
4KB

Download
memory/1056-2-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/1056-3-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1056-5-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/1056-6-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/1056-7-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/1056-10-0x0000000008260000-0x00000000082D1000-memory.dmp

Filesize
452KB

Download
memory/1056-9-0x0000000008110000-0x0000000008114000-memory.dmp

Filesize
16KB

Download
memory/1196-65-0x0000000000000000-mapping.dmp

Download
memory/1308-161-0x0000000000000000-mapping.dmp

Download
memory/1308-167-0x00007FFF2BCA0000-0x00007FFF2C68C000-memory.dmp

Filesize
9.9MB

Download
memory/1412-72-0x0000000000000000-mapping.dmp

Download
memory/1412-70-0x0000000000000000-mapping.dmp

Download
memory/1412-74-0x0000000000000000-mapping.dmp

Download
memory/1412-75-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/1412-71-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/1412-69-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/1412-76-0x0000000000000000-mapping.dmp

Download
memory/1576-92-0x0000000000403BEE-mapping.dmp

Download
memory/1576-91-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1576-95-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/1840-127-0x0000000000000000-mapping.dmp

Download
memory/1996-115-0x0000000005080000-0x0000000005181000-memory.dmp

Filesize
1.0MB

Download
memory/1996-107-0x0000000000000000-mapping.dmp

Download
memory/2140-123-0x0000000000000000-mapping.dmp

Download
memory/2220-175-0x00007FFF2BCA0000-0x00007FFF2C68C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-168-0x0000000000000000-mapping.dmp

Download
memory/2416-11-0x0000000000000000-mapping.dmp

Download
memory/2416-18-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/2416-77-0x0000000008AC0000-0x0000000008B49000-memory.dmp

Filesize
548KB

Download
memory/2416-14-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-80-0x0000000000417A8B-mapping.dmp

Download
memory/2548-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-165-0x0000000000000000-mapping.dmp

Download
memory/2556-171-0x00007FFF2BCA0000-0x00007FFF2C68C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-163-0x00007FFF2BCA0000-0x00007FFF2C68C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-159-0x0000000000000000-mapping.dmp

Download
memory/2856-179-0x0000000008DA0000-0x0000000008DA1000-memory.dmp

Filesize
4KB

Download
memory/2856-110-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/2856-108-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/2856-106-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/2856-101-0x0000000000000000-mapping.dmp

Download
memory/2856-183-0x0000000008D90000-0x0000000008D91000-memory.dmp

Filesize
4KB

Download
memory/2856-117-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/2856-118-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/2856-119-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/2856-120-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/2856-122-0x00000000073A0000-0x00000000073A1000-memory.dmp

Filesize
4KB

Download
memory/2856-124-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/2856-129-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/2856-158-0x0000000008EC0000-0x0000000008EC1000-memory.dmp

Filesize
4KB

Download
memory/2856-149-0x0000000006770000-0x00000000067A3000-memory.dmp

Filesize
204KB

Download
memory/2856-156-0x0000000006750000-0x0000000006751000-memory.dmp

Filesize
4KB

Download
memory/2856-157-0x0000000008C80000-0x0000000008C81000-memory.dmp

Filesize
4KB

Download
memory/2968-121-0x0000000007020000-0x0000000007083000-memory.dmp

Filesize
396KB

Download
memory/2968-50-0x0000000000000000-mapping.dmp

Download
memory/2968-54-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-55-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3084-146-0x000001AA9A200000-0x000001AA9A201000-memory.dmp

Filesize
4KB

Download
memory/3084-147-0x000001AA9A3B0000-0x000001AA9A3B1000-memory.dmp

Filesize
4KB

Download
memory/3084-145-0x00007FFF2BCA0000-0x00007FFF2C68C000-memory.dmp

Filesize
9.9MB

Download
memory/3084-144-0x0000000000000000-mapping.dmp

Download
memory/3212-56-0x0000000000000000-mapping.dmp

Download
memory/3224-164-0x0000000000000000-mapping.dmp

Download
memory/3224-169-0x00007FFF2BCA0000-0x00007FFF2C68C000-memory.dmp

Filesize
9.9MB

Download
memory/3576-133-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/3576-131-0x000000000040C76E-mapping.dmp

Download
memory/3576-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3624-141-0x0000000000000000-mapping.dmp

Download
memory/3740-87-0x0000000000000000-mapping.dmp

Download
memory/3808-68-0x0000000000640000-0x000000000065B000-memory.dmp

Filesize
108KB

Download
memory/3808-39-0x0000000000000000-mapping.dmp

Download
memory/3836-94-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3836-96-0x000000000040616E-mapping.dmp

Download
memory/3836-100-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/3908-86-0x0000000000000000-mapping.dmp

Download
memory/3980-89-0x00000000066F0000-0x000000000674C000-memory.dmp

Filesize
368KB

Download
memory/3980-41-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/3980-37-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/3980-33-0x0000000000000000-mapping.dmp

Download
memory/4008-38-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/4008-88-0x00000000066E0000-0x000000000673F000-memory.dmp

Filesize
380KB

Download
memory/4008-30-0x0000000000000000-mapping.dmp

Download
memory/4008-34-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/4152-170-0x0000000000000000-mapping.dmp

Download
memory/4152-178-0x00007FFF2BCA0000-0x00007FFF2C68C000-memory.dmp

Filesize
9.9MB

Download
memory/4240-182-0x00007FFF2BCA0000-0x00007FFF2C68C000-memory.dmp

Filesize
9.9MB

Download
memory/4240-173-0x0000000000000000-mapping.dmp

Download
memory/4340-188-0x00007FFF2BCA0000-0x00007FFF2C68C000-memory.dmp

Filesize
9.9MB

Download
memory/4340-176-0x0000000000000000-mapping.dmp

Download
memory/4464-192-0x00007FFF2BCA0000-0x00007FFF2C68C000-memory.dmp

Filesize
9.9MB

Download
memory/4464-181-0x0000000000000000-mapping.dmp

Download
memory/4576-194-0x00007FFF2BCA0000-0x00007FFF2C68C000-memory.dmp

Filesize
9.9MB

Download
memory/4576-186-0x0000000000000000-mapping.dmp

Download
memory/4736-197-0x00007FFF2BCA0000-0x00007FFF2C68C000-memory.dmp

Filesize
9.9MB

Download
memory/4736-191-0x0000000000000000-mapping.dmp

Download