asyncrat | a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154

Analysis

max time kernel
122s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
30-04-2021 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85f8144cf55f7e208b04daf30a0e753c.exe
Size

1.1MB
MD5

85f8144cf55f7e208b04daf30a0e753c
SHA1

79b31f9e33db670b0fe23a427d2a7964cd42c570
SHA256

a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154
SHA512

5972cccacf15624bbd9985e8a44c4037cfaacfc7ad4c3c3d65cf5904ff656698475302520ce10e2bc97c0364e7bc8f3a0e1763584637f65650ab184eb9fb5f28

Score

10^/10

asyncrat azorult oski raccoon 67a1a4d96e0af06ab629d8d5c048c516a37dbc35 discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

oski

malcacnba.ac.ug

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

raccoon

Botnet

67a1a4d96e0af06ab629d8d5c048c516a37dbc35

Attributes

url4cnc
https://tttttt.me/brikitiki

rc4.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 7 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/1764-282-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral2/memory/2864-290-0x000000000040616E-mapping.dmp	disable_win_def
behavioral2/memory/2864-296-0x0000000005680000-0x0000000005B7E000-memory.dmp	disable_win_def
C:\Windows\temp\vt4xeehl.exe	disable_win_def
C:\Windows\Temp\vt4xeehl.exe	disable_win_def
behavioral2/memory/4448-353-0x000000000040616E-mapping.dmp	disable_win_def
behavioral2/memory/1908-358-0x0000000000403BEE-mapping.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1628-274-0x000000000040C71E-mapping.dmp	asyncrat
behavioral2/memory/3692-309-0x000000000040C71E-mapping.dmp	asyncrat

Downloads MZ/PE file

Executes dropped EXE 26 IoCs

Processes:

VDFgrdbvcdsf.exeFDfgbtgwssdf.exeVDFgrdbvcdsf.exeFDfgbtgwssdf.exeac.exerc.exeds2.exeds1.exezSjqGMJGzM.exeYAuzLl5GfP.exe54wXSa46lD.exeW0K2QX95mp.exerc.exeNetplwiz.exeac.exeac.exeds2.exeYAuzLl5GfP.exeds1.exevt4xeehl.exezSjqGMJGzM.exezSjqGMJGzM.exezSjqGMJGzM.exe54wXSa46lD.exeW0K2QX95mp.exef0icji3t.exe

pid	process
3140	VDFgrdbvcdsf.exe
3144	FDfgbtgwssdf.exe
4032	VDFgrdbvcdsf.exe
3988	FDfgbtgwssdf.exe
3312	ac.exe
1180	rc.exe
3592	ds2.exe
3988	ds1.exe
3908	zSjqGMJGzM.exe
2796	YAuzLl5GfP.exe
3068	54wXSa46lD.exe
1292	W0K2QX95mp.exe
2296	rc.exe
3272	Netplwiz.exe
2404	ac.exe
1628	ac.exe
1764	ds2.exe
3600	YAuzLl5GfP.exe
2864	ds1.exe
2980	vt4xeehl.exe
3856	zSjqGMJGzM.exe
1604	zSjqGMJGzM.exe
3692	zSjqGMJGzM.exe
4448	54wXSa46lD.exe
1908	W0K2QX95mp.exe
3932	f0icji3t.exe

Loads dropped DLL 14 IoCs

Processes:

FDfgbtgwssdf.exeVDFgrdbvcdsf.exe85f8144cf55f7e208b04daf30a0e753c.exeNetplwiz.exe

pid	process
3988	FDfgbtgwssdf.exe
3988	FDfgbtgwssdf.exe
3988	FDfgbtgwssdf.exe
4032	VDFgrdbvcdsf.exe
4032	VDFgrdbvcdsf.exe
4032	VDFgrdbvcdsf.exe
4032	VDFgrdbvcdsf.exe
3124	85f8144cf55f7e208b04daf30a0e753c.exe
3124	85f8144cf55f7e208b04daf30a0e753c.exe
3124	85f8144cf55f7e208b04daf30a0e753c.exe
3124	85f8144cf55f7e208b04daf30a0e753c.exe
3124	85f8144cf55f7e208b04daf30a0e753c.exe
3124	85f8144cf55f7e208b04daf30a0e753c.exe
3272	Netplwiz.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ds2.exeW0K2QX95mp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ds2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ds2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	W0K2QX95mp.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yzsmfc = "C:\\Users\\Public\\Libraries\\cfmszY.url"	rc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

85f8144cf55f7e208b04daf30a0e753c.exe

description ioc process

File created C:\Users\Admin\AppData\LocalLow\iK0eK1lK3k\desktop.ini 85f8144cf55f7e208b04daf30a0e753c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\iK0eK1lK3k\desktop.ini	85f8144cf55f7e208b04daf30a0e753c.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

85f8144cf55f7e208b04daf30a0e753c.exeVDFgrdbvcdsf.exeFDfgbtgwssdf.exerc.exeac.exeds2.exeYAuzLl5GfP.exeds1.exezSjqGMJGzM.exe54wXSa46lD.exeW0K2QX95mp.exe

description	pid	process	target process
PID 624 set thread context of 3124	624	85f8144cf55f7e208b04daf30a0e753c.exe	85f8144cf55f7e208b04daf30a0e753c.exe
PID 3140 set thread context of 4032	3140	VDFgrdbvcdsf.exe	VDFgrdbvcdsf.exe
PID 3144 set thread context of 3988	3144	FDfgbtgwssdf.exe	FDfgbtgwssdf.exe
PID 1180 set thread context of 2296	1180	rc.exe	rc.exe
PID 3312 set thread context of 1628	3312	ac.exe	ac.exe
PID 3592 set thread context of 1764	3592	ds2.exe	ds2.exe
PID 2796 set thread context of 3600	2796	YAuzLl5GfP.exe	YAuzLl5GfP.exe
PID 3988 set thread context of 2864	3988	ds1.exe	ds1.exe
PID 3908 set thread context of 3692	3908	zSjqGMJGzM.exe	zSjqGMJGzM.exe
PID 3068 set thread context of 4448	3068	54wXSa46lD.exe	54wXSa46lD.exe
PID 1292 set thread context of 1908	1292	W0K2QX95mp.exe	W0K2QX95mp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FDfgbtgwssdf.exeVDFgrdbvcdsf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FDfgbtgwssdf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	VDFgrdbvcdsf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	VDFgrdbvcdsf.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

776 schtasks.exe
1272 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3916 timeout.exe
3932 timeout.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

752 taskkill.exe
388 taskkill.exe
4484 taskkill.exe

pid	process
776	schtasks.exe
1272	schtasks.exe

pid	process
3916	timeout.exe
3932	timeout.exe

pid	process
752	taskkill.exe
388	taskkill.exe
4484	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

VDFgrdbvcdsf.exepowershell.exeac.exepowershell.exeds1.exe

pid	process
4032	VDFgrdbvcdsf.exe
4032	VDFgrdbvcdsf.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
3312	ac.exe
3312	ac.exe
2764	powershell.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe
2864	ds1.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

85f8144cf55f7e208b04daf30a0e753c.exeVDFgrdbvcdsf.exeFDfgbtgwssdf.exe

pid process

624 85f8144cf55f7e208b04daf30a0e753c.exe
3140 VDFgrdbvcdsf.exe
3144 FDfgbtgwssdf.exe

pid	process
624	85f8144cf55f7e208b04daf30a0e753c.exe
3140	VDFgrdbvcdsf.exe
3144	FDfgbtgwssdf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exepowershell.exeac.exepowershell.exeds1.exepowershell.exetaskkill.exezSjqGMJGzM.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe54wXSa46lD.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeIncreaseQuotaPrivilege	3140	powershell.exe
Token: SeSecurityPrivilege	3140	powershell.exe
Token: SeTakeOwnershipPrivilege	3140	powershell.exe
Token: SeLoadDriverPrivilege	3140	powershell.exe
Token: SeSystemProfilePrivilege	3140	powershell.exe
Token: SeSystemtimePrivilege	3140	powershell.exe
Token: SeProfSingleProcessPrivilege	3140	powershell.exe
Token: SeIncBasePriorityPrivilege	3140	powershell.exe
Token: SeCreatePagefilePrivilege	3140	powershell.exe
Token: SeBackupPrivilege	3140	powershell.exe
Token: SeRestorePrivilege	3140	powershell.exe
Token: SeShutdownPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeSystemEnvironmentPrivilege	3140	powershell.exe
Token: SeRemoteShutdownPrivilege	3140	powershell.exe
Token: SeUndockPrivilege	3140	powershell.exe
Token: SeManageVolumePrivilege	3140	powershell.exe
Token: 33	3140	powershell.exe
Token: 34	3140	powershell.exe
Token: 35	3140	powershell.exe
Token: 36	3140	powershell.exe
Token: SeDebugPrivilege	3312	ac.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2864	ds1.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	388	taskkill.exe
Token: SeDebugPrivilege	3908	zSjqGMJGzM.exe
Token: SeIncreaseQuotaPrivilege	2988	powershell.exe
Token: SeSecurityPrivilege	2988	powershell.exe
Token: SeTakeOwnershipPrivilege	2988	powershell.exe
Token: SeLoadDriverPrivilege	2988	powershell.exe
Token: SeSystemProfilePrivilege	2988	powershell.exe
Token: SeSystemtimePrivilege	2988	powershell.exe
Token: SeProfSingleProcessPrivilege	2988	powershell.exe
Token: SeIncBasePriorityPrivilege	2988	powershell.exe
Token: SeCreatePagefilePrivilege	2988	powershell.exe
Token: SeBackupPrivilege	2988	powershell.exe
Token: SeRestorePrivilege	2988	powershell.exe
Token: SeShutdownPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeSystemEnvironmentPrivilege	2988	powershell.exe
Token: SeRemoteShutdownPrivilege	2988	powershell.exe
Token: SeUndockPrivilege	2988	powershell.exe
Token: SeManageVolumePrivilege	2988	powershell.exe
Token: 33	2988	powershell.exe
Token: 34	2988	powershell.exe
Token: 35	2988	powershell.exe
Token: 36	2988	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4448	54wXSa46lD.exe
Token: SeDebugPrivilege	2976	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

85f8144cf55f7e208b04daf30a0e753c.exeVDFgrdbvcdsf.exeFDfgbtgwssdf.exeds1.exe54wXSa46lD.exe

pid process

624 85f8144cf55f7e208b04daf30a0e753c.exe
3140 VDFgrdbvcdsf.exe
3144 FDfgbtgwssdf.exe
2864 ds1.exe
2864 ds1.exe
4448 54wXSa46lD.exe
4448 54wXSa46lD.exe

pid	process
624	85f8144cf55f7e208b04daf30a0e753c.exe
3140	VDFgrdbvcdsf.exe
3144	FDfgbtgwssdf.exe
2864	ds1.exe
2864	ds1.exe
4448	54wXSa46lD.exe
4448	54wXSa46lD.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

85f8144cf55f7e208b04daf30a0e753c.exeVDFgrdbvcdsf.exeFDfgbtgwssdf.exeFDfgbtgwssdf.execmd.exeVDFgrdbvcdsf.execmd.exe85f8144cf55f7e208b04daf30a0e753c.execmd.exerc.exe

description	pid	process	target process
PID 624 wrote to memory of 3140	624	85f8144cf55f7e208b04daf30a0e753c.exe	VDFgrdbvcdsf.exe
PID 624 wrote to memory of 3140	624	85f8144cf55f7e208b04daf30a0e753c.exe	VDFgrdbvcdsf.exe
PID 624 wrote to memory of 3140	624	85f8144cf55f7e208b04daf30a0e753c.exe	VDFgrdbvcdsf.exe
PID 624 wrote to memory of 3144	624	85f8144cf55f7e208b04daf30a0e753c.exe	FDfgbtgwssdf.exe
PID 624 wrote to memory of 3144	624	85f8144cf55f7e208b04daf30a0e753c.exe	FDfgbtgwssdf.exe
PID 624 wrote to memory of 3144	624	85f8144cf55f7e208b04daf30a0e753c.exe	FDfgbtgwssdf.exe
PID 624 wrote to memory of 3124	624	85f8144cf55f7e208b04daf30a0e753c.exe	85f8144cf55f7e208b04daf30a0e753c.exe
PID 624 wrote to memory of 3124	624	85f8144cf55f7e208b04daf30a0e753c.exe	85f8144cf55f7e208b04daf30a0e753c.exe
PID 624 wrote to memory of 3124	624	85f8144cf55f7e208b04daf30a0e753c.exe	85f8144cf55f7e208b04daf30a0e753c.exe
PID 624 wrote to memory of 3124	624	85f8144cf55f7e208b04daf30a0e753c.exe	85f8144cf55f7e208b04daf30a0e753c.exe
PID 3140 wrote to memory of 4032	3140	VDFgrdbvcdsf.exe	VDFgrdbvcdsf.exe
PID 3140 wrote to memory of 4032	3140	VDFgrdbvcdsf.exe	VDFgrdbvcdsf.exe
PID 3140 wrote to memory of 4032	3140	VDFgrdbvcdsf.exe	VDFgrdbvcdsf.exe
PID 3140 wrote to memory of 4032	3140	VDFgrdbvcdsf.exe	VDFgrdbvcdsf.exe
PID 3144 wrote to memory of 3988	3144	FDfgbtgwssdf.exe	FDfgbtgwssdf.exe
PID 3144 wrote to memory of 3988	3144	FDfgbtgwssdf.exe	FDfgbtgwssdf.exe
PID 3144 wrote to memory of 3988	3144	FDfgbtgwssdf.exe	FDfgbtgwssdf.exe
PID 3144 wrote to memory of 3988	3144	FDfgbtgwssdf.exe	FDfgbtgwssdf.exe
PID 3988 wrote to memory of 3968	3988	FDfgbtgwssdf.exe	cmd.exe
PID 3988 wrote to memory of 3968	3988	FDfgbtgwssdf.exe	cmd.exe
PID 3988 wrote to memory of 3968	3988	FDfgbtgwssdf.exe	cmd.exe
PID 3968 wrote to memory of 752	3968	cmd.exe	taskkill.exe
PID 3968 wrote to memory of 752	3968	cmd.exe	taskkill.exe
PID 3968 wrote to memory of 752	3968	cmd.exe	taskkill.exe
PID 4032 wrote to memory of 3312	4032	VDFgrdbvcdsf.exe	ac.exe
PID 4032 wrote to memory of 3312	4032	VDFgrdbvcdsf.exe	ac.exe
PID 4032 wrote to memory of 3312	4032	VDFgrdbvcdsf.exe	ac.exe
PID 4032 wrote to memory of 1180	4032	VDFgrdbvcdsf.exe	rc.exe
PID 4032 wrote to memory of 1180	4032	VDFgrdbvcdsf.exe	rc.exe
PID 4032 wrote to memory of 1180	4032	VDFgrdbvcdsf.exe	rc.exe
PID 4032 wrote to memory of 3592	4032	VDFgrdbvcdsf.exe	ds2.exe
PID 4032 wrote to memory of 3592	4032	VDFgrdbvcdsf.exe	ds2.exe
PID 4032 wrote to memory of 3592	4032	VDFgrdbvcdsf.exe	ds2.exe
PID 4032 wrote to memory of 3988	4032	VDFgrdbvcdsf.exe	ds1.exe
PID 4032 wrote to memory of 3988	4032	VDFgrdbvcdsf.exe	ds1.exe
PID 4032 wrote to memory of 3988	4032	VDFgrdbvcdsf.exe	ds1.exe
PID 4032 wrote to memory of 2256	4032	VDFgrdbvcdsf.exe	cmd.exe
PID 4032 wrote to memory of 2256	4032	VDFgrdbvcdsf.exe	cmd.exe
PID 4032 wrote to memory of 2256	4032	VDFgrdbvcdsf.exe	cmd.exe
PID 2256 wrote to memory of 3916	2256	cmd.exe	timeout.exe
PID 2256 wrote to memory of 3916	2256	cmd.exe	timeout.exe
PID 2256 wrote to memory of 3916	2256	cmd.exe	timeout.exe
PID 3124 wrote to memory of 3908	3124	85f8144cf55f7e208b04daf30a0e753c.exe	zSjqGMJGzM.exe
PID 3124 wrote to memory of 3908	3124	85f8144cf55f7e208b04daf30a0e753c.exe	zSjqGMJGzM.exe
PID 3124 wrote to memory of 3908	3124	85f8144cf55f7e208b04daf30a0e753c.exe	zSjqGMJGzM.exe
PID 3124 wrote to memory of 2796	3124	85f8144cf55f7e208b04daf30a0e753c.exe	YAuzLl5GfP.exe
PID 3124 wrote to memory of 2796	3124	85f8144cf55f7e208b04daf30a0e753c.exe	YAuzLl5GfP.exe
PID 3124 wrote to memory of 2796	3124	85f8144cf55f7e208b04daf30a0e753c.exe	YAuzLl5GfP.exe
PID 3124 wrote to memory of 3068	3124	85f8144cf55f7e208b04daf30a0e753c.exe	54wXSa46lD.exe
PID 3124 wrote to memory of 3068	3124	85f8144cf55f7e208b04daf30a0e753c.exe	54wXSa46lD.exe
PID 3124 wrote to memory of 3068	3124	85f8144cf55f7e208b04daf30a0e753c.exe	54wXSa46lD.exe
PID 3124 wrote to memory of 1292	3124	85f8144cf55f7e208b04daf30a0e753c.exe	W0K2QX95mp.exe
PID 3124 wrote to memory of 1292	3124	85f8144cf55f7e208b04daf30a0e753c.exe	W0K2QX95mp.exe
PID 3124 wrote to memory of 1292	3124	85f8144cf55f7e208b04daf30a0e753c.exe	W0K2QX95mp.exe
PID 3124 wrote to memory of 1644	3124	85f8144cf55f7e208b04daf30a0e753c.exe	cmd.exe
PID 3124 wrote to memory of 1644	3124	85f8144cf55f7e208b04daf30a0e753c.exe	cmd.exe
PID 3124 wrote to memory of 1644	3124	85f8144cf55f7e208b04daf30a0e753c.exe	cmd.exe
PID 1644 wrote to memory of 3932	1644	cmd.exe	timeout.exe
PID 1644 wrote to memory of 3932	1644	cmd.exe	timeout.exe
PID 1644 wrote to memory of 3932	1644	cmd.exe	timeout.exe
PID 1180 wrote to memory of 2296	1180	rc.exe	rc.exe
PID 1180 wrote to memory of 2296	1180	rc.exe	rc.exe
PID 1180 wrote to memory of 2296	1180	rc.exe	rc.exe
PID 1180 wrote to memory of 2296	1180	rc.exe	rc.exe

C:\Users\Admin\AppData\Local\Temp\85f8144cf55f7e208b04daf30a0e753c.exe
"C:\Users\Admin\AppData\Local\Temp\85f8144cf55f7e208b04daf30a0e753c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\VDFgrdbvcdsf.exe
  "C:\Users\Admin\AppData\Local\Temp\VDFgrdbvcdsf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\VDFgrdbvcdsf.exe
    "C:\Users\Admin\AppData\Local\Temp\VDFgrdbvcdsf.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\ac.exe
      "C:\Users\Admin\AppData\Local\Temp\ac.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3312
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfgjShmvTZXcKv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA44.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:776
    - - C:\Users\Admin\AppData\Local\Temp\ac.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        
        PID:2404
    - - C:\Users\Admin\AppData\Local\Temp\ac.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        
        PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\rc.exe
      "C:\Users\Admin\AppData\Local\Temp\rc.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Users\Admin\AppData\Local\Temp\rc.exe
        
        C:\Users\Admin\AppData\Local\Temp\rc.exe
        5⤵
        Executes dropped EXE
        
        PID:2296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\stt.bat" "
        5⤵
        
        PID:776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
        6⤵
        
        PID:1916
        
        C:\Windows \System32\Netplwiz.exe
        
        "C:\Windows \System32\Netplwiz.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Cdex.bat
        8⤵
        
        PID:3152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
  - - C:\Users\Admin\AppData\Local\Temp\ds2.exe
      "C:\Users\Admin\AppData\Local\Temp\ds2.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3592
    - - C:\Users\Admin\AppData\Local\Temp\ds2.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        Windows security modification
        
        PID:1764
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\ds1.exe
      "C:\Users\Admin\AppData\Local\Temp\ds1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3988
    - - C:\Users\Admin\AppData\Local\Temp\ds1.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2864
      - \??\c:\windows\SysWOW64\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\tfjtw3rh.inf
        6⤵
        
        PID:2856
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "VDFgrdbvcdsf.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\SysWOW64\timeout.exe
        
        C:\Windows\system32\timeout.exe 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3916
- C:\Users\Admin\AppData\Local\Temp\FDfgbtgwssdf.exe
  "C:\Users\Admin\AppData\Local\Temp\FDfgbtgwssdf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Users\Admin\AppData\Local\Temp\FDfgbtgwssdf.exe
    "C:\Users\Admin\AppData\Local\Temp\FDfgbtgwssdf.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /pid 3988 & erase C:\Users\Admin\AppData\Local\Temp\FDfgbtgwssdf.exe & RD /S /Q C:\\ProgramData\\410084924212213\\* & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 3988
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
- C:\Users\Admin\AppData\Local\Temp\85f8144cf55f7e208b04daf30a0e753c.exe
  "C:\Users\Admin\AppData\Local\Temp\85f8144cf55f7e208b04daf30a0e753c.exe"
  2⤵
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Users\Admin\AppData\Local\Temp\zSjqGMJGzM.exe
    "C:\Users\Admin\AppData\Local\Temp\zSjqGMJGzM.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:3908
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfgjShmvTZXcKv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFBF5.tmp"
      4⤵
      Creates scheduled task(s)
      PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\zSjqGMJGzM.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\zSjqGMJGzM.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\zSjqGMJGzM.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:3692
- - C:\Users\Admin\AppData\Local\Temp\YAuzLl5GfP.exe
    "C:\Users\Admin\AppData\Local\Temp\YAuzLl5GfP.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\YAuzLl5GfP.exe
      C:\Users\Admin\AppData\Local\Temp\YAuzLl5GfP.exe
      4⤵
      Executes dropped EXE
      PID:3600
- - C:\Users\Admin\AppData\Local\Temp\54wXSa46lD.exe
    "C:\Users\Admin\AppData\Local\Temp\54wXSa46lD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\54wXSa46lD.exe
      "{path}"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4448
    - - \??\c:\windows\SysWOW64\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\ntlvekbz.inf
        5⤵
        
        PID:4556
- - C:\Users\Admin\AppData\Local\Temp\W0K2QX95mp.exe
    "C:\Users\Admin\AppData\Local\Temp\W0K2QX95mp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\W0K2QX95mp.exe
      "{path}"
      4⤵
      Executes dropped EXE
      Windows security modification
      PID:1908
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\85f8144cf55f7e208b04daf30a0e753c.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:3932

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:2748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\temp\vt4xeehl.exe
  2⤵
  PID:3476
- - C:\Windows\temp\vt4xeehl.exe
    C:\Windows\temp\vt4xeehl.exe
    3⤵
    - Executes dropped EXE
    PID:2980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3384
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\temp\f0icji3t.exe
  2⤵
  PID:3348
- - C:\Windows\temp\f0icji3t.exe
    C:\Windows\temp\f0icji3t.exe
    3⤵
    - Executes dropped EXE
    PID:3932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      PID:5084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
      4⤵
      PID:384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      PID:4740
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      4⤵
      PID:3472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
      4⤵
      PID:4960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      PID:4184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      PID:4004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      PID:3272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      PID:1596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      PID:4328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      PID:4512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      4⤵
      PID:5144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      PID:5308
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  PID:4484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5
1bb646991edbab6373e156a732ec4957

SHA1
db26b4b7608edf8d3b03e9fc8e65ea94b6fe51e4

SHA256
c66911de3f0a1dd3a62a2ff6bb2dc6cff01e4870e6e8997ebb16ac438320781c

SHA512
809a4a1b4b3d4570efc2a1536a18531f66eaaac197f68bcb9cd7310cc0a5ac371c8e492e3b63d881b05bf1391679abd91d44dd228bce7bca08ede7baba1766dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5
6f35ab945241081ce340010f70a9febc

SHA1
30f8669c00894a74e08465706479af92f32a4cc7

SHA256
c89e9c49b9126c7d470a58d4ea37c7b7fdf5d60bd955e93d4403f669c8a79ac7

SHA512
4eb49692b5932ada2960bdcefcbe29cccd4e79195e9006965a81289c2dae4ee113a7200418e3340e296ec758380bcfdd3edc2b2cc93250cae572d683dcfd8e78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
7033adcdceef2520521477b094e52cc7

SHA1
6dbdc3aba745a40a79f2eb659f2b427aaf5ff62e

SHA256
bb10a63597ebc56a9c5e558c7b5bed8c1dde4856f7604ab987998d10eda3ac4e

SHA512
af9249bd6a64e28d1b03ce962618ce2a7e5a55dc57d1dbc8efcf2e4142e74f40e58b144952981c3a86771a9fd207e73986130edf7b7dfde2495347e284e8287e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ac.exe.log

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ds1.exe.log

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\Yzsmfcqhhlzbfrgnpklihxziwthhrjz[1]

MD5
2e284e5f9dd293ce04c94251b15177b8

SHA1
3cf98f9f6ea6a0deaf9ad608f44f132ed33f084a

SHA256
62ed05c4b6c5c95bd8b68e531f1d53b56ebac95749aa5f4d0fd2527c3dc7e36b

SHA512
04413a65eec3f0424e42d5bcdbff8af6425073c08f027ad9a1981e9824de91d639c22d83edab573c0c64ad07d95a9052bf123d2c3f761051198b3894622221f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\S503I86N.cookie

MD5
c4e6a4a5913547a4aa5e894a2beef55a

SHA1
f9d6e8ba618a32ef8bc24a426f65d2cb6434df8e

SHA256
c89fb30953b35a4bd9546a69367b3753c52c2d1ac1dc976bd3fd84ce152f38ea

SHA512
a264aed0b2c4c58926a1ec2864436edd45ff598f0e45149fd5aa9a5434ba83857d54ae8b4c8ee4efb00b27b3572ad504d0dcfca2f92e1f9b58c73b8cade670d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6e812271420dfd47411e86661636febd

SHA1
42314a186ee876a51cdc00ccd8cda70f3413352b

SHA256
d9df6e39de177da1d9de2aac8a1345aaab0c78f9ba7c24a79b364b71319a8b62

SHA512
cbc43237fe9f76bf70e14ec543ba0c687916572a4aa32bd9ee043f5e15109d78451f078a8a7523f055b7f30efaf4e8aa548df1ae566e5a3244c82a11b89c9bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\54wXSa46lD.exe

MD5
5af92f78e6b00eff95b14018a5dda8fc

SHA1
5c02ecdd931eff5c66856cd13286cdb8f3172a23

SHA256
6cbfb1c60567bc22a202ba90c7a6cd377a133ae17b34dc5bef7d4e4808a66b8b

SHA512
d3f6632c7e9f2f7d57ac79c7b0c34ec243a927c3c98c542f9bd66e540981d1b7aafdcc01ac68ccfee820be5f8ef00b59c110afd25a622d205c51290eeb072d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\54wXSa46lD.exe

MD5
5af92f78e6b00eff95b14018a5dda8fc

SHA1
5c02ecdd931eff5c66856cd13286cdb8f3172a23

SHA256
6cbfb1c60567bc22a202ba90c7a6cd377a133ae17b34dc5bef7d4e4808a66b8b

SHA512
d3f6632c7e9f2f7d57ac79c7b0c34ec243a927c3c98c542f9bd66e540981d1b7aafdcc01ac68ccfee820be5f8ef00b59c110afd25a622d205c51290eeb072d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDfgbtgwssdf.exe

MD5
cef7c1b1844c7fd3c3692bc8bad713f4

SHA1
162d51f28d7231f88b4e686bf2dc2e6c17b13867

SHA256
42230602b4fff2f505dc7f6c37732717e61edcb86184944e36e258aad9c6e8d2

SHA512
9300803a802f3e8b7e85a2646db4e0f46e8ff276014b390c3565a5ee61b89dcf5c90d54337c2bfdb432e61779a03228ab9984d38c48f0279cfe62e4cfee22e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDfgbtgwssdf.exe

MD5
cef7c1b1844c7fd3c3692bc8bad713f4

SHA1
162d51f28d7231f88b4e686bf2dc2e6c17b13867

SHA256
42230602b4fff2f505dc7f6c37732717e61edcb86184944e36e258aad9c6e8d2

SHA512
9300803a802f3e8b7e85a2646db4e0f46e8ff276014b390c3565a5ee61b89dcf5c90d54337c2bfdb432e61779a03228ab9984d38c48f0279cfe62e4cfee22e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDfgbtgwssdf.exe

MD5
cef7c1b1844c7fd3c3692bc8bad713f4

SHA1
162d51f28d7231f88b4e686bf2dc2e6c17b13867

SHA256
42230602b4fff2f505dc7f6c37732717e61edcb86184944e36e258aad9c6e8d2

SHA512
9300803a802f3e8b7e85a2646db4e0f46e8ff276014b390c3565a5ee61b89dcf5c90d54337c2bfdb432e61779a03228ab9984d38c48f0279cfe62e4cfee22e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VDFgrdbvcdsf.exe

MD5
c8ec2be7bf8005fa2aa5a96f9cce5a18

SHA1
7c27aecadaf236a4b3c028113242700a9abac579

SHA256
73dfe6bf48ce6fb61c6e1421d676c37fd785bc4e6a1c7627735e0ba7a3775ca8

SHA512
ffb6a83e4fa167db7f319384d0e5ef51a4e0bfebe3900020f1decf8d9171a69888472a1c9cf7037872a3d5350f96d1d80b2e028717d9a14f7117916d41642b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VDFgrdbvcdsf.exe

MD5
c8ec2be7bf8005fa2aa5a96f9cce5a18

SHA1
7c27aecadaf236a4b3c028113242700a9abac579

SHA256
73dfe6bf48ce6fb61c6e1421d676c37fd785bc4e6a1c7627735e0ba7a3775ca8

SHA512
ffb6a83e4fa167db7f319384d0e5ef51a4e0bfebe3900020f1decf8d9171a69888472a1c9cf7037872a3d5350f96d1d80b2e028717d9a14f7117916d41642b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VDFgrdbvcdsf.exe

MD5
c8ec2be7bf8005fa2aa5a96f9cce5a18

SHA1
7c27aecadaf236a4b3c028113242700a9abac579

SHA256
73dfe6bf48ce6fb61c6e1421d676c37fd785bc4e6a1c7627735e0ba7a3775ca8

SHA512
ffb6a83e4fa167db7f319384d0e5ef51a4e0bfebe3900020f1decf8d9171a69888472a1c9cf7037872a3d5350f96d1d80b2e028717d9a14f7117916d41642b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\W0K2QX95mp.exe

MD5
3cdb00a25552429b06fb3be209614149

SHA1
7ecad79254adcd96c426ce99a22c12121fa220ca

SHA256
99de1acdd89d08fe0cc39b096ba36dc9149206bfbad5d4b12fa5f1bc462adb4c

SHA512
6a8a0b5bde09206f4246683f7de8065498f3f5f0786158ad64ce4aec0276344544f22ecfa9a7803e91b36efaadd702ccaaec818ed9538434a1df5611ea539623

Download Submit
C:\Users\Admin\AppData\Local\Temp\W0K2QX95mp.exe

MD5
3cdb00a25552429b06fb3be209614149

SHA1
7ecad79254adcd96c426ce99a22c12121fa220ca

SHA256
99de1acdd89d08fe0cc39b096ba36dc9149206bfbad5d4b12fa5f1bc462adb4c

SHA512
6a8a0b5bde09206f4246683f7de8065498f3f5f0786158ad64ce4aec0276344544f22ecfa9a7803e91b36efaadd702ccaaec818ed9538434a1df5611ea539623

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAuzLl5GfP.exe

MD5
e1d12a9c20844533f411f44a11c8ebd7

SHA1
6486bee5805be89084fc6286a43af065a93af310

SHA256
3418e1333e9001927ecc9000abf19f6dfd97a2a48399c9769182a132df8b39dc

SHA512
3048f1495b213d58c9732d8253798d5d029906da0f6eeffb5dee50cadfe659b18043dee227fb4b524af5427621d8b2e93c09b1812b10cb1f4b963343d79abb69

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAuzLl5GfP.exe

MD5
e1d12a9c20844533f411f44a11c8ebd7

SHA1
6486bee5805be89084fc6286a43af065a93af310

SHA256
3418e1333e9001927ecc9000abf19f6dfd97a2a48399c9769182a132df8b39dc

SHA512
3048f1495b213d58c9732d8253798d5d029906da0f6eeffb5dee50cadfe659b18043dee227fb4b524af5427621d8b2e93c09b1812b10cb1f4b963343d79abb69

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAuzLl5GfP.exe

MD5
e1d12a9c20844533f411f44a11c8ebd7

SHA1
6486bee5805be89084fc6286a43af065a93af310

SHA256
3418e1333e9001927ecc9000abf19f6dfd97a2a48399c9769182a132df8b39dc

SHA512
3048f1495b213d58c9732d8253798d5d029906da0f6eeffb5dee50cadfe659b18043dee227fb4b524af5427621d8b2e93c09b1812b10cb1f4b963343d79abb69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac.exe

MD5
6a61a028d6282029c5899a3ffcc84e60

SHA1
2b4cc8dc5d1993eb2851755e4b41325d204815d6

SHA256
d42beb6c20833eaed3d603706c03ae2a620f95a4a2fe0eea239636c97575ca24

SHA512
edc8fd2e1c2c14bb392c75259b61ee5d37278c086186dd1bdfa3907675d6ac2df8720c0ee18c20a9cfb3fd9097dc4129d58ba7d8576e2e9e7eb2bd8736939bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac.exe

MD5
6a61a028d6282029c5899a3ffcc84e60

SHA1
2b4cc8dc5d1993eb2851755e4b41325d204815d6

SHA256
d42beb6c20833eaed3d603706c03ae2a620f95a4a2fe0eea239636c97575ca24

SHA512
edc8fd2e1c2c14bb392c75259b61ee5d37278c086186dd1bdfa3907675d6ac2df8720c0ee18c20a9cfb3fd9097dc4129d58ba7d8576e2e9e7eb2bd8736939bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac.exe

MD5
6a61a028d6282029c5899a3ffcc84e60

SHA1
2b4cc8dc5d1993eb2851755e4b41325d204815d6

SHA256
d42beb6c20833eaed3d603706c03ae2a620f95a4a2fe0eea239636c97575ca24

SHA512
edc8fd2e1c2c14bb392c75259b61ee5d37278c086186dd1bdfa3907675d6ac2df8720c0ee18c20a9cfb3fd9097dc4129d58ba7d8576e2e9e7eb2bd8736939bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac.exe

MD5
6a61a028d6282029c5899a3ffcc84e60

SHA1
2b4cc8dc5d1993eb2851755e4b41325d204815d6

SHA256
d42beb6c20833eaed3d603706c03ae2a620f95a4a2fe0eea239636c97575ca24

SHA512
edc8fd2e1c2c14bb392c75259b61ee5d37278c086186dd1bdfa3907675d6ac2df8720c0ee18c20a9cfb3fd9097dc4129d58ba7d8576e2e9e7eb2bd8736939bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds1.exe

MD5
5af92f78e6b00eff95b14018a5dda8fc

SHA1
5c02ecdd931eff5c66856cd13286cdb8f3172a23

SHA256
6cbfb1c60567bc22a202ba90c7a6cd377a133ae17b34dc5bef7d4e4808a66b8b

SHA512
d3f6632c7e9f2f7d57ac79c7b0c34ec243a927c3c98c542f9bd66e540981d1b7aafdcc01ac68ccfee820be5f8ef00b59c110afd25a622d205c51290eeb072d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds1.exe

MD5
5af92f78e6b00eff95b14018a5dda8fc

SHA1
5c02ecdd931eff5c66856cd13286cdb8f3172a23

SHA256
6cbfb1c60567bc22a202ba90c7a6cd377a133ae17b34dc5bef7d4e4808a66b8b

SHA512
d3f6632c7e9f2f7d57ac79c7b0c34ec243a927c3c98c542f9bd66e540981d1b7aafdcc01ac68ccfee820be5f8ef00b59c110afd25a622d205c51290eeb072d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds1.exe

MD5
5af92f78e6b00eff95b14018a5dda8fc

SHA1
5c02ecdd931eff5c66856cd13286cdb8f3172a23

SHA256
6cbfb1c60567bc22a202ba90c7a6cd377a133ae17b34dc5bef7d4e4808a66b8b

SHA512
d3f6632c7e9f2f7d57ac79c7b0c34ec243a927c3c98c542f9bd66e540981d1b7aafdcc01ac68ccfee820be5f8ef00b59c110afd25a622d205c51290eeb072d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds2.exe

MD5
3cdb00a25552429b06fb3be209614149

SHA1
7ecad79254adcd96c426ce99a22c12121fa220ca

SHA256
99de1acdd89d08fe0cc39b096ba36dc9149206bfbad5d4b12fa5f1bc462adb4c

SHA512
6a8a0b5bde09206f4246683f7de8065498f3f5f0786158ad64ce4aec0276344544f22ecfa9a7803e91b36efaadd702ccaaec818ed9538434a1df5611ea539623

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds2.exe

MD5
3cdb00a25552429b06fb3be209614149

SHA1
7ecad79254adcd96c426ce99a22c12121fa220ca

SHA256
99de1acdd89d08fe0cc39b096ba36dc9149206bfbad5d4b12fa5f1bc462adb4c

SHA512
6a8a0b5bde09206f4246683f7de8065498f3f5f0786158ad64ce4aec0276344544f22ecfa9a7803e91b36efaadd702ccaaec818ed9538434a1df5611ea539623

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds2.exe

MD5
3cdb00a25552429b06fb3be209614149

SHA1
7ecad79254adcd96c426ce99a22c12121fa220ca

SHA256
99de1acdd89d08fe0cc39b096ba36dc9149206bfbad5d4b12fa5f1bc462adb4c

SHA512
6a8a0b5bde09206f4246683f7de8065498f3f5f0786158ad64ce4aec0276344544f22ecfa9a7803e91b36efaadd702ccaaec818ed9538434a1df5611ea539623

Download Submit
C:\Users\Admin\AppData\Local\Temp\rc.exe

MD5
e1d12a9c20844533f411f44a11c8ebd7

SHA1
6486bee5805be89084fc6286a43af065a93af310

SHA256
3418e1333e9001927ecc9000abf19f6dfd97a2a48399c9769182a132df8b39dc

SHA512
3048f1495b213d58c9732d8253798d5d029906da0f6eeffb5dee50cadfe659b18043dee227fb4b524af5427621d8b2e93c09b1812b10cb1f4b963343d79abb69

Download Submit
C:\Users\Admin\AppData\Local\Temp\rc.exe

MD5
e1d12a9c20844533f411f44a11c8ebd7

SHA1
6486bee5805be89084fc6286a43af065a93af310

SHA256
3418e1333e9001927ecc9000abf19f6dfd97a2a48399c9769182a132df8b39dc

SHA512
3048f1495b213d58c9732d8253798d5d029906da0f6eeffb5dee50cadfe659b18043dee227fb4b524af5427621d8b2e93c09b1812b10cb1f4b963343d79abb69

Download Submit
C:\Users\Admin\AppData\Local\Temp\rc.exe

MD5
e1d12a9c20844533f411f44a11c8ebd7

SHA1
6486bee5805be89084fc6286a43af065a93af310

SHA256
3418e1333e9001927ecc9000abf19f6dfd97a2a48399c9769182a132df8b39dc

SHA512
3048f1495b213d58c9732d8253798d5d029906da0f6eeffb5dee50cadfe659b18043dee227fb4b524af5427621d8b2e93c09b1812b10cb1f4b963343d79abb69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA44.tmp

MD5
cf29eda7d544e26be1b593995c2b476b

SHA1
e729c570ce4f22370f52eda71f139420dc88dc4a

SHA256
2c784ae445ebd0358b573c403fdcef7d3e44ce657a8755c473165e1d09e8da99

SHA512
b25ba67860dd6029cdea84bf8607fe1ee3c947c34a21033f3e624dd2cbe8abcceb9ea3e04b2276024ac9d1d04feafa6ab3a2b4a023a7bade224cb2ef89768561

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFBF5.tmp

MD5
cf29eda7d544e26be1b593995c2b476b

SHA1
e729c570ce4f22370f52eda71f139420dc88dc4a

SHA256
2c784ae445ebd0358b573c403fdcef7d3e44ce657a8755c473165e1d09e8da99

SHA512
b25ba67860dd6029cdea84bf8607fe1ee3c947c34a21033f3e624dd2cbe8abcceb9ea3e04b2276024ac9d1d04feafa6ab3a2b4a023a7bade224cb2ef89768561

Download Submit
C:\Users\Admin\AppData\Local\Temp\zSjqGMJGzM.exe

MD5
6a61a028d6282029c5899a3ffcc84e60

SHA1
2b4cc8dc5d1993eb2851755e4b41325d204815d6

SHA256
d42beb6c20833eaed3d603706c03ae2a620f95a4a2fe0eea239636c97575ca24

SHA512
edc8fd2e1c2c14bb392c75259b61ee5d37278c086186dd1bdfa3907675d6ac2df8720c0ee18c20a9cfb3fd9097dc4129d58ba7d8576e2e9e7eb2bd8736939bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zSjqGMJGzM.exe

MD5
6a61a028d6282029c5899a3ffcc84e60

SHA1
2b4cc8dc5d1993eb2851755e4b41325d204815d6

SHA256
d42beb6c20833eaed3d603706c03ae2a620f95a4a2fe0eea239636c97575ca24

SHA512
edc8fd2e1c2c14bb392c75259b61ee5d37278c086186dd1bdfa3907675d6ac2df8720c0ee18c20a9cfb3fd9097dc4129d58ba7d8576e2e9e7eb2bd8736939bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zSjqGMJGzM.exe

MD5
6a61a028d6282029c5899a3ffcc84e60

SHA1
2b4cc8dc5d1993eb2851755e4b41325d204815d6

SHA256
d42beb6c20833eaed3d603706c03ae2a620f95a4a2fe0eea239636c97575ca24

SHA512
edc8fd2e1c2c14bb392c75259b61ee5d37278c086186dd1bdfa3907675d6ac2df8720c0ee18c20a9cfb3fd9097dc4129d58ba7d8576e2e9e7eb2bd8736939bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zSjqGMJGzM.exe

MD5
6a61a028d6282029c5899a3ffcc84e60

SHA1
2b4cc8dc5d1993eb2851755e4b41325d204815d6

SHA256
d42beb6c20833eaed3d603706c03ae2a620f95a4a2fe0eea239636c97575ca24

SHA512
edc8fd2e1c2c14bb392c75259b61ee5d37278c086186dd1bdfa3907675d6ac2df8720c0ee18c20a9cfb3fd9097dc4129d58ba7d8576e2e9e7eb2bd8736939bbe

Download Submit
C:\Users\Public\Cdex.bat

MD5
84de6cf0b720db43f85d95204a2c1902

SHA1
c87c4c1f3ad9f28968c46a89c4fff8bdb867b006

SHA256
bc4baad4a7983c54c1764b0aa57f12d536ce506253c82e06dd98e17bbb5f77ee

SHA512
5fd018b5f72797a64934f8f35d4510ef95c235442a807d476e7fd3c14eaa854c1a3092332edbdd1028f8954ab28acb5aab8720a74226cfcfab3cb3a7772a64b7

Download Submit
C:\Users\Public\NETUTILS.dll

MD5
39507d772c63ca496a25a14a8b5d14b2

SHA1
5b603f5c11eb9ab4313694315b4d4894ff4641d4

SHA256
36d1fa474cd8271f9b74b9481025614b6ff309f767f69d9f1ff3960c7205ad12

SHA512
0c740fd7b6d67d9938b0d8e1ea7d6c41910dd6d0b85b4ec8b6015ff8c0c73798dee01f01da0b5b0c07038663aca7945faca0e2b5afc1cb751aaba7567d332f5f

Download Submit
C:\Users\Public\Netplwiz.exe

MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Users\Public\PXOR.bat

MD5
0d8aef656413642f55e0902cc5df5e6f

SHA1
73ec56d08bd9b3c45d55c97bd1c1286b77c8ff49

SHA256
670f94b92f45bc2f3f44a80c7f3021f874aa16fde38ed7d7f3ebed13ae09fa11

SHA512
efe690b1bcf06e16be469622b45c98b5dc1f1e06410cbf7e7dccb2975524c4d6bc7e23de9a129d50d73cd924f02e23f925555894f2c7da1064dcc57151f50876

Download Submit
C:\Users\Public\stt.bat

MD5
8a850253c31df9a7e1c00c80df2630d5

SHA1
e3da74081b027a3b591488b28da22742bcfe8495

SHA256
8fdeba3ec903bde700342083d16f72452366aa0b1b30d0e58dee0af74cebfa35

SHA512
30510bdc34680a0865a0811d9be29dec91c74717feccd58c9b4d88e77be9e5d13a539806a1b2901aff595b2fe2cc45926b69ed42e899d2dd2913c78a732e84d1

Download Submit
C:\Windows \System32\Netplwiz.exe

MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Windows \System32\netutils.dll

MD5
39507d772c63ca496a25a14a8b5d14b2

SHA1
5b603f5c11eb9ab4313694315b4d4894ff4641d4

SHA256
36d1fa474cd8271f9b74b9481025614b6ff309f767f69d9f1ff3960c7205ad12

SHA512
0c740fd7b6d67d9938b0d8e1ea7d6c41910dd6d0b85b4ec8b6015ff8c0c73798dee01f01da0b5b0c07038663aca7945faca0e2b5afc1cb751aaba7567d332f5f

Download Submit
C:\Windows\Temp\vt4xeehl.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\tfjtw3rh.inf

MD5
c6f745a51446735aa0ae3e6943a40c30

SHA1
7cce56e9627cba172a372414cc792beaf23dab36

SHA256
68ae93e9738b6f5472eec7718d30c33b511c0951fa58a75aad052d5e8ee69d9f

SHA512
2fa3fdf6a0e3a2e4cc1a6cdf7ea01d2ca3d0c94e228e01a7bb8fc1860b3906d2a0365f21eb35eda06e5f94a6d78b6a5ef8581907d4d89f8d77a822a193878a87

Download Submit
C:\Windows\temp\vt4xeehl.exe

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll

MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll

MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\mozglue.dll

MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\nss3.dll

MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\softokn3.dll

MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\6E3C648E\mozglue.dll

MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
\Users\Admin\AppData\Local\Temp\6E3C648E\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\6E3C648E\nss3.dll

MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\6E3C648E\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Windows \System32\NETUTILS.dll

MD5
39507d772c63ca496a25a14a8b5d14b2

SHA1
5b603f5c11eb9ab4313694315b4d4894ff4641d4

SHA256
36d1fa474cd8271f9b74b9481025614b6ff309f767f69d9f1ff3960c7205ad12

SHA512
0c740fd7b6d67d9938b0d8e1ea7d6c41910dd6d0b85b4ec8b6015ff8c0c73798dee01f01da0b5b0c07038663aca7945faca0e2b5afc1cb751aaba7567d332f5f

Download Submit
memory/384-364-0x0000000000000000-mapping.dmp

Download
memory/388-302-0x0000000000000000-mapping.dmp

Download
memory/624-116-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/624-129-0x0000000002CA0000-0x0000000002CA7000-memory.dmp

Filesize
28KB

Download
memory/752-147-0x0000000000000000-mapping.dmp

Download
memory/776-271-0x0000000000000000-mapping.dmp

Download
memory/776-243-0x0000000000000000-mapping.dmp

Download
memory/1180-313-0x0000000000000000-mapping.dmp

Download
memory/1180-237-0x00000000028A0000-0x00000000028BA000-memory.dmp

Filesize
104KB

Download
memory/1180-323-0x000002040C863000-0x000002040C865000-memory.dmp

Filesize
8KB

Download
memory/1180-322-0x000002040C860000-0x000002040C862000-memory.dmp

Filesize
8KB

Download
memory/1180-166-0x0000000000660000-0x00000000007AA000-memory.dmp

Filesize
1.3MB

Download
memory/1180-162-0x0000000000000000-mapping.dmp

Download
memory/1272-305-0x0000000000000000-mapping.dmp

Download
memory/1292-223-0x0000000000000000-mapping.dmp

Download
memory/1292-234-0x0000000005640000-0x0000000005B3E000-memory.dmp

Filesize
5.0MB

Download
memory/1628-281-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/1628-274-0x000000000040C71E-mapping.dmp

Download
memory/1640-351-0x000001E1235E6000-0x000001E1235E8000-memory.dmp

Filesize
8KB

Download
memory/1640-329-0x000001E1235E0000-0x000001E1235E2000-memory.dmp

Filesize
8KB

Download
memory/1640-316-0x0000000000000000-mapping.dmp

Download
memory/1640-337-0x000001E1235E3000-0x000001E1235E5000-memory.dmp

Filesize
8KB

Download
memory/1644-224-0x0000000000000000-mapping.dmp

Download
memory/1764-282-0x0000000000403BEE-mapping.dmp

Download
memory/1908-358-0x0000000000403BEE-mapping.dmp

Download
memory/1916-245-0x0000000000000000-mapping.dmp

Download
memory/1980-342-0x000001282FB33000-0x000001282FB35000-memory.dmp

Filesize
8KB

Download
memory/1980-317-0x0000000000000000-mapping.dmp

Download
memory/1980-341-0x000001282FB30000-0x000001282FB32000-memory.dmp

Filesize
8KB

Download
memory/2256-188-0x0000000000000000-mapping.dmp

Download
memory/2296-251-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2296-241-0x0000000000428EEC-mapping.dmp

Download
memory/2296-240-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2764-288-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/2764-284-0x0000000000000000-mapping.dmp

Download
memory/2764-331-0x0000000004703000-0x0000000004704000-memory.dmp

Filesize
4KB

Download
memory/2764-321-0x000000007F950000-0x000000007F951000-memory.dmp

Filesize
4KB

Download
memory/2764-289-0x0000000004702000-0x0000000004703000-memory.dmp

Filesize
4KB

Download
memory/2796-211-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2796-208-0x0000000000000000-mapping.dmp

Download
memory/2856-318-0x0000000000000000-mapping.dmp

Download
memory/2856-346-0x000001E55ED73000-0x000001E55ED75000-memory.dmp

Filesize
8KB

Download
memory/2856-292-0x0000000000000000-mapping.dmp

Download
memory/2856-343-0x000001E55ED70000-0x000001E55ED72000-memory.dmp

Filesize
8KB

Download
memory/2864-290-0x000000000040616E-mapping.dmp

Download
memory/2864-296-0x0000000005680000-0x0000000005B7E000-memory.dmp

Filesize
5.0MB

Download
memory/2864-295-0x0000000005680000-0x0000000005B7E000-memory.dmp

Filesize
5.0MB

Download
memory/2976-359-0x0000000000000000-mapping.dmp

Download
memory/2980-299-0x0000000000000000-mapping.dmp

Download
memory/2988-310-0x000002C67CB70000-0x000002C67CB72000-memory.dmp

Filesize
8KB

Download
memory/2988-311-0x000002C67CB73000-0x000002C67CB75000-memory.dmp

Filesize
8KB

Download
memory/2988-312-0x000002C67CB76000-0x000002C67CB78000-memory.dmp

Filesize
8KB

Download
memory/2988-303-0x0000000000000000-mapping.dmp

Download
memory/3068-221-0x0000000005730000-0x0000000005C2E000-memory.dmp

Filesize
5.0MB

Download
memory/3068-212-0x0000000000000000-mapping.dmp

Download
memory/3124-142-0x0000000000550000-0x00000000005FE000-memory.dmp

Filesize
696KB

Download
memory/3124-141-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3124-132-0x000000000043DC5B-mapping.dmp

Download
memory/3140-270-0x0000026FEB3C6000-0x0000026FEB3C8000-memory.dmp

Filesize
8KB

Download
memory/3140-117-0x0000000000000000-mapping.dmp

Download
memory/3140-127-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3140-256-0x0000000000000000-mapping.dmp

Download
memory/3140-261-0x0000026FEBA20000-0x0000026FEBA21000-memory.dmp

Filesize
4KB

Download
memory/3140-265-0x0000026FEC710000-0x0000026FEC711000-memory.dmp

Filesize
4KB

Download
memory/3140-268-0x0000026FEB3C0000-0x0000026FEB3C2000-memory.dmp

Filesize
8KB

Download
memory/3140-269-0x0000026FEB3C3000-0x0000026FEB3C5000-memory.dmp

Filesize
8KB

Download
memory/3144-120-0x0000000000000000-mapping.dmp

Download
memory/3144-128-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/3152-254-0x0000000000000000-mapping.dmp

Download
memory/3272-249-0x0000000000000000-mapping.dmp

Download
memory/3312-161-0x0000000008450000-0x0000000008451000-memory.dmp

Filesize
4KB

Download
memory/3312-160-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/3312-159-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/3312-158-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/3312-157-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/3312-165-0x0000000005160000-0x000000000516E000-memory.dmp

Filesize
56KB

Download
memory/3312-155-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/3312-152-0x0000000000000000-mapping.dmp

Download
memory/3348-360-0x0000000000000000-mapping.dmp

Download
memory/3384-315-0x0000000000000000-mapping.dmp

Download
memory/3384-328-0x0000019829EB3000-0x0000019829EB5000-memory.dmp

Filesize
8KB

Download
memory/3384-327-0x0000019829EB0000-0x0000019829EB2000-memory.dmp

Filesize
8KB

Download
memory/3472-366-0x0000000000000000-mapping.dmp

Download
memory/3476-298-0x0000000000000000-mapping.dmp

Download
memory/3592-176-0x0000000004CD0000-0x00000000051CE000-memory.dmp

Filesize
5.0MB

Download
memory/3592-171-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/3592-168-0x0000000000000000-mapping.dmp

Download
memory/3600-285-0x0000000000428EEC-mapping.dmp

Download
memory/3600-287-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3692-352-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/3692-309-0x000000000040C71E-mapping.dmp

Download
memory/3908-205-0x00000000052D0000-0x00000000057CE000-memory.dmp

Filesize
5.0MB

Download
memory/3908-197-0x0000000000000000-mapping.dmp

Download
memory/3916-193-0x0000000000000000-mapping.dmp

Download
memory/3924-357-0x000001A6219A6000-0x000001A6219A8000-memory.dmp

Filesize
8KB

Download
memory/3924-326-0x000001A6219A3000-0x000001A6219A5000-memory.dmp

Filesize
8KB

Download
memory/3924-324-0x000001A6219A0000-0x000001A6219A2000-memory.dmp

Filesize
8KB

Download
memory/3924-314-0x0000000000000000-mapping.dmp

Download
memory/3932-361-0x0000000000000000-mapping.dmp

Download
memory/3932-231-0x0000000000000000-mapping.dmp

Download
memory/3968-146-0x0000000000000000-mapping.dmp

Download
memory/3988-139-0x0000000000540000-0x000000000068A000-memory.dmp

Filesize
1.3MB

Download
memory/3988-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-134-0x0000000000417A8B-mapping.dmp

Download
memory/3988-195-0x0000000004940000-0x0000000004E3E000-memory.dmp

Filesize
5.0MB

Download
memory/3988-186-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/3988-183-0x0000000000000000-mapping.dmp

Download
memory/4004-369-0x0000000000000000-mapping.dmp

Download
memory/4032-133-0x000000000041A684-mapping.dmp

Download
memory/4032-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4032-140-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/4180-332-0x000001EB72D30000-0x000001EB72D32000-memory.dmp

Filesize
8KB

Download
memory/4180-334-0x000001EB72D33000-0x000001EB72D35000-memory.dmp

Filesize
8KB

Download
memory/4180-356-0x000001EB72D36000-0x000001EB72D38000-memory.dmp

Filesize
8KB

Download
memory/4180-319-0x0000000000000000-mapping.dmp

Download
memory/4184-368-0x0000000000000000-mapping.dmp

Download
memory/4272-320-0x0000000000000000-mapping.dmp

Download
memory/4272-335-0x0000029E8A943000-0x0000029E8A945000-memory.dmp

Filesize
8KB

Download
memory/4272-333-0x0000029E8A940000-0x0000029E8A942000-memory.dmp

Filesize
8KB

Download
memory/4372-339-0x000001406BA13000-0x000001406BA15000-memory.dmp

Filesize
8KB

Download
memory/4372-338-0x000001406BA10000-0x000001406BA12000-memory.dmp

Filesize
8KB

Download
memory/4372-325-0x0000000000000000-mapping.dmp

Download
memory/4448-353-0x000000000040616E-mapping.dmp

Download
memory/4448-355-0x0000000005120000-0x000000000561E000-memory.dmp

Filesize
5.0MB

Download
memory/4464-330-0x0000000000000000-mapping.dmp

Download
memory/4464-345-0x0000016E3B643000-0x0000016E3B645000-memory.dmp

Filesize
8KB

Download
memory/4464-344-0x0000016E3B640000-0x0000016E3B642000-memory.dmp

Filesize
8KB

Download
memory/4484-363-0x0000000000000000-mapping.dmp

Download
memory/4556-354-0x0000000000000000-mapping.dmp

Download
memory/4624-347-0x000001D821000000-0x000001D821002000-memory.dmp

Filesize
8KB

Download
memory/4624-348-0x000001D821003000-0x000001D821005000-memory.dmp

Filesize
8KB

Download
memory/4624-336-0x0000000000000000-mapping.dmp

Download
memory/4740-365-0x0000000000000000-mapping.dmp

Download
memory/4764-349-0x000001DA76500000-0x000001DA76502000-memory.dmp

Filesize
8KB

Download
memory/4764-340-0x0000000000000000-mapping.dmp

Download
memory/4764-350-0x000001DA76503000-0x000001DA76505000-memory.dmp

Filesize
8KB

Download
memory/4960-367-0x0000000000000000-mapping.dmp

Download
memory/5084-362-0x0000000000000000-mapping.dmp

Download