raccoon | b817002c69c6315e116f14d6fe64151577999eb773842f052fb17d9a7413a53c

Analysis

max time kernel
128s
max time network
165s
platform
windows10_x64
resource
win10v20210408
submitted
20-08-2021 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b817002c69c6315e116f14d6fe64151577999eb773842.exe
Size

150KB
MD5

e77188581c0cb93c5821999d39d979e2
SHA1

a11e5624e493ef524fffad14ec2488b00ff601c9
SHA256

b817002c69c6315e116f14d6fe64151577999eb773842f052fb17d9a7413a53c
SHA512

41ae5252a62ed2cc0f108059e6d6b496f6e9451bb3398137310b5d9907128aedbcf8c3c656522c52f68e392cfac641e7b42fc61c82506a6ba6b6d654b71de1c8

Score

10^/10

raccoon redline smokeloader xmrig 777 fe582536ec580228180f270f7cb80a867860e010 backdoor discovery evasion infostealer miner spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Extracted

Family

redline

Botnet

777

51.254.68.139:8067

Extracted

Family

raccoon

Botnet

fe582536ec580228180f270f7cb80a867860e010

Attributes

url4cnc
https://telete.in/xylichanjk

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\106D.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\106D.exe	family_redline
behavioral2/memory/1108-143-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/1108-144-0x0000000000418F6E-mapping.dmp	family_redline
behavioral2/memory/1108-154-0x0000000005560000-0x0000000005B66000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\6CE3.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\6CE3.exe	family_redline
behavioral2/memory/4220-264-0x0000000004B30000-0x0000000004B4C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Systemd\note3dll.exe	xmrig
C:\ProgramData\Systemd\note3dll.exe	xmrig

Downloads MZ/PE file

Executes dropped EXE 21 IoCs

Processes:

531.exe106D.exe156F.exe156F.exeAudioDriver.exeAudioCodec.exenote3dll.exeAudioCodec.exeAudioCodec.exeAudioCodec.exeAudioCodec.exeAudioCodec.exeAudioCodec.exeAudioCodec.exeAudioCodec.exeAudioCodec.exe534F.exeAudioCodec.exeAudioCodec.exe6CE3.exe7437.exe

pid	process
3264	531.exe
4172	106D.exe
508	156F.exe
1108	156F.exe
3228	AudioDriver.exe
4372	AudioCodec.exe
4392	note3dll.exe
4596	AudioCodec.exe
196	AudioCodec.exe
936	AudioCodec.exe
4012	AudioCodec.exe
4568	AudioCodec.exe
1544	AudioCodec.exe
2136	AudioCodec.exe
1120	AudioCodec.exe
3168	AudioCodec.exe
4576	534F.exe
1728	AudioCodec.exe
3040	AudioCodec.exe
5048	6CE3.exe
684	7437.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6CE3.exe106D.exe534F.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6CE3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	106D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	106D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	534F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	534F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6CE3.exe

Deletes itself 1 IoCs

Processes:

pid process

3048
Drops startup file 1 IoCs

Processes:

AudioDriver.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk AudioDriver.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3048

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	AudioDriver.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\106D.exe	themida
C:\Users\Admin\AppData\Local\Temp\106D.exe	themida
behavioral2/memory/4172-130-0x0000000000010000-0x0000000000011000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\534F.exe	themida
C:\Users\Admin\AppData\Local\Temp\534F.exe	themida
behavioral2/memory/4576-206-0x0000000000DF0000-0x0000000000DF1000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\6CE3.exe	themida
C:\Users\Admin\AppData\Local\Temp\6CE3.exe	themida
behavioral2/memory/5048-223-0x0000000000FB0000-0x0000000000FB1000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\A6E2.exe	themida
C:\Users\Admin\AppData\Local\Temp\A6E2.exe	themida
behavioral2/memory/488-256-0x0000000000B40000-0x0000000000B41000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

106D.exe534F.exe6CE3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	106D.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	534F.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6CE3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 27 IoCs

Processes:

106D.exeAudioCodec.exeAudioCodec.exeAudioCodec.exeAudioCodec.exeAudioCodec.exeAudioCodec.exeAudioCodec.exeAudioCodec.exeAudioCodec.exeAudioCodec.exe534F.exeAudioCodec.exeAudioCodec.exe6CE3.exe

pid	process
4172	106D.exe
4372	AudioCodec.exe
4372	AudioCodec.exe
4596	AudioCodec.exe
4596	AudioCodec.exe
196	AudioCodec.exe
196	AudioCodec.exe
936	AudioCodec.exe
936	AudioCodec.exe
4012	AudioCodec.exe
4012	AudioCodec.exe
4568	AudioCodec.exe
4568	AudioCodec.exe
1544	AudioCodec.exe
1544	AudioCodec.exe
2136	AudioCodec.exe
2136	AudioCodec.exe
1120	AudioCodec.exe
1120	AudioCodec.exe
3168	AudioCodec.exe
3168	AudioCodec.exe
4576	534F.exe
1728	AudioCodec.exe
1728	AudioCodec.exe
3040	AudioCodec.exe
3040	AudioCodec.exe
5048	6CE3.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b817002c69c6315e116f14d6fe64151577999eb773842.exe156F.exe

description	pid	process	target process
PID 4648 set thread context of 4256	4648	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 508 set thread context of 1108	508	156F.exe	156F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
648	684	WerFault.exe	7437.exe
2624	684	WerFault.exe	7437.exe
1012	684	WerFault.exe	7437.exe
2008	684	WerFault.exe	7437.exe
4932	684	WerFault.exe	7437.exe
4472	684	WerFault.exe	7437.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b817002c69c6315e116f14d6fe64151577999eb773842.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b817002c69c6315e116f14d6fe64151577999eb773842.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b817002c69c6315e116f14d6fe64151577999eb773842.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b817002c69c6315e116f14d6fe64151577999eb773842.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

AudioDriver.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AudioDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	AudioDriver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b817002c69c6315e116f14d6fe64151577999eb773842.exe

pid	process
4256	b817002c69c6315e116f14d6fe64151577999eb773842.exe
4256	b817002c69c6315e116f14d6fe64151577999eb773842.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3048
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b817002c69c6315e116f14d6fe64151577999eb773842.exe

pid process

4256 b817002c69c6315e116f14d6fe64151577999eb773842.exe

pid	process
3048

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

106D.exe156F.exenote3dll.exe534F.exe6CE3.exe

description	pid	process
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeDebugPrivilege	4172	106D.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeDebugPrivilege	1108	156F.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeLockMemoryPrivilege	4392	note3dll.exe
Token: SeLockMemoryPrivilege	4392	note3dll.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeDebugPrivilege	4576	534F.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeDebugPrivilege	5048	6CE3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

531.exe

pid process

3264 531.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3048

pid	process
3048

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

b817002c69c6315e116f14d6fe64151577999eb773842.exe156F.exe156F.exeAudioDriver.exe

description	pid	process	target process
PID 4648 wrote to memory of 4256	4648	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 4648 wrote to memory of 4256	4648	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 4648 wrote to memory of 4256	4648	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 4648 wrote to memory of 4256	4648	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 4648 wrote to memory of 4256	4648	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 4648 wrote to memory of 4256	4648	b817002c69c6315e116f14d6fe64151577999eb773842.exe	b817002c69c6315e116f14d6fe64151577999eb773842.exe
PID 3048 wrote to memory of 3264	3048		531.exe
PID 3048 wrote to memory of 3264	3048		531.exe
PID 3048 wrote to memory of 3264	3048		531.exe
PID 3048 wrote to memory of 4172	3048		106D.exe
PID 3048 wrote to memory of 4172	3048		106D.exe
PID 3048 wrote to memory of 4172	3048		106D.exe
PID 3048 wrote to memory of 508	3048		156F.exe
PID 3048 wrote to memory of 508	3048		156F.exe
PID 3048 wrote to memory of 508	3048		156F.exe
PID 508 wrote to memory of 1108	508	156F.exe	156F.exe
PID 508 wrote to memory of 1108	508	156F.exe	156F.exe
PID 508 wrote to memory of 1108	508	156F.exe	156F.exe
PID 508 wrote to memory of 1108	508	156F.exe	156F.exe
PID 508 wrote to memory of 1108	508	156F.exe	156F.exe
PID 508 wrote to memory of 1108	508	156F.exe	156F.exe
PID 508 wrote to memory of 1108	508	156F.exe	156F.exe
PID 508 wrote to memory of 1108	508	156F.exe	156F.exe
PID 1108 wrote to memory of 3228	1108	156F.exe	AudioDriver.exe
PID 1108 wrote to memory of 3228	1108	156F.exe	AudioDriver.exe
PID 1108 wrote to memory of 3228	1108	156F.exe	AudioDriver.exe
PID 3228 wrote to memory of 4372	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 4372	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 4392	3228	AudioDriver.exe	note3dll.exe
PID 3228 wrote to memory of 4392	3228	AudioDriver.exe	note3dll.exe
PID 3228 wrote to memory of 4596	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 4596	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 196	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 196	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 936	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 936	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 4012	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 4012	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 4568	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 4568	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 1544	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 1544	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 2136	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 2136	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 1120	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 1120	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 3168	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 3168	3228	AudioDriver.exe	AudioCodec.exe
PID 3048 wrote to memory of 4576	3048		534F.exe
PID 3048 wrote to memory of 4576	3048		534F.exe
PID 3048 wrote to memory of 4576	3048		534F.exe
PID 3228 wrote to memory of 1728	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 1728	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 3040	3228	AudioDriver.exe	AudioCodec.exe
PID 3228 wrote to memory of 3040	3228	AudioDriver.exe	AudioCodec.exe
PID 3048 wrote to memory of 5048	3048		6CE3.exe
PID 3048 wrote to memory of 5048	3048		6CE3.exe
PID 3048 wrote to memory of 5048	3048		6CE3.exe
PID 3048 wrote to memory of 684	3048		7437.exe
PID 3048 wrote to memory of 684	3048		7437.exe
PID 3048 wrote to memory of 684	3048		7437.exe

C:\Users\Admin\AppData\Local\Temp\b817002c69c6315e116f14d6fe64151577999eb773842.exe
"C:\Users\Admin\AppData\Local\Temp\b817002c69c6315e116f14d6fe64151577999eb773842.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\b817002c69c6315e116f14d6fe64151577999eb773842.exe
"C:\Users\Admin\AppData\Local\Temp\b817002c69c6315e116f14d6fe64151577999eb773842.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4256

C:\Users\Admin\AppData\Local\Temp\531.exe
C:\Users\Admin\AppData\Local\Temp\531.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3264

C:\Users\Admin\AppData\Local\Temp\106D.exe
C:\Users\Admin\AppData\Local\Temp\106D.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Users\Admin\AppData\Local\Temp\156F.exe
C:\Users\Admin\AppData\Local\Temp\156F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:508

C:\Users\Admin\AppData\Local\Temp\156F.exe
C:\Users\Admin\AppData\Local\Temp\156F.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\AudioDriver.exe
"C:\Users\Admin\AppData\Local\Temp\AudioDriver.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3228

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4372

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4596

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:196

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:936

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4012

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4568

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1544

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2136

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1120

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3168

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1728

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3040

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
PID:4880

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
PID:4760

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
PID:1612

C:\ProgramData\Data\AudioCodec.exe
-a kawpow -o rvn.2miners.com:6060 -u RL6KtheBvGYZGNxMmF8ZF1ZdH8VVvSXgmM.rig -p x
4⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\534F.exe
C:\Users\Admin\AppData\Local\Temp\534F.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Users\Admin\AppData\Local\Temp\6CE3.exe
C:\Users\Admin\AppData\Local\Temp\6CE3.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Users\Admin\AppData\Local\Temp\7437.exe
C:\Users\Admin\AppData\Local\Temp\7437.exe
1⤵
- Executes dropped EXE
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 732
2⤵
- Program crash
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 744
2⤵
- Program crash
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 768
2⤵
- Program crash
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 880
2⤵
- Program crash
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 1176
2⤵
- Program crash
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 668
2⤵
- Program crash
PID:4472

C:\Users\Admin\AppData\Local\Temp\7C18.exe
C:\Users\Admin\AppData\Local\Temp\7C18.exe
1⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\A6E2.exe
C:\Users\Admin\AppData\Local\Temp\A6E2.exe
1⤵
PID:488

C:\Users\Admin\AppData\Local\Temp\BF2D.exe
C:\Users\Admin\AppData\Local\Temp\BF2D.exe
1⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\CA4A.exe
C:\Users\Admin\AppData\Local\Temp\CA4A.exe
1⤵
PID:4436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Data\AudioCodec.exe
MD5
cc15615c33ebbf04c03eb860ce04d674

SHA1
8e646a0932b4c15a32520bb5290fca89f34eeb3f

SHA256
b9b87ff09a0eaf5335682a40f9392eb2468edaf65d8feb561f258a291d784f43

SHA512
ccb138a1100809e80452aa75bc9b4719c596d33f26f0e56bb33879fd541be6435348b82a7f89261381e544746f56ffd11e8277f407ad78ae110e87cfa19a2ee1

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
cc15615c33ebbf04c03eb860ce04d674

SHA1
8e646a0932b4c15a32520bb5290fca89f34eeb3f

SHA256
b9b87ff09a0eaf5335682a40f9392eb2468edaf65d8feb561f258a291d784f43

SHA512
ccb138a1100809e80452aa75bc9b4719c596d33f26f0e56bb33879fd541be6435348b82a7f89261381e544746f56ffd11e8277f407ad78ae110e87cfa19a2ee1

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
cc15615c33ebbf04c03eb860ce04d674

SHA1
8e646a0932b4c15a32520bb5290fca89f34eeb3f

SHA256
b9b87ff09a0eaf5335682a40f9392eb2468edaf65d8feb561f258a291d784f43

SHA512
ccb138a1100809e80452aa75bc9b4719c596d33f26f0e56bb33879fd541be6435348b82a7f89261381e544746f56ffd11e8277f407ad78ae110e87cfa19a2ee1

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
cc15615c33ebbf04c03eb860ce04d674

SHA1
8e646a0932b4c15a32520bb5290fca89f34eeb3f

SHA256
b9b87ff09a0eaf5335682a40f9392eb2468edaf65d8feb561f258a291d784f43

SHA512
ccb138a1100809e80452aa75bc9b4719c596d33f26f0e56bb33879fd541be6435348b82a7f89261381e544746f56ffd11e8277f407ad78ae110e87cfa19a2ee1

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
cc15615c33ebbf04c03eb860ce04d674

SHA1
8e646a0932b4c15a32520bb5290fca89f34eeb3f

SHA256
b9b87ff09a0eaf5335682a40f9392eb2468edaf65d8feb561f258a291d784f43

SHA512
ccb138a1100809e80452aa75bc9b4719c596d33f26f0e56bb33879fd541be6435348b82a7f89261381e544746f56ffd11e8277f407ad78ae110e87cfa19a2ee1

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
cc15615c33ebbf04c03eb860ce04d674

SHA1
8e646a0932b4c15a32520bb5290fca89f34eeb3f

SHA256
b9b87ff09a0eaf5335682a40f9392eb2468edaf65d8feb561f258a291d784f43

SHA512
ccb138a1100809e80452aa75bc9b4719c596d33f26f0e56bb33879fd541be6435348b82a7f89261381e544746f56ffd11e8277f407ad78ae110e87cfa19a2ee1

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
cc15615c33ebbf04c03eb860ce04d674

SHA1
8e646a0932b4c15a32520bb5290fca89f34eeb3f

SHA256
b9b87ff09a0eaf5335682a40f9392eb2468edaf65d8feb561f258a291d784f43

SHA512
ccb138a1100809e80452aa75bc9b4719c596d33f26f0e56bb33879fd541be6435348b82a7f89261381e544746f56ffd11e8277f407ad78ae110e87cfa19a2ee1

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
cc15615c33ebbf04c03eb860ce04d674

SHA1
8e646a0932b4c15a32520bb5290fca89f34eeb3f

SHA256
b9b87ff09a0eaf5335682a40f9392eb2468edaf65d8feb561f258a291d784f43

SHA512
ccb138a1100809e80452aa75bc9b4719c596d33f26f0e56bb33879fd541be6435348b82a7f89261381e544746f56ffd11e8277f407ad78ae110e87cfa19a2ee1

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
cc15615c33ebbf04c03eb860ce04d674

SHA1
8e646a0932b4c15a32520bb5290fca89f34eeb3f

SHA256
b9b87ff09a0eaf5335682a40f9392eb2468edaf65d8feb561f258a291d784f43

SHA512
ccb138a1100809e80452aa75bc9b4719c596d33f26f0e56bb33879fd541be6435348b82a7f89261381e544746f56ffd11e8277f407ad78ae110e87cfa19a2ee1

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
cc15615c33ebbf04c03eb860ce04d674

SHA1
8e646a0932b4c15a32520bb5290fca89f34eeb3f

SHA256
b9b87ff09a0eaf5335682a40f9392eb2468edaf65d8feb561f258a291d784f43

SHA512
ccb138a1100809e80452aa75bc9b4719c596d33f26f0e56bb33879fd541be6435348b82a7f89261381e544746f56ffd11e8277f407ad78ae110e87cfa19a2ee1

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
cc15615c33ebbf04c03eb860ce04d674

SHA1
8e646a0932b4c15a32520bb5290fca89f34eeb3f

SHA256
b9b87ff09a0eaf5335682a40f9392eb2468edaf65d8feb561f258a291d784f43

SHA512
ccb138a1100809e80452aa75bc9b4719c596d33f26f0e56bb33879fd541be6435348b82a7f89261381e544746f56ffd11e8277f407ad78ae110e87cfa19a2ee1

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
85f25980b7b418d26e4ad0adb8c1a21d

SHA1
04372b59e85593d43e2381bea97f39f681777dd7

SHA256
06c85dad7b973a147068f5083839cab6ba771d79242aae9b5f06896b86c275d3

SHA512
775204c8368f1c9dad82ccd9cfae28eb8660218ba8aaafb648d798c74879719cc9d43619271a72a46995394dd8ee7c33c7cafad354e111b12b2e4350573b085c

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
a23617c04a4ed88688fb8ef75cd49fab

SHA1
4b7b2c6e75aa6e6a9341b4212c35a1ca7b26ed56

SHA256
fbf9583b42d6b946eecabd102224fe0db0b7fedba1972a8537bf07fdf04e8199

SHA512
a1d158e7f11b7d9a400653286c9b532a3d231dc13f77646622be6c9dfee339a299b90fde87ca56fb01eceb9611340efe79280f91fdd33048e75048eb98fb0217

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
3c043880aec4c623923f1a9be64c9996

SHA1
b42966d902e07ecd2f613f3617f75bb31430189a

SHA256
e29a36031bb0e45886b753a42958f514b295469b4227e6ce6e3f4b80a00470b6

SHA512
4b6472aecafd43653063ac44d8c2a983c1623e2b5154fd7f804434a2a33ea7226ff018b8ceba231814bad6850514896645496aea673b9b57fdd79d41ac6f2881

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
07e2dddac12e28d898fc85b5a5e77dd0

SHA1
53fbe8c8820db71c20ea047eb6219390202dc8b5

SHA256
955a105eaadddd8de045b5dedefb820faa432e147d64eb7f7ea3b4c427b174b8

SHA512
2b3d22ffa547636f332ff9f4ed10abe491ad58e22991b837bba2d4e1285d628c892c5b6031ca4b85aaaf750534b8afafe084aa9f5d229c44c69050f22b5a7158

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
ad393d1d169da3840422d29d81a14ae8

SHA1
e541360faf12b5d503a5fe048ade2c2da9c4a135

SHA256
48368258e5f3662eaf97c58ba55f9efe3ef5c3149ef28c21c6cd365e17dc4ebe

SHA512
8af13026b5d932095858f08369866014cbf9554c412cccfc0feacaac4ff89bf8c9d0be0ec834c94def6978724afd5bdc471c5144c9fb08a1e31f2cd84544fc0c

Download Submit
C:\ProgramData\Data\AudioCodec.exe
MD5
3668d0f8a4830acf73f05df88790dae6

SHA1
29dadd17025dc1e35870c0d958149cbf4a0c7ee3

SHA256
d8073a6334eac5fc155b7c3082a95310dacabaab6932211db7cea34a86c8ad5a

SHA512
565b55a9a4981a6f7bd683d81ebc2066b4ba1a85029c7546ac2a177c08cb64b9423ec885d1604a6100cbb9b75a443fbb73a3daa811f468556c1b3e3e58b7111a

Download Submit
C:\ProgramData\Systemd\config.json
MD5
fa1d69a92278c02bde09e56f53f17e7c

SHA1
18bf7aeb76a9dab8dfbc54fd6c44c9c31ab96c6a

SHA256
b7530d98b7fbfaf91eaf37c184adf3d2f0d7fe0be0161f94cf01a66a8b8334c2

SHA512
86260deb08d8e17cab9aa84c156988343ac567b45a9b437a67443983d5143e5979ee775ba01a33cdad57d87ab6fd4dca56489df4da2b9a529202dad5a26c93e2

Download Submit
C:\ProgramData\Systemd\note3dll.exe
MD5
0b85eae86038116041ecc8d24ba2fadb

SHA1
bcfeff8a7b42e8836b7dea9f6d594e14f6b25cec

SHA256
cd0dcc3d3aab1dc613cd5b1ea4d3a066ab20768c60babb1a4e79df9da9144218

SHA512
ef0b17ae8d533c209491358f09826ea7b0cb5e5d7a435b80f574916624070036d5fcf30eb35c0d5c33b49c134f471734efdaef5154de51b1ce600b4fe51b9744

Download Submit
C:\ProgramData\Systemd\note3dll.exe
MD5
0b85eae86038116041ecc8d24ba2fadb

SHA1
bcfeff8a7b42e8836b7dea9f6d594e14f6b25cec

SHA256
cd0dcc3d3aab1dc613cd5b1ea4d3a066ab20768c60babb1a4e79df9da9144218

SHA512
ef0b17ae8d533c209491358f09826ea7b0cb5e5d7a435b80f574916624070036d5fcf30eb35c0d5c33b49c134f471734efdaef5154de51b1ce600b4fe51b9744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\156F.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\106D.exe
MD5
8c69181e218d120c2222c285f73f3434

SHA1
f6d61590fcc225b16dae79d689bb2d73c27f49f5

SHA256
646492cdcf4be74a0bae1711eb6902d8d2cc887519fe26c6bd7a84f3387d4a9d

SHA512
a67a2af0b9760c214baa78e307d2c3b786c210d7d02525840d2e7e673b456b312e016a22e3428304045d4ad99d51228c283eddeaf8b726502ee84431c98ed7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\106D.exe
MD5
8c69181e218d120c2222c285f73f3434

SHA1
f6d61590fcc225b16dae79d689bb2d73c27f49f5

SHA256
646492cdcf4be74a0bae1711eb6902d8d2cc887519fe26c6bd7a84f3387d4a9d

SHA512
a67a2af0b9760c214baa78e307d2c3b786c210d7d02525840d2e7e673b456b312e016a22e3428304045d4ad99d51228c283eddeaf8b726502ee84431c98ed7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\156F.exe
MD5
2846ad734c304a80d4200a86533ccf00

SHA1
6faa75e815c17245e574dd914966d5f531427dad

SHA256
770da1ece99e04a602eb75b9dd90e58b4880d42acb4c1b189421720d446b02a1

SHA512
7b9dffd65a941b3587d568d2714a72041a7ac62bfe919a079b99f8dd659289b7bb1e6e1c2b9873c7b8b09c24ba4eef66d126313576f7f4f487269c14228ae80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\156F.exe
MD5
2846ad734c304a80d4200a86533ccf00

SHA1
6faa75e815c17245e574dd914966d5f531427dad

SHA256
770da1ece99e04a602eb75b9dd90e58b4880d42acb4c1b189421720d446b02a1

SHA512
7b9dffd65a941b3587d568d2714a72041a7ac62bfe919a079b99f8dd659289b7bb1e6e1c2b9873c7b8b09c24ba4eef66d126313576f7f4f487269c14228ae80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\156F.exe
MD5
2846ad734c304a80d4200a86533ccf00

SHA1
6faa75e815c17245e574dd914966d5f531427dad

SHA256
770da1ece99e04a602eb75b9dd90e58b4880d42acb4c1b189421720d446b02a1

SHA512
7b9dffd65a941b3587d568d2714a72041a7ac62bfe919a079b99f8dd659289b7bb1e6e1c2b9873c7b8b09c24ba4eef66d126313576f7f4f487269c14228ae80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\531.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\531.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\534F.exe
MD5
cc078e133d1c8a2a07dbb784463a5390

SHA1
5eccaa99757c4201d90d7904f546952039e747d6

SHA256
1fa26edc32e7af8d9de8ecbe2e68f8307a3d936dabe730af6976e73a2528c388

SHA512
cd9edd7b858a81a4a46b8831c94a7abcaa74754c5a5a52689843b44fca4455d74767cf4f85c45f4ef2f2011fd17282c51f5110fefa60ea94c95e836c72283b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\534F.exe
MD5
cc078e133d1c8a2a07dbb784463a5390

SHA1
5eccaa99757c4201d90d7904f546952039e747d6

SHA256
1fa26edc32e7af8d9de8ecbe2e68f8307a3d936dabe730af6976e73a2528c388

SHA512
cd9edd7b858a81a4a46b8831c94a7abcaa74754c5a5a52689843b44fca4455d74767cf4f85c45f4ef2f2011fd17282c51f5110fefa60ea94c95e836c72283b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CE3.exe
MD5
07fd20f2ef24f16c0d0ce1bea427ff02

SHA1
212f5d0cb59ed1626c1c687ccef54b88d11aab22

SHA256
f5d0012b834951cde77890781dcb8e3787377f7682777eb4fb29185682e8d92c

SHA512
6307f379adde919841336a98c034efd9cba9caec791a9d2b0d8ec531a39d818b35a9a107650029e580c54efd9a1a799d3c56dfab721a8b068238901ee9ada909

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CE3.exe
MD5
07fd20f2ef24f16c0d0ce1bea427ff02

SHA1
212f5d0cb59ed1626c1c687ccef54b88d11aab22

SHA256
f5d0012b834951cde77890781dcb8e3787377f7682777eb4fb29185682e8d92c

SHA512
6307f379adde919841336a98c034efd9cba9caec791a9d2b0d8ec531a39d818b35a9a107650029e580c54efd9a1a799d3c56dfab721a8b068238901ee9ada909

Download Submit
C:\Users\Admin\AppData\Local\Temp\7437.exe
MD5
8f5840ed3d0afcd582700adbb02ac00e

SHA1
0ce0b3e5e61fd328e37cebf47029f36f29582a32

SHA256
ec75f6425faec59679a112ddf3cfa69acdd45afeb46806067ebc52b4acc6332e

SHA512
700fe17a8bec9a34c2582c7abbbeda2750cda87f9cb3f6913b61b8f42d4c4b520fd52ea95c0a98d0072fa682f7823e03fc2a00854827d22ffba582d1b723ac27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7437.exe
MD5
8f5840ed3d0afcd582700adbb02ac00e

SHA1
0ce0b3e5e61fd328e37cebf47029f36f29582a32

SHA256
ec75f6425faec59679a112ddf3cfa69acdd45afeb46806067ebc52b4acc6332e

SHA512
700fe17a8bec9a34c2582c7abbbeda2750cda87f9cb3f6913b61b8f42d4c4b520fd52ea95c0a98d0072fa682f7823e03fc2a00854827d22ffba582d1b723ac27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C18.exe
MD5
d89443e3bc2fc8605e467ec0597b635f

SHA1
741bbced5cca825914c68f93be93ce927b61ef4f

SHA256
5d745fa3e32482728c1f2ad6e28263d9061345a6a05a9cf290098ad4864990d2

SHA512
b5cc6076488af3f07666ef2fbb3c868948c3620e301a098749210cdc7dbc80e640061aa024c181c60f98f503b96195238183aff75d4020ce83b962132f793f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C18.exe
MD5
d89443e3bc2fc8605e467ec0597b635f

SHA1
741bbced5cca825914c68f93be93ce927b61ef4f

SHA256
5d745fa3e32482728c1f2ad6e28263d9061345a6a05a9cf290098ad4864990d2

SHA512
b5cc6076488af3f07666ef2fbb3c868948c3620e301a098749210cdc7dbc80e640061aa024c181c60f98f503b96195238183aff75d4020ce83b962132f793f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6E2.exe
MD5
44dc3130f089718a02b53aceeb7b8980

SHA1
66fe679d4960f1f6a395a40e1a2e64025cafbddb

SHA256
b71e691b4023157ca65c44f764ffc4c2ba1263ad634b4a4acc17b1c249b1d5f9

SHA512
5a4413be7b9e3e232084e6429594610dbb7a8b3b97071da714b24ff9445e41a26c0ba4392e437d8a09894d27707dcb9bf1c2a65f27561a644d3ff44507da97d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6E2.exe
MD5
ce0aadaef4b77999ac2f475361841770

SHA1
4fa10fc93ae72aa2832f6c8f9160f481219f009d

SHA256
a013ca0dd7deeb71fe7e6f388aca8293989ba44f5b44ddc011ec038510c9cc0d

SHA512
7217eebd248e651c0571de32790c9f7cef706bf579507ade81ce9031c77aa75b6c9f569e169deab277819b687566e1bdb18a0a3f093412eb99e4ff703be52258

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioDriver.exe
MD5
5ddf0a162b4926bf3b3f6a36f0f0b340

SHA1
9810a28fbcd8a8cdd4f7ae4ea7ad1c888f02ba95

SHA256
dafce32f7db8c54d2f424b33885d87012f454aeb6fb9ed95502884544b7ccda3

SHA512
f91ccccc91733291ee712f66e42520f7742cce0e5ea097d816fe2e5b372a698256c256f0bf8daf6f6f4a1e8cc438dae561e9a288d2d66709de844645dbf5e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AudioDriver.exe
MD5
5ddf0a162b4926bf3b3f6a36f0f0b340

SHA1
9810a28fbcd8a8cdd4f7ae4ea7ad1c888f02ba95

SHA256
dafce32f7db8c54d2f424b33885d87012f454aeb6fb9ed95502884544b7ccda3

SHA512
f91ccccc91733291ee712f66e42520f7742cce0e5ea097d816fe2e5b372a698256c256f0bf8daf6f6f4a1e8cc438dae561e9a288d2d66709de844645dbf5e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF2D.exe
MD5
7cf2af3a5b5f6df3e2b5aee02504022b

SHA1
19d4481ead548df3982e7e2d17265724af8b92e6

SHA256
010ec844c209e11b7eec52cebdc39b6464952079eee052e3e2241ad0009ff44a

SHA512
3e13f85c2af5026833e7b46399773125da0a81e2a72f61ec6e7e498224357aeec58dc17f438edcf91173dc9264dd180d733df5abd6589b386560e4255667b0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF2D.exe
MD5
7cf2af3a5b5f6df3e2b5aee02504022b

SHA1
19d4481ead548df3982e7e2d17265724af8b92e6

SHA256
010ec844c209e11b7eec52cebdc39b6464952079eee052e3e2241ad0009ff44a

SHA512
3e13f85c2af5026833e7b46399773125da0a81e2a72f61ec6e7e498224357aeec58dc17f438edcf91173dc9264dd180d733df5abd6589b386560e4255667b0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA4A.exe
MD5
6cac46f77a08178ac8ba3186cc83051a

SHA1
43db8ad4f6334e7309ad6947d5b8d6b44f86efb1

SHA256
5b447482fcc1ef9939b7144b1ded517067afe56f0ea984ae132086dade2dae30

SHA512
42c8bed4d7104104431bf517490b8fa2ac67cf9d9e9e1ba14d5a06b8d2cd97891fba3af64e39872360ec0ecaf804f93b64b1b28733ae939402b0e9e37875a42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA4A.exe
MD5
6cac46f77a08178ac8ba3186cc83051a

SHA1
43db8ad4f6334e7309ad6947d5b8d6b44f86efb1

SHA256
5b447482fcc1ef9939b7144b1ded517067afe56f0ea984ae132086dade2dae30

SHA512
42c8bed4d7104104431bf517490b8fa2ac67cf9d9e9e1ba14d5a06b8d2cd97891fba3af64e39872360ec0ecaf804f93b64b1b28733ae939402b0e9e37875a42f

Download Submit
memory/196-184-0x0000000000000000-mapping.dmp

Download
memory/488-245-0x0000000000000000-mapping.dmp

Download
memory/488-271-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/488-259-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/488-256-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/508-127-0x0000000000000000-mapping.dmp

Download
memory/508-133-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/508-137-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/508-139-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/508-130-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/508-138-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/684-222-0x0000000000000000-mapping.dmp

Download
memory/684-247-0x0000000000400000-0x0000000002CFA000-memory.dmp

Filesize
41.0MB

Download
memory/684-244-0x0000000004930000-0x00000000049BF000-memory.dmp

Filesize
572KB

Download
memory/936-186-0x0000000000000000-mapping.dmp

Download
memory/1108-143-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1108-144-0x0000000000418F6E-mapping.dmp

Download
memory/1108-154-0x0000000005560000-0x0000000005B66000-memory.dmp

Filesize
6.0MB

Download
memory/1108-164-0x0000000006F30000-0x0000000006F31000-memory.dmp

Filesize
4KB

Download
memory/1120-197-0x0000000000000000-mapping.dmp

Download
memory/1544-192-0x0000000000000000-mapping.dmp

Download
memory/1612-252-0x0000000000000000-mapping.dmp

Download
memory/1728-214-0x0000000000000000-mapping.dmp

Download
memory/1752-276-0x0000000000000000-mapping.dmp

Download
memory/1752-291-0x0000000004D90000-0x000000000528E000-memory.dmp

Filesize
5.0MB

Download
memory/2136-194-0x0000000000000000-mapping.dmp

Download
memory/3040-217-0x0000000000000000-mapping.dmp

Download
memory/3048-117-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

Filesize
88KB

Download
memory/3168-200-0x0000000000000000-mapping.dmp

Download
memory/3228-169-0x0000000000000000-mapping.dmp

Download
memory/3264-118-0x0000000000000000-mapping.dmp

Download
memory/4012-188-0x0000000000000000-mapping.dmp

Download
memory/4172-142-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/4172-155-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/4172-130-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/4172-135-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/4172-136-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/4172-156-0x0000000006E00000-0x0000000006E01000-memory.dmp

Filesize
4KB

Download
memory/4172-158-0x0000000006980000-0x0000000006981000-memory.dmp

Filesize
4KB

Download
memory/4172-141-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/4172-140-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4172-126-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4172-123-0x0000000000000000-mapping.dmp

Download
memory/4172-134-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/4220-264-0x0000000004B30000-0x0000000004B4C000-memory.dmp

Filesize
112KB

Download
memory/4220-234-0x0000000000000000-mapping.dmp

Download
memory/4220-284-0x0000000007434000-0x0000000007436000-memory.dmp

Filesize
8KB

Download
memory/4220-273-0x0000000007432000-0x0000000007433000-memory.dmp

Filesize
4KB

Download
memory/4220-274-0x0000000007433000-0x0000000007434000-memory.dmp

Filesize
4KB

Download
memory/4220-268-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/4220-263-0x0000000000400000-0x0000000002CCD000-memory.dmp

Filesize
40.8MB

Download
memory/4220-261-0x0000000002D40000-0x0000000002E8A000-memory.dmp

Filesize
1.3MB

Download
memory/4256-116-0x0000000000402FAB-mapping.dmp

Download
memory/4256-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4372-172-0x0000000000000000-mapping.dmp

Download
memory/4372-180-0x00007FFA78650000-0x00007FFA78652000-memory.dmp

Filesize
8KB

Download
memory/4392-198-0x000002D7D3040000-0x000002D7D3060000-memory.dmp

Filesize
128KB

Download
memory/4392-196-0x000002D7D3020000-0x000002D7D3040000-memory.dmp

Filesize
128KB

Download
memory/4392-182-0x000002D7D2EB0000-0x000002D7D2ED0000-memory.dmp

Filesize
128KB

Download
memory/4392-175-0x0000000000000000-mapping.dmp

Download
memory/4392-178-0x000002D7D2E80000-0x000002D7D2EA0000-memory.dmp

Filesize
128KB

Download
memory/4436-293-0x0000000000000000-mapping.dmp

Download
memory/4568-190-0x0000000000000000-mapping.dmp

Download
memory/4576-213-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/4576-211-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4576-206-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4576-202-0x0000000000000000-mapping.dmp

Download
memory/4576-212-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4596-181-0x0000000000000000-mapping.dmp

Download
memory/4648-114-0x0000000002DA0000-0x0000000002DAA000-memory.dmp

Filesize
40KB

Download
memory/4760-242-0x0000000000000000-mapping.dmp

Download
memory/4880-236-0x0000000000000000-mapping.dmp

Download
memory/4948-289-0x0000000000000000-mapping.dmp

Download
memory/5048-232-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/5048-219-0x0000000000000000-mapping.dmp

Download
memory/5048-224-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/5048-223-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download