redline | ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
28-09-2021 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
Size

233KB
MD5

333a6446b4e4f947dd83b3c2ca0af182
SHA1

d4b0ea9943dc7711834c1afda20b39bd14bfaca6
SHA256

ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9
SHA512

60ab9dbf78475d87c91e25ff5e42cfc74592388ed7f8119d4d43dd2a3db7ce0304b6c23bfdaa2e017bf5c5257747e2c63a5198dd285302a96d770b1f920ea89e

Score

10^/10

redline servhelper smokeloader xmrig 777777 backdoor discovery evasion infostealer miner persistence spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

rc4.i32

Extracted

Family

redline

Botnet

777777

193.56.146.60:18243

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2204-192-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/2204-193-0x000000000041C5D2-mapping.dmp	family_redline

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6d222ef6-fc93-452f-8910-98b4bcd5dc15\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\6d222ef6-fc93-452f-8910-98b4bcd5dc15\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\6d222ef6-fc93-452f-8910-98b4bcd5dc15\AdvancedRun.exe	Nirsoft

Executes dropped EXE 13 IoCs

Processes:

BA13.exeCCC2.exeCCC2.tmpCCC2.exeCCC2.tmpDFDD.exeaudiograph.exeEE84.exeAdvancedRun.exeAdvancedRun.exeEE84.exehisafjchisafjc

pid	process
3956	BA13.exe
3648	CCC2.exe
3168	CCC2.tmp
1636	CCC2.exe
1856	CCC2.tmp
2076	DFDD.exe
2796	audiograph.exe
3756	EE84.exe
3672	AdvancedRun.exe
3560	AdvancedRun.exe
2204	EE84.exe
4300	hisafjc
4468	hisafjc

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BA13.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BA13.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BA13.exe

Deletes itself 1 IoCs

Processes:

pid process

3016
Loads dropped DLL 1 IoCs

Processes:

audiograph.exe

pid process

2796 audiograph.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3016

pid	process
2796	audiograph.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BA13.exe	themida
behavioral1/memory/3956-122-0x0000000000ED0000-0x0000000000ED1000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\BA13.exe	themida

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

EE84.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	EE84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	EE84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	EE84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	EE84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	EE84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\EE84.exe = "0"	EE84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	EE84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	EE84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	EE84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	EE84.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

BA13.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BA13.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\SysWOW64\rdpclip.exe powershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BA13.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

BA13.exeEE84.exe

pid	process
3956	BA13.exe
3756	EE84.exe
3756	EE84.exe
3756	EE84.exe
3756	EE84.exe
3756	EE84.exe
3756	EE84.exe
3756	EE84.exe
3756	EE84.exe
3756	EE84.exe
3756	EE84.exe
3756	EE84.exe
3756	EE84.exe
3756	EE84.exe
3756	EE84.exe
3756	EE84.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exeEE84.exehisafjc

description	pid	process	target process
PID 4060 set thread context of 508	4060	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
PID 3756 set thread context of 2204	3756	EE84.exe	EE84.exe
PID 4300 set thread context of 4468	4300	hisafjc	hisafjc

Drops file in Windows directory 9 IoCs

Processes:

WerFault.exepowershell.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

736 3756 WerFault.exe EE84.exe

pid	pid_target	process	target process
736	3756	WerFault.exe	EE84.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

hisafjcec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hisafjc
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hisafjc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hisafjc

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4580 reg.exe
Runs net.exe

pid	process
4580	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe

pid	process
508	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
508	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3016
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

612
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exehisafjc

pid process

508 ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
4468 hisafjc

pid	process
3016

pid	process
612

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

BA13.exeEE84.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	3956	BA13.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	3756	EE84.exe
Token: SeDebugPrivilege	3672	AdvancedRun.exe
Token: SeImpersonatePrivilege	3672	AdvancedRun.exe
Token: SeDebugPrivilege	3560	AdvancedRun.exe
Token: SeImpersonatePrivilege	3560	AdvancedRun.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeRestorePrivilege	736	WerFault.exe
Token: SeBackupPrivilege	736	WerFault.exe
Token: SeBackupPrivilege	736	WerFault.exe
Token: SeDebugPrivilege	736	WerFault.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

CCC2.tmp

pid process

3016
3016
1856 CCC2.tmp
3016
3016
3016
3016
3016
3016
3016
3016
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

3016
3016
3016
3016

pid	process
3016
3016
1856	CCC2.tmp
3016
3016
3016
3016
3016
3016
3016
3016

pid	process
3016
3016
3016
3016

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exeCCC2.exeCCC2.tmpCCC2.exeCCC2.tmpEE84.exeAdvancedRun.exeDFDD.exepowershell.execsc.exehisafjc

description	pid	process	target process
PID 4060 wrote to memory of 508	4060	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
PID 4060 wrote to memory of 508	4060	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
PID 4060 wrote to memory of 508	4060	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
PID 4060 wrote to memory of 508	4060	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
PID 4060 wrote to memory of 508	4060	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
PID 4060 wrote to memory of 508	4060	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe	ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
PID 3016 wrote to memory of 3956	3016		BA13.exe
PID 3016 wrote to memory of 3956	3016		BA13.exe
PID 3016 wrote to memory of 3956	3016		BA13.exe
PID 3016 wrote to memory of 3648	3016		CCC2.exe
PID 3016 wrote to memory of 3648	3016		CCC2.exe
PID 3016 wrote to memory of 3648	3016		CCC2.exe
PID 3648 wrote to memory of 3168	3648	CCC2.exe	CCC2.tmp
PID 3648 wrote to memory of 3168	3648	CCC2.exe	CCC2.tmp
PID 3648 wrote to memory of 3168	3648	CCC2.exe	CCC2.tmp
PID 3168 wrote to memory of 1636	3168	CCC2.tmp	CCC2.exe
PID 3168 wrote to memory of 1636	3168	CCC2.tmp	CCC2.exe
PID 3168 wrote to memory of 1636	3168	CCC2.tmp	CCC2.exe
PID 1636 wrote to memory of 1856	1636	CCC2.exe	CCC2.tmp
PID 1636 wrote to memory of 1856	1636	CCC2.exe	CCC2.tmp
PID 1636 wrote to memory of 1856	1636	CCC2.exe	CCC2.tmp
PID 3016 wrote to memory of 2076	3016		DFDD.exe
PID 3016 wrote to memory of 2076	3016		DFDD.exe
PID 3016 wrote to memory of 2076	3016		DFDD.exe
PID 1856 wrote to memory of 2796	1856	CCC2.tmp	audiograph.exe
PID 1856 wrote to memory of 2796	1856	CCC2.tmp	audiograph.exe
PID 1856 wrote to memory of 2796	1856	CCC2.tmp	audiograph.exe
PID 3016 wrote to memory of 3756	3016		EE84.exe
PID 3016 wrote to memory of 3756	3016		EE84.exe
PID 3016 wrote to memory of 3756	3016		EE84.exe
PID 3756 wrote to memory of 3672	3756	EE84.exe	AdvancedRun.exe
PID 3756 wrote to memory of 3672	3756	EE84.exe	AdvancedRun.exe
PID 3756 wrote to memory of 3672	3756	EE84.exe	AdvancedRun.exe
PID 3672 wrote to memory of 3560	3672	AdvancedRun.exe	AdvancedRun.exe
PID 3672 wrote to memory of 3560	3672	AdvancedRun.exe	AdvancedRun.exe
PID 3672 wrote to memory of 3560	3672	AdvancedRun.exe	AdvancedRun.exe
PID 3756 wrote to memory of 2848	3756	EE84.exe	powershell.exe
PID 3756 wrote to memory of 2848	3756	EE84.exe	powershell.exe
PID 3756 wrote to memory of 2848	3756	EE84.exe	powershell.exe
PID 3756 wrote to memory of 2204	3756	EE84.exe	EE84.exe
PID 3756 wrote to memory of 2204	3756	EE84.exe	EE84.exe
PID 3756 wrote to memory of 2204	3756	EE84.exe	EE84.exe
PID 3756 wrote to memory of 2204	3756	EE84.exe	EE84.exe
PID 3756 wrote to memory of 2204	3756	EE84.exe	EE84.exe
PID 3756 wrote to memory of 2204	3756	EE84.exe	EE84.exe
PID 3756 wrote to memory of 2204	3756	EE84.exe	EE84.exe
PID 3756 wrote to memory of 2204	3756	EE84.exe	EE84.exe
PID 2076 wrote to memory of 3644	2076	DFDD.exe	powershell.exe
PID 2076 wrote to memory of 3644	2076	DFDD.exe	powershell.exe
PID 2076 wrote to memory of 3644	2076	DFDD.exe	powershell.exe
PID 3644 wrote to memory of 4280	3644	powershell.exe	csc.exe
PID 3644 wrote to memory of 4280	3644	powershell.exe	csc.exe
PID 3644 wrote to memory of 4280	3644	powershell.exe	csc.exe
PID 4280 wrote to memory of 4368	4280	csc.exe	cvtres.exe
PID 4280 wrote to memory of 4368	4280	csc.exe	cvtres.exe
PID 4280 wrote to memory of 4368	4280	csc.exe	cvtres.exe
PID 3644 wrote to memory of 4812	3644	powershell.exe	powershell.exe
PID 3644 wrote to memory of 4812	3644	powershell.exe	powershell.exe
PID 3644 wrote to memory of 4812	3644	powershell.exe	powershell.exe
PID 4300 wrote to memory of 4468	4300	hisafjc	hisafjc
PID 4300 wrote to memory of 4468	4300	hisafjc	hisafjc
PID 4300 wrote to memory of 4468	4300	hisafjc	hisafjc
PID 4300 wrote to memory of 4468	4300	hisafjc	hisafjc
PID 4300 wrote to memory of 4468	4300	hisafjc	hisafjc

C:\Users\Admin\AppData\Local\Temp\ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
"C:\Users\Admin\AppData\Local\Temp\ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe
  "C:\Users\Admin\AppData\Local\Temp\ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:508

C:\Users\Admin\AppData\Local\Temp\BA13.exe
C:\Users\Admin\AppData\Local\Temp\BA13.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Users\Admin\AppData\Local\Temp\CCC2.exe
C:\Users\Admin\AppData\Local\Temp\CCC2.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Users\Admin\AppData\Local\Temp\is-TJ81M.tmp\CCC2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TJ81M.tmp\CCC2.tmp" /SL5="$5005E,4275279,831488,C:\Users\Admin\AppData\Local\Temp\CCC2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Users\Admin\AppData\Local\Temp\CCC2.exe
    "C:\Users\Admin\AppData\Local\Temp\CCC2.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\is-S518V.tmp\CCC2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-S518V.tmp\CCC2.tmp" /SL5="$6005E,4275279,831488,C:\Users\Admin\AppData\Local\Temp\CCC2.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Users\Admin\AppData\Roaming\Audio Graph Wrapper for Windows\audiograph.exe
        
        "C:\Users\Admin\AppData\Roaming\Audio Graph Wrapper for Windows\audiograph.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2796

C:\Users\Admin\AppData\Local\Temp\DFDD.exe
C:\Users\Admin\AppData\Local\Temp\DFDD.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cjpunges\cjpunges.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DBF.tmp" "c:\Users\Admin\AppData\Local\Temp\cjpunges\CSC14BE0F16F01249AC923F51B6FC23EB.TMP"
      4⤵
      PID:4368
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:4580
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:4868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:4960
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start rdpdr
      4⤵
      PID:852
    - - C:\Windows\SysWOW64\net.exe
        
        net start rdpdr
        5⤵
        
        PID:5024
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:5092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:5112
    - - C:\Windows\SysWOW64\net.exe
        
        net start TermService
        5⤵
        
        PID:2952
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:4312

C:\Users\Admin\AppData\Local\Temp\EE84.exe
C:\Users\Admin\AppData\Local\Temp\EE84.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Local\Temp\6d222ef6-fc93-452f-8910-98b4bcd5dc15\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\6d222ef6-fc93-452f-8910-98b4bcd5dc15\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6d222ef6-fc93-452f-8910-98b4bcd5dc15\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\6d222ef6-fc93-452f-8910-98b4bcd5dc15\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\6d222ef6-fc93-452f-8910-98b4bcd5dc15\AdvancedRun.exe" /SpecialRun 4101d8 3672
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EE84.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\EE84.exe
  "C:\Users\Admin\AppData\Local\Temp\EE84.exe"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 2200
  2⤵
  - Drops file in Windows directory
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:736

C:\Users\Admin\AppData\Roaming\hisafjc
C:\Users\Admin\AppData\Roaming\hisafjc
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Roaming\hisafjc
  C:\Users\Admin\AppData\Roaming\hisafjc
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
f3068198b62b4b70404ec46694d632be

SHA1
7b0b31ae227cf2a78cb751573a9d07f755104ea0

SHA256
bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8

SHA512
ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d222ef6-fc93-452f-8910-98b4bcd5dc15\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d222ef6-fc93-452f-8910-98b4bcd5dc15\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d222ef6-fc93-452f-8910-98b4bcd5dc15\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA13.exe

MD5
cbc8c5fe6710e15b85661e2da6d06960

SHA1
d4c069f8315ef4880576b3c7acb84f8cbcead3a7

SHA256
f289ff2858796ca5999bdc68e7c74673654df78df46d3ad04c66f20ec56baa30

SHA512
70d3b5417f3f9ba72f3ae970ad283f96d68a8db27074b8b12274401f8420b8ec552333b185c5c678a1139bd80fec796c887d8fe43827c0d80d1974c5b29539a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA13.exe

MD5
cbc8c5fe6710e15b85661e2da6d06960

SHA1
d4c069f8315ef4880576b3c7acb84f8cbcead3a7

SHA256
f289ff2858796ca5999bdc68e7c74673654df78df46d3ad04c66f20ec56baa30

SHA512
70d3b5417f3f9ba72f3ae970ad283f96d68a8db27074b8b12274401f8420b8ec552333b185c5c678a1139bd80fec796c887d8fe43827c0d80d1974c5b29539a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCC2.exe

MD5
d4a42868a646f41edc6e324c3b029b65

SHA1
a3f871a58b41687e3b564d91fd8fffbcf69666f7

SHA256
b104ce9abfbd3be5a54562021dfb0d6da960d5389c6aa102cbec1df70d872f48

SHA512
fcfdaa3978d1771595ecf2f89b24499e58088a73b268b1a6959bdc9bc40647fa8f4e6217fa29c144d0572ecfebc73e1ff68ee2030314cdd1a5bb1850dee7f5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCC2.exe

MD5
d4a42868a646f41edc6e324c3b029b65

SHA1
a3f871a58b41687e3b564d91fd8fffbcf69666f7

SHA256
b104ce9abfbd3be5a54562021dfb0d6da960d5389c6aa102cbec1df70d872f48

SHA512
fcfdaa3978d1771595ecf2f89b24499e58088a73b268b1a6959bdc9bc40647fa8f4e6217fa29c144d0572ecfebc73e1ff68ee2030314cdd1a5bb1850dee7f5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCC2.exe

MD5
d4a42868a646f41edc6e324c3b029b65

SHA1
a3f871a58b41687e3b564d91fd8fffbcf69666f7

SHA256
b104ce9abfbd3be5a54562021dfb0d6da960d5389c6aa102cbec1df70d872f48

SHA512
fcfdaa3978d1771595ecf2f89b24499e58088a73b268b1a6959bdc9bc40647fa8f4e6217fa29c144d0572ecfebc73e1ff68ee2030314cdd1a5bb1850dee7f5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFDD.exe

MD5
06168639560dbc309cbd3223417b42df

SHA1
da1435de6d43b8b34bbb8ab7f09136c312243da3

SHA256
8ffc1e154d0945dd7ffb226134e840f08b42c197a615caf6ae269378dd6b5157

SHA512
0d2af991973e828d4186e4e4e95cbbc6bbfba19f11e9a497daaf028546e6cc498f0dfa47b6ae7ec4a42908036184e49a775bd031a4d639da1e61f3d73008970a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFDD.exe

MD5
06168639560dbc309cbd3223417b42df

SHA1
da1435de6d43b8b34bbb8ab7f09136c312243da3

SHA256
8ffc1e154d0945dd7ffb226134e840f08b42c197a615caf6ae269378dd6b5157

SHA512
0d2af991973e828d4186e4e4e95cbbc6bbfba19f11e9a497daaf028546e6cc498f0dfa47b6ae7ec4a42908036184e49a775bd031a4d639da1e61f3d73008970a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE84.exe

MD5
f459e7228b6ecd7b58332fe5bc60a62d

SHA1
65b3388f35c274130d21b75c2d00a365c1db1e3b

SHA256
8cd8437429a62c8586f58046687af34d81b16d5b3b7bea3b30e15c51b6e4c40d

SHA512
23371cd6467eb3e242d28dffc9397b365e6f786bac3840130f5e1fa4ec8b449298f4efc11714fb83ff18b02eff2a7b7cd02f3cdefe8e736fd3a6d9e241f6fee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE84.exe

MD5
f459e7228b6ecd7b58332fe5bc60a62d

SHA1
65b3388f35c274130d21b75c2d00a365c1db1e3b

SHA256
8cd8437429a62c8586f58046687af34d81b16d5b3b7bea3b30e15c51b6e4c40d

SHA512
23371cd6467eb3e242d28dffc9397b365e6f786bac3840130f5e1fa4ec8b449298f4efc11714fb83ff18b02eff2a7b7cd02f3cdefe8e736fd3a6d9e241f6fee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE84.exe

MD5
f459e7228b6ecd7b58332fe5bc60a62d

SHA1
65b3388f35c274130d21b75c2d00a365c1db1e3b

SHA256
8cd8437429a62c8586f58046687af34d81b16d5b3b7bea3b30e15c51b6e4c40d

SHA512
23371cd6467eb3e242d28dffc9397b365e6f786bac3840130f5e1fa4ec8b449298f4efc11714fb83ff18b02eff2a7b7cd02f3cdefe8e736fd3a6d9e241f6fee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1DBF.tmp

MD5
a03d3f989a1249e5dafa5202d0819b0f

SHA1
bc4015efffd15c5c9312dbde3e5fa4c203be3b4e

SHA256
66cc94acc866caba8fe9a04c24082c84a955500d8d7f71ceb5b9b48190ef4106

SHA512
15d43ac8bad532db65e3fb7514633fe2deaef98ecdcc079c8eebde1fa72c048be1982a98c17e52ec3d95b5a9749e39a7e55882fed115a5e236b47ab78f8bf6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjpunges\cjpunges.dll

MD5
11948093cb22ac703a8bc833f01cd657

SHA1
9efbc000075e3f322c6eb5cb8c5a57ad4ec8d365

SHA256
b05ee841847b5fa5796bc9518ff23dda67d1114b153d709c810294e67b3aeb6e

SHA512
80bdc75c99478c6572051ddf8b39aebbeb6fb2ee7a597cab9b7182bdecc58652b689aedeb5482a25c8dd17e484b70fe5d8378d88487c595c2b54f59516f534fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
794bf0ae26a7efb0c516cf4a7692c501

SHA1
c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2

SHA256
97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825

SHA512
20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S518V.tmp\CCC2.tmp

MD5
f5dc262e88d6fe9f42ded8cbd73b0d54

SHA1
7604f4ade4b1a51a8eb2899008997461448fce64

SHA256
1cf022442940894c83168075a49a7bddefaea4dc97c68d87e1c41747e33da292

SHA512
6945786de41b35a62c7c835e968ee458ef4aeb0e24778f01c6adc88e9745792c3b2c786e9d519d248f4126b9831ed5d74e18d92e4b7bcdcdfe56ba03c1e63ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TJ81M.tmp\CCC2.tmp

MD5
f5dc262e88d6fe9f42ded8cbd73b0d54

SHA1
7604f4ade4b1a51a8eb2899008997461448fce64

SHA256
1cf022442940894c83168075a49a7bddefaea4dc97c68d87e1c41747e33da292

SHA512
6945786de41b35a62c7c835e968ee458ef4aeb0e24778f01c6adc88e9745792c3b2c786e9d519d248f4126b9831ed5d74e18d92e4b7bcdcdfe56ba03c1e63ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Roaming\Audio Graph Wrapper for Windows\AUTHORS.txt

MD5
94a79694c4630f6bf73a24c5ab4c39f6

SHA1
64b621bdccac078f77ab13a8f49336c57498a586

SHA256
ea991dba5f8d5686f1b325af53b850334e5847f7b80cf30647499d2b4e7bfb35

SHA512
6c13e0bcc6c22ab17b3bcc8ec3903879d44d0fcd95574d056e8a088bc53c51a3016352bdafc65e10efdc837364117032e0506442519177a7226eee73d3d0993c

Download Submit
C:\Users\Admin\AppData\Roaming\Audio Graph Wrapper for Windows\audiograph.exe

MD5
371c458da10980a37c39c7543c99b781

SHA1
2a441e9bba2ba4c208a037f5f3e9c0efcb6cea19

SHA256
1308d51085ff450e0cf4134d1e0d577411afcf07dc39f30267ec42da51b3aa56

SHA512
d76813a4031ebef70048fb2b1cd4edefab0e1736960a6cefc562e5e259108cd279893e3e211a1a737a0eb871e3c98fba9704f79de3145dab0675e2dc7fdb18be

Download Submit
C:\Users\Admin\AppData\Roaming\Audio Graph Wrapper for Windows\audiograph.exe

MD5
371c458da10980a37c39c7543c99b781

SHA1
2a441e9bba2ba4c208a037f5f3e9c0efcb6cea19

SHA256
1308d51085ff450e0cf4134d1e0d577411afcf07dc39f30267ec42da51b3aa56

SHA512
d76813a4031ebef70048fb2b1cd4edefab0e1736960a6cefc562e5e259108cd279893e3e211a1a737a0eb871e3c98fba9704f79de3145dab0675e2dc7fdb18be

Download Submit
C:\Users\Admin\AppData\Roaming\Audio Graph Wrapper for Windows\j2gss.dll

MD5
7b4afe52f267ec39a849ef94a6504965

SHA1
74219ebbf7389b181895f277068335d0b3ae32a6

SHA256
a8fec53b67697f2dcd49575db374a7acf41299da98a4bf915ca0fcf13f41605f

SHA512
6aff6d24a436b6fa014a1d38cde9b6af739014b0861095d487afee04e6f2df7facf2349003b16535775f05f7288f2fa21191df3cc61ad59ddf954dd179a660a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Audio Graph Wrapper for Windows\Audio Graph Wrapper for Windows.lnk

MD5
e945f8557ef5781e341c992411d0fee3

SHA1
c22809900839e385c24853d5cfa487301d4b91c3

SHA256
d6407ee104f0ecaac4f9acfb878a2d9bf37bdcf55650ba6a9aea51872032e0df

SHA512
880de10c221d9000ea20e4eb6166d5f29110c1ae319a46f6679c8b62cdab18345b138c26688ae2e37042cc5743d5ba5d493b436fdfc361bc4b1036a0af4c77b6

Download Submit
C:\Users\Admin\AppData\Roaming\hisafjc

MD5
333a6446b4e4f947dd83b3c2ca0af182

SHA1
d4b0ea9943dc7711834c1afda20b39bd14bfaca6

SHA256
ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9

SHA512
60ab9dbf78475d87c91e25ff5e42cfc74592388ed7f8119d4d43dd2a3db7ce0304b6c23bfdaa2e017bf5c5257747e2c63a5198dd285302a96d770b1f920ea89e

Download Submit
C:\Users\Admin\AppData\Roaming\hisafjc

MD5
333a6446b4e4f947dd83b3c2ca0af182

SHA1
d4b0ea9943dc7711834c1afda20b39bd14bfaca6

SHA256
ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9

SHA512
60ab9dbf78475d87c91e25ff5e42cfc74592388ed7f8119d4d43dd2a3db7ce0304b6c23bfdaa2e017bf5c5257747e2c63a5198dd285302a96d770b1f920ea89e

Download Submit
C:\Users\Admin\AppData\Roaming\hisafjc

MD5
333a6446b4e4f947dd83b3c2ca0af182

SHA1
d4b0ea9943dc7711834c1afda20b39bd14bfaca6

SHA256
ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9

SHA512
60ab9dbf78475d87c91e25ff5e42cfc74592388ed7f8119d4d43dd2a3db7ce0304b6c23bfdaa2e017bf5c5257747e2c63a5198dd285302a96d770b1f920ea89e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjpunges\CSC14BE0F16F01249AC923F51B6FC23EB.TMP

MD5
ab9812d94465a393e988278182c3e4dc

SHA1
4338a01b710ec68e1b5c21a99ede8ed2c2b9c278

SHA256
0ba5a45f0111e13ec57b23d77cda21c7747dc61ad47fbb5852d79e762f2d5f0c

SHA512
071c0dc1e37cecdb5b203bf6d7907df74c4e4e0a44407870c3f8389c60ec47ff1d444fbd3c1388292543a686fe8b4a2d68f3b075c23637720bde9abdd16db816

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjpunges\cjpunges.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjpunges\cjpunges.cmdline

MD5
6890df211e6c766da1811d05fc0de495

SHA1
8e2c275dcd0321e4d594129f342e19a6e8d119f1

SHA256
8b135824c186a9e70f9c1c7cb1656e0756daa7e44f546a5a407a2ff33c0e91f9

SHA512
b0fdeb42d432fa3c552d8e722b6a57d85aa881520c6dc533b66ff1bc1344493638ac5c5ac30ac091c5d9fdadc55ca2f8ded78270d7338a8d4d4a560d1ce563b8

Download Submit
\??\c:\users\admin\appdata\local\temp\is-tj81m.tmp\ccc2.tmp

MD5
f5dc262e88d6fe9f42ded8cbd73b0d54

SHA1
7604f4ade4b1a51a8eb2899008997461448fce64

SHA256
1cf022442940894c83168075a49a7bddefaea4dc97c68d87e1c41747e33da292

SHA512
6945786de41b35a62c7c835e968ee458ef4aeb0e24778f01c6adc88e9745792c3b2c786e9d519d248f4126b9831ed5d74e18d92e4b7bcdcdfe56ba03c1e63ee4

Download Submit
\Users\Admin\AppData\Roaming\Audio Graph Wrapper for Windows\j2gss.dll

MD5
7b4afe52f267ec39a849ef94a6504965

SHA1
74219ebbf7389b181895f277068335d0b3ae32a6

SHA256
a8fec53b67697f2dcd49575db374a7acf41299da98a4bf915ca0fcf13f41605f

SHA512
6aff6d24a436b6fa014a1d38cde9b6af739014b0861095d487afee04e6f2df7facf2349003b16535775f05f7288f2fa21191df3cc61ad59ddf954dd179a660a1

Download Submit
memory/508-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/508-116-0x0000000000402FA5-mapping.dmp

Download
memory/636-770-0x0000000000000000-mapping.dmp

Download
memory/636-781-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/636-782-0x0000000007402000-0x0000000007403000-memory.dmp

Filesize
4KB

Download
memory/636-808-0x000000007F650000-0x000000007F651000-memory.dmp

Filesize
4KB

Download
memory/852-1358-0x0000000000000000-mapping.dmp

Download
memory/1524-1393-0x0000000000000000-mapping.dmp

Download
memory/1636-138-0x0000000000000000-mapping.dmp

Download
memory/1636-142-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1856-143-0x0000000000000000-mapping.dmp

Download
memory/1856-145-0x0000000000800000-0x000000000094A000-memory.dmp

Filesize
1.3MB

Download
memory/2076-146-0x0000000000000000-mapping.dmp

Download
memory/2076-184-0x0000000005964000-0x0000000005965000-memory.dmp

Filesize
4KB

Download
memory/2076-164-0x0000000005D80000-0x000000000617F000-memory.dmp

Filesize
4.0MB

Download
memory/2076-168-0x00000000016D0000-0x0000000001AD2000-memory.dmp

Filesize
4.0MB

Download
memory/2076-169-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2076-172-0x0000000005963000-0x0000000005964000-memory.dmp

Filesize
4KB

Download
memory/2076-173-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/2076-170-0x0000000005962000-0x0000000005963000-memory.dmp

Filesize
4KB

Download
memory/2076-182-0x00000000068B0000-0x00000000068B1000-memory.dmp

Filesize
4KB

Download
memory/2076-176-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/2204-193-0x000000000041C5D2-mapping.dmp

Download
memory/2204-192-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2204-215-0x0000000005330000-0x0000000005936000-memory.dmp

Filesize
6.0MB

Download
memory/2796-149-0x0000000000000000-mapping.dmp

Download
memory/2796-1313-0x0000000008B04000-0x0000000008B05000-memory.dmp

Filesize
4KB

Download
memory/2796-1312-0x0000000008B03000-0x0000000008B04000-memory.dmp

Filesize
4KB

Download
memory/2796-1308-0x0000000003240000-0x0000000006340000-memory.dmp

Filesize
49.0MB

Download
memory/2796-1311-0x0000000008B02000-0x0000000008B03000-memory.dmp

Filesize
4KB

Download
memory/2796-1310-0x0000000008B00000-0x0000000008B01000-memory.dmp

Filesize
4KB

Download
memory/2848-209-0x0000000006762000-0x0000000006763000-memory.dmp

Filesize
4KB

Download
memory/2848-244-0x000000007EDE0000-0x000000007EDE1000-memory.dmp

Filesize
4KB

Download
memory/2848-194-0x0000000006650000-0x0000000006651000-memory.dmp

Filesize
4KB

Download
memory/2848-189-0x0000000000000000-mapping.dmp

Download
memory/2848-196-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/2848-208-0x0000000006760000-0x0000000006761000-memory.dmp

Filesize
4KB

Download
memory/2848-241-0x00000000089A0000-0x00000000089D3000-memory.dmp

Filesize
204KB

Download
memory/2848-260-0x0000000006763000-0x0000000006764000-memory.dmp

Filesize
4KB

Download
memory/2952-1363-0x0000000000000000-mapping.dmp

Download
memory/3016-780-0x0000000001510000-0x0000000001526000-memory.dmp

Filesize
88KB

Download
memory/3016-117-0x0000000000FB0000-0x0000000000FC6000-memory.dmp

Filesize
88KB

Download
memory/3168-137-0x0000000000720000-0x00000000007CE000-memory.dmp

Filesize
696KB

Download
memory/3168-135-0x0000000000000000-mapping.dmp

Download
memory/3560-185-0x0000000000000000-mapping.dmp

Download
memory/3644-211-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/3644-321-0x0000000006713000-0x0000000006714000-memory.dmp

Filesize
4KB

Download
memory/3644-222-0x0000000006C20000-0x0000000006C21000-memory.dmp

Filesize
4KB

Download
memory/3644-237-0x0000000009200000-0x0000000009201000-memory.dmp

Filesize
4KB

Download
memory/3644-219-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/3644-216-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/3644-242-0x00000000088C0000-0x00000000088C1000-memory.dmp

Filesize
4KB

Download
memory/3644-1426-0x000000007EC10000-0x000000007EC11000-memory.dmp

Filesize
4KB

Download
memory/3644-198-0x0000000000000000-mapping.dmp

Download
memory/3644-213-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/3644-212-0x0000000006712000-0x0000000006713000-memory.dmp

Filesize
4KB

Download
memory/3648-130-0x0000000000000000-mapping.dmp

Download
memory/3648-134-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3672-178-0x0000000000000000-mapping.dmp

Download
memory/3756-171-0x0000000005590000-0x0000000005609000-memory.dmp

Filesize
484KB

Download
memory/3756-155-0x0000000000000000-mapping.dmp

Download
memory/3756-174-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/3756-166-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/3756-165-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/3756-160-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3908-1364-0x0000000000000000-mapping.dmp

Download
memory/3956-125-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/3956-177-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/3956-121-0x00000000772E0000-0x000000007746E000-memory.dmp

Filesize
1.6MB

Download
memory/3956-186-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/3956-128-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/3956-127-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/3956-126-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/3956-163-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/3956-157-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/3956-124-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/3956-129-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/3956-161-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/3956-118-0x0000000000000000-mapping.dmp

Download
memory/3956-122-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/4060-114-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4280-256-0x0000000000000000-mapping.dmp

Download
memory/4312-1394-0x0000000000000000-mapping.dmp

Download
memory/4368-275-0x0000000000000000-mapping.dmp

Download
memory/4468-527-0x0000000000402FA5-mapping.dmp

Download
memory/4572-1314-0x0000000000000000-mapping.dmp

Download
memory/4580-1315-0x0000000000000000-mapping.dmp

Download
memory/4604-1316-0x0000000000000000-mapping.dmp

Download
memory/4708-1023-0x0000000000000000-mapping.dmp

Download
memory/4708-1132-0x000000007F2F0000-0x000000007F2F1000-memory.dmp

Filesize
4KB

Download
memory/4708-1038-0x00000000065D0000-0x00000000065D1000-memory.dmp

Filesize
4KB

Download
memory/4708-1039-0x00000000065D2000-0x00000000065D3000-memory.dmp

Filesize
4KB

Download
memory/4812-366-0x0000000000000000-mapping.dmp

Download
memory/4812-436-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/4812-438-0x0000000007322000-0x0000000007323000-memory.dmp

Filesize
4KB

Download
memory/4812-550-0x000000007E1E0000-0x000000007E1E1000-memory.dmp

Filesize
4KB

Download
memory/4868-1353-0x0000000000000000-mapping.dmp

Download
memory/4900-1354-0x0000000000000000-mapping.dmp

Download
memory/4960-1357-0x0000000000000000-mapping.dmp

Download
memory/5024-1359-0x0000000000000000-mapping.dmp

Download
memory/5080-1360-0x0000000000000000-mapping.dmp

Download
memory/5092-1361-0x0000000000000000-mapping.dmp

Download
memory/5112-1362-0x0000000000000000-mapping.dmp

Download