Analysis

  • max time kernel
    142s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    02-10-2021 18:43

General

  • Target

    ab444e67d59822e2db238c4eb8e99d04.exe

  • Size

    193KB

  • MD5

    ab444e67d59822e2db238c4eb8e99d04

  • SHA1

    8acd24cb9543babc8e9c22f2aafd39e0430a4602

  • SHA256

    a60659139ff3a9e6a4a482e060e301c83a25a02227308f6f572d79cc95c63dce

  • SHA512

    fc2cd599f4ef10f0f5a1d0db8de316b07076ed8323abc2fd099a40cb97fec0a46f35d7bbb1513435738f1c6bca0fb21b6998ea7b0658124fca95262106c80e73

Malware Config

Extracted

Family

raccoon

Botnet

Attributes
  • url4cnc

rc4.plain

Extracted

Family

redline

Botnet

mix02.10

C2

185.215.113.15:6043

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  • suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
  • suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
  • suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M1
  • suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M2
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 10 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab444e67d59822e2db238c4eb8e99d04.exe
    "C:\Users\Admin\AppData\Local\Temp\ab444e67d59822e2db238c4eb8e99d04.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:664
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\96807984957.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\96807984957.exe
        "C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\96807984957.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\96807984957.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3732
          • C:\Windows\SysWOW64\timeout.exe
            timeout /T 10 /NOBREAK
            5⤵
            • Delays execution with timeout.exe
            PID:3012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\97712561087.exe" /mix
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\97712561087.exe
        "C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\97712561087.exe" /mix
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Users\Admin\AppData\Local\Temp\File.exe
          "C:\Users\Admin\AppData\Local\Temp\File.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Users\Admin\AppData\Local\Temp\pigpen\kelpie.exe
            "C:\Users\Admin\AppData\Local\Temp\pigpen\kelpie.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1304
            • C:\Windows\SysWOW64\dllhost.exe
              dllhost.exe
              6⤵
              PID:4048
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c cmd < Rivederla.sldx
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1452
              • C:\Windows\SysWOW64\cmd.exe
                cmd
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:412
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /V /R "^aOROvJzUjvvRrAnkxWTqxczDSakEvmxODKzodbkPMiFVEfmoYTgheyJXchWrbPbMwIgzidUWKrghPnZDSrFDk$" Prende.sldx
                  8⤵
                  PID:2100
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grazia.exe.com
                  Grazia.exe.com B
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:664
                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grazia.exe.com
                    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grazia.exe.com B
                    9⤵
                    • Executes dropped EXE
                    • Checks processor information in registry
                    • Modifies registry class
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:1564
                    • C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qtpkiylfnmw.vbs"
                      10⤵
                      PID:1180
                    • C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hjuorknudcc.vbs"
                      10⤵
                      • Blocklisted process makes network request
                      PID:2644
                • C:\Windows\SysWOW64\PING.EXE
                  ping 127.0.0.1
                  8⤵
                  • Runs ping.exe
                  PID:3860
          • C:\Users\Admin\AppData\Local\Temp\pigpen\poteye.exe
            "C:\Users\Admin\AppData\Local\Temp\pigpen\poteye.exe"
            5⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Drops startup file
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:3168
            • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
              "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: AddClipboardFormatListener
              PID:2640
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\ZfgIhAXfZr & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\97712561087.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3756
          • C:\Windows\SysWOW64\timeout.exe
            timeout 4
            5⤵
            • Delays execution with timeout.exe
            PID:4024
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\05511100778.exe" /mix
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\05511100778.exe
        "C:\Users\Admin\AppData\Local\Temp\{nfrl-G6MzG-4QWw-Hnr28}\05511100778.exe" /mix
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:2368
        • C:\Users\Admin\AppData\Roaming\sliders\monns.exe
          monns.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "ab444e67d59822e2db238c4eb8e99d04.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ab444e67d59822e2db238c4eb8e99d04.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "ab444e67d59822e2db238c4eb8e99d04.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3784

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    T1060 Registry Run Keys / Startup Folder (1)
  • Defense Evasion
    T1497 Virtualization/Sandbox Evasion (1)
    T1112 Modify Registry (1)
  • Credential Access
    T1081 Credentials in Files (3)
  • Discovery
    T1012 Query Registry (4)
    T1497 Virtualization/Sandbox Evasion (1)
    T1082 System Information Discovery (4)
    T1018 Remote System Discovery (1)
  • Collection
    T1005 Data from Local System (3)
  • Command and Control
    T1102 Web Service (1)

Downloads
