asyncrat | 1c4b98c8316dc6822d7fec7ffd30e1d1070b4981d5d19d3e23abcfcfb5b26322

Analysis

max time kernel
30s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2023 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proxys_CG/Proxy_Scrape.exe
Size

27.3MB
MD5

5ce779c2c9652041aecf26eba68b5ae8
SHA1

b6fb791025d150dd032169e47b91e218cd3d047d
SHA256

909ead44e10fab229813da2813b7a268bdfc3f262e7dfc0eaed0a9ae5b265d12
SHA512

8bc042e4e724cdfe75c073511307c5d0fb5c479796d172f53da74e70ccc2dd00da0207b32d3ca4958c9b7ea93bc5a9000582b9cef0d3d784b5dc5a2289b03361
SSDEEP

393216:PWI7KzlGt0Yx3SRfBKP+ni4zhavd3vhytubv8:PJ0I3QfBKmaVJPbU

Score

10^/10

asyncrat stormkitty xworm default rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

vfggfhd.servemp3.com:4444

Mutex

swTfenM3uXIVcBaq

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5984178452:AAG6gENrQhQhIMDZBJkIZ8WStQLjakgKSsk/sendMessage?chat_id=5529838804

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 7 IoCs

resource	yara_rule
behavioral1/files/0x00030000000230a7-138.dat	family_stormkitty
behavioral1/files/0x00030000000230a7-143.dat	family_stormkitty
behavioral1/files/0x00030000000230a7-144.dat	family_stormkitty
behavioral1/files/0x0001000000023107-183.dat	family_stormkitty
behavioral1/files/0x0001000000023107-188.dat	family_stormkitty
behavioral1/files/0x0001000000023107-189.dat	family_stormkitty
behavioral1/memory/4788-190-0x0000000000CE0000-0x0000000000D10000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 8 IoCs

rat

resource	yara_rule
behavioral1/files/0x00030000000230a7-138.dat	asyncrat
behavioral1/files/0x00030000000230a7-143.dat	asyncrat
behavioral1/files/0x00030000000230a7-144.dat	asyncrat
behavioral1/files/0x0001000000023107-183.dat	asyncrat
behavioral1/files/0x0001000000023107-188.dat	asyncrat
behavioral1/files/0x0001000000023107-189.dat	asyncrat
behavioral1/memory/4788-190-0x0000000000CE0000-0x0000000000D10000-memory.dmp	asyncrat
behavioral1/memory/4948-215-0x000000001AED0000-0x000000001AEE0000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Proxy_Scrape.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Proxy_Scrape.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proxy.exe	proxy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proxy.exe	proxy.exe

Executes dropped EXE 5 IoCs

pid	Process
2296	Proxy_Scrape.exe
4948	proxy.exe
4132	PROXYS.EXE
4788	WORLD.EXE
3108	ProxyS.exe

Loads dropped DLL 14 IoCs

pid	Process
3108	ProxyS.exe
3108	ProxyS.exe
3108	ProxyS.exe
3108	ProxyS.exe
3108	ProxyS.exe
3108	ProxyS.exe
3108	ProxyS.exe
3108	ProxyS.exe
3108	ProxyS.exe
3108	ProxyS.exe
3108	ProxyS.exe
3108	ProxyS.exe
3108	ProxyS.exe
3108	ProxyS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	WORLD.EXE
File created	C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	WORLD.EXE
File created	C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	WORLD.EXE
File created	C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	WORLD.EXE
File created	C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	WORLD.EXE
File created	C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	WORLD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	WORLD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4252	powershell.exe
4252	powershell.exe
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE
4788	WORLD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	4788	WORLD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4252	3952	Proxy_Scrape.exe	79
PID 3952 wrote to memory of 4252	3952	Proxy_Scrape.exe	79
PID 3952 wrote to memory of 4252	3952	Proxy_Scrape.exe	79
PID 3952 wrote to memory of 2296	3952	Proxy_Scrape.exe	82
PID 3952 wrote to memory of 2296	3952	Proxy_Scrape.exe	82
PID 3952 wrote to memory of 2296	3952	Proxy_Scrape.exe	82
PID 3952 wrote to memory of 4948	3952	Proxy_Scrape.exe	83
PID 3952 wrote to memory of 4948	3952	Proxy_Scrape.exe	83
PID 2296 wrote to memory of 4132	2296	Proxy_Scrape.exe	84
PID 2296 wrote to memory of 4132	2296	Proxy_Scrape.exe	84
PID 2296 wrote to memory of 4788	2296	Proxy_Scrape.exe	85
PID 2296 wrote to memory of 4788	2296	Proxy_Scrape.exe	85
PID 2296 wrote to memory of 4788	2296	Proxy_Scrape.exe	85
PID 4132 wrote to memory of 3108	4132	PROXYS.EXE	87
PID 4132 wrote to memory of 3108	4132	PROXYS.EXE	87
PID 3108 wrote to memory of 2016	3108	ProxyS.exe	88
PID 3108 wrote to memory of 2016	3108	ProxyS.exe	88

C:\Users\Admin\AppData\Local\Temp\Proxys_CG\Proxy_Scrape.exe
"C:\Users\Admin\AppData\Local\Temp\Proxys_CG\Proxy_Scrape.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAaAB4ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAYgBzACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABlAGwAZQBnAHIAYQBtACAAQABYAFQAaQBnAGUAZQByAF8AYwBoAGEAbgBuAGUAbAAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAeQBnAGgAIwA+AA=="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4252
- C:\Users\Admin\AppData\Local\Temp\Proxy_Scrape.exe
  "C:\Users\Admin\AppData\Local\Temp\Proxy_Scrape.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\PROXYS.EXE
    "C:\Users\Admin\AppData\Local\Temp\PROXYS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\ProxyS.exe
      "C:\Users\Admin\AppData\Local\Temp\PROXYS.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2016
- - C:\Users\Admin\AppData\Local\Temp\WORLD.EXE
    "C:\Users\Admin\AppData\Local\Temp\WORLD.EXE"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4788
- C:\Users\Admin\AppData\Local\Temp\proxy.exe
  "C:\Users\Admin\AppData\Local\Temp\proxy.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:4948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
84KB

MD5
7f2bba8a38712d00907f6e37f0ce6028

SHA1
e22227fc0fd45afdcf6c5d31a1cebffee22dfc32

SHA256
cd04ebe932b2cb2fd7f01c25412bddd77b476fa47d0aff69a04a27d3bfe4b37b

SHA512
ca46ceaf1b6683e6d505edbe33b1d36f2940a72fc34f42fa4aa0928f918d836803113bf9a404657ec3a65bc4e40ed13117ad48457a048c82599db37f98b68af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
124KB

MD5
38d9d8ed2b7df64790150a2a523fd3b9

SHA1
a629c8e76136fa5678c758351e2dcff5324f51e7

SHA256
11daef02afe45d9f3987bab5c2b6ef75b2b6f6f79704c45675d532f090f14b8b

SHA512
7a37a98bb9824680e3f0030e0db795f9eab1cc4d2b6605e4f6c37d432b4de0642481dd7b6c6f0e53264f2d940b4800555ab0d84145d7de35f4a65a26ca100fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
63KB

MD5
75ed91d3b7a40eca5b32a13b90191ead

SHA1
320bd4b6116f735d8508382738e50ba8862b8029

SHA256
202535a5ceb0bf70c2046639a3884c24f2cccb1bd92827e61b5a7a663d9399ba

SHA512
0eb81335c97842233751e7b4c0d6581accaf00a86f3e06fe35b2c80bd6badf83a321eaf4a449a31238ed3f60aa09890769bf54775cd7efd5112255842e1582c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
159KB

MD5
ad02ea81a127a401f4df84c082f3cce6

SHA1
9c6c851c52f331d17a33936c9aad8dcef2542709

SHA256
4213fbb6936ad3eac1e1ba28f10e15719176bc3a59ff01ddc6828dd7eee52132

SHA512
cdccd9e5fffc2a2836f7677985d63c0a8a90fc91f1d98a0f2355c11141e21ecd564bbbfba87e717ac80f784a68b6f43430476fbd72cec9820c691df6612ffd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

Filesize
29KB

MD5
f9718fe21174d8428f022aaf60bf92da

SHA1
db7e85eaa7c795792050af43d47518ca7fa7878a

SHA256
95e1c419e08d8ab229b8c64d51fd301cd9d75a659dfc05e75b0317ca0a4f22e3

SHA512
000929c994446f22e4f11a011c21b7401bbe8b3b1a624b80a4eeb818f94190b3db2782b00e477e548814caea5234d4de5a8a766d72365c26654d655ec4546be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
78KB

MD5
0a6c6fd7697e4c3757014fa6bf6dd615

SHA1
f14f79831b8b16a7b31f4c7f698317c023d446f9

SHA256
a611e9b4f4e5fe67e945b771d79cf15c48441ecfa11ce186cec9bf233dc20c0d

SHA512
f5fcfede06f0f81229b946f803b6e292fd0c909191f3c2a82ca317ff7c2e08d1ea98aa2d11ec85edd5449994a2a7c61318a15d47806cd761e25739494f3e18e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
152KB

MD5
3baf56d4e63a800fcaf2cc98fc120709

SHA1
2a33341eda4b4549452b6db9b259f8ae6ec9c806

SHA256
d7610dd6be63aada4fe1895b64bbac961840257c6988e1f68bbf3d8e486b5a45

SHA512
e48899ed5581fe9f45c02219d62e0acbc92906af5b7a3b7d9be1bb28b41f5cfdb0d3496abc6d0c1a809bb80d2a49c5a456d34e4667995fb88ef8aca6958881dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
28KB

MD5
196c4d2f8bdc9e9d2dbcce866050684c

SHA1
1166c85c761d8188c45d9cc7441abfe8a7071132

SHA256
cd31f9f557d57a6909186940eafe483c37de9a7251e604644a747c7ec26b7823

SHA512
cb9a02530721482f0ff912ca65dae94f6930676e2390cb5523f99452174622d7e2e70cafaf46e053f0c3dfc314edc8c2f4fd3bc7ea888be81e83ff40d3a30e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

Filesize
1.1MB

MD5
684ae6992f55ad6c64588367e42f44f7

SHA1
66d8868286924ada60966a620dffe87b2c978711

SHA256
91834e28cc0acbd966dc6d323b95113e0050301b7cd6cd4abe43390f2bbddb34

SHA512
70453ee98cbf6365aa7a326520cdad438d6a1d6f463da6180cb5e20708647951831d232b577be50a16825912a9e40386c64a9987e3265fc870cddd918b31614c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PROXYS.EXE

Filesize
27.0MB

MD5
8c98097d9e4be6b28b7905b112ace013

SHA1
0aca2e7cdacb9e5381af9bafe5c178153e7153a2

SHA256
312ee7bc18071439c78712241ea2ed5504e4441043098bb0c942e68d6dc28ce5

SHA512
e2dbbcafc0453ff6b70807dc51c086f1d58288973786b6c6aafa0d9de7c1d9a2047384563d362dce30fe6f270ca252d34cee453663b647c2ed64f51e6cbd5c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PROXYS.EXE

Filesize
27.0MB

MD5
8c98097d9e4be6b28b7905b112ace013

SHA1
0aca2e7cdacb9e5381af9bafe5c178153e7153a2

SHA256
312ee7bc18071439c78712241ea2ed5504e4441043098bb0c942e68d6dc28ce5

SHA512
e2dbbcafc0453ff6b70807dc51c086f1d58288973786b6c6aafa0d9de7c1d9a2047384563d362dce30fe6f270ca252d34cee453663b647c2ed64f51e6cbd5c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PROXYS.EXE

Filesize
27.0MB

MD5
8c98097d9e4be6b28b7905b112ace013

SHA1
0aca2e7cdacb9e5381af9bafe5c178153e7153a2

SHA256
312ee7bc18071439c78712241ea2ed5504e4441043098bb0c942e68d6dc28ce5

SHA512
e2dbbcafc0453ff6b70807dc51c086f1d58288973786b6c6aafa0d9de7c1d9a2047384563d362dce30fe6f270ca252d34cee453663b647c2ed64f51e6cbd5c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proxy_Scrape.exe

Filesize
27.2MB

MD5
8e58b20983897c7af5b5e0defc9fcc9b

SHA1
b82c7dd8ba4e5abacb9f4a0db091ef252a2ce6ac

SHA256
da10847ce1fc60976026e27aed6879f224aad363b5b03f87fe626464cc999a7f

SHA512
b217d59d8d38b0958a3166de7f3f27f3dbff6b3795370e1a5a1a16c2fa1d614d9f70d53e8a274d7294d583b61bfcd8312c6ac624eae750403608e160e2ec614f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proxy_Scrape.exe

Filesize
27.2MB

MD5
8e58b20983897c7af5b5e0defc9fcc9b

SHA1
b82c7dd8ba4e5abacb9f4a0db091ef252a2ce6ac

SHA256
da10847ce1fc60976026e27aed6879f224aad363b5b03f87fe626464cc999a7f

SHA512
b217d59d8d38b0958a3166de7f3f27f3dbff6b3795370e1a5a1a16c2fa1d614d9f70d53e8a274d7294d583b61bfcd8312c6ac624eae750403608e160e2ec614f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proxy_Scrape.exe

Filesize
27.2MB

MD5
8e58b20983897c7af5b5e0defc9fcc9b

SHA1
b82c7dd8ba4e5abacb9f4a0db091ef252a2ce6ac

SHA256
da10847ce1fc60976026e27aed6879f224aad363b5b03f87fe626464cc999a7f

SHA512
b217d59d8d38b0958a3166de7f3f27f3dbff6b3795370e1a5a1a16c2fa1d614d9f70d53e8a274d7294d583b61bfcd8312c6ac624eae750403608e160e2ec614f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WORLD.EXE

Filesize
170KB

MD5
46146595bd566247d308857770b7c2cd

SHA1
7ed48b51034dbb30f8f5581189c08a5494480f67

SHA256
4364cbfdfdcbb28927716eac10fa5615a169859d6fb7b36dd1b3e4c7a8ca332a

SHA512
a9c31e0d7afed2e4608b821fec63ea3c20efc81fb1b323380899f2456f36963ff01381e4da043f6e5314829693250e236804c090ff08d4322a9c8269be7a311a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WORLD.EXE

Filesize
170KB

MD5
46146595bd566247d308857770b7c2cd

SHA1
7ed48b51034dbb30f8f5581189c08a5494480f67

SHA256
4364cbfdfdcbb28927716eac10fa5615a169859d6fb7b36dd1b3e4c7a8ca332a

SHA512
a9c31e0d7afed2e4608b821fec63ea3c20efc81fb1b323380899f2456f36963ff01381e4da043f6e5314829693250e236804c090ff08d4322a9c8269be7a311a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WORLD.EXE

Filesize
170KB

MD5
46146595bd566247d308857770b7c2cd

SHA1
7ed48b51034dbb30f8f5581189c08a5494480f67

SHA256
4364cbfdfdcbb28927716eac10fa5615a169859d6fb7b36dd1b3e4c7a8ca332a

SHA512
a9c31e0d7afed2e4608b821fec63ea3c20efc81fb1b323380899f2456f36963ff01381e4da043f6e5314829693250e236804c090ff08d4322a9c8269be7a311a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uarnkbcw.gvh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\ProxyS.exe

Filesize
12.6MB

MD5
1de7b7c0fcc0d5ce3d55952fe70f7e8b

SHA1
b14ba02a502462c28ac3db224777208efaae6d56

SHA256
594f41ec5f7809a5cd56fcde51063c91a83c52a6d1047d963d939cbf9df1890e

SHA512
dca645fadb01ad3a0045798108c5cfd8c9f65c69149a6bd49d3777d51b030b8d3bb3dde95551a60c8e7324e8f5d5742af1e35b9677210edf51410edb39d779d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\_bz2.pyd

Filesize
84KB

MD5
7f2bba8a38712d00907f6e37f0ce6028

SHA1
e22227fc0fd45afdcf6c5d31a1cebffee22dfc32

SHA256
cd04ebe932b2cb2fd7f01c25412bddd77b476fa47d0aff69a04a27d3bfe4b37b

SHA512
ca46ceaf1b6683e6d505edbe33b1d36f2940a72fc34f42fa4aa0928f918d836803113bf9a404657ec3a65bc4e40ed13117ad48457a048c82599db37f98b68af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\_ctypes.pyd

Filesize
124KB

MD5
38d9d8ed2b7df64790150a2a523fd3b9

SHA1
a629c8e76136fa5678c758351e2dcff5324f51e7

SHA256
11daef02afe45d9f3987bab5c2b6ef75b2b6f6f79704c45675d532f090f14b8b

SHA512
7a37a98bb9824680e3f0030e0db795f9eab1cc4d2b6605e4f6c37d432b4de0642481dd7b6c6f0e53264f2d940b4800555ab0d84145d7de35f4a65a26ca100fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\_hashlib.pyd

Filesize
63KB

MD5
75ed91d3b7a40eca5b32a13b90191ead

SHA1
320bd4b6116f735d8508382738e50ba8862b8029

SHA256
202535a5ceb0bf70c2046639a3884c24f2cccb1bd92827e61b5a7a663d9399ba

SHA512
0eb81335c97842233751e7b4c0d6581accaf00a86f3e06fe35b2c80bd6badf83a321eaf4a449a31238ed3f60aa09890769bf54775cd7efd5112255842e1582c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\_lzma.pyd

Filesize
159KB

MD5
ad02ea81a127a401f4df84c082f3cce6

SHA1
9c6c851c52f331d17a33936c9aad8dcef2542709

SHA256
4213fbb6936ad3eac1e1ba28f10e15719176bc3a59ff01ddc6828dd7eee52132

SHA512
cdccd9e5fffc2a2836f7677985d63c0a8a90fc91f1d98a0f2355c11141e21ecd564bbbfba87e717ac80f784a68b6f43430476fbd72cec9820c691df6612ffd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\_queue.pyd

Filesize
29KB

MD5
f9718fe21174d8428f022aaf60bf92da

SHA1
db7e85eaa7c795792050af43d47518ca7fa7878a

SHA256
95e1c419e08d8ab229b8c64d51fd301cd9d75a659dfc05e75b0317ca0a4f22e3

SHA512
000929c994446f22e4f11a011c21b7401bbe8b3b1a624b80a4eeb818f94190b3db2782b00e477e548814caea5234d4de5a8a766d72365c26654d655ec4546be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\_socket.pyd

Filesize
78KB

MD5
0a6c6fd7697e4c3757014fa6bf6dd615

SHA1
f14f79831b8b16a7b31f4c7f698317c023d446f9

SHA256
a611e9b4f4e5fe67e945b771d79cf15c48441ecfa11ce186cec9bf233dc20c0d

SHA512
f5fcfede06f0f81229b946f803b6e292fd0c909191f3c2a82ca317ff7c2e08d1ea98aa2d11ec85edd5449994a2a7c61318a15d47806cd761e25739494f3e18e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\_ssl.pyd

Filesize
152KB

MD5
3baf56d4e63a800fcaf2cc98fc120709

SHA1
2a33341eda4b4549452b6db9b259f8ae6ec9c806

SHA256
d7610dd6be63aada4fe1895b64bbac961840257c6988e1f68bbf3d8e486b5a45

SHA512
e48899ed5581fe9f45c02219d62e0acbc92906af5b7a3b7d9be1bb28b41f5cfdb0d3496abc6d0c1a809bb80d2a49c5a456d34e4667995fb88ef8aca6958881dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\python39.dll

Filesize
4.3MB

MD5
19e6d310c1bd0578d468a888d3ec0e3d

SHA1
32561ad9b89dc9e9a086569780890ad10337e698

SHA256
f4609ec3bbcc74ed9257e3440ec15adf3061f7162a89e4e9a370e1c2273370a1

SHA512
4a8332c22a40a170ea83fc8cfd5b8a0ed0df1d59fd22ebe10088ba0be78cc0e91a537d7085549a4d06204cbe77e83154a812daed885c25aa4b4cb4aca5b9cc85

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\python39.dll

Filesize
4.3MB

MD5
19e6d310c1bd0578d468a888d3ec0e3d

SHA1
32561ad9b89dc9e9a086569780890ad10337e698

SHA256
f4609ec3bbcc74ed9257e3440ec15adf3061f7162a89e4e9a370e1c2273370a1

SHA512
4a8332c22a40a170ea83fc8cfd5b8a0ed0df1d59fd22ebe10088ba0be78cc0e91a537d7085549a4d06204cbe77e83154a812daed885c25aa4b4cb4aca5b9cc85

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\select.pyd

Filesize
28KB

MD5
196c4d2f8bdc9e9d2dbcce866050684c

SHA1
1166c85c761d8188c45d9cc7441abfe8a7071132

SHA256
cd31f9f557d57a6909186940eafe483c37de9a7251e604644a747c7ec26b7823

SHA512
cb9a02530721482f0ff912ca65dae94f6930676e2390cb5523f99452174622d7e2e70cafaf46e053f0c3dfc314edc8c2f4fd3bc7ea888be81e83ff40d3a30e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\unicodedata.pyd

Filesize
1.1MB

MD5
684ae6992f55ad6c64588367e42f44f7

SHA1
66d8868286924ada60966a620dffe87b2c978711

SHA256
91834e28cc0acbd966dc6d323b95113e0050301b7cd6cd4abe43390f2bbddb34

SHA512
70453ee98cbf6365aa7a326520cdad438d6a1d6f463da6180cb5e20708647951831d232b577be50a16825912a9e40386c64a9987e3265fc870cddd918b31614c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4132_133263991809301398\vcruntime140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\proxy.exe

Filesize
40KB

MD5
7f024363d61f8090e2a1ed586e4e0dd1

SHA1
0dbbb02b82f5ceedfcdceaa828adc0949ae6d70a

SHA256
914266592f318e5cab5ff3ff02f90e9b8d0100a04fb88234ee9151534272bf36

SHA512
adfa8a04a42a2b3a88db0c5bd27f64a484277c85c4ef99e39351dce62908b72d8f3502c8136efb2f1b29fa183d2688576aa817b709aa98107c2c904c809f256e

Download Submit
C:\Users\Admin\AppData\Local\Temp\proxy.exe

Filesize
40KB

MD5
7f024363d61f8090e2a1ed586e4e0dd1

SHA1
0dbbb02b82f5ceedfcdceaa828adc0949ae6d70a

SHA256
914266592f318e5cab5ff3ff02f90e9b8d0100a04fb88234ee9151534272bf36

SHA512
adfa8a04a42a2b3a88db0c5bd27f64a484277c85c4ef99e39351dce62908b72d8f3502c8136efb2f1b29fa183d2688576aa817b709aa98107c2c904c809f256e

Download Submit
C:\Users\Admin\AppData\Local\Temp\proxy.exe

Filesize
40KB

MD5
7f024363d61f8090e2a1ed586e4e0dd1

SHA1
0dbbb02b82f5ceedfcdceaa828adc0949ae6d70a

SHA256
914266592f318e5cab5ff3ff02f90e9b8d0100a04fb88234ee9151534272bf36

SHA512
adfa8a04a42a2b3a88db0c5bd27f64a484277c85c4ef99e39351dce62908b72d8f3502c8136efb2f1b29fa183d2688576aa817b709aa98107c2c904c809f256e

Download Submit
C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\System\Process.txt

Filesize
4KB

MD5
6bc779ad324081c4481c3b6eb4fabc02

SHA1
32af465539755b7c923424e922722ab6a6a1a395

SHA256
d6e70b38dc3a5b07baf803057ce38c803fb1ce792b4b501dded05f0fc8ffff37

SHA512
02322d3372e3fea771a836849f1f1838b555731f223972655880fc1b975a5791f515e6b5ba6b81fc0e2be4eb9b01abea5e138749a9d57b27a2627343432309c6

Download Submit
memory/4252-140-0x0000000005060000-0x0000000005082000-memory.dmp

Filesize
136KB

Download
memory/4252-139-0x0000000005110000-0x0000000005738000-memory.dmp

Filesize
6.2MB

Download
memory/4252-158-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4252-156-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/4252-174-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/4252-134-0x0000000004A80000-0x0000000004AB6000-memory.dmp

Filesize
216KB

Download
memory/4252-251-0x0000000007440000-0x00000000074D2000-memory.dmp

Filesize
584KB

Download
memory/4252-153-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4252-250-0x0000000008310000-0x00000000088B4000-memory.dmp

Filesize
5.6MB

Download
memory/4252-157-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/4252-247-0x00000000076E0000-0x0000000007D5A000-memory.dmp

Filesize
6.5MB

Download
memory/4252-249-0x0000000006530000-0x000000000654A000-memory.dmp

Filesize
104KB

Download
memory/4252-248-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4788-216-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/4788-255-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/4788-190-0x0000000000CE0000-0x0000000000D10000-memory.dmp

Filesize
192KB

Download
memory/4788-401-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/4948-159-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/4948-254-0x000000001AED0000-0x000000001AEE0000-memory.dmp

Filesize
64KB

Download
memory/4948-215-0x000000001AED0000-0x000000001AEE0000-memory.dmp

Filesize
64KB

Download