asyncrat | 1216f48b727c93df1945ecca6261c637f7860520b213e7f9582e33b1c969fe05

Analysis

max time kernel
300s
max time network
302s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
12-02-2024 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1216f48b727c93df1945ecca6261c637f7860520b213e7f9582e33b1c969fe05.exe
Size

170KB
MD5

902c4b980384894283b534c3d8972a5f
SHA1

8c05e7d329f359b7fbe4648dfe59872f530cd12e
SHA256

1216f48b727c93df1945ecca6261c637f7860520b213e7f9582e33b1c969fe05
SHA512

fc446e5d24f11c7d4fc64eb018d3c2e8e728bc2e1372fd5cf76caf6ba09d5666a5291684ce120f3c4c40191584fa9785f916b1b62f91cbe40a6d1eb129133431
SSDEEP

3072:fpMb0SXiEmLCpYbz8/UVS7OiJIvVO77NSYZA7kO0IDm:fp0VXTECObAUO7DUD

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.ldhy
offline_id
pIGzEr0bxHiTz7xnvNidWeqzKkxMfVdHTyCkzwt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-hPAqznkJKD Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0849ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.7

Botnet

655507914130aa0fe72362726c206a7c

https://t.me/newagev

https://steamcommunity.com/profiles/76561199631487327

Attributes

profile_id_v2
655507914130aa0fe72362726c206a7c

Extracted

Family

redline

Botnet

Exodus

93.123.39.68:1334

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

93.123.39.68:4449

Mutex

kszghixltbdczq

Attributes

delay
1
install
true
install_file
chromeupdate.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3284-74-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral2/memory/3284-73-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral2/memory/2340-72-0x00000000005E0000-0x0000000000611000-memory.dmp	family_vidar_v7
behavioral2/memory/3284-68-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral2/memory/3284-105-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral2/memory/2316-185-0x0000000002D20000-0x0000000002E20000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4348-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1716-27-0x0000000002150000-0x000000000226B000-memory.dmp	family_djvu
behavioral2/memory/4348-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4348-28-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4348-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4348-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4968-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4968-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4968-51-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4968-59-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4968-58-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4968-88-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4968-90-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4968-91-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4968-98-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4968-100-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8117.exe	family_redline
behavioral2/memory/4972-166-0x0000000000110000-0x000000000012E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\asdjijjjjj.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\asdjijjjjj.exe	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8117.exe	family_sectoprat
behavioral2/memory/4972-166-0x0000000000110000-0x000000000012E000-memory.dmp	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\asdjijjjjj.exe	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\asdjijjjjj.exe	family_sectoprat
behavioral2/memory/4580-311-0x00000000028B0000-0x00000000048B0000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\adasda.exe	family_asyncrat
C:\Users\Admin\AppData\Local\Temp\adasda.exe	family_asyncrat

Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

3032
Drops startup file 1 IoCs

Processes:

RegAsm.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe RegAsm.exe

pid	process
3032

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	RegAsm.exe

Executes dropped EXE 25 IoCs

Processes:

D457.exeE485.exeE485.exeE485.exeE485.exebuild2.exebuild2.exebuild3.exebuild3.exe6F9F.exe7CB1.exe8117.exedrfwabgqemu-ga.exemstsca.exeadasda.exeasdjijjjjj.exechromeupdate.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
4064	D457.exe
1716	E485.exe
4348	E485.exe
988	E485.exe
4968	E485.exe
2340	build2.exe
3284	build2.exe
4036	build3.exe
2604	build3.exe
1696	6F9F.exe
4580	7CB1.exe
4972	8117.exe
2316	drfwabg
3820	qemu-ga.exe
4560	mstsca.exe
2080	adasda.exe
2356	asdjijjjjj.exe
4860	chromeupdate.exe
1760	mstsca.exe
648	mstsca.exe
3164	mstsca.exe
3548	mstsca.exe
532	mstsca.exe
592	mstsca.exe
4560	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4380 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4380	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

E485.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d53fe415-ed9d-45e9-928d-2e095abf95da\\E485.exe\" --AutoStart"	E485.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 api.2ip.ua
24 api.2ip.ua
35 api.2ip.ua

flow	ioc
22	api.2ip.ua
24	api.2ip.ua
35	api.2ip.ua

Suspicious use of SetThreadContext 9 IoCs

Processes:

E485.exeE485.exebuild2.exebuild3.exe7CB1.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 1716 set thread context of 4348	1716	E485.exe	E485.exe
PID 988 set thread context of 4968	988	E485.exe	E485.exe
PID 2340 set thread context of 3284	2340	build2.exe	build2.exe
PID 4036 set thread context of 2604	4036	build3.exe	build3.exe
PID 4580 set thread context of 816	4580	7CB1.exe	RegAsm.exe
PID 4560 set thread context of 1760	4560	mstsca.exe	mstsca.exe
PID 648 set thread context of 3164	648	mstsca.exe	mstsca.exe
PID 3548 set thread context of 532	3548	mstsca.exe	mstsca.exe
PID 592 set thread context of 4560	592	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4828 3284 WerFault.exe build2.exe

pid	pid_target	process	target process
4828	3284	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1216f48b727c93df1945ecca6261c637f7860520b213e7f9582e33b1c969fe05.exeD457.exedrfwabg

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1216f48b727c93df1945ecca6261c637f7860520b213e7f9582e33b1c969fe05.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1216f48b727c93df1945ecca6261c637f7860520b213e7f9582e33b1c969fe05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D457.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	drfwabg
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	drfwabg
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1216f48b727c93df1945ecca6261c637f7860520b213e7f9582e33b1c969fe05.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D457.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	drfwabg
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D457.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1112 schtasks.exe
1624 schtasks.exe
500 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4932 timeout.exe

pid	process
1112	schtasks.exe
1624	schtasks.exe
500	schtasks.exe

pid	process
4932	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1216f48b727c93df1945ecca6261c637f7860520b213e7f9582e33b1c969fe05.exe

pid	process
520	1216f48b727c93df1945ecca6261c637f7860520b213e7f9582e33b1c969fe05.exe
520	1216f48b727c93df1945ecca6261c637f7860520b213e7f9582e33b1c969fe05.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

1216f48b727c93df1945ecca6261c637f7860520b213e7f9582e33b1c969fe05.exeD457.exedrfwabg

pid process

520 1216f48b727c93df1945ecca6261c637f7860520b213e7f9582e33b1c969fe05.exe
4064 D457.exe
2316 drfwabg

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

8117.exeRegAsm.exeadasda.exechromeupdate.exe

description	pid	process
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeDebugPrivilege	4972	8117.exe
Token: SeDebugPrivilege	816	RegAsm.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeDebugPrivilege	2080	adasda.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeDebugPrivilege	4860	chromeupdate.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

chromeupdate.exe

pid process

4860 chromeupdate.exe

pid	process
4860	chromeupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

E485.exeE485.exeE485.exeE485.exebuild2.exebuild3.exebuild3.exe

description	pid	process	target process
PID 3032 wrote to memory of 4064	3032		D457.exe
PID 3032 wrote to memory of 4064	3032		D457.exe
PID 3032 wrote to memory of 4064	3032		D457.exe
PID 3032 wrote to memory of 1716	3032		E485.exe
PID 3032 wrote to memory of 1716	3032		E485.exe
PID 3032 wrote to memory of 1716	3032		E485.exe
PID 1716 wrote to memory of 4348	1716	E485.exe	E485.exe
PID 1716 wrote to memory of 4348	1716	E485.exe	E485.exe
PID 1716 wrote to memory of 4348	1716	E485.exe	E485.exe
PID 1716 wrote to memory of 4348	1716	E485.exe	E485.exe
PID 1716 wrote to memory of 4348	1716	E485.exe	E485.exe
PID 1716 wrote to memory of 4348	1716	E485.exe	E485.exe
PID 1716 wrote to memory of 4348	1716	E485.exe	E485.exe
PID 1716 wrote to memory of 4348	1716	E485.exe	E485.exe
PID 1716 wrote to memory of 4348	1716	E485.exe	E485.exe
PID 1716 wrote to memory of 4348	1716	E485.exe	E485.exe
PID 4348 wrote to memory of 4380	4348	E485.exe	icacls.exe
PID 4348 wrote to memory of 4380	4348	E485.exe	icacls.exe
PID 4348 wrote to memory of 4380	4348	E485.exe	icacls.exe
PID 4348 wrote to memory of 988	4348	E485.exe	E485.exe
PID 4348 wrote to memory of 988	4348	E485.exe	E485.exe
PID 4348 wrote to memory of 988	4348	E485.exe	E485.exe
PID 988 wrote to memory of 4968	988	E485.exe	E485.exe
PID 988 wrote to memory of 4968	988	E485.exe	E485.exe
PID 988 wrote to memory of 4968	988	E485.exe	E485.exe
PID 988 wrote to memory of 4968	988	E485.exe	E485.exe
PID 988 wrote to memory of 4968	988	E485.exe	E485.exe
PID 988 wrote to memory of 4968	988	E485.exe	E485.exe
PID 988 wrote to memory of 4968	988	E485.exe	E485.exe
PID 988 wrote to memory of 4968	988	E485.exe	E485.exe
PID 988 wrote to memory of 4968	988	E485.exe	E485.exe
PID 988 wrote to memory of 4968	988	E485.exe	E485.exe
PID 4968 wrote to memory of 2340	4968	E485.exe	build2.exe
PID 4968 wrote to memory of 2340	4968	E485.exe	build2.exe
PID 4968 wrote to memory of 2340	4968	E485.exe	build2.exe
PID 2340 wrote to memory of 3284	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 3284	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 3284	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 3284	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 3284	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 3284	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 3284	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 3284	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 3284	2340	build2.exe	build2.exe
PID 2340 wrote to memory of 3284	2340	build2.exe	build2.exe
PID 4968 wrote to memory of 4036	4968	E485.exe	build3.exe
PID 4968 wrote to memory of 4036	4968	E485.exe	build3.exe
PID 4968 wrote to memory of 4036	4968	E485.exe	build3.exe
PID 4036 wrote to memory of 2604	4036	build3.exe	build3.exe
PID 4036 wrote to memory of 2604	4036	build3.exe	build3.exe
PID 4036 wrote to memory of 2604	4036	build3.exe	build3.exe
PID 4036 wrote to memory of 2604	4036	build3.exe	build3.exe
PID 4036 wrote to memory of 2604	4036	build3.exe	build3.exe
PID 4036 wrote to memory of 2604	4036	build3.exe	build3.exe
PID 4036 wrote to memory of 2604	4036	build3.exe	build3.exe
PID 4036 wrote to memory of 2604	4036	build3.exe	build3.exe
PID 4036 wrote to memory of 2604	4036	build3.exe	build3.exe
PID 2604 wrote to memory of 1112	2604	build3.exe	schtasks.exe
PID 2604 wrote to memory of 1112	2604	build3.exe	schtasks.exe
PID 2604 wrote to memory of 1112	2604	build3.exe	schtasks.exe
PID 3032 wrote to memory of 1696	3032		6F9F.exe
PID 3032 wrote to memory of 1696	3032		6F9F.exe
PID 3032 wrote to memory of 1696	3032		6F9F.exe
PID 3032 wrote to memory of 2356	3032		asdjijjjjj.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1216f48b727c93df1945ecca6261c637f7860520b213e7f9582e33b1c969fe05.exe
"C:\Users\Admin\AppData\Local\Temp\1216f48b727c93df1945ecca6261c637f7860520b213e7f9582e33b1c969fe05.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:520

C:\Users\Admin\AppData\Local\Temp\D457.exe
C:\Users\Admin\AppData\Local\Temp\D457.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4064

C:\Users\Admin\AppData\Local\Temp\E485.exe
C:\Users\Admin\AppData\Local\Temp\E485.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d53fe415-ed9d-45e9-928d-2e095abf95da" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:4380

C:\Users\Admin\AppData\Local\Temp\E485.exe
"C:\Users\Admin\AppData\Local\Temp\E485.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Temp\E485.exe
C:\Users\Admin\AppData\Local\Temp\E485.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\E485.exe
"C:\Users\Admin\AppData\Local\Temp\E485.exe" --Admin IsNotAutoStart IsNotTask
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\f854229d-9cb0-4ba5-8d68-5dcd0093f75a\build2.exe
"C:\Users\Admin\AppData\Local\f854229d-9cb0-4ba5-8d68-5dcd0093f75a\build2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\f854229d-9cb0-4ba5-8d68-5dcd0093f75a\build2.exe
"C:\Users\Admin\AppData\Local\f854229d-9cb0-4ba5-8d68-5dcd0093f75a\build2.exe"
3⤵
- Executes dropped EXE
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 2056
4⤵
- Program crash
PID:4828

C:\Users\Admin\AppData\Local\f854229d-9cb0-4ba5-8d68-5dcd0093f75a\build3.exe
"C:\Users\Admin\AppData\Local\f854229d-9cb0-4ba5-8d68-5dcd0093f75a\build3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\f854229d-9cb0-4ba5-8d68-5dcd0093f75a\build3.exe
"C:\Users\Admin\AppData\Local\f854229d-9cb0-4ba5-8d68-5dcd0093f75a\build3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:1112

C:\Users\Admin\AppData\Local\Temp\6F9F.exe
C:\Users\Admin\AppData\Local\Temp\6F9F.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
1⤵
PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\77AF.bat" "
1⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\7CB1.exe
C:\Users\Admin\AppData\Local\Temp\7CB1.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
3⤵
- Executes dropped EXE
PID:3820

C:\Users\Admin\AppData\Local\Temp\8117.exe
C:\Users\Admin\AppData\Local\Temp\8117.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Users\Admin\AppData\Local\Temp\asdjijjjjj.exe
"C:\Users\Admin\AppData\Local\Temp\asdjijjjjj.exe"
2⤵
- Executes dropped EXE
PID:2356

C:\Users\Admin\AppData\Local\Temp\adasda.exe
"C:\Users\Admin\AppData\Local\Temp\adasda.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB6E.tmp.bat""
3⤵
PID:2660

C:\Users\Admin\AppData\Roaming\chromeupdate.exe
"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"' & exit
3⤵
PID:1500

C:\Users\Admin\AppData\Roaming\drfwabg
C:\Users\Admin\AppData\Roaming\drfwabg
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2316

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4560

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:1760

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"'
1⤵
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:4932

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:500

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:648

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:3164

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3548

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:532

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:592

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:4560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
f6d38556e96bdb48719f20d3648283c0

SHA1
669b2a387561e11322bfb9a3824671860512ab40

SHA256
45a081b2a78d7804f147e4e9e7f362737d40bda2f17f8119dc4fc5645cd0e609

SHA512
6103203deb0ddf8307bf1ba06a81f200babcc73b228168b1a3c3309d4b01680c51c627921db0b43b8025ec4b91489a7a8574cccf786299850c387dba0e7f8190

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
5a3ede3d73fef2c307e2ad7985f78798

SHA1
b7f021365ff2c9a48c00c9795ac0fc99e1b430e4

SHA256
f5696b6ab7b2d80095f5b8bbb1c6de6ec72b1cbc953c21f88e82b577b0a40c50

SHA512
6874bdb257aec8d5e8a2d5d86539d4c738c85eb7ff6d712776a984476d0a4bd94bb70359f835896db1a66d85309629a63a7af7e6acf103db5b292a3a9f50b57c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
40795a8513edc3ae7f7cca9a14f72873

SHA1
16a8978ed4d65a03a51b6d151a643edcfc046f52

SHA256
5aa152298ac2abb0f562367957238e462ca0dce189cfa8fde7fbbcc939966f85

SHA512
6f65ce22e2714a2ff9338e6de62a7ec40a3b4216c1291f323d71ecff3d35ff58165d2cf9b8418938f1c3d44e5b48a8f27fd54b48ba0bdf985c42a63b6d320e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F9F.exe
Filesize
702KB

MD5
cc22efead582d42627ed902c6f959b49

SHA1
879c9b32d483437fb854c1ee0d2d0b7c7422d464

SHA256
b5ec12a134a2c29f47e872b54202e0c2ee3828ed7003d3a9b9475bc23b330a93

SHA512
fda343abdb98e1d29d527d08b31a5f6aeb41a33051693e73a458638ff39f2a99e9eb88d438190467f382e077e3d4533380920a81cdc93b517961c379d1234102

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F9F.exe
Filesize
210KB

MD5
f85cfff83b958eb1d9b2835d550788c7

SHA1
9907ebe009e942ba38684728b7e4ba03b4ac5056

SHA256
2cd84266ba8bd0fe1543e2240eb3efc407f15017cac0cb924e5038803d11c128

SHA512
6cc5c184f45b103474c0493dde918f7ab6edc83d5ea891dba297975345fe8aa6aee0d95960d29aa4d042ece073a3ca66bb26eacdf75d8202aa7434be39b72cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CB1.exe
Filesize
76KB

MD5
797d0c9e9a321549fa944dc7abe0cd61

SHA1
ef71c290633ac37b90020be87c82af2420a8a63b

SHA256
6e2acc1ea686e5f7c2b9642431609bd725d5c4395c78e4ea98a0cd0f9c58f50f

SHA512
085419268ccdc06ac0b12bb37f04e49db9ee6f8b9fa2d01e1b1b43cdfe29ac65b22e6e6c48c749d356d44cc0623d3245d79db033d48f49417dbf14510a8d5498

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CB1.exe
Filesize
36KB

MD5
7a94592b248dcf0dc677a81848f52eea

SHA1
6437bb501943cd76595ec3a216088fcebdae874f

SHA256
4f05bafab62730fa9ee5aa8b908ce2546368e9ebbf1e78c5b46584b402f0aa33

SHA512
7456864f0eefe9f51eab45593bfba537bf734e22577f2ba2d8e244c114f196b94ab7ca8c6d109fb4214325f23d58c95d7a68d41c167b18904ccbfad10c51d31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8117.exe
Filesize
95KB

MD5
57935225dcb95b6ed9894d5d5e8b46a8

SHA1
1daf36a8db0b79be94a41d27183e4904a1340990

SHA256
79d7b0f170471f44ed6c07ddb4c4c9bb20c97235aef23ac052e692cb558a156d

SHA512
1b6362bdb7f6b177773357f5fe8e7d7ee44716fd8e63e663e446f4e204af581491d05345c12cd9cca91fd249383817da21ef2241011cdc251b7e299560ea48c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D457.exe
Filesize
3KB

MD5
27df3c82a1f637cd873950bdf6afd6fd

SHA1
f0988e7bd218c1d8c8365c240688ea01c2cd1514

SHA256
c265022fa364a25616a7f9c0b2f00ff97d4ab339838829db17c06abbd64d2c65

SHA512
ae6e133fd5c6e69a4c6354e04a8301989c840d9d95760449b817b62bf34f53dbdc6a9641d8039a14b33dc2a74bc703dfebb096bbcae44dc30a7db8776af1e43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D457.exe
Filesize
1KB

MD5
3ad3e318b575c8641621c07d93232e47

SHA1
fd9068d4e1b25486b08d50a22cfbc79267b09c46

SHA256
f55d58159ef5666e753d409687d28cb495bf7811c2b954470265960c33b0037e

SHA512
71f04a0f945dd1c1769ed30e9e6673539e173a290220bf2fa9b5c6eea412ac09802750f051c4d5330e467d449558bf3deb57b38bdf81c7f8b4c157c489892188

Download Submit
C:\Users\Admin\AppData\Local\Temp\E485.exe
Filesize
411KB

MD5
2320cfbc2a730f9cf82ffce72de9965b

SHA1
8af7b236d05042059de7fc7eebb4d92879a1c681

SHA256
fb52c154319bde6297939766a63016813538ee176fe9888589c7aafd292fddf1

SHA512
53bfa801f4ce92389f7c5603d55887802097a72f436878843871925e8a54aacd7934c7fe7f7434a860ce92b5b72013366965b96f8dcc98235c2e7b532798b8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\E485.exe
Filesize
472KB

MD5
3b0cd5b7812f2035ab4c56a097c061a5

SHA1
3996dd74f8be7a6c8406a612fdde826291fdd862

SHA256
2907da4fbd99d32e6bd82c5337eef1dda7006e53e3842c998e2d374cb384aeac

SHA512
8b9d26c522262d5b70d2f3f989bf0856a3bdbaa9a5d573b58733d3fa195c1c254bc85a37b2342d5dcb56441375953ba933a3ed2b0c4eecf7ebc3bfccfde9296b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E485.exe
Filesize
282KB

MD5
19602e086faac9b47d9428aa634dc865

SHA1
a863bbe27c820fd8bd8af7ee15a5604666202f70

SHA256
4779a0f26df884505408f98badb705bbc4ceaaf60547112ac5039d462ac9a37e

SHA512
c33f753dd7b322d84601e325956dc8dea04271234164295e749df045d475412b440ba344e2c38ada8bc40e8a85e5b51aeed0280aff475721e0c7534155e88cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\E485.exe
Filesize
112KB

MD5
5a945181b5ce651275282006354a55a9

SHA1
0f9f5bd390e4c325b006ce0d6a7a7560f9e0ab5a

SHA256
c9c42184c5a868e29cf57b1885a46b3e32b6836f446695ee30db5e4495abf3b3

SHA512
c72130a2fffc2f7873b6f0b6c5054ff552ea7041296a112c2ec9b012f322b14f1298415683edbf68f062ab83b4e9525006b0b7951708d721eee5756f0881c88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E485.exe
Filesize
293KB

MD5
6d9bd2bd58677121f6f7c85b76017fcb

SHA1
accd8a9f3155b1949bceb8b1bacb11cdce28567c

SHA256
10b158ed6c8a960430893eac0429bf7f6ba4e36f1066c7d30b77a067ee9c76df

SHA512
83751276af78e2efa049298db2751f3b150721b89ba7842bed1e834ace358b2a567320445d1c5cf2ad661ed4bee929ded2b399a793b3fe4f39a06b2e2391ba53

Download Submit
C:\Users\Admin\AppData\Local\Temp\adasda.exe
Filesize
73KB

MD5
25b6389bbaa746df85d53714d4a6d477

SHA1
86e6443e902f180f32fb434e06ecf45d484582e3

SHA256
4b02692bf468a164e333bbfc961c5974d0a95009a72ea8bff2e9cb677eae4f56

SHA512
6ad22c119b548f0e8ed5adb6c9f48c33b356340a7309c8185bec817f2562ae99760ff79e131c89bce2be122b6385bee610704f37edb7f1656a1b9d4782a1fcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\adasda.exe
Filesize
29KB

MD5
3fa546a9e097d2f09b426ab2a4ec1645

SHA1
6e77316597e32182587932d3c05d74870739eada

SHA256
c21687a0f146d9d4d359cb8e604f295dec966e5407e2942840f9aa16d019b01a

SHA512
7945f3d897fcb4165d9d057c75413bddf444275bd2a983b9fc8c434b4e9c0014adb892b6345a1b017604773c7d39a5aff92e3040df2fcff583f9b0dc5d855e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\asdjijjjjj.exe
Filesize
82KB

MD5
0b08d54db81ab6f6bbc41b9f813be7c9

SHA1
636e163ef5759b6a52a5c74cacb0eb88011dc2e9

SHA256
65179b9381cfa0e5d1141dff52f4260e1a890720e75acfc3a1a34d383937230b

SHA512
2a8b4e62959f3d8e021de231d56659a42bd41d90c88c631b3e2ebedfcb5a0b55f167ea3c1c5be284a19e48b6a49233ae45998115a8f0574ae2e3c31212cf9cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\asdjijjjjj.exe
Filesize
64KB

MD5
205d0fef775481ff26af10cc95829fde

SHA1
bd4fb174ff0fd430c5083b23cf74b026d1a10333

SHA256
ab69523632861d0a1e283b6af2d91a673271eaeec6dff4d8c4820c91eea7f27b

SHA512
df30374bd7824a503116958a5988fef1fdbd9a7a5127e55d737b5085e4d1a54c3de69e34163ab836f9e49fe2c3bfcf306755870a02f3bbc4a4b08c2e0750b698

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B71.tmp
Filesize
1KB

MD5
0a9f118066fa5a2dd17e8a13a6b7bd80

SHA1
637412b0e94520052c2fdd8d7b1efbf335d7c2be

SHA256
c8662ae5a72380a0a23a5491309dc8fd39977202ed5f416138bc9a4a9d9e3506

SHA512
336d680428972076138f82e497fa1f04d9e0b27891eb8c7bbc7674b14707aca4e730018bad1786fb63bafa717e71fc159920e1a7d396ae13dc7b10c8a0680273

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B87.tmp
Filesize
24KB

MD5
2cd0c96fd8f0d1b60ddee4617ebcffb9

SHA1
03307afc53f3425909dd38fabe5e377d28855fd4

SHA256
a0a2521cf04c25985ba9c286cf61440a66930858e64aae97c961bfdf695c840b

SHA512
e24b525b776edbf174d7317bd2248eca7213f97a67bf66c4a3640b657bf97b1ed94659cb4c74ace16155db1ee79d3468dc1c26cdbe62242adb2a5010bd72d327

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9BB2.tmp
Filesize
1KB

MD5
886ea491d36b71da904ebc9b13a397b3

SHA1
bb10e92ea75cd145d1930fc53b6bdcf7863efa40

SHA256
b9d44c40bfb3feba632d254963e0ec5e3a4c61200024129d6873e76d8e899dc2

SHA512
4f82794dfffc17f07242ab5e9543020b5bfdd105ad238d008c913598979b7a4549f00cb614eb67ace6ec5d55e296706a0ab081d7f3caec895492b297520e9c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB6E.tmp.bat
Filesize
156B

MD5
4ff76a8fc8d5a147493fe7adeea66bfa

SHA1
868d514d2754f375af9625542ffc7aa09317098a

SHA256
2674b7630d4b382cad12b51507f50eee3fd959bb4f209589b2afa497b2424c04

SHA512
68476ccd412cb14879cdde58cf0c8352986245521f55dadd3c2f817e8b0c03cf587b968e042f6bb08fc6a47a14cd1a23d50a681d8beab3302341f8b82883fb85

Download Submit
C:\Users\Admin\AppData\Local\d53fe415-ed9d-45e9-928d-2e095abf95da\E485.exe
Filesize
92KB

MD5
a7d6df3b94123a76c6afc3f491889f94

SHA1
0ed42f3079f3eee6dac734e769c49ed39999878f

SHA256
002e04237df44e8db63dbada1390bb0ba0284bd9e867dda3607b2a8cae02f9fc

SHA512
4ac951218607402b113b4ebdff1f218e4f227ee615b1b7f2157e9198e2601bd7615e67e33645db1040f7f680023cc29f920e158bd5307202f646786522b58ca8

Download Submit
C:\Users\Admin\AppData\Local\f854229d-9cb0-4ba5-8d68-5dcd0093f75a\build2.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\f854229d-9cb0-4ba5-8d68-5dcd0093f75a\build2.exe
Filesize
122KB

MD5
0a0289a238b85a76ee4a6550d44345bb

SHA1
51ee58dd26c81890173bef077697ce506fe68e8c

SHA256
0af4a9828d63d77236a721e31ebf975a4fc5c76a5f9fb1947ee60706f0cb7d76

SHA512
adf476c59e59a841d4908108461caa40887d6c995ff6709494599bbaba8d17079f1f32499c94ed94cfe8ef62c12935c5f9969da14d872fea5afbc91146ed65b7

Download Submit
C:\Users\Admin\AppData\Local\f854229d-9cb0-4ba5-8d68-5dcd0093f75a\build2.exe
Filesize
108KB

MD5
0442ee9587525ecec7637adfc8c35d11

SHA1
c9a7c510730e12cc9dcc3f953e0678657bf345a9

SHA256
d334e99693fcdf47f5b387ab62acf6e54806af21a997866c81e0f4679c290b8c

SHA512
2d88eccb3272efaf410ef04edd1442224153d4dbe29487eed42dc97dff1306bcb42ed6bf9cad4d377a076605ab318a8ca82326848a5f00322c026a34081bff03

Download Submit
C:\Users\Admin\AppData\Local\f854229d-9cb0-4ba5-8d68-5dcd0093f75a\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\f854229d-9cb0-4ba5-8d68-5dcd0093f75a\build3.exe
Filesize
256KB

MD5
164bc11a628ff1722c833c8e2642aca5

SHA1
56d2d17695a85b876b736933a7f1cd5cf2acfdb1

SHA256
e76e2fa66070991fff3747fd12185ec795651b8506f290a3f1214b0eab40d330

SHA512
099d1715e47a2c4ea346b432f186ffb6fcd94f9ec6b28ffcf5047a57b686a0135e765db75150ac14420cb9285fb02c8d390751b239a2a9446219da587a89ce9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
61KB

MD5
f2055ed9feb2cf03d4605d1e0b8508ae

SHA1
4e8c64cf6bd9b02d9a02228de5bc421807b6d0bd

SHA256
50a8125b945ab904a198dc8b458681a1a5c1469076f0e81c543d3738413582a6

SHA512
e8f2b1aad83329b6333f9f027293c15073f61ced1e164cdf70dc2c3e70165eccfa083ae12ed72be94fe17312801b08b731c11acf47800188e506655cf09a0de4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
29KB

MD5
4692c5ef2a8af95d34f12003689c955c

SHA1
f908f1c6e5fd43f1c862a534e0c23d91d6a9d575

SHA256
d482be126508dcc260d129b3971cfb9eca3524b473e5c444e08cf9ff40e8601f

SHA512
07160de572cad2b064bb78cbfc4101ac680a12b3e1df76859160635c62302f1cf255f93b18b2d2863f5f9d491d92f350286caca524e8f086d682354ed25fb04f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
1KB

MD5
d35c806c95b926208b06f305860de044

SHA1
fd111b2072749c0e2b3f1bb7102e4fbcdd8b931b

SHA256
722325dfc7e0a3d8b9c5bcf978e54f9a90a83ffa5d14372a51dc7c3609fee061

SHA512
cb5f66f83bd6a8ddad6d740479d17352d3a8249ab6fec7ea0ee071dcc7f9855ed378dee61bb65e92d272e3fb8187282ce08d0694550cfa610bf6e6508ec5b6a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\drfwabg
Filesize
96KB

MD5
09faf6a1ef40d08fd191e11a08f9c5fa

SHA1
faebb8558e03a9fef84c370b5e10479fc65e19ac

SHA256
3eb2aad23fdb7772cece01bdaee97bdcda9f90fb885544fc32bf5beff445a366

SHA512
b7b8015c1264e508ace4944e76a19d0240ef00a7a2d77695048d4ee8f255ada5d09c0069dcd7446a1bff8442f51109874e8d29352797937b6dfa9cbb9c90b663

Download Submit
C:\Users\Admin\AppData\Roaming\drfwabg
Filesize
57KB

MD5
6615394606b7668a4d9c13a34af4226d

SHA1
1855a207df3b235dd6e10587e856d0add5245a26

SHA256
49c3a6e540a736add3f6be9c25f1612378402c44dbbe4bb2ac0df3e30bfaff3e

SHA512
416075d2a015ac17afdf35aa4b82102ee4bb6c07d2ea00fa9c5f8b15c8094bad0787786b6b490a30b77b6a9e020eac225ebb4b8bf2a8c0f223d1b10eb134607b

Download Submit
memory/520-2-0x0000000002C00000-0x0000000002C0B000-memory.dmp

Filesize
44KB

Download
memory/520-1-0x0000000002C20000-0x0000000002D20000-memory.dmp

Filesize
1024KB

Download
memory/520-3-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download
memory/520-5-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download
memory/816-170-0x0000000004FA0000-0x0000000004FEB000-memory.dmp

Filesize
300KB

Download
memory/816-163-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/816-155-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/816-173-0x0000000005250000-0x00000000052B6000-memory.dmp

Filesize
408KB

Download
memory/816-168-0x0000000004F60000-0x0000000004F9E000-memory.dmp

Filesize
248KB

Download
memory/816-174-0x0000000005DC0000-0x0000000005E36000-memory.dmp

Filesize
472KB

Download
memory/816-193-0x00000000711E0000-0x00000000718CE000-memory.dmp

Filesize
6.9MB

Download
memory/816-161-0x0000000005530000-0x0000000005B36000-memory.dmp

Filesize
6.0MB

Download
memory/816-171-0x00000000711E0000-0x00000000718CE000-memory.dmp

Filesize
6.9MB

Download
memory/816-165-0x0000000005030000-0x000000000513A000-memory.dmp

Filesize
1.0MB

Download
memory/816-179-0x0000000008670000-0x0000000008B9C000-memory.dmp

Filesize
5.2MB

Download
memory/816-178-0x0000000007F70000-0x0000000008132000-memory.dmp

Filesize
1.8MB

Download
memory/816-177-0x0000000006CD0000-0x0000000006D20000-memory.dmp

Filesize
320KB

Download
memory/816-175-0x0000000005EE0000-0x0000000005F72000-memory.dmp

Filesize
584KB

Download
memory/816-176-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

Filesize
120KB

Download
memory/988-46-0x0000000002180000-0x0000000002218000-memory.dmp

Filesize
608KB

Download
memory/1696-132-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1696-129-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1696-130-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1696-134-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/1696-133-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1696-127-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/1696-131-0x00000000012C0000-0x00000000020EB000-memory.dmp

Filesize
14.2MB

Download
memory/1696-128-0x00000000012C0000-0x00000000020EB000-memory.dmp

Filesize
14.2MB

Download
memory/1696-126-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/1696-140-0x00000000012C0000-0x00000000020EB000-memory.dmp

Filesize
14.2MB

Download
memory/1716-24-0x00000000020B0000-0x0000000002143000-memory.dmp

Filesize
588KB

Download
memory/1716-27-0x0000000002150000-0x000000000226B000-memory.dmp

Filesize
1.1MB

Download
memory/2080-288-0x0000000000C40000-0x0000000000C58000-memory.dmp

Filesize
96KB

Download
memory/2080-290-0x00007FFA04170000-0x00007FFA04B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2080-291-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/2080-309-0x00007FFA04170000-0x00007FFA04B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2080-307-0x00007FFA20C60000-0x00007FFA20E3B000-memory.dmp

Filesize
1.9MB

Download
memory/2080-301-0x00007FFA20C60000-0x00007FFA20E3B000-memory.dmp

Filesize
1.9MB

Download
memory/2316-185-0x0000000002D20000-0x0000000002E20000-memory.dmp

Filesize
1024KB

Download
memory/2316-194-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download
memory/2316-299-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download
memory/2340-72-0x00000000005E0000-0x0000000000611000-memory.dmp

Filesize
196KB

Download
memory/2340-71-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/2356-320-0x0000000000B00000-0x0000000000BAE000-memory.dmp

Filesize
696KB

Download
memory/2604-117-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2604-115-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2604-110-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3032-44-0x0000000002E10000-0x0000000002E26000-memory.dmp

Filesize
88KB

Download
memory/3032-296-0x0000000003520000-0x0000000003536000-memory.dmp

Filesize
88KB

Download
memory/3032-4-0x00000000014B0000-0x00000000014C6000-memory.dmp

Filesize
88KB

Download
memory/3284-68-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/3284-105-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/3284-73-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/3284-74-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/3820-323-0x00007FFA04170000-0x00007FFA04B5C000-memory.dmp

Filesize
9.9MB

Download
memory/3820-192-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/3820-197-0x00007FFA04170000-0x00007FFA04B5C000-memory.dmp

Filesize
9.9MB

Download
memory/4036-114-0x0000000000850000-0x0000000000854000-memory.dmp

Filesize
16KB

Download
memory/4036-111-0x0000000000A30000-0x0000000000B30000-memory.dmp

Filesize
1024KB

Download
memory/4064-16-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/4064-48-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4064-17-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4348-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4348-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4348-28-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4348-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4348-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4560-334-0x0000000000AB0000-0x0000000000BB0000-memory.dmp

Filesize
1024KB

Download
memory/4580-151-0x00000000027B0000-0x000000000284A000-memory.dmp

Filesize
616KB

Download
memory/4580-145-0x0000000004CF0000-0x0000000004D8C000-memory.dmp

Filesize
624KB

Download
memory/4580-162-0x00000000711E0000-0x00000000718CE000-memory.dmp

Filesize
6.9MB

Download
memory/4580-146-0x00000000711E0000-0x00000000718CE000-memory.dmp

Filesize
6.9MB

Download
memory/4580-149-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/4580-311-0x00000000028B0000-0x00000000048B0000-memory.dmp

Filesize
32.0MB

Download
memory/4580-148-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/4580-147-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/4580-152-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/4580-150-0x0000000004D90000-0x000000000528E000-memory.dmp

Filesize
5.0MB

Download
memory/4580-167-0x00000000028B0000-0x00000000048B0000-memory.dmp

Filesize
32.0MB

Download
memory/4860-317-0x00007FFA04170000-0x00007FFA04B5C000-memory.dmp

Filesize
9.9MB

Download
memory/4860-318-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/4860-337-0x00007FFA04170000-0x00007FFA04B5C000-memory.dmp

Filesize
9.9MB

Download
memory/4860-319-0x00007FFA20C60000-0x00007FFA20E3B000-memory.dmp

Filesize
1.9MB

Download
memory/4968-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4968-58-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4968-100-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4968-51-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4968-90-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4968-59-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4968-98-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4968-91-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4968-88-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4968-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4972-166-0x0000000000110000-0x000000000012E000-memory.dmp

Filesize
120KB

Download
memory/4972-169-0x00000000711E0000-0x00000000718CE000-memory.dmp

Filesize
6.9MB

Download
memory/4972-172-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/4972-302-0x00000000711E0000-0x00000000718CE000-memory.dmp

Filesize
6.9MB

Download