Malware Analysis Report

2024-08-06 13:15

Sample ID 240616-jw1tsszcnp
Target kam.exe
SHA256 d4a0b8345dc0ecb03f2fae12c101019c7777a8d9eff66cc6bb8bc48086e44537
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d4a0b8345dc0ecb03f2fae12c101019c7777a8d9eff66cc6bb8bc48086e44537

Threat Level: Known bad

The file kam.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

Suspicious use of NtCreateUserProcessOtherParentProcess

AsyncRat

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Enumerates processes with tasklist

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 08:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 08:01

Reported

2024-06-16 08:04

Platform

win7-20240220-en

Max time kernel

120s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

AsyncRat

rat asyncrat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1980 created 1192 N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif C:\Windows\Explorer.EXE
PID 1980 created 1192 N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif C:\Windows\Explorer.EXE

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cogitate.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cogitate.url C:\Windows\SysWOW64\cmd.exe N/A
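Added example, not part of the sandbox report: a check for the persistence mechanism in the table above. The cmd.exe line later in this report builds Cogitate.url with two `echo` redirects, so what lands on disk is `[InternetShortcut] ` (echo keeps the space before the `>`) and `URL="C:\Users\Admin\AppData\Local\Neural Nexus Innovations\Cogitate.js" ` with the quotes intact; a parser that expects a tidy INI file misses it. The sample .url below is constructed from that command line; the target extension list is an assumption. The report's Files section for behavioral1 does not list Cogitate.js, so the scan classifies by target path rather than requiring the target to exist.

```python
"""Scan a Startup folder for .url shortcuts that launch local scripts.

Added example, not part of the report. It reproduces, as constructed sample
data, the Cogitate.url that the cmd.exe line in this report writes, then runs
the same scan a responder would run against a real Startup folder.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions a shortcut in Startup should never point at (assumption: extend as needed).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
                     ".bat", ".cmd", ".pif", ".scr", ".exe"}

# What `echo [InternetShortcut] > f` and `echo URL="..." >> f` actually leave on disk:
# echo writes its argument verbatim, including the quotes and the space before the redirect.
SAMPLE_URL_FILE = (
    "[InternetShortcut] \r\n"
    'URL="C:\\Users\\Admin\\AppData\\Local\\Neural Nexus Innovations\\Cogitate.js" \r\n'
)


def parse_internet_shortcut(text):
    """Return the URL= value of the [InternetShortcut] section, or None if absent."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip().strip('"')  # tolerate the quotes echo left behind
    return None


def classify_target(url):
    """'local-script' for a local path with a script/executable extension,
    'local-file' for any other local path, 'remote' for everything else."""
    u = url.strip()
    if re.match(r"^[a-z]:\\", u, re.I):
        local = u
    elif u.lower().startswith("file:"):
        local = u[5:].lstrip("/").replace("/", "\\")
    else:
        return "remote"
    return "local-script" if os.path.splitext(local)[1].lower() in SCRIPT_EXTENSIONS else "local-file"


def scan_startup_folder(folder):
    """Return (file name, target, classification) for every .url shortcut in folder."""
    findings = []
    for path in sorted(Path(folder).glob("*.url")):
        target = parse_internet_shortcut(path.read_text(encoding="utf-8", errors="replace"))
        if target is not None:
            findings.append((path.name, target, classify_target(target)))
    return findings


def demo():
    """Run the scan on a constructed Startup folder holding the sample and a benign shortcut."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "Cogitate.url").write_bytes(SAMPLE_URL_FILE.encode("utf-8"))
        Path(tmp, "Docs.url").write_bytes(b"[InternetShortcut]\r\nURL=https://example.com/\r\n")
        return scan_startup_folder(tmp)


if __name__ == "__main__":
    # Live host: scan_startup_folder(os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"))
    for name, target, kind in demo():
        print(f"{kind:13} {name} -> {target}")
```

A shortcut in Startup whose target is a local .js under AppData is the finding; the file name (Cogitate.url) and the folder name in the target (Neural Nexus Innovations) will vary between builds, so match on the shape, not the strings.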

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\RegAsm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\RegAsm.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\238610\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3012 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\kam.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2740 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe 4
PID 2740 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe 4
PID 2740 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe 4
PID 2740 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe 4
PID 2740 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2740 wrote to memory of 1236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe 4
PID 2740 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2740 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif 4
PID 2740 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe 4
PID 1980 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif C:\Windows\SysWOW64\cmd.exe 4
PID 1980 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif C:\Users\Admin\AppData\Local\Temp\238610\RegAsm.exe 9

Identical rows are collapsed; Count is the number of times each row appears in the report. Every ordinary child in this run receives four writes from its creator. RegAsm.exe (PID 2948) receives nine from Sur.pif and is the process whose memory region is dumped in the Files section below (memory/2948-*), consistent with the dropped RegAsm.exe serving as the injection host for the AsyncRAT payload.

Processes

Tree rebuilt from the "wrote to memory of" pairs and PIDs in the WriteProcessMemory table above (the writer is the creating process). Each entry is the image path followed by the command line as recorded. Two caveats: Sur.pif creates at least one process through NtCreateUserProcess with Explorer.EXE as the parent (see the signature above), so the parent Windows records for its children can be Explorer.EXE rather than Sur.pif; and kam.exe is 32-bit, so its children run from SysWOW64 even where the command line names System32 (file-system redirection). Output redirections are set up by the parent cmd.exe and never appear in the child's command line, so the report does not show where the findstr /V output goes.

C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
  PID 3012  C:\Users\Admin\AppData\Local\Temp\kam.exe
      "C:\Users\Admin\AppData\Local\Temp\kam.exe"
    PID 2740  C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy Emotions Emotions.cmd & Emotions.cmd
      PID 1492  C:\Windows\SysWOW64\tasklist.exe
          tasklist
      PID 768  C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
      PID 1680  C:\Windows\SysWOW64\tasklist.exe
          tasklist
      PID 872  C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      PID 1740  C:\Windows\SysWOW64\cmd.exe
          cmd /c md 238610
      PID 1236  C:\Windows\SysWOW64\findstr.exe
          findstr /V "MaskBathroomsCompoundInjection" Participants
      PID 1968  C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Strictly + Activated + Presenting 238610\I
      PID 1980  C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif
          238610\Sur.pif 238610\I
        PID 1404  C:\Windows\SysWOW64\cmd.exe
            cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cogitate.url" & echo URL="C:\Users\Admin\AppData\Local\Neural Nexus Innovations\Cogitate.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cogitate.url" & exit
        PID 2948  C:\Users\Admin\AppData\Local\Temp\238610\RegAsm.exe
            C:\Users\Admin\AppData\Local\Temp\238610\RegAsm.exe
      PID 1408  C:\Windows\SysWOW64\timeout.exe
          timeout 5
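Added example, not code from the report or the sandbox vendor: detection logic for the staging chain the command lines above spell out (the behavioral2 run below shows the same chain with different PIDs). No single command here is malicious on its own; the signal is the combination: tasklist piped into findstr for security-product process names, `copy /b` joining fragments in Temp, `findstr /V` stripping a marker line to rebuild a file, a .pif launched from a numbered Temp subdirectory, a dropped RegAsm.exe running outside the .NET Framework directory, and a .url written into Startup. The event records are constructed from this report's process list with PIDs from the WriteProcessMemory table; the ProcEvent schema is an assumption, not a real EDR format, and the modelled parent/creator split for RegAsm.exe is an assumption drawn from the NtCreateUserProcessOtherParentProcess signature, which names Sur.pif and Explorer.EXE but not which child was involved.

```python
"""Detection rules for the cmd.exe staging chain this report records.
Added example, not code from the report or the sandbox vendor: SAMPLE_EVENTS is
constructed from the behavioral1 process list (PIDs from the WriteProcessMemory
table) and the ProcEvent schema is an assumption, not a real EDR's event format."""
import re
from collections import defaultdict
from dataclasses import dataclass

EXPLORER_PID = 0  # placeholder: the report does not give Explorer.EXE's PID
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SYS = r"C:\Windows\SysWOW64"
AV_PROCESS_NAMES = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe", "nswscsvc.exe", "sophoshealth.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int                     # parent as Windows records it (what a naive tree shows)
    image: str
    cmdline: str
    creator: "int | None" = None  # process that actually called NtCreateUserProcess, if known


SAMPLE_EVENTS = [
    ProcEvent(3012, EXPLORER_PID, TEMP + r"\kam.exe", '"' + TEMP + r'\kam.exe"'),
    ProcEvent(2740, 3012, SYS + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c copy Emotions Emotions.cmd & Emotions.cmd'),
    ProcEvent(1492, 2740, SYS + r"\tasklist.exe", "tasklist"),
    ProcEvent(768, 2740, SYS + r"\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    ProcEvent(1680, 2740, SYS + r"\tasklist.exe", "tasklist"),
    ProcEvent(872, 2740, SYS + r"\findstr.exe", 'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    ProcEvent(1740, 2740, SYS + r"\cmd.exe", "cmd /c md 238610"),
    ProcEvent(1236, 2740, SYS + r"\findstr.exe", 'findstr /V "MaskBathroomsCompoundInjection" Participants'),
    ProcEvent(1968, 2740, SYS + r"\cmd.exe", r"cmd /c copy /b Strictly + Activated + Presenting 238610\I"),
    ProcEvent(1980, 2740, TEMP + r"\238610\Sur.pif", r"238610\Sur.pif 238610\I"),
    ProcEvent(1408, 2740, SYS + r"\timeout.exe", "timeout 5"),
    ProcEvent(1404, 1980, SYS + r"\cmd.exe", 'cmd /k echo [InternetShortcut] > "' + STARTUP + r'\Cogitate.url" & echo '
              r'URL="C:\Users\Admin\AppData\Local\Neural Nexus Innovations\Cogitate.js" >> "' + STARTUP + r'\Cogitate.url" & exit'),
    # Assumption: the report says Sur.pif spawned something with Explorer.EXE as parent but not what; RegAsm is modelled that way.
    ProcEvent(2948, EXPLORER_PID, TEMP + r"\238610\RegAsm.exe", TEMP + r"\238610\RegAsm.exe", creator=1980),
]


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_av_enumeration(ev, by_parent):
    """findstr /I for security-product process names, with tasklist run by the same cmd.exe."""
    hits = sorted(n for n in AV_PROCESS_NAMES if n in ev.cmdline.lower())
    if _name(ev.image) != "findstr.exe" or not hits:
        return None
    if not any(_name(s.image) == "tasklist.exe" for s in by_parent[ev.ppid]):
        return None
    return "tasklist|findstr check for security software: " + ", ".join(hits)

def rule_binary_concat(ev, by_parent):
    """copy /b A + B + C out: payload reassembled from innocuous-looking fragments."""
    m = re.search(r"\bcopy\s+/b\s+(.+?\+.+?)\s+(\S+)\s*$", ev.cmdline, re.I)
    return m and "copy /b joins %d fragments into %s" % (len(m.group(1).split("+")), m.group(2))

def rule_findstr_strip(ev, by_parent):
    """findstr /V "<marker>" <file>: rebuilds a file by dropping marker lines; the redirect
    target is chosen by the parent shell and is not in this command line."""
    m = re.search(r'\bfindstr\s+/V\s+"([^"]+)"\s+(\S+)', ev.cmdline, re.I)
    return m and 'findstr /V strips marker "%s" from %s' % m.groups()

def rule_pif_from_temp(ev, by_parent):
    img = ev.image.lower()
    return "PIF executable launched from a Temp subdirectory" if img.endswith(".pif") and "\\temp\\" in img else None

def rule_startup_url(ev, by_parent):
    c = ev.cmdline.lower()
    if "[internetshortcut]" not in c or "\\startup\\" not in c:
        return None
    m = re.search(r'\bURL="?([^"&]+)', ev.cmdline, re.I)
    return "writes a .url into the Startup folder pointing at " + (m.group(1).strip() if m else "?")

def rule_relocated_dotnet_util(ev, by_parent):
    if _name(ev.image) in {"regasm.exe", "regsvcs.exe", "installutil.exe"} and "\\microsoft.net\\" not in ev.image.lower():
        return _name(ev.image) + " running outside the .NET Framework directory (dropped copy)"
    return None

def rule_parent_mismatch(ev, by_parent):
    """Recorded parent differs from the creating process: parent-PID spoofing."""
    if ev.creator is not None and ev.creator != ev.ppid:
        return "recorded parent %d but created by PID %d" % (ev.ppid, ev.creator)
    return None

RULES = [rule_av_enumeration, rule_binary_concat, rule_findstr_strip, rule_pif_from_temp,
         rule_startup_url, rule_relocated_dotnet_util, rule_parent_mismatch]

def detect(events):
    """Return (rule name, pid, message) for every rule that fires on every event."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev.ppid].append(ev)
    return [(rule.__name__, ev.pid, msg) for ev in events for rule in RULES if (msg := rule(ev, by_parent))]

def chain_score(findings):
    """Distinct rules hit: the staging chain is the combination, not any single command."""
    return len({name for name, _, _ in findings})
```

Alert on chain_score rather than on individual rules: `copy /b` and `timeout` fire constantly in benign batch files, but four or more of these rules firing under one cmd.exe parent within a short window is the dropper. The parent-mismatch rule only works if your telemetry carries the creating process as well as the recorded parent; with parent PID spoofing, a tree built from ppid alone hangs the injected RegAsm.exe off Explorer.EXE and hides Sur.pif.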

Network

Country Destination Domain Proto
US 8.8.8.8:53 wyTKUHhhnlUmHdzj.wyTKUHhhnlUmHdzj udp
US 8.8.8.8:53 ghdsasync.duckdns.org udp
US 12.202.180.114:8797 ghdsasync.duckdns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\Emotions

MD5 b8efe71888c718825eedec892ca1bd7f
SHA1 f98a1f312f985499db1485587c94cbf165df159b
SHA256 d18a39a5074d035312f6a54c171761d0e3b6be374dc61a80d5f6b214b2e4c1e1
SHA512 2e248a07b1cf92bce355f7a3adcb2e664ad83cd96b9526feafd9ef51e76d4f064d9e57811e9761359f184d9b246fdb9b437a406b729f58af3c1285f949ffb3e5

C:\Users\Admin\AppData\Local\Temp\Participants

MD5 31050816b2f450a717786d075367899e
SHA1 a7ade2bf93708934b9e276fce3aa2323a25e007d
SHA256 4a6fcc7e68d22a69db4735d3900f3ea63f767d67218610afd43ea8f1af9b4fb5
SHA512 d588927f8fdcc0e7468a5a2839537cb3a4f2ff7d942c63eb8b20e53ccdf9dba63a394bc75e67f0395b5525382cb33eb81bcb55995b29b9d7e357361900c332b6

C:\Users\Admin\AppData\Local\Temp\Richmond

MD5 03f94b7674e2838d189557505ed74b05
SHA1 b5eefe2b74dc8c9cede24163598b1b45ffe3f2b5
SHA256 6d985b6f483de86298bbd7a95681af16f63f289750a6070c026c897b7f6fba82
SHA512 f7ad2ab0d6b9dd57fe41cda9df7917e22894029d294446de5148b422243902be0acb8d608528684e433b0ff16c6a97c6bfdb815400db1d930acd5b33efe7bfb6

C:\Users\Admin\AppData\Local\Temp\Alot

MD5 9b22c69136d0b4e85fd3c1114b8f1fe0
SHA1 8d9fdb0dbdd388f007553c5a06ad74ba5ef8510a
SHA256 cb0c96eff5c2da592d3258a95f710f163474163d37215d841982f7675e55c7b7
SHA512 3c7251326ad96c447c69bb16f5f291baf2c1b7ea9fae8a91a565f7616610c65973024481a498825c7e2eeb329f2a858135b2b8c184bbef7622f3caedc15d35fd

C:\Users\Admin\AppData\Local\Temp\Genre

MD5 642e407ab533fc309228b10029f5fff7
SHA1 880cac2c55fc2d3be5f0d0a2258342af201cae58
SHA256 ce1cfc40b038362e3ce6484df5d4c3fd56df931e0c852c9b3a69d5f2d199348f
SHA512 89b0679e0ab84c656951b6a96a7411946ba4ecc495ecae1858bd80c6d0a77866db76d0eff009025207812919aecce5562585401910559b94ed1af7f0a02d0b63

C:\Users\Admin\AppData\Local\Temp\Fight

MD5 2e8bfe507ddd3bde6a8b059884bdf640
SHA1 e18dd2352bee2a31bca30a8bf00628862d144fbd
SHA256 e12dfc79107a35131c3643d2f0182db3e7e18ad3a61d14f290840204fd224409
SHA512 3bef0530c64b4b8b0c91e18309eb00bd08d8250414c8f74b078d375c2511f0970d8655b55963f71c2486096425f352f39b902493426ccfd868348ac8ecf70c35

C:\Users\Admin\AppData\Local\Temp\Violence

MD5 b577d598756b7cfc590354a8eba2fea2
SHA1 a25f802762f24d932f1bf407ff9f456171ad2de8
SHA256 7ca4f9ee40abea1483e8e69d8cdcb3025d80a7fb7cb136ab454863ddc979d751
SHA512 d95a988a172d30a3a669ec696ef906c096d08148f63d37fa35734df9d557f89c8e758f5019a487aae4e3c0b1e5373820fec6a1f06496523845592174d284e16c

C:\Users\Admin\AppData\Local\Temp\Lcd

MD5 14b17b7c17b7218353813748f258bedd
SHA1 beff95fe54548a062202aea546358a727c0c8e5b
SHA256 a5022c193acbbf2c66de8437ea38591a8588edf69b57878ea459bfcfcb8890a7
SHA512 a21de57377a93d9b18b1b322615076d1fed7a450a321e0f047b4c78cb7edcb78c7b6f4614095afd7850f2793701f6613d6c3b827b7342b7d17e87d1e442809ce

C:\Users\Admin\AppData\Local\Temp\Quebec

MD5 a0d9b3c3e8cf3837d7914fc0f6e18bf7
SHA1 0e8c0ac4fda7f6a269bc5c1d84a0d9105ea62b51
SHA256 306624a2d9bfddb5fe8cb7ce33f4d8ee19159824d8f52f906e0069c55ba26d7b
SHA512 191711823759dcb016439172246e838ee28d4e2f1d8d544c8515750c5eb785255e24ecea81c10163c28141ab440159598f0c1b4c1b8b4de396c3f1c2d225abb1

C:\Users\Admin\AppData\Local\Temp\Buck

MD5 5f6af0dcc9f7226f78c452c96abe0922
SHA1 19331d33545c1146790a4de585042e572948c557
SHA256 d0b473e5c8b86b04f963863dccb863ccf309a566605ac058132d80719d7558fa
SHA512 6cb31b18ee58591fb8065e80f1ebb3e2bc0ee4effed80dee80269f20bf2f571d1570cfdd1af3a92343eae86cacfbf45da2f5b27415b669237ec4a151b4665852

C:\Users\Admin\AppData\Local\Temp\Double

MD5 a6b3217be6124855f1d6aa3e9a90608e
SHA1 f6496dd25963699a8449247bf00b4f499bdde017
SHA256 61baf0bc3a01eb3a09c490f24b658b3bda7698fa945aa0033b2a912b97726f28
SHA512 585cbcbe1afe3c607977680bb72495173a13ee7b0dfe3c406750a64c0a74c7256ddaac28645bdce93102833fdc82992b435b2ce2f624a98aab3e9aeb9dfdc6f9

C:\Users\Admin\AppData\Local\Temp\Tokyo

MD5 bb316f1498bbe533f0d909eb8138f6d1
SHA1 41e290539f0c6c18bef5e08f1ce8c1e661c1e0f6
SHA256 a0f0d12d17245499122f9d6e5745be86a70d4caffb22d5e725882ec48eb224fd
SHA512 130f044d4db94f04dd960024ca274cb011213e93062dedd1f562f78b5e4114460f3526258121794bb0a6347cfc3ecf27128be67ce956375382757df708891efc

C:\Users\Admin\AppData\Local\Temp\Seek

MD5 9b55982cfda525f2aeb23cf9151e156e
SHA1 b6a6fdd487adb330e7e78583954a4fcbd4f4990c
SHA256 69e43b483d5c6a47373acad51403959cda099a00d8fc390bd108c33d53ff5245
SHA512 2b6ac6a20ed44ee7a0a3f9197b9afb1215f32c8a447fb578cf51e4c3b9fe578ac3d68d04d3962dd9a18171fb40333a989f74ce070c52bc54b34c9769516a4ab1

C:\Users\Admin\AppData\Local\Temp\Hay

MD5 434230ef946610ea10fc643f866d4168
SHA1 0c26eb797d2ecb2072d2cac7bb285fce00320e31
SHA256 c857d48269e11517b30d4d12809d9815a82846a0a2c51fcb82c1c51611eb323f
SHA512 b9d76e547fee57be5c577e2f49055470cf9ea4c996731b19b4d243439df6e312a8456aa7d5ba5dc3b95b3b6d75a6a9a6a0f16a894229c1f21510ac6171686809

C:\Users\Admin\AppData\Local\Temp\Portraits

MD5 c300998ee9dcda93d7e96d409ce144b5
SHA1 b068b92038f7ad06ad9f82999e96c2436b824617
SHA256 140821f251108dab089a84b0a7c4d3ff2e5a5af80abe8a1292fb0701ccc76984
SHA512 c89d06fab6b20744f4b685fd424aa56c34605c49568735a22945be5d745586d842daeb5642ea3d7221eaabd12cd752f35b5af5c0bfc2e87429f788405c0636cd

C:\Users\Admin\AppData\Local\Temp\Studios

MD5 0503324cfbed691a1e076ddd210e3dc5
SHA1 ffd93c5b2f001bae86caadb1bbfa5db3ada16b0e
SHA256 1f2f2563e6f3406f339a69dd51e0c68356a0ed502b5194a951a3870bcd5652be
SHA512 aaa16782230368ec38c913618177af38ac97a88d5ddcc9babe4b9a4711554dc3a265c7f0009836cc302607fce6f95b570d61d77af8637b9322bdacd30f13248f

C:\Users\Admin\AppData\Local\Temp\Referring

MD5 29824445bd5ddad35f17f6101381dad5
SHA1 cb3f1ebd56fb581205e44d7878eb957074d4dfdf
SHA256 32062a3886008ba83ffde02d17b4449228c520d18b25e7acdc5a5307b5e05aed
SHA512 f9265dd58514f724aa0ac65ce82848f7ed7d5a634882dbce0ad0f40dd0652da1899bd2768ef1104eedf067efdd5b756cd997bd6b17ef3deacda882e4ab03c885

C:\Users\Admin\AppData\Local\Temp\Sn

MD5 7b2c6916aa73ce52f0fec37c04da9a5f
SHA1 edfc7cd94852da566139ebc5ceb3fd1e79a0fcd5
SHA256 9e84c205d9aa75fc3815bb11062184bb899a1c7ad4ecb5f898fb3a7c1e953d0a
SHA512 b9986bf167ca339ddb5a880290f19d8caa16eab201ea994bf614556c93ce26158b89d4710bd144600cc5284d52913ea54070e4a060023f51ebdd3527255fcbb5

C:\Users\Admin\AppData\Local\Temp\Tags

MD5 8a6708b59f4ff2af447f06389e206aaa
SHA1 54314332e9c9141ca9f986b58209b0d803de1dc1
SHA256 1128f8fe26f8681680bcfd07e16dedaa0ef9f060a030fbe0d694ac03ea1f4353
SHA512 636d46a189a373a7e235cc10f10690dfac95d625b392afd5d29c8fcf2e065edcff9a2c4a3005662eb65b4c878ca77d1b26a9237f28241e63eb44b7c8f7f1fdf6

C:\Users\Admin\AppData\Local\Temp\Consecutive

MD5 9a07b9274f426cc107fe78071ec65fbb
SHA1 ad798e0818cd5e0a1ef0c3496b776e270d8378df
SHA256 cb83f6fbdb336f0c814f8f38a4ca41394661c32aefc529fdc58b5e9cdb82e227
SHA512 8bb60ef1b62eb41669c5e8d83163d0824489bf4b6b55b5610db18745e5a3195346b3c2870934bef1d5515855d7ee0f9dcc28e946a2a51986cfab6502abf2cfa9

C:\Users\Admin\AppData\Local\Temp\Kde

MD5 6a4ef437d8019aa5b0b7c3df82faef23
SHA1 4d3791d7a341422fc17f71d9bb2d48c7efe39212
SHA256 78007fdab6cc27e96fdddc4fd95dbf97f64957a75729b073dcabd65522775dd2
SHA512 9e77979d29c9388b9a116b7ba4e4be4ae8455f86eb7c4e4e92abf895a28e00d0067716f2f9cf6e4e01216522578e3d971770273dbdbfe09b5bc4a3d4cd69e0bb

C:\Users\Admin\AppData\Local\Temp\Older

MD5 b12acd0eaaf79c7f0a182cb6af43c268
SHA1 32ca7698c6ef244f15e92963073c4c381143fcdc
SHA256 66f983eb74e469d008583d7c817a9bd3c82abb5449d81eccfad03c0cd945eb3f
SHA512 9a9a0279e6fa14d1aba4bd56a77fe3746c7392c59a24b055749795c5ee9436cce9f07822451d3def51d72cff7fcabcccfde3807d01827613795c09c7edcf00ec

C:\Users\Admin\AppData\Local\Temp\Race

MD5 54dd562235901b0b1b72d1cf73351ab2
SHA1 2b629d746a7fa309f6b02e6f21813bd0122e9514
SHA256 9e29198255e15e3387419ba904abbb10291c080fed998ebcbeb10f204949377b
SHA512 8c9454a634dfa17533b7af2b1edb256377025b7d964ea718045c7cf4b5d307ad52622528cb7bb428ac0e096d59d03e5b05aa499383f309a8617bc72d1078b45f

C:\Users\Admin\AppData\Local\Temp\Cruises

MD5 53fb4ffd722597e1f467373a13d7c553
SHA1 e844bdc6bf624dd4dbbab5390cebe5faa6c7c550
SHA256 d63a7d9bd4adadb5694b5a6e8a6e8c25cbe92e09605cb7fadf89bedd5987833f
SHA512 643393d9b4f8f16e86d37d21fb4e459a36d81259fecc5142083b85960271b1e7104982c50b19234b762382b6f16cddf939cbdd19769e44252056249a59d0e82e

C:\Users\Admin\AppData\Local\Temp\Chad

MD5 cbe54af4ed04aa5cf830db9e55a15018
SHA1 714cc478dc8e02c634110f0032ddfa64079d29a5
SHA256 d431744fb582a2afc58ace50153b87b884ae531aa1975ab5316c8a3c7f053352
SHA512 01c1782b6e231295db116bbffbb7aa28bc65c682b39ca2257afc677425f05f24b291f78f2cfc15dbfdec5b78005c2823567df6586219914c0af75b5d8dd25527

C:\Users\Admin\AppData\Local\Temp\Instance

MD5 679cc5f5a52352acb623b53827ce6b4e
SHA1 f638eb16fdd591dc883db01233496de5a3883f96
SHA256 58ceea0f7908bc14c983f80f2025337d07984a064dbc78e7c179f28297181846
SHA512 4be2a9b71875ff2c2d956d3ae22556cd71a900008d5616b755b740cb8c9435512f39db08eefedf40c430fac642b7e5ae52535f7d56cc775dd2a00f12ac78a29a

C:\Users\Admin\AppData\Local\Temp\Favourite

MD5 59aec738d0ba49f48fa12aebe6bf3f86
SHA1 5917146f0dca3d5f4864ca50f014b75392b91308
SHA256 c74a7b8b48b782cadd7273957b9075cb97e27587e20f9a50a6cbb322ec81f6d9
SHA512 ba8c843e7ce71be90d488ea88063e01c5f6bded6e2519b29f7db0035875d501b8136054a34b3c828c78711c5996b70d88ceb81656a7ce65ad3a4c4b2d84aa9a0

C:\Users\Admin\AppData\Local\Temp\Strictly

MD5 b6f746085da587385f61ab5ddf64059f
SHA1 1b2020b754a56643c022c0f59bc02de2a4b9f744
SHA256 0855653c199851c83a40423c8db963d5e046962f11e5a75381ffefc2539f8b7a
SHA512 eeaea95e7fedcd914bf359d932edd965f6800b4df73b5bb1838eab82f4a29754a2c6ed683b0279e648149cc456c8c58e31034ba1b8151c5518f70a075d0ba97a

C:\Users\Admin\AppData\Local\Temp\Activated

MD5 43ffc96a01df6d9900fed2261e9fe953
SHA1 57ffed0dd950b1a2dcbd4485d33f50d0a276080a
SHA256 3fd680f57c2b4b374ad34fff49fe01df86849ecfd945543d2c2c28f09b4126b4
SHA512 f69051af0b71fb1618779c9b599a42dd997191967e93e5782db28e98ef2e3d8ccfc041b1d7f550afc10b32948b50ee849c7b58f2a0c52f89b8c92dec7872b8f0

C:\Users\Admin\AppData\Local\Temp\Presenting

MD5 11e25a246364bfb6c8c6d2cda728c674
SHA1 cc4ef212351df06243b71d262f5704e93ce73e78
SHA256 24f3f4c83799ddcde20c5d21c480ccdb2f82e7763ee05f9be97e795b3234ff4a
SHA512 4e9af1db4c329c18ace0b2aee2e0c0522e4766eb9a69d3227526901fb84982a9aa64a45c5e668f7fb2be125ab71c62cb6ae2e20de3479be778d5545e67b8fa79

\Users\Admin\AppData\Local\Temp\238610\Sur.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Temp\238610\I

MD5 958e4d09dbbd33527fef2c623f5d42e5
SHA1 37ff696c4282330d8056aa2d90f8dff8ab0b581f
SHA256 a2558dfee982bc455c1cdc0da881d7668914874ac1ee1d7858b70d7b7aecea61
SHA512 c99f7ea3abd60d957394d84971b520fd6208d2ea8c21f7de443e6d45ba05202c85c84a3057b21ec22566613ed55aa13b1700f354a59f3993c1ae725193284dac

\Users\Admin\AppData\Local\Temp\238610\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

memory/2948-602-0x0000000000090000-0x00000000000A2000-memory.dmp

memory/2948-604-0x0000000000090000-0x00000000000A2000-memory.dmp

memory/2948-605-0x0000000000090000-0x00000000000A2000-memory.dmp
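Added example, not part of the report: the two reassembly steps the dropper runs through cmd.exe, `copy /b Strictly + Activated + Presenting 238610\I` and `findstr /V "MaskBathroomsCompoundInjection" Participants`, reproduced offline so the staged files can be rebuilt from the dropped fragments listed above without executing anything. The fragments and the Participants file below are constructed stand-ins; with the real files the SHA-256 of the rebuilt 238610\I should equal the value in the Files section. Where findstr's output went is not in the report (the redirect belongs to the parent cmd.exe), so only the 238610\I hash can be checked against the page; the emulation's assumptions about findstr (lines break on LF only, match is case-sensitive without /I, terminators pass through unchanged) are exactly what that hash comparison verifies.

```python
"""Reproduce the dropper's reassembly steps offline to recover the staged files.
Added example, not part of the report; fragments below are constructed, not the real drops."""
import hashlib
from pathlib import Path

MARKER = b"MaskBathroomsCompoundInjection"  # from the findstr command line in the report
REPORT_SHA256_I = "a2558dfee982bc455c1cdc0da881d7668914874ac1ee1d7858b70d7b7aecea61"  # 238610\I, Files section


def emulate_copy_b(*fragments):
    """copy /b: byte-for-byte concatenation (no Ctrl-Z/EOF handling, unlike ASCII-mode copy)."""
    return b"".join(fragments)


def emulate_findstr_v(data, marker):
    """findstr /V "<marker>" <file>: emit every line that does not contain the marker.
    Assumed semantics: lines break on LF only, the match is case-sensitive (no /I),
    and line terminators pass through unchanged. A binary file with no LF is one line."""
    pieces = data.split(b"\n")
    tail = pieces.pop()  # bytes after the last LF (b"" when data ends with LF)
    kept = [p + b"\n" for p in pieces if marker not in p]
    if tail and marker not in tail:
        kept.append(tail)
    return b"".join(kept)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def rebuild(fragments, participants, marker=MARKER):
    """Apply both steps; return {name: (bytes, sha256)} for comparison with the report."""
    staged_i = emulate_copy_b(*fragments)
    stripped = emulate_findstr_v(participants, marker)
    return {"238610\\I": (staged_i, sha256_hex(staged_i)),
            "findstr_output": (stripped, sha256_hex(stripped))}


def rebuild_from_disk(temp_dir, marker=MARKER):
    """Same steps on real dropped files collected from a sandbox or a host."""
    t = Path(temp_dir)
    frags = [(t / n).read_bytes() for n in ("Strictly", "Activated", "Presenting")]
    return rebuild(frags, (t / "Participants").read_bytes(), marker)


def matches_report(sha256_value, expected=REPORT_SHA256_I):
    return sha256_value.lower() == expected


# Constructed stand-ins for the dropped fragments (not the real files).
FRAG_STRICTLY = b"MZ\x90\x00fake-header|"
FRAG_ACTIVATED = b"middle-of-file|"
FRAG_PRESENTING = b"tail\x00\x00"
PARTICIPANTS = b"keep-1\r\n" + MARKER + b" junk line inserted by the packer\r\n" + b"keep-2\r\n"

if __name__ == "__main__":
    for name, (data, digest) in rebuild((FRAG_STRICTLY, FRAG_ACTIVATED, FRAG_PRESENTING), PARTICIPANTS).items():
        print(name, len(data), digest, "matches report" if matches_report(digest) else "no match (constructed input)")
```

If the rebuilt 238610\I hashes to the report's value, the fragment order and the concatenation are confirmed and the file can be handed to static analysis; if the findstr emulation is wrong about line endings, the hash of its output will not match whatever the dropper actually produced on the host, which is the cue to diff against a sandbox-collected copy rather than trust the emulation.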

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 08:01

Reported

2024-06-16 08:04

Platform

win10v2004-20240508-en

Max time kernel

135s

Max time network

144s

Command Line

C:\Windows\Explorer.EXE

Signatures

AsyncRat

rat asyncrat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3400 created 3448 N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif C:\Windows\Explorer.EXE
PID 3400 created 3448 N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif C:\Windows\Explorer.EXE

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kam.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cogitate.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cogitate.url C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\RegAsm.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A 32

32 identical rows collapsed; Count is the number of times the row appears in the report.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3328 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\kam.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4064 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe 3
PID 4064 wrote to memory of 3372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe 3
PID 4064 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe 3
PID 4064 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe 3
PID 4064 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4064 wrote to memory of 4912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe 3
PID 4064 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4064 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif 3
PID 4064 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe 3
PID 3400 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif C:\Windows\SysWOW64\cmd.exe 3
PID 3400 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif C:\Users\Admin\AppData\Local\Temp\238610\RegAsm.exe 5

Identical rows are collapsed; Count is the number of times each row appears in the report. Every ordinary child in this run receives three writes from its creator; RegAsm.exe (PID 4376) receives five from Sur.pif, the same outlier as in behavioral1.

Processes

Tree rebuilt from the "wrote to memory of" pairs and PIDs in the WriteProcessMemory table above (the writer is the creating process). Each entry is the image path followed by the command line as recorded. The same caveats as for behavioral1 apply: Sur.pif creates at least one process with Explorer.EXE as the recorded parent (see the signature above), and the 32-bit kam.exe's children run from SysWOW64 even where the command line names System32. Output redirections belong to the parent cmd.exe and do not appear in the child's command line.

C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
  PID 3328  C:\Users\Admin\AppData\Local\Temp\kam.exe
      "C:\Users\Admin\AppData\Local\Temp\kam.exe"
    PID 4064  C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy Emotions Emotions.cmd & Emotions.cmd
      PID 1960  C:\Windows\SysWOW64\tasklist.exe
          tasklist
      PID 3372  C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
      PID 2512  C:\Windows\SysWOW64\tasklist.exe
          tasklist
      PID 4568  C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      PID 3140  C:\Windows\SysWOW64\cmd.exe
          cmd /c md 238610
      PID 4912  C:\Windows\SysWOW64\findstr.exe
          findstr /V "MaskBathroomsCompoundInjection" Participants
      PID 2032  C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Strictly + Activated + Presenting 238610\I
      PID 3400  C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif
          238610\Sur.pif 238610\I
        PID 3488  C:\Windows\SysWOW64\cmd.exe
            cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cogitate.url" & echo URL="C:\Users\Admin\AppData\Local\Neural Nexus Innovations\Cogitate.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cogitate.url" & exit
        PID 4376  C:\Users\Admin\AppData\Local\Temp\238610\RegAsm.exe
            C:\Users\Admin\AppData\Local\Temp\238610\RegAsm.exe
      PID 4468  C:\Windows\SysWOW64\timeout.exe
          timeout 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 wyTKUHhhnlUmHdzj.wyTKUHhhnlUmHdzj udp
US 8.8.8.8:53 ghdsasync.duckdns.org udp

Files

C:\Users\Admin\AppData\Local\Temp\Emotions

C:\Users\Admin\AppData\Local\Temp\Participants

C:\Users\Admin\AppData\Local\Temp\Richmond

C:\Users\Admin\AppData\Local\Temp\Alot

C:\Users\Admin\AppData\Local\Temp\Genre

C:\Users\Admin\AppData\Local\Temp\Fight

C:\Users\Admin\AppData\Local\Temp\Violence

C:\Users\Admin\AppData\Local\Temp\Lcd

C:\Users\Admin\AppData\Local\Temp\Quebec

C:\Users\Admin\AppData\Local\Temp\Buck

C:\Users\Admin\AppData\Local\Temp\Double

C:\Users\Admin\AppData\Local\Temp\Instance

C:\Users\Admin\AppData\Local\Temp\Favourite

C:\Users\Admin\AppData\Local\Temp\Seek

C:\Users\Admin\AppData\Local\Temp\Tokyo

C:\Users\Admin\AppData\Local\Temp\Chad

C:\Users\Admin\AppData\Local\Temp\Cruises

C:\Users\Admin\AppData\Local\Temp\Race

C:\Users\Admin\AppData\Local\Temp\Consecutive

C:\Users\Admin\AppData\Local\Temp\Kde

C:\Users\Admin\AppData\Local\Temp\Older

C:\Users\Admin\AppData\Local\Temp\Hay

C:\Users\Admin\AppData\Local\Temp\Tags

C:\Users\Admin\AppData\Local\Temp\Sn

C:\Users\Admin\AppData\Local\Temp\Referring

C:\Users\Admin\AppData\Local\Temp\Studios

C:\Users\Admin\AppData\Local\Temp\Portraits

C:\Users\Admin\AppData\Local\Temp\Strictly

C:\Users\Admin\AppData\Local\Temp\Activated

C:\Users\Admin\AppData\Local\Temp\Presenting

C:\Users\Admin\AppData\Local\Temp\238610\Sur.pif

C:\Users\Admin\AppData\Local\Temp\238610\I

memory/4376-598-0x0000000000700000-0x0000000000712000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\238610\RegAsm.exe
