agenttesla | 0b232cd5b3cd6d2ba6d618a0bb68711901d2746be6dbdc67df1242459e0e5c5a

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rfq.exe
Size

3.5MB
MD5

16169512f2e05c8e01449e52ea10b525
SHA1

0724ad3ada6f7b87d0be9fe051da3e50449d9775
SHA256

0b232cd5b3cd6d2ba6d618a0bb68711901d2746be6dbdc67df1242459e0e5c5a
SHA512

7487faa357cdf96653d84d4b028725fa8650614bf6801ca61c78f2a4f42f8ac288172ae5eaa52365143aaf7edb9fd62ebdc40a6e578b897875eb682f8e299611
SSDEEP

98304:7trbTA1R2DHQaFMlXIolnL8eckZ6uWvBN3:hc1zC8YolnrckZ7K3

Score

10^/10

agenttesla redline foz credential_access discovery execution infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759
Email To:
[email protected]

Extracted

Family

redline

Botnet

FOZ

212.162.149.53:2049

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000173ab-46.dat	family_redline
behavioral1/memory/2620-67-0x0000000000880000-0x00000000008D2000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
892	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk	server_BTC.exe

Executes dropped EXE 37 IoCs

pid	Process
472	Process not Found
2084	alg.exe
2172	server_BTC.exe
2868	neworigin.exe
2620	build.exe
2612	mscorsvw.exe
2212	mscorsvw.exe
1924	elevation_service.exe
1800	GROOVE.EXE
2884	maintenanceservice.exe
352	OSE.EXE
2472	TrojanAIbot.exe
2292	mscorsvw.exe
1784	mscorsvw.exe
1532	mscorsvw.exe
1776	mscorsvw.exe
372	mscorsvw.exe
2180	mscorsvw.exe
2448	mscorsvw.exe
868	mscorsvw.exe
2624	mscorsvw.exe
2428	mscorsvw.exe
2956	mscorsvw.exe
444	mscorsvw.exe
1236	mscorsvw.exe
344	mscorsvw.exe
2152	mscorsvw.exe
1780	mscorsvw.exe
2760	mscorsvw.exe
2308	mscorsvw.exe
1624	mscorsvw.exe
2656	mscorsvw.exe
1676	mscorsvw.exe
3052	mscorsvw.exe
1760	mscorsvw.exe
308	mscorsvw.exe
572	mscorsvw.exe

Loads dropped DLL 8 IoCs

pid	Process
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2172	server_BTC.exe
2620	build.exe
2620	build.exe
2620	build.exe
2620	build.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipify.org
14	api.ipify.org

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fdfa6196a4d605c0.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 2504	2424	rfq.exe	30

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	svchost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neworigin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrojanAIbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server_BTC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2280	timeout.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1780	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2472	TrojanAIbot.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2868	neworigin.exe
2868	neworigin.exe
892	powershell.exe
2620	build.exe
2620	build.exe
2620	build.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2424	rfq.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2504	svchost.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeDebugPrivilege	2868	neworigin.exe
Token: SeDebugPrivilege	2172	server_BTC.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	2472	TrojanAIbot.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeDebugPrivilege	2084	alg.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeDebugPrivilege	2620	build.exe
Token: SeDebugPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe
Token: SeDebugPrivilege	2212	mscorsvw.exe
Token: SeShutdownPrivilege	2612	mscorsvw.exe
Token: SeShutdownPrivilege	2212	mscorsvw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2868	neworigin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2504	2424	rfq.exe	30
PID 2424 wrote to memory of 2504	2424	rfq.exe	30
PID 2424 wrote to memory of 2504	2424	rfq.exe	30
PID 2424 wrote to memory of 2504	2424	rfq.exe	30
PID 2424 wrote to memory of 2504	2424	rfq.exe	30
PID 2504 wrote to memory of 2172	2504	svchost.exe	32
PID 2504 wrote to memory of 2172	2504	svchost.exe	32
PID 2504 wrote to memory of 2172	2504	svchost.exe	32
PID 2504 wrote to memory of 2172	2504	svchost.exe	32
PID 2504 wrote to memory of 2868	2504	svchost.exe	33
PID 2504 wrote to memory of 2868	2504	svchost.exe	33
PID 2504 wrote to memory of 2868	2504	svchost.exe	33
PID 2504 wrote to memory of 2868	2504	svchost.exe	33
PID 2504 wrote to memory of 2620	2504	svchost.exe	34
PID 2504 wrote to memory of 2620	2504	svchost.exe	34
PID 2504 wrote to memory of 2620	2504	svchost.exe	34
PID 2504 wrote to memory of 2620	2504	svchost.exe	34
PID 2172 wrote to memory of 892	2172	server_BTC.exe	43
PID 2172 wrote to memory of 892	2172	server_BTC.exe	43
PID 2172 wrote to memory of 892	2172	server_BTC.exe	43
PID 2172 wrote to memory of 892	2172	server_BTC.exe	43
PID 2172 wrote to memory of 1780	2172	server_BTC.exe	44
PID 2172 wrote to memory of 1780	2172	server_BTC.exe	44
PID 2172 wrote to memory of 1780	2172	server_BTC.exe	44
PID 2172 wrote to memory of 1780	2172	server_BTC.exe	44
PID 2172 wrote to memory of 2472	2172	server_BTC.exe	47
PID 2172 wrote to memory of 2472	2172	server_BTC.exe	47
PID 2172 wrote to memory of 2472	2172	server_BTC.exe	47
PID 2172 wrote to memory of 2472	2172	server_BTC.exe	47
PID 2172 wrote to memory of 1852	2172	server_BTC.exe	48
PID 2172 wrote to memory of 1852	2172	server_BTC.exe	48
PID 2172 wrote to memory of 1852	2172	server_BTC.exe	48
PID 2172 wrote to memory of 1852	2172	server_BTC.exe	48
PID 1852 wrote to memory of 2280	1852	cmd.exe	50
PID 1852 wrote to memory of 2280	1852	cmd.exe	50
PID 1852 wrote to memory of 2280	1852	cmd.exe	50
PID 1852 wrote to memory of 2280	1852	cmd.exe	50
PID 2612 wrote to memory of 2292	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 2292	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 2292	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 2292	2612	mscorsvw.exe	51
PID 2612 wrote to memory of 1784	2612	mscorsvw.exe	52
PID 2612 wrote to memory of 1784	2612	mscorsvw.exe	52
PID 2612 wrote to memory of 1784	2612	mscorsvw.exe	52
PID 2612 wrote to memory of 1784	2612	mscorsvw.exe	52
PID 2612 wrote to memory of 1532	2612	mscorsvw.exe	53
PID 2612 wrote to memory of 1532	2612	mscorsvw.exe	53
PID 2612 wrote to memory of 1532	2612	mscorsvw.exe	53
PID 2612 wrote to memory of 1532	2612	mscorsvw.exe	53
PID 2612 wrote to memory of 1776	2612	mscorsvw.exe	54
PID 2612 wrote to memory of 1776	2612	mscorsvw.exe	54
PID 2612 wrote to memory of 1776	2612	mscorsvw.exe	54
PID 2612 wrote to memory of 1776	2612	mscorsvw.exe	54
PID 2612 wrote to memory of 372	2612	mscorsvw.exe	55
PID 2612 wrote to memory of 372	2612	mscorsvw.exe	55
PID 2612 wrote to memory of 372	2612	mscorsvw.exe	55
PID 2612 wrote to memory of 372	2612	mscorsvw.exe	55
PID 2612 wrote to memory of 2180	2612	mscorsvw.exe	56
PID 2612 wrote to memory of 2180	2612	mscorsvw.exe	56
PID 2612 wrote to memory of 2180	2612	mscorsvw.exe	56
PID 2612 wrote to memory of 2180	2612	mscorsvw.exe	56
PID 2612 wrote to memory of 2448	2612	mscorsvw.exe	57
PID 2612 wrote to memory of 2448	2612	mscorsvw.exe	57
PID 2612 wrote to memory of 2448	2612	mscorsvw.exe	57

C:\Users\Admin\AppData\Local\Temp\rfq.exe
"C:\Users\Admin\AppData\Local\Temp\rfq.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\rfq.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\server_BTC.exe
    "C:\Users\Admin\AppData\Local\Temp\server_BTC.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:892
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 17:33 /du 23:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1780
  - - C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
      "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD01B.tmp.cmd""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 6
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2280
- - C:\Users\Admin\AppData\Local\Temp\neworigin.exe
    "C:\Users\Admin\AppData\Local\Temp\neworigin.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2868
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2620

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 244 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 23c -NGENProcess 1e8 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 1e0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 24c -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 23c -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e8 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 264 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 238 -NGENProcess 1e8 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 26c -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 238 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 270 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 27c -NGENProcess 26c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 24c -NGENProcess 268 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 280 -NGENProcess 25c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 268 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 270 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 260 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 26c -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 29c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2a0 -NGENProcess 25c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1924

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1800

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2884

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.2MB

MD5
62de3f9e72ec2dc94487468f028c34eb

SHA1
c9539f7752618c84dc0346c26fc87f392ca9bc37

SHA256
d38a0bab094217ed6b3920ac642d1f7f5ac075b3bab441749c7855dd2e23d99d

SHA512
97a397a789069ec8f969f0850d3248c05511ced154c418032578baafad17b73a09e8a5b3e1f637d1ff2bd5e50d8f37e7cf88be23acec9ae63c5064079f338668

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
744ecf6d69af0cbf33d4551612e312be

SHA1
fd62a359502b32a7a94ee653d5447dcaf30728c0

SHA256
5c5f76cc193d2e54a0ca180e9454144ac49228f0c2e0c47e2117369c17120399

SHA512
15f95a6b38f1d612df06270bd856daba47bbe6955855edd2fae8dccc170eeed715a7e7e29c4311e05b0fe6c9ddf6beb186bbc0b9d382fff1d3bf6f332f6f3b57

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
f659856bbafbcab22764d55f4610f25f

SHA1
eaa98aeb26f818a5bbd56c05dc1a92481a16ed2c

SHA256
62b5d3a3ef3544d6e1313271f4d857a3e637746cab2936ed090eded5c36643cd

SHA512
06aaf02c5c266ee5abda9a0856d2ef17f436281ec033acb20ca1762a127a7143958e40b658da9b582f523bb372e122dbf4216f69b417e1c23919bc63b6300675

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.6MB

MD5
83279ed001098f00f7033b9ab289e1dc

SHA1
7e6abe860cd9cd96b44d526e1fade9271695e33e

SHA256
3e7b6981f575237db0d1f901247e89646cb7dd7c79a63a18175fe5845df10645

SHA512
c72f9818fc1f68c95974f90ab686605acb6c9bd49b7eba53942db6d0fe52730f9f2c526eb43f2fe9bc9be0d3f7eecd8537de95b3c84dc759a5b7dc102050add0

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
abd6143bfb8129f817f120fb170bf870

SHA1
7186f11289bd2864b611bae693ef0eb261601892

SHA256
846fc4ebd378afb2d673c4b52714401bbea7c01f0630eab66416dd4d004dabaf

SHA512
7964092cf25f6075771dbd38e45bbc6c8652d1fdeb851e7ff152b7e7e478e74be1a7dcdea360775bc5d9dbe0a73953ee8cd4004dc3effdfbe87676190e2b094c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
e8e71c24831fa6ed776ebffedfb7d69d

SHA1
55379c8a6396928f2beade704b56b5fd2cb387d7

SHA256
984d05ba7da4c07b7d41bca29eafe5dee4322b5c522bc1f424ee573703d4709d

SHA512
22a53e3c34c32774c24b904f9544adea2c5b883040f37e6ff13919a4cc4575b324569e43914797c9801e37beace215fde7151c0752ab12fbec8ac2cc00a9ef6d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
e5f6eed98eae504c59f5e34db0f40dbf

SHA1
f7551ff9cafe8af2c011a15066ccfbe595be64e6

SHA256
b8ff0bd4b7ea9131f5a3903250e9019c884f75a78c8aca629fc81fccf59de1ac

SHA512
fceeebafb59ece7e03f8d9fd3246cee189ea885d5b3c652559b12c62291e5e7f9a07c44e14430895a87248e11b7f35943f7d3af3caca7489e9a4663882b97ce0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
06024fe36da74f7d9df2da72e46ad711

SHA1
4c40bb5ae3bff6641a99da831827329d4a1d7e33

SHA256
187bd6ea5016d4972b4ceed33783da206c0b8ea06d754a28935eb937778c9b7e

SHA512
2d7b10bcb315921ef193f59d157b0db1b2eaa1e58723666d81a6d485a2f360036aded5a0a8c78874d5ed7d815fb72df1e0b8d96417064721a42e0f075c1a29c4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
84ffe4bf1079ad76ebe132d11bb4bf2b

SHA1
e1a69eab75b13dfeb1232938be164e7da0a5347e

SHA256
6877126730614747b073ad2a3dfc7ffc1187055906244888919ca9dd87c0ca5c

SHA512
1aa25786dc0447470867c768347208fcbd8e1988e81ec92f67318ace82529740d994eb53c5520fe15c4576f6ceb0b8feae5e86392f391130bbfaa2afc24bc2f2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
63c6243044457a3002b85c61a6333a97

SHA1
c29c37d01e1c1bfc513811619bfcd27af290d19e

SHA256
6ac7a7f0d217fca0a6b63302c87c2a8857820afa57c79df58fd2af83c121a7b6

SHA512
747644653dca3ec4cd3ba8b2cddc4f35754736c3b8cad299d3667df2e7643af3e652c7768d2aa14ed6566ae2875d99f55d114ebd407aa4cf13e304f5069f7bbf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
2576c64d6f2765d4168804b3f12f315b

SHA1
f9c85e9f82a11e18804d19d823ecfc909aff0ab7

SHA256
947c98674c283c32e0abe9ba1322778918c87c855a788f6ad4bd06d11855b064

SHA512
6d2e6ba73786e11233221fc486ee45012d22ee1d8bbca0a6fc65df3ec947c1d2ae930a9cce10ffe06249c9150c8f691110626b7ccd3d9239a84946e6ae83f872

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
fa74becd29678bca789ea759e7a8852d

SHA1
75c55b8101188ed4b50483d170a3d6b59528a220

SHA256
aec6ecaa377313fbe85946ab5d144585679d3ec0cdeebaa684c1fdbd184285f4

SHA512
40bec641691c4ec1e8979f147755e609d78c5b826e7534a891c5b7d9f5f3d55e5787b8080deaa1e7bda14c9f35ea57a35dab5e4bb70997c9478b13b02a11ed85

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c3c837ac906bd3c87fb95d1cb6d109e6

SHA1
bf4b60495dd95c9a766acedd5a2ea0484b9b5ced

SHA256
eb73d4dad9e23a3ae784cfc8cdb5ffc7f65c7b1593b3ced25f2119c6229a4e87

SHA512
52980eef10c846f1fb5a9220b1c246e59b993dd6649f22427da85044fef15375fd67a3ded2e9c0ce39a4bf5a9f93f0e7c31d185679ea74fc40acc4c875c226de

Download Submit
C:\Program Files\Mozilla Firefox\firefox.exe

Filesize
1.2MB

MD5
95d67deedbabbeac0723490dce390df5

SHA1
0b18ab41af549f12788b76e2fbd96edf05fb3a0f

SHA256
871c32b551fbeaf13a9605fde613b4ef42fc10130f39cfaef59048e73f46d750

SHA512
0161ebceb1e641c75901bcf496d69e7e0bc3de2333866db1b6272a205e14302cd7ee7d0927795a4be6d818a8f2a2abb971f54908429d8e2d110cf5184a0421a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\neworigin.exe

Filesize
244KB

MD5
d6a4cf0966d24c1ea836ba9a899751e5

SHA1
392d68c000137b8039155df6bb331d643909e7e7

SHA256
dc441006cb45c2cfac6c521f6cd4c16860615d21081563bd9e368de6f7e8ab6b

SHA512
9fa7aa65b4a0414596d8fd3e7d75a09740a5a6c3db8262f00cb66cd4c8b43d17658c42179422ae0127913deb854db7ed02621d0eeb8ddff1fac221a8e0d1ca35

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD01B.tmp.cmd

Filesize
162B

MD5
eb56491cac13b2e9656b33b46acccc40

SHA1
1312b022fb94169a0862bfc346e7ab209784a425

SHA256
95b307ab9540cb320f11166edb874166785958aa5f278ba56e9ccd93e4244e5d

SHA512
0b15f54a2975a64102695e619520a5f24052f19728696fcafca5c34b618dc0d9b2da950ac49841e4cdd195d864a3c34c073d3f556bf66156f043bf44e87becfe

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
d30617096dcf095ba4e11c223e92f527

SHA1
b6dd63e383df89e735bdab7b7517ba23f6d8a0d1

SHA256
29e8b3edf41fe67e437dad4c383602b1bf40f905b33a158778a9ab8df0bb886a

SHA512
69925aa74b3983fe18e17167bccc020d0db5b20a56c0df8932d2064a039adb3c5cfdd17514af3c4d606ee5da9902b56b5b3073d7c927a584d9e9bed6ffc96b4f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
4fc1b7d3e69dd59549f8690d9a3a301c

SHA1
6e2ebde91831f713c2212eea4e45dba71396eb14

SHA256
2dfe4060da47c2f38fc823410b0de688a68df5541c8decbdd0a94731c781bac8

SHA512
cecfaeb8fbb263318f720cd6c1112dd2d6526fd031c320190eb2e83cc3513a8e74c2fd28c373c357d2a230d165f40367cbfb366d6d45ab68d9656ccea265aba0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
4cca89abad1f229a57b83cfea5c001e2

SHA1
feb43de62e4145776fa1845b2a4ec82e0393a814

SHA256
a2fbe7f568fb4455068480fed0217cbfab76aebbc7ae641a14c1bb7f9f5ec3bf

SHA512
7a85ce3ef9687f607f95b5198051cc65cc7b9136fc00e5e58013735798a734d8da10db27f3cc860f01befae381350b2a3a51751ca94a65115fc009f3db5b5936

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe

Filesize
300KB

MD5
3b6501feef6196f24163313a9f27dbfd

SHA1
20d60478d3c161c3cacb870aac06be1b43719228

SHA256
0576191c50a1b6afbcaa5cb0512df5b6a8b9bef9739e5308f8e2e965bf9b0fc5

SHA512
338e2c450a0b1c5dfea3cd3662051ce231a53388bc2a6097347f14d3a59257ce3734d934db1992676882b5f4f6a102c7e15b142434575b8970658b4833d23676

Download Submit
\Users\Admin\AppData\Local\Temp\server_BTC.exe

Filesize
226KB

MD5
50d015016f20da0905fd5b37d7834823

SHA1
6c39c84acf3616a12ae179715a3369c4e3543541

SHA256
36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5

SHA512
55f639006a137732b2fa0527cd1be24b58f5df387ce6aa6b8dd47d1419566f87c95fc1a6b99383e8bd0bcba06cc39ad7b32556496e46d7220c6a7b6d8390f7fc

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
ae8b600f2eee023544821055ea6f63cd

SHA1
b86695a4e39755da74a91f86a0d8bc3168a0daea

SHA256
84d76ca5e7c35970ecde263d7e37dc3805a2d30a0cfe8a95755a472c0dc89312

SHA512
5d98a2621dc2b365b792f0428df645c23fbb2c4003b7385dd541ff83e84025970bb6a7cee2b3780bd3d6dab007cd7e120b9196296e5f435ec7b82e958e727a4a

Download Submit
memory/308-604-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/308-619-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/344-472-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/344-482-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/352-125-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/352-132-0x000000002E000000-0x000000002E13B000-memory.dmp

Filesize
1.2MB

Download
memory/352-363-0x000000002E000000-0x000000002E13B000-memory.dmp

Filesize
1.2MB

Download
memory/372-364-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/372-376-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/444-467-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/444-456-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/572-622-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/572-616-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/868-420-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/868-407-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1236-470-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1532-345-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1532-349-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1624-548-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1624-535-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1676-570-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1676-561-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1760-594-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1760-588-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1776-372-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1776-355-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1780-501-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1780-515-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1784-336-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1784-332-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1800-105-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1800-108-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1800-344-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1800-100-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1924-95-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1924-89-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1924-97-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1924-331-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2084-26-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2084-33-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2084-38-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/2084-276-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/2152-494-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2152-491-0x0000000003DC0000-0x0000000003E7A000-memory.dmp

Filesize
744KB

Download
memory/2172-68-0x0000000001240000-0x000000000127E000-memory.dmp

Filesize
248KB

Download
memory/2180-384-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2180-396-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2212-80-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2212-73-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2212-74-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2212-311-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2292-319-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2292-323-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2308-525-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2308-539-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2424-2-0x00000000047F0000-0x0000000004FF0000-memory.dmp

Filesize
8.0MB

Download
memory/2428-431-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2428-436-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2448-408-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2448-395-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2472-177-0x0000000000370000-0x00000000003AE000-memory.dmp

Filesize
248KB

Download
memory/2504-51-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2504-3-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2504-5-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2504-6-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2504-7-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2504-14-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2612-307-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2612-64-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2612-57-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2612-62-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2620-625-0x00000000055E0000-0x0000000005717000-memory.dmp

Filesize
1.2MB

Download
memory/2620-626-0x00000000055E0000-0x0000000005717000-memory.dmp

Filesize
1.2MB

Download
memory/2620-567-0x0000000005ED0000-0x0000000006007000-memory.dmp

Filesize
1.2MB

Download
memory/2620-566-0x0000000005ED0000-0x0000000006007000-memory.dmp

Filesize
1.2MB

Download
memory/2620-67-0x0000000000880000-0x00000000008D2000-memory.dmp

Filesize
328KB

Download
memory/2624-419-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2624-432-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2656-562-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2760-514-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2760-536-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2868-66-0x00000000000F0000-0x0000000000134000-memory.dmp

Filesize
272KB

Download
memory/2884-116-0x0000000001030000-0x0000000001090000-memory.dmp

Filesize
384KB

Download
memory/2884-110-0x0000000001030000-0x0000000001090000-memory.dmp

Filesize
384KB

Download
memory/2884-119-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2884-121-0x0000000001030000-0x0000000001090000-memory.dmp

Filesize
384KB

Download
memory/2884-123-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2956-448-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2956-444-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3052-579-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3052-591-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download