asyncrat | c5d1c57f289c7f9f692ad7971b08ec1392082eda028916ff33c27da1c8c3326b

Analysis

max time kernel
136s
max time network
147s
platform
windows7_x64
resource
win7v20201028
submitted
05-01-2021 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NON_DISC.EXE
Size

948KB
MD5

5a26073186d5cd797817ab71676082c1
SHA1

eba609ba96514ea94b9bf91f24ecf4b450c3faaf
SHA256

52bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396
SHA512

79c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1

Score

10^/10

asyncrat evasion persistence rat spyware trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

hpdndbnb.duckdns.org:3040

hpdndbnb.duckdns.org:2020

hpdndbnb.duckdns.org:4040

gpmaw.duckdns.org:3040

gpmaw.duckdns.org:2020

gpmaw.duckdns.org:4040

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
8pSblfEIKGwvU0W68bmEKGa3zB2hqd4t
anti_detection
false
autorun
true
bdos
false
delay
Default
host
hpdndbnb.duckdns.org,gpmaw.duckdns.org
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
3040,2020,4040
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

NON_DISC.EXEDfnder windows.exeaoxxsd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NON_DISC.EXE\""	NON_DISC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Dfnder windows.exe\""	Dfnder windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\aoxxsd.exe\""	aoxxsd.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Async RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral3/memory/1704-31-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral3/memory/1704-32-0x000000000040C79E-mapping.dmp	asyncrat
behavioral3/memory/1704-34-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral3/memory/1704-33-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral3/memory/520-134-0x000000000040C79E-mapping.dmp	asyncrat
behavioral3/memory/520-136-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral3/memory/520-137-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral3/memory/520-145-0x0000000000720000-0x000000000073B000-memory.dmp	asyncrat

Executes dropped EXE 8 IoCs

Processes:

Dfnder windows.exeDfnder windows.exeaoxxsd.exeaoxxsd.exeaoxxsd.exeaoxxsd.exeaoxxsd.exeaoxxsd.exe

pid process

1956 Dfnder windows.exe
520 Dfnder windows.exe
1260 aoxxsd.exe
2036 aoxxsd.exe
528 aoxxsd.exe
1956 aoxxsd.exe
1352 aoxxsd.exe
308 aoxxsd.exe

pid	process
1956	Dfnder windows.exe
520	Dfnder windows.exe
1260	aoxxsd.exe
2036	aoxxsd.exe
528	aoxxsd.exe
1956	aoxxsd.exe
1352	aoxxsd.exe
308	aoxxsd.exe

Drops startup file 6 IoCs

Processes:

aoxxsd.exeNON_DISC.EXEDfnder windows.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aoxxsd.exe	aoxxsd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE	NON_DISC.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE	NON_DISC.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe	Dfnder windows.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe	Dfnder windows.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aoxxsd.exe	aoxxsd.exe

Loads dropped DLL 9 IoCs

Processes:

cmd.exepowershell.exeaoxxsd.exe

pid process

1744 cmd.exe
1744 cmd.exe
896 powershell.exe
896 powershell.exe
1260 aoxxsd.exe
1260 aoxxsd.exe
1260 aoxxsd.exe
1260 aoxxsd.exe
1260 aoxxsd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1744	cmd.exe
1744	cmd.exe
896	powershell.exe
896	powershell.exe
1260	aoxxsd.exe
1260	aoxxsd.exe
1260	aoxxsd.exe
1260	aoxxsd.exe
1260	aoxxsd.exe

Windows security modification 2 TTPs 13 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

NON_DISC.EXEaoxxsd.exeDfnder windows.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	NON_DISC.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	NON_DISC.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	NON_DISC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	NON_DISC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aoxxsd.exe = "0"	aoxxsd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe = "0"	aoxxsd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE = "0"	NON_DISC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE = "0"	NON_DISC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	NON_DISC.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	NON_DISC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	NON_DISC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe = "0"	Dfnder windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Dfnder windows.exe = "0"	Dfnder windows.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NON_DISC.EXEDfnder windows.exeaoxxsd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NON_DISC.EXE"	NON_DISC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\NON_DISC.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NON_DISC.EXE"	NON_DISC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Roaming\\Dfnder windows.exe"	Dfnder windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dfnder windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Dfnder windows.exe"	Dfnder windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aoxxsd.exe"	aoxxsd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\aoxxsd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aoxxsd.exe"	aoxxsd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

NON_DISC.EXEDfnder windows.exe

description	pid	process	target process
PID 1204 set thread context of 1704	1204	NON_DISC.EXE	NON_DISC.EXE
PID 1956 set thread context of 520	1956	Dfnder windows.exe	Dfnder windows.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1696 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2036 timeout.exe

pid	process
1696	schtasks.exe

pid	process
2036	timeout.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeNON_DISC.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeDfnder windows.exepowershell.exepowershell.exepowershell.exeaoxxsd.exepowershell.exe

pid	process
1780	powershell.exe
1776	powershell.exe
1184	powershell.exe
1964	powershell.exe
1964	powershell.exe
1780	powershell.exe
1184	powershell.exe
1776	powershell.exe
1704	NON_DISC.EXE
1704	NON_DISC.EXE
1704	NON_DISC.EXE
372	powershell.exe
1484	powershell.exe
844	powershell.exe
1772	powershell.exe
1484	powershell.exe
372	powershell.exe
844	powershell.exe
1772	powershell.exe
896	powershell.exe
896	powershell.exe
520	Dfnder windows.exe
1276	powershell.exe
1572	powershell.exe
1792	powershell.exe
1276	powershell.exe
1572	powershell.exe
1260	aoxxsd.exe
1260	aoxxsd.exe
1260	aoxxsd.exe
1260	aoxxsd.exe
1260	aoxxsd.exe
1260	aoxxsd.exe
1260	aoxxsd.exe
1260	aoxxsd.exe
1260	aoxxsd.exe
1260	aoxxsd.exe
1608	powershell.exe
1608	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

NON_DISC.EXEpowershell.exepowershell.exepowershell.exepowershell.exeNON_DISC.EXEDfnder windows.exepowershell.exepowershell.exepowershell.exepowershell.exeDfnder windows.exepowershell.exeaoxxsd.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1204	NON_DISC.EXE
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1704	NON_DISC.EXE
Token: SeDebugPrivilege	1956	Dfnder windows.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	520	Dfnder windows.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1260	aoxxsd.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe

Suspicious use of WriteProcessMemory 130 IoCs

Processes:

NON_DISC.EXENON_DISC.EXEcmd.execmd.exeDfnder windows.exe

description	pid	process	target process
PID 1204 wrote to memory of 1184	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1184	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1184	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1184	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1964	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1964	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1964	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1964	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1780	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1780	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1780	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1780	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1776	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1776	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1776	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1776	1204	NON_DISC.EXE	powershell.exe
PID 1204 wrote to memory of 1704	1204	NON_DISC.EXE	NON_DISC.EXE
PID 1204 wrote to memory of 1704	1204	NON_DISC.EXE	NON_DISC.EXE
PID 1204 wrote to memory of 1704	1204	NON_DISC.EXE	NON_DISC.EXE
PID 1204 wrote to memory of 1704	1204	NON_DISC.EXE	NON_DISC.EXE
PID 1204 wrote to memory of 1704	1204	NON_DISC.EXE	NON_DISC.EXE
PID 1204 wrote to memory of 1704	1204	NON_DISC.EXE	NON_DISC.EXE
PID 1204 wrote to memory of 1704	1204	NON_DISC.EXE	NON_DISC.EXE
PID 1204 wrote to memory of 1704	1204	NON_DISC.EXE	NON_DISC.EXE
PID 1204 wrote to memory of 1704	1204	NON_DISC.EXE	NON_DISC.EXE
PID 1704 wrote to memory of 912	1704	NON_DISC.EXE	cmd.exe
PID 1704 wrote to memory of 912	1704	NON_DISC.EXE	cmd.exe
PID 1704 wrote to memory of 912	1704	NON_DISC.EXE	cmd.exe
PID 1704 wrote to memory of 912	1704	NON_DISC.EXE	cmd.exe
PID 1704 wrote to memory of 1744	1704	NON_DISC.EXE	cmd.exe
PID 1704 wrote to memory of 1744	1704	NON_DISC.EXE	cmd.exe
PID 1704 wrote to memory of 1744	1704	NON_DISC.EXE	cmd.exe
PID 1704 wrote to memory of 1744	1704	NON_DISC.EXE	cmd.exe
PID 912 wrote to memory of 1696	912	cmd.exe	schtasks.exe
PID 912 wrote to memory of 1696	912	cmd.exe	schtasks.exe
PID 912 wrote to memory of 1696	912	cmd.exe	schtasks.exe
PID 912 wrote to memory of 1696	912	cmd.exe	schtasks.exe
PID 1744 wrote to memory of 2036	1744	cmd.exe	timeout.exe
PID 1744 wrote to memory of 2036	1744	cmd.exe	timeout.exe
PID 1744 wrote to memory of 2036	1744	cmd.exe	timeout.exe
PID 1744 wrote to memory of 2036	1744	cmd.exe	timeout.exe
PID 1744 wrote to memory of 1956	1744	cmd.exe	Dfnder windows.exe
PID 1744 wrote to memory of 1956	1744	cmd.exe	Dfnder windows.exe
PID 1744 wrote to memory of 1956	1744	cmd.exe	Dfnder windows.exe
PID 1744 wrote to memory of 1956	1744	cmd.exe	Dfnder windows.exe
PID 1956 wrote to memory of 1484	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 1484	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 1484	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 1484	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 372	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 372	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 372	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 372	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 844	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 844	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 844	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 844	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 1772	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 1772	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 1772	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 1772	1956	Dfnder windows.exe	powershell.exe
PID 1956 wrote to memory of 520	1956	Dfnder windows.exe	Dfnder windows.exe
PID 1956 wrote to memory of 520	1956	Dfnder windows.exe	Dfnder windows.exe
PID 1956 wrote to memory of 520	1956	Dfnder windows.exe	Dfnder windows.exe

C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE
"C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NON_DISC.EXE" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE
"C:\Users\Admin\AppData\Local\Temp\NON_DISC.EXE"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Dfnder windows" /tr '"C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Dfnder windows" /tr '"C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"'
4⤵
- Creates scheduled task(s)
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp56F6.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2036

C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
"C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe" -Force
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe" -Force
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dfnder windows.exe" -Force
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Dfnder windows.exe" -Force
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
"C:\Users\Admin\AppData\Roaming\Dfnder windows.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe"' & exit
6⤵
PID:756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe"'
7⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe
"C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe"
8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aoxxsd.exe" -Force
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aoxxsd.exe" -Force
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aoxxsd.exe" -Force
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe" -Force
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe
"C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe"
9⤵
- Executes dropped EXE
PID:2036

C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe
"C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe"
9⤵
- Executes dropped EXE
PID:1352

C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe
"C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe"
9⤵
- Executes dropped EXE
PID:308

C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe
"C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe"
9⤵
- Executes dropped EXE
PID:1956

C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe
"C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe"
9⤵
- Executes dropped EXE
PID:528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2996d60b-6b84-48c0-b2aa-4cf87e887ebf
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4e96846f-3a0d-45fa-9ff6-cb50175a3881
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aacd219d-c7ba-43ff-a67c-9ddc2f632d63
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c2655f79-cbb6-42c2-91c0-4218d5178a73
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e63fe887-9491-498f-93b6-9d9f900dbc9a
MD5
354b8209f647a42e2ce36d8cf326cc92

SHA1
98c3117f797df69935f8b09fc9e95accfe3d8346

SHA256
feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239

SHA512
420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
2b0b7bfba32b013dbbe72b871bb01bef

SHA1
ac1c2fcf025cd886025a9ef6884ca3b4aaed1aaf

SHA256
6edda5df5db8b874c68deebbfbb90007f1a0a14e757d5f14554e72fb132301c0

SHA512
37fff858e6835e22ba784a5f8f2e5262806f1ab820c9dfb7dd0fe66d7b73bdc144aa76b75b979211d92481d9b5f9736bc69c9c269ff9e9cf1635ad0e991a634d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
d950727e8df10c1f1dec480c3e6b0cd0

SHA1
9c58e3f69e38805f9c9c83d9e301d3c807a12854

SHA256
19441ee53466eb5ff0ec8a76ae8457994467ebb57bffaa08cc2c0b4b157a0740

SHA512
66fdf597b94a059e6bc092433bda5a1c82f731e153d813b54cf95e2912157601e63d8597283679930e0d04439ae94d31d0fd37fafcaeea48e81d0f309e72e303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
1aa4bcc690c4feabc353f530763c1dc6

SHA1
81dbd6825909e0b6b39028bc91fcb7c0adbc4222

SHA256
7a479fac1c141ddbec226b8594b8b9ae4106df1b2c03e39820ac030574e14930

SHA512
8dd107b5eaa006e1610eccb5501b495dd6054bf0e7021c6769a929dc5e092f7933d5f980847c6d4ad963899d111e11892831e5d1d6997cad4b3d5e93801de69f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
32fef32e45f0a6db711d9857cba69fe7

SHA1
7d89fdee4be35741f0ed35ec02a301745abf869a

SHA256
8fe69b6ee5512954903f251a1f7d5afba793dec70a27a98b409d1f78809319f2

SHA512
15da0101fc00f7075308cf14f99ab4a6f4d14434716dd2e4f4e2059eb756f1f7e32465d4c2d0ce80850c714646f404d4bbd7d4c6c3b3e224ba377811995567f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
2b0b7bfba32b013dbbe72b871bb01bef

SHA1
ac1c2fcf025cd886025a9ef6884ca3b4aaed1aaf

SHA256
6edda5df5db8b874c68deebbfbb90007f1a0a14e757d5f14554e72fb132301c0

SHA512
37fff858e6835e22ba784a5f8f2e5262806f1ab820c9dfb7dd0fe66d7b73bdc144aa76b75b979211d92481d9b5f9736bc69c9c269ff9e9cf1635ad0e991a634d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoxxsd.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp56F6.tmp.bat
MD5
d4bc9116f6b042a79f309c58601baf12

SHA1
e091029c4d93cec6a78fcad5afcd65706956f2e7

SHA256
c8b0a8569097bbf39878044767e3e770e609b9bb6f251c0924d2953666907a22

SHA512
9d1c728061de0f9db09aa69b54c32885b6e36ee9ad0601e4ed36c278aa8715083e2fd35c5cfabf724c32af3c5b1c342ab9a880fef37a295d92eb80c490807ae4

Download Submit
C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
MD5
5a26073186d5cd797817ab71676082c1

SHA1
eba609ba96514ea94b9bf91f24ecf4b450c3faaf

SHA256
52bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396

SHA512
79c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1

Download Submit
C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
MD5
5a26073186d5cd797817ab71676082c1

SHA1
eba609ba96514ea94b9bf91f24ecf4b450c3faaf

SHA256
52bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396

SHA512
79c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1

Download Submit
C:\Users\Admin\AppData\Roaming\Dfnder windows.exe
MD5
5a26073186d5cd797817ab71676082c1

SHA1
eba609ba96514ea94b9bf91f24ecf4b450c3faaf

SHA256
52bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396

SHA512
79c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
61ffac77f81faf0499fcbfebe3efa3b4

SHA1
c8ec74c4f72bbc42b3eb4cbf68228c36eb1f502e

SHA256
1c24d15b2dc1fb4ec821c46117b592bf853ae59f610e078e659d31d2c2495ec6

SHA512
2556785feac730865f682cf0dd7a788bbc261049a432ef171cf8ebb02c22cd5994257e708fa1acb24240820be8679986d8876b8944e19ff5de276dfb0b818ab6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
61ffac77f81faf0499fcbfebe3efa3b4

SHA1
c8ec74c4f72bbc42b3eb4cbf68228c36eb1f502e

SHA256
1c24d15b2dc1fb4ec821c46117b592bf853ae59f610e078e659d31d2c2495ec6

SHA512
2556785feac730865f682cf0dd7a788bbc261049a432ef171cf8ebb02c22cd5994257e708fa1acb24240820be8679986d8876b8944e19ff5de276dfb0b818ab6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
61ffac77f81faf0499fcbfebe3efa3b4

SHA1
c8ec74c4f72bbc42b3eb4cbf68228c36eb1f502e

SHA256
1c24d15b2dc1fb4ec821c46117b592bf853ae59f610e078e659d31d2c2495ec6

SHA512
2556785feac730865f682cf0dd7a788bbc261049a432ef171cf8ebb02c22cd5994257e708fa1acb24240820be8679986d8876b8944e19ff5de276dfb0b818ab6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e76d6419e5237fa292655e13004778cf

SHA1
5727570e7ae2077f8bb14bf7626bd3fcca239709

SHA256
59bca74a3a27655e63fc35ca0bed4a85966eb5423509f7a325fbd4b71d0bc78b

SHA512
42645518992b61caf50bb1fd2132f6c13b53e960a3e396c34c955b3417e1c30ac27909fab14d82db2bb3d927616eab068a6e2a7a93d89e52f9f6966e49fa66b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
61ffac77f81faf0499fcbfebe3efa3b4

SHA1
c8ec74c4f72bbc42b3eb4cbf68228c36eb1f502e

SHA256
1c24d15b2dc1fb4ec821c46117b592bf853ae59f610e078e659d31d2c2495ec6

SHA512
2556785feac730865f682cf0dd7a788bbc261049a432ef171cf8ebb02c22cd5994257e708fa1acb24240820be8679986d8876b8944e19ff5de276dfb0b818ab6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
61ffac77f81faf0499fcbfebe3efa3b4

SHA1
c8ec74c4f72bbc42b3eb4cbf68228c36eb1f502e

SHA256
1c24d15b2dc1fb4ec821c46117b592bf853ae59f610e078e659d31d2c2495ec6

SHA512
2556785feac730865f682cf0dd7a788bbc261049a432ef171cf8ebb02c22cd5994257e708fa1acb24240820be8679986d8876b8944e19ff5de276dfb0b818ab6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e76d6419e5237fa292655e13004778cf

SHA1
5727570e7ae2077f8bb14bf7626bd3fcca239709

SHA256
59bca74a3a27655e63fc35ca0bed4a85966eb5423509f7a325fbd4b71d0bc78b

SHA512
42645518992b61caf50bb1fd2132f6c13b53e960a3e396c34c955b3417e1c30ac27909fab14d82db2bb3d927616eab068a6e2a7a93d89e52f9f6966e49fa66b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
61ffac77f81faf0499fcbfebe3efa3b4

SHA1
c8ec74c4f72bbc42b3eb4cbf68228c36eb1f502e

SHA256
1c24d15b2dc1fb4ec821c46117b592bf853ae59f610e078e659d31d2c2495ec6

SHA512
2556785feac730865f682cf0dd7a788bbc261049a432ef171cf8ebb02c22cd5994257e708fa1acb24240820be8679986d8876b8944e19ff5de276dfb0b818ab6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e76d6419e5237fa292655e13004778cf

SHA1
5727570e7ae2077f8bb14bf7626bd3fcca239709

SHA256
59bca74a3a27655e63fc35ca0bed4a85966eb5423509f7a325fbd4b71d0bc78b

SHA512
42645518992b61caf50bb1fd2132f6c13b53e960a3e396c34c955b3417e1c30ac27909fab14d82db2bb3d927616eab068a6e2a7a93d89e52f9f6966e49fa66b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e76d6419e5237fa292655e13004778cf

SHA1
5727570e7ae2077f8bb14bf7626bd3fcca239709

SHA256
59bca74a3a27655e63fc35ca0bed4a85966eb5423509f7a325fbd4b71d0bc78b

SHA512
42645518992b61caf50bb1fd2132f6c13b53e960a3e396c34c955b3417e1c30ac27909fab14d82db2bb3d927616eab068a6e2a7a93d89e52f9f6966e49fa66b1

Download Submit
\Users\Admin\AppData\Local\Temp\aoxxsd.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
\Users\Admin\AppData\Local\Temp\aoxxsd.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
\Users\Admin\AppData\Local\Temp\aoxxsd.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
\Users\Admin\AppData\Local\Temp\aoxxsd.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
\Users\Admin\AppData\Local\Temp\aoxxsd.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
\Users\Admin\AppData\Local\Temp\aoxxsd.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
\Users\Admin\AppData\Local\Temp\aoxxsd.exe
MD5
30f2b3760a00e7b0dd99a092e5c81fdd

SHA1
4908acf9594ec65e75a1dbcb94760417400b9ace

SHA256
21b30b5d30d0503d26a1c53cd3d9efedfc88731485ea126f0347a77fe43cf03c

SHA512
19ba7994a1e15073788fcb8b022c5d2a823c2188e5beb68cc56f2a47b49f41458fd3798d2e7094014ec7b4cec9ef5d13673c4552956e114dab2f830253320ec8

Download Submit
\Users\Admin\AppData\Roaming\Dfnder windows.exe
MD5
5a26073186d5cd797817ab71676082c1

SHA1
eba609ba96514ea94b9bf91f24ecf4b450c3faaf

SHA256
52bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396

SHA512
79c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1

Download Submit
\Users\Admin\AppData\Roaming\Dfnder windows.exe
MD5
5a26073186d5cd797817ab71676082c1

SHA1
eba609ba96514ea94b9bf91f24ecf4b450c3faaf

SHA256
52bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396

SHA512
79c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1

Download Submit
memory/372-111-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/372-104-0x0000000000000000-mapping.dmp

Download
memory/520-141-0x0000000005EA0000-0x0000000005F19000-memory.dmp

Filesize
484KB

Download
memory/520-144-0x0000000005610000-0x0000000005669000-memory.dmp

Filesize
356KB

Download
memory/520-143-0x0000000006260000-0x00000000062ED000-memory.dmp

Filesize
564KB

Download
memory/520-142-0x0000000000590000-0x0000000000594000-memory.dmp

Filesize
16KB

Download
memory/520-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/520-134-0x000000000040C79E-mapping.dmp

Download
memory/520-138-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/520-145-0x0000000000720000-0x000000000073B000-memory.dmp

Filesize
108KB

Download
memory/520-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/756-146-0x0000000000000000-mapping.dmp

Download
memory/844-118-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/844-105-0x0000000000000000-mapping.dmp

Download
memory/896-151-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/896-148-0x0000000000000000-mapping.dmp

Download
memory/896-152-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/896-147-0x0000000000000000-mapping.dmp

Download
memory/896-153-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/896-154-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/896-155-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/896-150-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/912-88-0x0000000000000000-mapping.dmp

Download
memory/1184-13-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1184-6-0x0000000000000000-mapping.dmp

Download
memory/1204-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1204-3-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1204-5-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/1260-159-0x0000000000000000-mapping.dmp

Download
memory/1260-162-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1260-164-0x0000000000290000-0x00000000002C2000-memory.dmp

Filesize
200KB

Download
memory/1260-161-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1276-170-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1276-188-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/1276-183-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/1276-172-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1276-175-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1276-165-0x0000000000000000-mapping.dmp

Download
memory/1484-113-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1484-122-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1484-110-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/1484-107-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/1484-103-0x0000000000000000-mapping.dmp

Download
memory/1484-127-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1572-166-0x0000000000000000-mapping.dmp

Download
memory/1572-173-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1608-167-0x0000000000000000-mapping.dmp

Download
memory/1608-202-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1608-182-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-91-0x0000000000000000-mapping.dmp

Download
memory/1704-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1704-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1704-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1704-35-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1704-32-0x000000000040C79E-mapping.dmp

Download
memory/1744-89-0x0000000000000000-mapping.dmp

Download
memory/1772-108-0x0000000000000000-mapping.dmp

Download
memory/1772-116-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/1776-40-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/1776-18-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/1776-46-0x00000000061D0000-0x00000000061D1000-memory.dmp

Filesize
4KB

Download
memory/1776-45-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/1776-60-0x0000000006270000-0x0000000006271000-memory.dmp

Filesize
4KB

Download
memory/1776-23-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1776-75-0x0000000006560000-0x0000000006561000-memory.dmp

Filesize
4KB

Download
memory/1776-53-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1776-76-0x0000000006570000-0x0000000006571000-memory.dmp

Filesize
4KB

Download
memory/1776-14-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1776-27-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1776-9-0x0000000000000000-mapping.dmp

Download
memory/1780-8-0x0000000000000000-mapping.dmp

Download
memory/1780-12-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1792-168-0x0000000000000000-mapping.dmp

Download
memory/1792-177-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1956-96-0x0000000000000000-mapping.dmp

Download
memory/1956-97-0x0000000000000000-mapping.dmp

Download
memory/1956-99-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/1956-100-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1964-15-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1964-11-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1964-7-0x0000000000000000-mapping.dmp

Download
memory/2036-92-0x0000000000000000-mapping.dmp

Download