asyncrat | 19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0

Analysis

max time kernel
151s
max time network
147s
platform
windows10_x64
resource
win10v20210408
submitted
30-04-2021 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4d8a5580372bcff92a7be2f385eb7f7.exe
Size

350KB
MD5

e4d8a5580372bcff92a7be2f385eb7f7
SHA1

31b731099104f5dfda61b79dcea723d3cd5e1d84
SHA256

19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
SHA512

ce95e7bd0cc55223423c43c3c8fb33ef2e206dd13381759ac4ab59139792b9b20e5e6b87b54be9adfa431759a0736d9c699dec4912ad763492c1d1d86c0d2916

Score

10^/10

asyncrat redline smokeloader backdoor discovery infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

null:null

Mutex

Aakn1515knAakn1515kn!

Attributes

aes_key
8qTK5zOGKTFDhfISYupTRvALhuVbWSgX
anti_detection
false
autorun
false
bdos
false
delay
-=-=-=-=-=SPOOFER-=-=-=-=-=
host
null
hwid
3
install_file
install_folder
%AppData%
mutex
Aakn1515knAakn1515kn!
pastebin_config
https://pastebin.com/raw/uqaaCRiU
port
null
version
0.5.7B

aes.plain

Extracted

Family

smokeloader

Version

2020

http://greenco2020.top/

http://greenco2021.top/

http://greenco2022.top/

rc4.i32

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

2157.exe2290.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\aposffot.exe\","	2157.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\aposfffot.exe\","	2290.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/608-264-0x00000000004171E6-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2792 created 3620 2792 WerFault.exe RegAsm.exe

description	pid	process	target process
PID 2792 created 3620	2792	WerFault.exe	RegAsm.exe

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4092-132-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4092-133-0x000000000040C78E-mapping.dmp	asyncrat

Nirsoft 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 25 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeBtwgyizzspfr.exe1994.exe1D2E.exe1F23.exe2157.exe2290.exe2A04.exe32BF.exe3BA9.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe2A04.exeAdvancedRun.exeRegAsm.exe32BF.exeRegAsm.exeRegAsm.exeRegAsm.exewwgesihRegAsm.exe

pid	process
744	AdvancedRun.exe
2776	AdvancedRun.exe
3392	AdvancedRun.exe
3856	AdvancedRun.exe
4064	Btwgyizzspfr.exe
2260	1994.exe
3976	1D2E.exe
3396	1F23.exe
1396	2157.exe
2164	2290.exe
3940	2A04.exe
4056	32BF.exe
3744	3BA9.exe
3168	AdvancedRun.exe
2308	AdvancedRun.exe
768	AdvancedRun.exe
1768	2A04.exe
2884	AdvancedRun.exe
1076	RegAsm.exe
2952	32BF.exe
608	RegAsm.exe
3832	RegAsm.exe
3344	RegAsm.exe
2560	wwgesih
3620	RegAsm.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1994.exe	upx
C:\Users\Admin\AppData\Local\Temp\1994.exe	upx

Loads dropped DLL 1 IoCs

Processes:

Btwgyizzspfr.exe

pid process

4064 Btwgyizzspfr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4064	Btwgyizzspfr.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1994.exe32BF.exe1D2E.exee4d8a5580372bcff92a7be2f385eb7f7.exe2A04.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\ServicesWS\\Services.exe㜀"	1994.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\asuspgw = "\"C:\\Users\\Admin\\AppData\\Roaming\\asuspgw.exe\""	32BF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\rrrtttsyysuttttttttttidododd = "\"C:\\Users\\Admin\\AppData\\Roaming\\rrrtttsyysuttttttttttidododd.exe\""	1D2E.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Onedrives = "\"C:\\Users\\Admin\\AppData\\Roaming\\Onedrives.exe\""	e4d8a5580372bcff92a7be2f385eb7f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\ServicesWS\\Services.exe"	1994.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\asuspw = "\"C:\\Users\\Admin\\AppData\\Roaming\\asuspw.exe\""	2A04.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

1994.exe

pid process

2260 1994.exe
2260 1994.exe
2260 1994.exe
2260 1994.exe

pid	process
2260	1994.exe
2260	1994.exe
2260	1994.exe
2260	1994.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

e4d8a5580372bcff92a7be2f385eb7f7.exe2A04.exe2157.exe32BF.exe1F23.exe2290.exe3BA9.exe1D2E.exe

description	pid	process	target process
PID 908 set thread context of 4092	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 3940 set thread context of 1768	3940	2A04.exe	2A04.exe
PID 1396 set thread context of 1076	1396	2157.exe	RegAsm.exe
PID 4056 set thread context of 2952	4056	32BF.exe	32BF.exe
PID 3396 set thread context of 608	3396	1F23.exe	RegAsm.exe
PID 2164 set thread context of 3832	2164	2290.exe	RegAsm.exe
PID 3744 set thread context of 3344	3744	3BA9.exe	RegAsm.exe
PID 3976 set thread context of 3620	3976	1D2E.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3340 3620 WerFault.exe RegAsm.exe
1144 3620 WerFault.exe RegAsm.exe
2792 3620 WerFault.exe RegAsm.exe

pid	pid_target	process	target process
3340	3620	WerFault.exe	RegAsm.exe
1144	3620	WerFault.exe	RegAsm.exe
2792	3620	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Btwgyizzspfr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Btwgyizzspfr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Btwgyizzspfr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Btwgyizzspfr.exe

Modifies registry class 2 IoCs

Processes:

e4d8a5580372bcff92a7be2f385eb7f7.exe2157.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	e4d8a5580372bcff92a7be2f385eb7f7.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	2157.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

RegAsm.exe

pid process

3832 RegAsm.exe

pid	process
3832	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exee4d8a5580372bcff92a7be2f385eb7f7.exeBtwgyizzspfr.exepowershell.exe

pid	process
744	AdvancedRun.exe
744	AdvancedRun.exe
744	AdvancedRun.exe
744	AdvancedRun.exe
2776	AdvancedRun.exe
2776	AdvancedRun.exe
2776	AdvancedRun.exe
2776	AdvancedRun.exe
3392	AdvancedRun.exe
3392	AdvancedRun.exe
3392	AdvancedRun.exe
3392	AdvancedRun.exe
3856	AdvancedRun.exe
3856	AdvancedRun.exe
3856	AdvancedRun.exe
3856	AdvancedRun.exe
908	e4d8a5580372bcff92a7be2f385eb7f7.exe
908	e4d8a5580372bcff92a7be2f385eb7f7.exe
908	e4d8a5580372bcff92a7be2f385eb7f7.exe
908	e4d8a5580372bcff92a7be2f385eb7f7.exe
908	e4d8a5580372bcff92a7be2f385eb7f7.exe
908	e4d8a5580372bcff92a7be2f385eb7f7.exe
4064	Btwgyizzspfr.exe
4064	Btwgyizzspfr.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3044
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Btwgyizzspfr.exe

pid process

4064 Btwgyizzspfr.exe
3044
3044
3044
3044

pid	process
3044

pid	process
4064	Btwgyizzspfr.exe
3044
3044
3044
3044

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e4d8a5580372bcff92a7be2f385eb7f7.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exepowershell.exee4d8a5580372bcff92a7be2f385eb7f7.exe1994.exe1F23.exe2290.exeAdvancedRun.exe2A04.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe2157.exe32BF.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	908	e4d8a5580372bcff92a7be2f385eb7f7.exe
Token: SeDebugPrivilege	744	AdvancedRun.exe
Token: SeImpersonatePrivilege	744	AdvancedRun.exe
Token: SeDebugPrivilege	2776	AdvancedRun.exe
Token: SeImpersonatePrivilege	2776	AdvancedRun.exe
Token: SeDebugPrivilege	3392	AdvancedRun.exe
Token: SeImpersonatePrivilege	3392	AdvancedRun.exe
Token: SeDebugPrivilege	3856	AdvancedRun.exe
Token: SeImpersonatePrivilege	3856	AdvancedRun.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	4092	e4d8a5580372bcff92a7be2f385eb7f7.exe
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	2260	1994.exe
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeDebugPrivilege	3396	1F23.exe
Token: SeDebugPrivilege	2164	2290.exe
Token: SeDebugPrivilege	3168	AdvancedRun.exe
Token: SeImpersonatePrivilege	3168	AdvancedRun.exe
Token: SeDebugPrivilege	3940	2A04.exe
Token: SeDebugPrivilege	2308	AdvancedRun.exe
Token: SeImpersonatePrivilege	2308	AdvancedRun.exe
Token: SeDebugPrivilege	768	AdvancedRun.exe
Token: SeImpersonatePrivilege	768	AdvancedRun.exe
Token: SeDebugPrivilege	2884	AdvancedRun.exe
Token: SeImpersonatePrivilege	2884	AdvancedRun.exe
Token: SeDebugPrivilege	1396	2157.exe
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeDebugPrivilege	4056	32BF.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	608	RegAsm.exe
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1994.exe

pid process

2260 1994.exe
2260 1994.exe

pid	process
2260	1994.exe
2260	1994.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e4d8a5580372bcff92a7be2f385eb7f7.exeAdvancedRun.exeAdvancedRun.exeWScript.exeWScript.exe2157.exe

description	pid	process	target process
PID 908 wrote to memory of 744	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	AdvancedRun.exe
PID 908 wrote to memory of 744	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	AdvancedRun.exe
PID 908 wrote to memory of 744	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	AdvancedRun.exe
PID 744 wrote to memory of 2776	744	AdvancedRun.exe	AdvancedRun.exe
PID 744 wrote to memory of 2776	744	AdvancedRun.exe	AdvancedRun.exe
PID 744 wrote to memory of 2776	744	AdvancedRun.exe	AdvancedRun.exe
PID 908 wrote to memory of 3392	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	AdvancedRun.exe
PID 908 wrote to memory of 3392	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	AdvancedRun.exe
PID 908 wrote to memory of 3392	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	AdvancedRun.exe
PID 3392 wrote to memory of 3856	3392	AdvancedRun.exe	AdvancedRun.exe
PID 3392 wrote to memory of 3856	3392	AdvancedRun.exe	AdvancedRun.exe
PID 3392 wrote to memory of 3856	3392	AdvancedRun.exe	AdvancedRun.exe
PID 908 wrote to memory of 2340	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	WScript.exe
PID 908 wrote to memory of 2340	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	WScript.exe
PID 908 wrote to memory of 2340	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	WScript.exe
PID 908 wrote to memory of 3744	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	WScript.exe
PID 908 wrote to memory of 3744	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	WScript.exe
PID 908 wrote to memory of 3744	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	WScript.exe
PID 908 wrote to memory of 2300	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 908 wrote to memory of 2300	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 908 wrote to memory of 2300	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 908 wrote to memory of 4092	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 908 wrote to memory of 4092	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 908 wrote to memory of 4092	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 908 wrote to memory of 4092	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 908 wrote to memory of 4092	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 908 wrote to memory of 4092	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 908 wrote to memory of 4092	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 908 wrote to memory of 4092	908	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 3744 wrote to memory of 4064	3744	WScript.exe	Btwgyizzspfr.exe
PID 3744 wrote to memory of 4064	3744	WScript.exe	Btwgyizzspfr.exe
PID 3744 wrote to memory of 4064	3744	WScript.exe	Btwgyizzspfr.exe
PID 2340 wrote to memory of 4004	2340	WScript.exe	powershell.exe
PID 2340 wrote to memory of 4004	2340	WScript.exe	powershell.exe
PID 2340 wrote to memory of 4004	2340	WScript.exe	powershell.exe
PID 3044 wrote to memory of 2260	3044		1994.exe
PID 3044 wrote to memory of 2260	3044		1994.exe
PID 3044 wrote to memory of 2260	3044		1994.exe
PID 3044 wrote to memory of 3976	3044		1D2E.exe
PID 3044 wrote to memory of 3976	3044		1D2E.exe
PID 3044 wrote to memory of 3396	3044		1F23.exe
PID 3044 wrote to memory of 3396	3044		1F23.exe
PID 3044 wrote to memory of 3396	3044		1F23.exe
PID 3044 wrote to memory of 1396	3044		2157.exe
PID 3044 wrote to memory of 1396	3044		2157.exe
PID 3044 wrote to memory of 1396	3044		2157.exe
PID 3044 wrote to memory of 2164	3044		2290.exe
PID 3044 wrote to memory of 2164	3044		2290.exe
PID 3044 wrote to memory of 2164	3044		2290.exe
PID 3044 wrote to memory of 3940	3044		2A04.exe
PID 3044 wrote to memory of 3940	3044		2A04.exe
PID 3044 wrote to memory of 4056	3044		32BF.exe
PID 3044 wrote to memory of 4056	3044		32BF.exe
PID 3044 wrote to memory of 3744	3044		3BA9.exe
PID 3044 wrote to memory of 3744	3044		3BA9.exe
PID 3044 wrote to memory of 3744	3044		3BA9.exe
PID 3044 wrote to memory of 2392	3044		explorer.exe
PID 3044 wrote to memory of 2392	3044		explorer.exe
PID 3044 wrote to memory of 2392	3044		explorer.exe
PID 3044 wrote to memory of 2392	3044		explorer.exe
PID 3044 wrote to memory of 2692	3044		explorer.exe
PID 3044 wrote to memory of 2692	3044		explorer.exe
PID 3044 wrote to memory of 2692	3044		explorer.exe
PID 1396 wrote to memory of 3168	1396	2157.exe	AdvancedRun.exe

C:\Users\Admin\AppData\Local\Temp\e4d8a5580372bcff92a7be2f385eb7f7.exe
"C:\Users\Admin\AppData\Local\Temp\e4d8a5580372bcff92a7be2f385eb7f7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 744
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3392
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zEyverccjl.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Onedrives.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Eyverccjl.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\Btwgyizzspfr.exe
"C:\Users\Admin\AppData\Local\Temp\Btwgyizzspfr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4064

C:\Users\Admin\AppData\Local\Temp\e4d8a5580372bcff92a7be2f385eb7f7.exe
C:\Users\Admin\AppData\Local\Temp\e4d8a5580372bcff92a7be2f385eb7f7.exe
2⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\e4d8a5580372bcff92a7be2f385eb7f7.exe
C:\Users\Admin\AppData\Local\Temp\e4d8a5580372bcff92a7be2f385eb7f7.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Users\Admin\AppData\Local\Temp\1994.exe
C:\Users\Admin\AppData\Local\Temp\1994.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Users\Admin\AppData\Local\Temp\1D2E.exe
C:\Users\Admin\AppData\Local\Temp\1D2E.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3976

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 88
3⤵
- Program crash
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 80
3⤵
- Program crash
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 84
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:2792

C:\Users\Admin\AppData\Local\Temp\1F23.exe
C:\Users\Admin\AppData\Local\Temp\1F23.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Users\Admin\AppData\Local\Temp\2157.exe
C:\Users\Admin\AppData\Local\Temp\2157.exe
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3168
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 768
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zIxguld.vbs"
2⤵
PID:1304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\aposffot.exe'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
PID:1076

C:\Users\Admin\AppData\Local\Temp\2290.exe
C:\Users\Admin\AppData\Local\Temp\2290.exe
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\2290.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3832

C:\Users\Admin\AppData\Local\Temp\2A04.exe
C:\Users\Admin\AppData\Local\Temp\2A04.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Users\Admin\AppData\Local\Temp\2A04.exe
C:\Users\Admin\AppData\Local\Temp\2A04.exe
2⤵
- Executes dropped EXE
PID:1768

C:\Users\Admin\AppData\Local\Temp\32BF.exe
C:\Users\Admin\AppData\Local\Temp\32BF.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Users\Admin\AppData\Local\Temp\32BF.exe
C:\Users\Admin\AppData\Local\Temp\32BF.exe
2⤵
- Executes dropped EXE
PID:2952

C:\Users\Admin\AppData\Local\Temp\3BA9.exe
C:\Users\Admin\AppData\Local\Temp\3BA9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3744

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
PID:3344

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2392

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2692

C:\Users\Admin\AppData\Roaming\wwgesih
C:\Users\Admin\AppData\Roaming\wwgesih
1⤵
- Executes dropped EXE
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
MD5
a0613d38ffeb5c99b6f8d085c7ba985e

SHA1
d5394e5509841b2c7a073543a66e0916741bad66

SHA256
88bfd8c0caa80171d51051bcca51f3581ccd4cbec3540501958e73ae560de668

SHA512
8be6641aa27e82b9f4a53804e05f84f39603a14bcdba4dda08cc149121e039ffa856ed5584fdc40a2d09f3b1b70c02571e9bd30678b763c89b0265df8f208168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
10560217c4c11320f260e2d77eb5549c

SHA1
9bc7dde1758d886259744fb6bb8054585d1b9202

SHA256
b2ae1fa81283c597800629e9fb06dbaaf0497d396dbd31e743bac83287f9202a

SHA512
8504ab2190190df9fdb9deac1f25a462c6d60e1750a40b1a23948616bbbab300cf55bf0d70de9e81a0b48f6c67638e1f74d2989dc6edd83b87a703a589366a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f5801015f45687b308220a5ed1b2c1f2

SHA1
3395e12f0968a3519e300982864458c8b65f1d9e

SHA256
77d8588175f1315a1afcba2c4db7dc3107675dc78c56a7b82dfd0488939d4b25

SHA512
0a9d5dc86e98df574e210a85a6c471b4847dd7cd989360b6e0c1f6262fe9d0fc3ed5a096fd7a067a907bdcf44f8097e41c58226593078fe4e0dc6b3d9bf2345c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1994.exe
MD5
cb74327798fbd255e6aa1ba041276ebc

SHA1
204ee8f8e1781a6c57e75829f9b7236b04f10ebe

SHA256
56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103

SHA512
83eda079c3af13da9a5a9934ca9c5478a9deb3e9ae5ea8d7b94af26773e2b8e89a2ee3ce147bc2238772c4c643a076b33e83d49dd6aed020520ad032f110d621

Download Submit
C:\Users\Admin\AppData\Local\Temp\1994.exe
MD5
cb74327798fbd255e6aa1ba041276ebc

SHA1
204ee8f8e1781a6c57e75829f9b7236b04f10ebe

SHA256
56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103

SHA512
83eda079c3af13da9a5a9934ca9c5478a9deb3e9ae5ea8d7b94af26773e2b8e89a2ee3ce147bc2238772c4c643a076b33e83d49dd6aed020520ad032f110d621

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D2E.exe
MD5
dc713fb52826a486c5034ea27a8f3ce0

SHA1
1e38c2480382d8a82a7968c704a2cde19a6d03b7

SHA256
1807a1c455c816fa443b2aa7e27e5997a0cf64ffae37d3db4aa542de6587201f

SHA512
ecdf3080cad82a1e3d614c997da77e1ae3da71badb4eb21d629cefe133cfe1b0dff49e1d5766cf48589f54de4abae184edb365f343d2cbc06260d4662ad0da1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D2E.exe
MD5
dc713fb52826a486c5034ea27a8f3ce0

SHA1
1e38c2480382d8a82a7968c704a2cde19a6d03b7

SHA256
1807a1c455c816fa443b2aa7e27e5997a0cf64ffae37d3db4aa542de6587201f

SHA512
ecdf3080cad82a1e3d614c997da77e1ae3da71badb4eb21d629cefe133cfe1b0dff49e1d5766cf48589f54de4abae184edb365f343d2cbc06260d4662ad0da1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F23.exe
MD5
2731037b9508852311223a7b79d0c298

SHA1
fde870e18456c230d371d84fe746de66487fbf32

SHA256
b4b15f7787006e9757865b66a747135ac7452d8bafbbad777fd9491742eba06a

SHA512
e9042c23a99d16a0882b49cbe42cf7a2e301c8de3d1bd5bb125df4f5c0bf2552412fc218c0ad7c8160541f4cf60352a81cff1e5eb8090579748e146bafa657ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F23.exe
MD5
2731037b9508852311223a7b79d0c298

SHA1
fde870e18456c230d371d84fe746de66487fbf32

SHA256
b4b15f7787006e9757865b66a747135ac7452d8bafbbad777fd9491742eba06a

SHA512
e9042c23a99d16a0882b49cbe42cf7a2e301c8de3d1bd5bb125df4f5c0bf2552412fc218c0ad7c8160541f4cf60352a81cff1e5eb8090579748e146bafa657ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2157.exe
MD5
e9ce4b7b7139b741494e335a0598f604

SHA1
3014a09ca15d352f70395b854d0c9d602ca2f0b3

SHA256
09f9730533676c6dbb81b671e4bf807e0b0acb9c9acd7f555eeac26b9c312270

SHA512
35a6701fc6895d41c708612152b1bd0a9d2d0515c88631ca891018417a954a025994b72244cf469236733608bd95633843d34f30e8018ef8166c65c8f4539dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2157.exe
MD5
e9ce4b7b7139b741494e335a0598f604

SHA1
3014a09ca15d352f70395b854d0c9d602ca2f0b3

SHA256
09f9730533676c6dbb81b671e4bf807e0b0acb9c9acd7f555eeac26b9c312270

SHA512
35a6701fc6895d41c708612152b1bd0a9d2d0515c88631ca891018417a954a025994b72244cf469236733608bd95633843d34f30e8018ef8166c65c8f4539dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2290.exe
MD5
3a53838adab869781ed0e70728677977

SHA1
526c9e32bc7c020baf839f5ae22109bb3f74ebbe

SHA256
b233ad1f408ee49ef9dd7e4b9c4ff5f167305d5b00f323e894f9e8a910e9f627

SHA512
8e81d303af2973a787f1b60687c0857e4fcb58983a5c8fa7dd83e262156b09cfb195984ccf6b43c5ab8d51c09ffed7d86734698e922430d9007506ba489fc20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2290.exe
MD5
3a53838adab869781ed0e70728677977

SHA1
526c9e32bc7c020baf839f5ae22109bb3f74ebbe

SHA256
b233ad1f408ee49ef9dd7e4b9c4ff5f167305d5b00f323e894f9e8a910e9f627

SHA512
8e81d303af2973a787f1b60687c0857e4fcb58983a5c8fa7dd83e262156b09cfb195984ccf6b43c5ab8d51c09ffed7d86734698e922430d9007506ba489fc20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A04.exe
MD5
2f5a73857af73e809706fa61dd19137b

SHA1
dd858fbc27a5fc43b9405fbe3650bc0fbe0b2cc9

SHA256
01419f6a9cb219224a2898b4e953f9aca722abe2fc4b340498805a23c5936b18

SHA512
c5e2b4c8456c19be34f2927c4971e0b870b12f816ba5634adefff9fb58de436a6a15c00e64a48f9cd80509ecb0ed4bede66e2a60526a801e921bdcc45c7bc8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A04.exe
MD5
2f5a73857af73e809706fa61dd19137b

SHA1
dd858fbc27a5fc43b9405fbe3650bc0fbe0b2cc9

SHA256
01419f6a9cb219224a2898b4e953f9aca722abe2fc4b340498805a23c5936b18

SHA512
c5e2b4c8456c19be34f2927c4971e0b870b12f816ba5634adefff9fb58de436a6a15c00e64a48f9cd80509ecb0ed4bede66e2a60526a801e921bdcc45c7bc8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A04.exe
MD5
2f5a73857af73e809706fa61dd19137b

SHA1
dd858fbc27a5fc43b9405fbe3650bc0fbe0b2cc9

SHA256
01419f6a9cb219224a2898b4e953f9aca722abe2fc4b340498805a23c5936b18

SHA512
c5e2b4c8456c19be34f2927c4971e0b870b12f816ba5634adefff9fb58de436a6a15c00e64a48f9cd80509ecb0ed4bede66e2a60526a801e921bdcc45c7bc8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\32BF.exe
MD5
fcddfa914a050a7fe38d0bf80b9d4142

SHA1
67c5ec80602e7cf4dd2eaf1b0bcfa1057c724f87

SHA256
c380585ad3c4926faf2e4821bd69fb57121cf8771f628e18d675865cd1c2d763

SHA512
b4148880882244fb37d9f46e46773f1e4960f893940308e581932e574dcc300bc93c460fcf29ba87baae64acae620a77c6a18d643db6337f3f870af81ef3e211

Download Submit
C:\Users\Admin\AppData\Local\Temp\32BF.exe
MD5
fcddfa914a050a7fe38d0bf80b9d4142

SHA1
67c5ec80602e7cf4dd2eaf1b0bcfa1057c724f87

SHA256
c380585ad3c4926faf2e4821bd69fb57121cf8771f628e18d675865cd1c2d763

SHA512
b4148880882244fb37d9f46e46773f1e4960f893940308e581932e574dcc300bc93c460fcf29ba87baae64acae620a77c6a18d643db6337f3f870af81ef3e211

Download Submit
C:\Users\Admin\AppData\Local\Temp\32BF.exe
MD5
fcddfa914a050a7fe38d0bf80b9d4142

SHA1
67c5ec80602e7cf4dd2eaf1b0bcfa1057c724f87

SHA256
c380585ad3c4926faf2e4821bd69fb57121cf8771f628e18d675865cd1c2d763

SHA512
b4148880882244fb37d9f46e46773f1e4960f893940308e581932e574dcc300bc93c460fcf29ba87baae64acae620a77c6a18d643db6337f3f870af81ef3e211

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BA9.exe
MD5
4d294529114281567096c9e5830a8612

SHA1
558284449604bffc4839069079946d99db4be133

SHA256
e2368e6be35a352b8e93ab66b063884d2fe8f3b2b1f745d57cf2a485abe1c603

SHA512
130cb772d67a75d2a2b9a52679260618ba6589516541fd34b23478152cb7f03c869950d8dd35e31e684bf8cbb724b9ecbabd731b5a3a8e4b1c420a1ed350281a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BA9.exe
MD5
4d294529114281567096c9e5830a8612

SHA1
558284449604bffc4839069079946d99db4be133

SHA256
e2368e6be35a352b8e93ab66b063884d2fe8f3b2b1f745d57cf2a485abe1c603

SHA512
130cb772d67a75d2a2b9a52679260618ba6589516541fd34b23478152cb7f03c869950d8dd35e31e684bf8cbb724b9ecbabd731b5a3a8e4b1c420a1ed350281a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Btwgyizzspfr.exe
MD5
7ceaa5ee0a25213d3b1256f70779027d

SHA1
b7597773064c8e9409ef679357fc01495149a54b

SHA256
49a63a13a37aafb8cf468981153e0dbd9019c79bdc1ecef5e4611c06db182bf3

SHA512
811c47b133198292c67aafa39129627cdae7e89852c6654d4407c4d989702a757f3ec9b6c4272076b7629094df9cdfc8b54f57df8c97d39fbf1a6650abd76563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Btwgyizzspfr.exe
MD5
7ceaa5ee0a25213d3b1256f70779027d

SHA1
b7597773064c8e9409ef679357fc01495149a54b

SHA256
49a63a13a37aafb8cf468981153e0dbd9019c79bdc1ecef5e4611c06db182bf3

SHA512
811c47b133198292c67aafa39129627cdae7e89852c6654d4407c4d989702a757f3ec9b6c4272076b7629094df9cdfc8b54f57df8c97d39fbf1a6650abd76563

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8E6.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eyverccjl.vbs
MD5
2fb1788961f1ced65a09748abb356f2c

SHA1
fcca0125f725195f7791bd049b5e4375c46a1190

SHA256
99158f5c22985ec974d8963206712e8f889ad002d49393c70903605a6a54a0ff

SHA512
14a7274d6e785774f81d49cd7be01b0cdad071561212975b312309ef43297707718ee0b5b12296778d03b4a94c98a50f87b41e3059eab2b936a37d4cccb8751d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEyverccjl.vbs
MD5
aabdd72fa5429d7fb6ddc251acaea15c

SHA1
eb269752c3b1aeb9dc328caffdecfc1ba264745e

SHA256
d7a8f9542907b4936b4dfde22cd782e7a784d14d04f777cf44e5711e4bc4a89c

SHA512
9e86e2686d1ab1b8c299c25b1eb5899493138da90f72c190d2f638feb04850fe0763346c3e0a8dd39344b8276f7df4f25e124d82849b93a8890f648abb0b32e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIxguld.vbs
MD5
55f9042a60f84c4e6ca9ff84f11005ca

SHA1
175dfafa0173759331f95c1c039dc02cd88b04ca

SHA256
596c97be58a98a6891d08561943853ea93a2143bf9942949e8290c9f7f259a57

SHA512
7a9d0ed98771372a5b504447072279aa51b8e119e2cbe776c95fbb1af4dc8ff64c3e44d6f4ffd70d5d4720b51e88b0db8c44e0e4753d4cbd4e911386ff49d337

Download Submit
C:\Users\Admin\AppData\Roaming\wwgesih
MD5
7ceaa5ee0a25213d3b1256f70779027d

SHA1
b7597773064c8e9409ef679357fc01495149a54b

SHA256
49a63a13a37aafb8cf468981153e0dbd9019c79bdc1ecef5e4611c06db182bf3

SHA512
811c47b133198292c67aafa39129627cdae7e89852c6654d4407c4d989702a757f3ec9b6c4272076b7629094df9cdfc8b54f57df8c97d39fbf1a6650abd76563

Download Submit
C:\Users\Admin\AppData\Roaming\wwgesih
MD5
7ceaa5ee0a25213d3b1256f70779027d

SHA1
b7597773064c8e9409ef679357fc01495149a54b

SHA256
49a63a13a37aafb8cf468981153e0dbd9019c79bdc1ecef5e4611c06db182bf3

SHA512
811c47b133198292c67aafa39129627cdae7e89852c6654d4407c4d989702a757f3ec9b6c4272076b7629094df9cdfc8b54f57df8c97d39fbf1a6650abd76563

Download Submit
\Users\Admin\AppData\Local\Temp\D8E6.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/208-276-0x0000000006EC3000-0x0000000006EC4000-memory.dmp

Filesize
4KB

Download
memory/208-260-0x0000000006EC2000-0x0000000006EC3000-memory.dmp

Filesize
4KB

Download
memory/208-275-0x000000007EEA0000-0x000000007EEA1000-memory.dmp

Filesize
4KB

Download
memory/208-259-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/208-257-0x0000000000000000-mapping.dmp

Download
memory/608-264-0x00000000004171E6-mapping.dmp

Download
memory/608-269-0x0000000005070000-0x0000000005676000-memory.dmp

Filesize
6.0MB

Download
memory/744-120-0x0000000000000000-mapping.dmp

Download
memory/768-245-0x0000000000000000-mapping.dmp

Download
memory/908-270-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/908-114-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/908-116-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/908-117-0x0000000004CE0000-0x0000000004CE2000-memory.dmp

Filesize
8KB

Download
memory/908-271-0x0000000006F92000-0x0000000006F93000-memory.dmp

Filesize
4KB

Download
memory/908-266-0x0000000000000000-mapping.dmp

Download
memory/908-281-0x0000000006F93000-0x0000000006F94000-memory.dmp

Filesize
4KB

Download
memory/908-118-0x0000000005900000-0x0000000005949000-memory.dmp

Filesize
292KB

Download
memory/908-119-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/1076-252-0x00000000004253BE-mapping.dmp

Download
memory/1076-256-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1304-251-0x0000000000000000-mapping.dmp

Download
memory/1396-220-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1396-212-0x0000000000000000-mapping.dmp

Download
memory/1768-247-0x0000000140000000-mapping.dmp

Download
memory/2164-221-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/2164-215-0x0000000000000000-mapping.dmp

Download
memory/2260-203-0x0000000000000000-mapping.dmp

Download
memory/2308-243-0x0000000000000000-mapping.dmp

Download
memory/2340-129-0x0000000000000000-mapping.dmp

Download
memory/2392-237-0x00000000004B0000-0x000000000051B000-memory.dmp

Filesize
428KB

Download
memory/2392-233-0x0000000000000000-mapping.dmp

Download
memory/2392-236-0x0000000000520000-0x0000000000594000-memory.dmp

Filesize
464KB

Download
memory/2692-238-0x00000000009E0000-0x00000000009E7000-memory.dmp

Filesize
28KB

Download
memory/2692-235-0x0000000000000000-mapping.dmp

Download
memory/2692-239-0x00000000009D0000-0x00000000009DC000-memory.dmp

Filesize
48KB

Download
memory/2776-123-0x0000000000000000-mapping.dmp

Download
memory/2884-248-0x0000000000000000-mapping.dmp

Download
memory/2952-262-0x0000000140000000-mapping.dmp

Download
memory/3044-177-0x00000000012D0000-0x00000000012E5000-memory.dmp

Filesize
84KB

Download
memory/3168-240-0x0000000000000000-mapping.dmp

Download
memory/3344-273-0x0000000000BDFE5A-mapping.dmp

Download
memory/3392-125-0x0000000000000000-mapping.dmp

Download
memory/3396-209-0x0000000000000000-mapping.dmp

Download
memory/3396-219-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/3620-283-0x0000000140000000-mapping.dmp

Download
memory/3744-230-0x0000000000000000-mapping.dmp

Download
memory/3744-234-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/3744-130-0x0000000000000000-mapping.dmp

Download
memory/3832-267-0x0000000000403E2A-mapping.dmp

Download
memory/3832-272-0x00000000053F0000-0x00000000058EE000-memory.dmp

Filesize
5.0MB

Download
memory/3856-127-0x0000000000000000-mapping.dmp

Download
memory/3940-225-0x000000001CEB0000-0x000000001CEB2000-memory.dmp

Filesize
8KB

Download
memory/3940-222-0x0000000000000000-mapping.dmp

Download
memory/3976-218-0x000000001C530000-0x000000001C532000-memory.dmp

Filesize
8KB

Download
memory/3976-206-0x0000000000000000-mapping.dmp

Download
memory/4004-170-0x00000000094D0000-0x00000000094D1000-memory.dmp

Filesize
4KB

Download
memory/4004-175-0x0000000009630000-0x0000000009631000-memory.dmp

Filesize
4KB

Download
memory/4004-151-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/4004-153-0x0000000008720000-0x0000000008721000-memory.dmp

Filesize
4KB

Download
memory/4004-150-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/4004-147-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/4004-148-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/4004-178-0x0000000007513000-0x0000000007514000-memory.dmp

Filesize
4KB

Download
memory/4004-149-0x0000000007512000-0x0000000007513000-memory.dmp

Filesize
4KB

Download
memory/4004-146-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/4004-145-0x0000000007690000-0x0000000007691000-memory.dmp

Filesize
4KB

Download
memory/4004-144-0x0000000007B50000-0x0000000007B51000-memory.dmp

Filesize
4KB

Download
memory/4004-162-0x00000000094F0000-0x0000000009523000-memory.dmp

Filesize
204KB

Download
memory/4004-164-0x000000007F4B0000-0x000000007F4B1000-memory.dmp

Filesize
4KB

Download
memory/4004-143-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/4004-140-0x0000000000000000-mapping.dmp

Download
memory/4004-176-0x0000000009A60000-0x0000000009A61000-memory.dmp

Filesize
4KB

Download
memory/4004-152-0x0000000008990000-0x0000000008991000-memory.dmp

Filesize
4KB

Download
memory/4056-226-0x0000000000000000-mapping.dmp

Download
memory/4056-229-0x000000001C540000-0x000000001C542000-memory.dmp

Filesize
8KB

Download
memory/4064-136-0x0000000000000000-mapping.dmp

Download
memory/4092-132-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4092-133-0x000000000040C78E-mapping.dmp

Download
memory/4092-156-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/4092-193-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download