asyncrat | 19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0

Analysis

max time kernel
151s
max time network
144s
platform
windows10_x64
resource
win10v20210408
submitted
30-04-2021 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4d8a5580372bcff92a7be2f385eb7f7.exe
Size

350KB
MD5

e4d8a5580372bcff92a7be2f385eb7f7
SHA1

31b731099104f5dfda61b79dcea723d3cd5e1d84
SHA256

19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
SHA512

ce95e7bd0cc55223423c43c3c8fb33ef2e206dd13381759ac4ab59139792b9b20e5e6b87b54be9adfa431759a0736d9c699dec4912ad763492c1d1d86c0d2916

Score

10^/10

asyncrat redline smokeloader backdoor discovery infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

null:null

Mutex

Aakn1515knAakn1515kn!

Attributes

aes_key
8qTK5zOGKTFDhfISYupTRvALhuVbWSgX
anti_detection
false
autorun
false
bdos
false
delay
-=-=-=-=-=SPOOFER-=-=-=-=-=
host
null
hwid
3
install_file
install_folder
%AppData%
mutex
Aakn1515knAakn1515kn!
pastebin_config
https://pastebin.com/raw/uqaaCRiU
port
null
version
0.5.7B

aes.plain

Extracted

Family

smokeloader

Version

2020

http://greenco2020.top/

http://greenco2021.top/

http://greenco2022.top/

rc4.i32

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

20AB.exe2252.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\aposffot.exe\","	20AB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\aposfffot.exe\","	2252.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1320-273-0x00000000004171E6-mapping.dmp	family_redline
behavioral2/memory/2760-335-0x00000000004171E6-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 3868 created 636 3868 WerFault.exe RegAsm.exe
PID 1208 created 3900 1208 WerFault.exe RegAsm.exe

description	pid	process	target process
PID 3868 created 636	3868	WerFault.exe	RegAsm.exe
PID 1208 created 3900	1208	WerFault.exe	RegAsm.exe

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2288-133-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/2288-134-0x000000000040C78E-mapping.dmp	asyncrat

Nirsoft 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 38 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeBtwgyizzspfr.exelgnhfk.exe15BB.exe1AFC.exe1DBC.exe20AB.exepjyuqp.exe2252.exe2E0B.exe38E9.exe4147.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeInstallUtil.exeInstallUtil.exeRegAsm.exeInstallUtil.exeRegAsm.exe38E9.exeRegAsm.exeRegAsm.exe4147.exeehvwiu.exezuumke.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exezuumke.exe

pid	process
632	AdvancedRun.exe
476	AdvancedRun.exe
1276	AdvancedRun.exe
1512	AdvancedRun.exe
2808	Btwgyizzspfr.exe
3972	lgnhfk.exe
3196	15BB.exe
4160	1AFC.exe
4972	1DBC.exe
5004	20AB.exe
352	pjyuqp.exe
908	2252.exe
1392	2E0B.exe
632	38E9.exe
3508	4147.exe
4540	AdvancedRun.exe
972	AdvancedRun.exe
2884	AdvancedRun.exe
2928	AdvancedRun.exe
1004	InstallUtil.exe
1532	InstallUtil.exe
1320	RegAsm.exe
3340	InstallUtil.exe
3820	RegAsm.exe
3320	38E9.exe
1056	RegAsm.exe
904	RegAsm.exe
3540	4147.exe
4036	ehvwiu.exe
1800	zuumke.exe
636	RegAsm.exe
3900	RegAsm.exe
2436	RegAsm.exe
2148	RegAsm.exe
3292	RegAsm.exe
1448	RegAsm.exe
2760	RegAsm.exe
4532	zuumke.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\lgnhfk.exe	upx
C:\Users\Admin\AppData\Local\Temp\lgnhfk.exe	upx
C:\Users\Admin\AppData\Local\Temp\15BB.exe	upx
C:\Users\Admin\AppData\Local\Temp\15BB.exe	upx

Loads dropped DLL 2 IoCs

Processes:

Btwgyizzspfr.exezuumke.exe

pid process

2808 Btwgyizzspfr.exe
4532 zuumke.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2808	Btwgyizzspfr.exe
4532	zuumke.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lgnhfk.exe2E0B.exe38E9.exee4d8a5580372bcff92a7be2f385eb7f7.exe4147.exepjyuqp.exe1AFC.exezuumke.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\ServicesWS\\Services.exeꠀ"	lgnhfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\htrhtrhsssqqqqssxtttttxxxxxxrth = "\"C:\\Users\\Admin\\AppData\\Local\\htrhtrhsssqqqqssxtttttxxxxxxrth.exe\""	2E0B.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\ServicesWS\\Services.exe\uff00"	lgnhfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\asuspw = "\"C:\\Users\\Admin\\AppData\\Roaming\\asuspw.exe\""	38E9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Onedrives = "\"C:\\Users\\Admin\\AppData\\Roaming\\Onedrives.exe\""	e4d8a5580372bcff92a7be2f385eb7f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\ServicesWS\\Services.exe茀"	lgnhfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\asuspgw = "\"C:\\Users\\Admin\\AppData\\Roaming\\asuspgw.exe\""	4147.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\rrrtttsyysuttttttttttidododd = "\"C:\\Users\\Admin\\AppData\\Roaming\\rrrtttsyysuttttttttttidododd.exe\""	pjyuqp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\ServicesWS\\Services.exe"	lgnhfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\ServicesWS\\Services.exe⠀"	lgnhfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\rrrtttsyysuttttttttttidododd = "\"C:\\Users\\Admin\\AppData\\Roaming\\rrrtttsyysuttttttttttidododd.exe\""	1AFC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\ServicesWS\\Services.exe\ue500"	lgnhfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\aposffftfsggfgffot = "\"C:\\Users\\Admin\\AppData\\Roaming\\aposffftfsggfgffot.exe\""	zuumke.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\ServicesWS\\Services.exeȀ"	lgnhfk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

lgnhfk.exe15BB.exe

pid process

3972 lgnhfk.exe
3972 lgnhfk.exe
3972 lgnhfk.exe
3972 lgnhfk.exe
3196 15BB.exe

pid	process
3972	lgnhfk.exe
3972	lgnhfk.exe
3972	lgnhfk.exe
3972	lgnhfk.exe
3196	15BB.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

e4d8a5580372bcff92a7be2f385eb7f7.exe1DBC.exe2E0B.exe20AB.exe38E9.exe2252.exe4147.exe1AFC.exepjyuqp.exeehvwiu.exezuumke.exe

description	pid	process	target process
PID 4804 set thread context of 2288	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 4972 set thread context of 1320	4972	1DBC.exe	RegAsm.exe
PID 1392 set thread context of 3340	1392	2E0B.exe	InstallUtil.exe
PID 5004 set thread context of 3820	5004	20AB.exe	RegAsm.exe
PID 632 set thread context of 3320	632	38E9.exe	38E9.exe
PID 908 set thread context of 904	908	2252.exe	RegAsm.exe
PID 3508 set thread context of 3540	3508	4147.exe	4147.exe
PID 4160 set thread context of 636	4160	1AFC.exe	RegAsm.exe
PID 352 set thread context of 3900	352	pjyuqp.exe	RegAsm.exe
PID 4036 set thread context of 2760	4036	ehvwiu.exe	RegAsm.exe
PID 1800 set thread context of 4532	1800	zuumke.exe	zuumke.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2072	636	WerFault.exe	RegAsm.exe
4656	636	WerFault.exe	RegAsm.exe
3868	636	WerFault.exe	RegAsm.exe
2888	3900	WerFault.exe	RegAsm.exe
3480	3900	WerFault.exe	RegAsm.exe
1208	3900	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

zuumke.exeBtwgyizzspfr.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zuumke.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zuumke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Btwgyizzspfr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Btwgyizzspfr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Btwgyizzspfr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zuumke.exe

Modifies registry class 2 IoCs

Processes:

e4d8a5580372bcff92a7be2f385eb7f7.exe20AB.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	e4d8a5580372bcff92a7be2f385eb7f7.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	20AB.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

RegAsm.exe

pid process

904 RegAsm.exe

pid	process
904	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exee4d8a5580372bcff92a7be2f385eb7f7.exeBtwgyizzspfr.exepowershell.exe

pid	process
632	AdvancedRun.exe
632	AdvancedRun.exe
632	AdvancedRun.exe
632	AdvancedRun.exe
476	AdvancedRun.exe
476	AdvancedRun.exe
476	AdvancedRun.exe
476	AdvancedRun.exe
1276	AdvancedRun.exe
1276	AdvancedRun.exe
1276	AdvancedRun.exe
1276	AdvancedRun.exe
1512	AdvancedRun.exe
1512	AdvancedRun.exe
1512	AdvancedRun.exe
1512	AdvancedRun.exe
4804	e4d8a5580372bcff92a7be2f385eb7f7.exe
4804	e4d8a5580372bcff92a7be2f385eb7f7.exe
2808	Btwgyizzspfr.exe
2808	Btwgyizzspfr.exe
3240	powershell.exe
3240	powershell.exe
3240	powershell.exe
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2900
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Btwgyizzspfr.exezuumke.exe

pid process

2808 Btwgyizzspfr.exe
2900
2900
2900
2900
4532 zuumke.exe

pid	process
2900

pid	process
2808	Btwgyizzspfr.exe
2900
2900
2900
2900
4532	zuumke.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e4d8a5580372bcff92a7be2f385eb7f7.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exepowershell.exee4d8a5580372bcff92a7be2f385eb7f7.exepowershell.exelgnhfk.exepowershell.exe15BB.exe1DBC.exe2252.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe2E0B.exeAdvancedRun.exe

description	pid	process
Token: SeDebugPrivilege	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe
Token: SeDebugPrivilege	632	AdvancedRun.exe
Token: SeImpersonatePrivilege	632	AdvancedRun.exe
Token: SeDebugPrivilege	476	AdvancedRun.exe
Token: SeImpersonatePrivilege	476	AdvancedRun.exe
Token: SeDebugPrivilege	1276	AdvancedRun.exe
Token: SeImpersonatePrivilege	1276	AdvancedRun.exe
Token: SeDebugPrivilege	1512	AdvancedRun.exe
Token: SeImpersonatePrivilege	1512	AdvancedRun.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	2288	e4d8a5580372bcff92a7be2f385eb7f7.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	3972	lgnhfk.exe
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeShutdownPrivilege	3196	15BB.exe
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeDebugPrivilege	4972	1DBC.exe
Token: SeDebugPrivilege	908	2252.exe
Token: SeDebugPrivilege	4540	AdvancedRun.exe
Token: SeImpersonatePrivilege	4540	AdvancedRun.exe
Token: SeDebugPrivilege	972	AdvancedRun.exe
Token: SeImpersonatePrivilege	972	AdvancedRun.exe
Token: SeDebugPrivilege	2884	AdvancedRun.exe
Token: SeImpersonatePrivilege	2884	AdvancedRun.exe
Token: SeDebugPrivilege	1392	2E0B.exe
Token: SeDebugPrivilege	2928	AdvancedRun.exe
Token: SeImpersonatePrivilege	2928	AdvancedRun.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

lgnhfk.exe

pid process

3972 lgnhfk.exe
3972 lgnhfk.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2900

pid	process
3972	lgnhfk.exe
3972	lgnhfk.exe

pid	process
2900

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e4d8a5580372bcff92a7be2f385eb7f7.exeAdvancedRun.exeAdvancedRun.exeWScript.exeWScript.exee4d8a5580372bcff92a7be2f385eb7f7.execmd.exepowershell.execmd.exepowershell.exe

description	pid	process	target process
PID 4804 wrote to memory of 632	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	AdvancedRun.exe
PID 4804 wrote to memory of 632	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	AdvancedRun.exe
PID 4804 wrote to memory of 632	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	AdvancedRun.exe
PID 632 wrote to memory of 476	632	AdvancedRun.exe	AdvancedRun.exe
PID 632 wrote to memory of 476	632	AdvancedRun.exe	AdvancedRun.exe
PID 632 wrote to memory of 476	632	AdvancedRun.exe	AdvancedRun.exe
PID 4804 wrote to memory of 1276	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	AdvancedRun.exe
PID 4804 wrote to memory of 1276	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	AdvancedRun.exe
PID 4804 wrote to memory of 1276	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	AdvancedRun.exe
PID 1276 wrote to memory of 1512	1276	AdvancedRun.exe	AdvancedRun.exe
PID 1276 wrote to memory of 1512	1276	AdvancedRun.exe	AdvancedRun.exe
PID 1276 wrote to memory of 1512	1276	AdvancedRun.exe	AdvancedRun.exe
PID 4804 wrote to memory of 1808	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	WScript.exe
PID 4804 wrote to memory of 1808	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	WScript.exe
PID 4804 wrote to memory of 1808	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	WScript.exe
PID 4804 wrote to memory of 1984	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	WScript.exe
PID 4804 wrote to memory of 1984	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	WScript.exe
PID 4804 wrote to memory of 1984	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	WScript.exe
PID 4804 wrote to memory of 2288	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 4804 wrote to memory of 2288	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 4804 wrote to memory of 2288	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 4804 wrote to memory of 2288	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 4804 wrote to memory of 2288	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 4804 wrote to memory of 2288	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 4804 wrote to memory of 2288	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 4804 wrote to memory of 2288	4804	e4d8a5580372bcff92a7be2f385eb7f7.exe	e4d8a5580372bcff92a7be2f385eb7f7.exe
PID 1984 wrote to memory of 2808	1984	WScript.exe	Btwgyizzspfr.exe
PID 1984 wrote to memory of 2808	1984	WScript.exe	Btwgyizzspfr.exe
PID 1984 wrote to memory of 2808	1984	WScript.exe	Btwgyizzspfr.exe
PID 1808 wrote to memory of 3240	1808	WScript.exe	powershell.exe
PID 1808 wrote to memory of 3240	1808	WScript.exe	powershell.exe
PID 1808 wrote to memory of 3240	1808	WScript.exe	powershell.exe
PID 2288 wrote to memory of 3336	2288	e4d8a5580372bcff92a7be2f385eb7f7.exe	cmd.exe
PID 2288 wrote to memory of 3336	2288	e4d8a5580372bcff92a7be2f385eb7f7.exe	cmd.exe
PID 2288 wrote to memory of 3336	2288	e4d8a5580372bcff92a7be2f385eb7f7.exe	cmd.exe
PID 3336 wrote to memory of 3320	3336	cmd.exe	powershell.exe
PID 3336 wrote to memory of 3320	3336	cmd.exe	powershell.exe
PID 3336 wrote to memory of 3320	3336	cmd.exe	powershell.exe
PID 3320 wrote to memory of 3972	3320	powershell.exe	lgnhfk.exe
PID 3320 wrote to memory of 3972	3320	powershell.exe	lgnhfk.exe
PID 3320 wrote to memory of 3972	3320	powershell.exe	lgnhfk.exe
PID 2900 wrote to memory of 3196	2900		15BB.exe
PID 2900 wrote to memory of 3196	2900		15BB.exe
PID 2900 wrote to memory of 3196	2900		15BB.exe
PID 2288 wrote to memory of 4184	2288	e4d8a5580372bcff92a7be2f385eb7f7.exe	cmd.exe
PID 2288 wrote to memory of 4184	2288	e4d8a5580372bcff92a7be2f385eb7f7.exe	cmd.exe
PID 2288 wrote to memory of 4184	2288	e4d8a5580372bcff92a7be2f385eb7f7.exe	cmd.exe
PID 4184 wrote to memory of 3816	4184	cmd.exe	powershell.exe
PID 4184 wrote to memory of 3816	4184	cmd.exe	powershell.exe
PID 4184 wrote to memory of 3816	4184	cmd.exe	powershell.exe
PID 2900 wrote to memory of 4160	2900		1AFC.exe
PID 2900 wrote to memory of 4160	2900		1AFC.exe
PID 2900 wrote to memory of 4972	2900		1DBC.exe
PID 2900 wrote to memory of 4972	2900		1DBC.exe
PID 2900 wrote to memory of 4972	2900		1DBC.exe
PID 2900 wrote to memory of 5004	2900		20AB.exe
PID 2900 wrote to memory of 5004	2900		20AB.exe
PID 2900 wrote to memory of 5004	2900		20AB.exe
PID 3816 wrote to memory of 352	3816	powershell.exe	pjyuqp.exe
PID 3816 wrote to memory of 352	3816	powershell.exe	pjyuqp.exe
PID 2900 wrote to memory of 908	2900		2252.exe
PID 2900 wrote to memory of 908	2900		2252.exe
PID 2900 wrote to memory of 908	2900		2252.exe
PID 2900 wrote to memory of 1392	2900		2E0B.exe

C:\Users\Admin\AppData\Local\Temp\e4d8a5580372bcff92a7be2f385eb7f7.exe
"C:\Users\Admin\AppData\Local\Temp\e4d8a5580372bcff92a7be2f385eb7f7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 632
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:476

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1276
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zEyverccjl.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Onedrives.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Eyverccjl.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\Btwgyizzspfr.exe
"C:\Users\Admin\AppData\Local\Temp\Btwgyizzspfr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2808

C:\Users\Admin\AppData\Local\Temp\e4d8a5580372bcff92a7be2f385eb7f7.exe
C:\Users\Admin\AppData\Local\Temp\e4d8a5580372bcff92a7be2f385eb7f7.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\lgnhfk.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\lgnhfk.exe"'
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320

C:\Users\Admin\AppData\Local\Temp\lgnhfk.exe
"C:\Users\Admin\AppData\Local\Temp\lgnhfk.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pjyuqp.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pjyuqp.exe"'
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\pjyuqp.exe
"C:\Users\Admin\AppData\Local\Temp\pjyuqp.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:352

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
6⤵
- Executes dropped EXE
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 88
7⤵
- Program crash
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 80
7⤵
- Program crash
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 84
7⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:1208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\cqldkc.exe"' & exit
3⤵
PID:2352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\cqldkc.exe"'
4⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ehvwiu.exe"' & exit
3⤵
PID:1672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ehvwiu.exe"'
4⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\ehvwiu.exe
"C:\Users\Admin\AppData\Local\Temp\ehvwiu.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4036

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
6⤵
- Executes dropped EXE
PID:2436

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
6⤵
- Executes dropped EXE
PID:2148

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
6⤵
- Executes dropped EXE
PID:3292

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
6⤵
- Executes dropped EXE
PID:1448

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
6⤵
- Executes dropped EXE
PID:2760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zuumke.exe"' & exit
3⤵
PID:972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zuumke.exe"'
4⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\zuumke.exe
"C:\Users\Admin\AppData\Local\Temp\zuumke.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1800

C:\Users\Admin\AppData\Local\Temp\zuumke.exe
C:\Users\Admin\AppData\Local\Temp\zuumke.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rhckzn.exe"' & exit
3⤵
PID:3300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rhckzn.exe"'
4⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\okrwpn.exe"' & exit
3⤵
PID:2972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\okrwpn.exe"'
4⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\htwvjd.exe"' & exit
3⤵
PID:2828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\htwvjd.exe"'
4⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\15BB.exe
C:\Users\Admin\AppData\Local\Temp\15BB.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Users\Admin\AppData\Local\Temp\1AFC.exe
C:\Users\Admin\AppData\Local\Temp\1AFC.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4160

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 88
3⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 80
3⤵
- Program crash
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 84
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:3868

C:\Users\Admin\AppData\Local\Temp\1DBC.exe
C:\Users\Admin\AppData\Local\Temp\1DBC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
PID:1320

C:\Users\Admin\AppData\Local\Temp\20AB.exe
C:\Users\Admin\AppData\Local\Temp\20AB.exe
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
PID:5004

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 4540
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2884
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zIxguld.vbs"
2⤵
PID:3240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\aposffot.exe'
3⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
PID:3820

C:\Users\Admin\AppData\Local\Temp\2252.exe
C:\Users\Admin\AppData\Local\Temp\2252.exe
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\2252.exe" -Force
2⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
PID:1056

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:904

C:\Users\Admin\AppData\Local\Temp\2E0B.exe
C:\Users\Admin\AppData\Local\Temp\2E0B.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
2⤵
- Executes dropped EXE
PID:1004

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
2⤵
- Executes dropped EXE
PID:1532

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
2⤵
- Executes dropped EXE
PID:3340

C:\Users\Admin\AppData\Local\Temp\38E9.exe
C:\Users\Admin\AppData\Local\Temp\38E9.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:632

C:\Users\Admin\AppData\Local\Temp\38E9.exe
C:\Users\Admin\AppData\Local\Temp\38E9.exe
2⤵
- Executes dropped EXE
PID:3320

C:\Users\Admin\AppData\Local\Temp\4147.exe
C:\Users\Admin\AppData\Local\Temp\4147.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3508

C:\Users\Admin\AppData\Local\Temp\4147.exe
C:\Users\Admin\AppData\Local\Temp\4147.exe
2⤵
- Executes dropped EXE
PID:3540

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3296

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
MD5
a0613d38ffeb5c99b6f8d085c7ba985e

SHA1
d5394e5509841b2c7a073543a66e0916741bad66

SHA256
88bfd8c0caa80171d51051bcca51f3581ccd4cbec3540501958e73ae560de668

SHA512
8be6641aa27e82b9f4a53804e05f84f39603a14bcdba4dda08cc149121e039ffa856ed5584fdc40a2d09f3b1b70c02571e9bd30678b763c89b0265df8f208168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1d2a6d03517f04b77ba5ff7d0c9a0fd4

SHA1
224b931dc273ca48f00958cffbc8cbf8c2f2d374

SHA256
fac747498aab37e7956bdaabba159e760989cde796492f15cc45840d0e942135

SHA512
ec590c00156af8573f0d782676f506e45e4764e4e2b30eb908cc5f2ef55da7f15e9c93ebec8678499ea62ac1867394bdee9be118d2d9256bff54a3d437a5ecd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1d2a6d03517f04b77ba5ff7d0c9a0fd4

SHA1
224b931dc273ca48f00958cffbc8cbf8c2f2d374

SHA256
fac747498aab37e7956bdaabba159e760989cde796492f15cc45840d0e942135

SHA512
ec590c00156af8573f0d782676f506e45e4764e4e2b30eb908cc5f2ef55da7f15e9c93ebec8678499ea62ac1867394bdee9be118d2d9256bff54a3d437a5ecd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
03ad70012fdcdc1a9328ee17cb19335e

SHA1
6825d3f4dbef22a21d843cadb588da79e4580f81

SHA256
61a84d9edd9c2461af5a490a4a62b1cfcaa5250ea9d8233c9302a0e71d90f787

SHA512
090afbc51eb67bf156fb53f4aacafddf2aaf46a280e050f13fe109e8a4959d7e9b4efa5b921e204af384ba1447ff7be5fab34a8f49f74240a81b81079d889e39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b41730c25a04d0faf06f9d8d7159dea2

SHA1
21818eece3a458811ef1bf5d5620e52ebf32a4b5

SHA256
8a90abe6426d3813db7f987d92d89939165d1181b061366133bcc3f8b1881c25

SHA512
6211a5e699ea062e777c27cd4458b193dae59c399c20df57a36b0d991a38898447200b3bc305d0106c5e95913dc99fb18dbda020466bc2e29f0f79fc84e8f21b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b41730c25a04d0faf06f9d8d7159dea2

SHA1
21818eece3a458811ef1bf5d5620e52ebf32a4b5

SHA256
8a90abe6426d3813db7f987d92d89939165d1181b061366133bcc3f8b1881c25

SHA512
6211a5e699ea062e777c27cd4458b193dae59c399c20df57a36b0d991a38898447200b3bc305d0106c5e95913dc99fb18dbda020466bc2e29f0f79fc84e8f21b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8aa7d895761004609d471303f2c91474

SHA1
4ff1b6d895772a882952235adee66e6c16ff9457

SHA256
f3da47d9b88c8cc6f7d846914d4b1c6e010fc2bd86498e6a6f8a7c0c3e2cd01c

SHA512
dd00d94c3e0a0fef8fc5fb6616444f0add6714f019cc1ae7f9010fa879cf2367994cec9082913324aacc853801277bc690fb331ebea5706ba2452020ceaef926

Download Submit
C:\Users\Admin\AppData\Local\Temp\15BB.exe
MD5
cb74327798fbd255e6aa1ba041276ebc

SHA1
204ee8f8e1781a6c57e75829f9b7236b04f10ebe

SHA256
56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103

SHA512
83eda079c3af13da9a5a9934ca9c5478a9deb3e9ae5ea8d7b94af26773e2b8e89a2ee3ce147bc2238772c4c643a076b33e83d49dd6aed020520ad032f110d621

Download Submit
C:\Users\Admin\AppData\Local\Temp\15BB.exe
MD5
cb74327798fbd255e6aa1ba041276ebc

SHA1
204ee8f8e1781a6c57e75829f9b7236b04f10ebe

SHA256
56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103

SHA512
83eda079c3af13da9a5a9934ca9c5478a9deb3e9ae5ea8d7b94af26773e2b8e89a2ee3ce147bc2238772c4c643a076b33e83d49dd6aed020520ad032f110d621

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AFC.exe
MD5
dc713fb52826a486c5034ea27a8f3ce0

SHA1
1e38c2480382d8a82a7968c704a2cde19a6d03b7

SHA256
1807a1c455c816fa443b2aa7e27e5997a0cf64ffae37d3db4aa542de6587201f

SHA512
ecdf3080cad82a1e3d614c997da77e1ae3da71badb4eb21d629cefe133cfe1b0dff49e1d5766cf48589f54de4abae184edb365f343d2cbc06260d4662ad0da1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AFC.exe
MD5
dc713fb52826a486c5034ea27a8f3ce0

SHA1
1e38c2480382d8a82a7968c704a2cde19a6d03b7

SHA256
1807a1c455c816fa443b2aa7e27e5997a0cf64ffae37d3db4aa542de6587201f

SHA512
ecdf3080cad82a1e3d614c997da77e1ae3da71badb4eb21d629cefe133cfe1b0dff49e1d5766cf48589f54de4abae184edb365f343d2cbc06260d4662ad0da1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DBC.exe
MD5
2731037b9508852311223a7b79d0c298

SHA1
fde870e18456c230d371d84fe746de66487fbf32

SHA256
b4b15f7787006e9757865b66a747135ac7452d8bafbbad777fd9491742eba06a

SHA512
e9042c23a99d16a0882b49cbe42cf7a2e301c8de3d1bd5bb125df4f5c0bf2552412fc218c0ad7c8160541f4cf60352a81cff1e5eb8090579748e146bafa657ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DBC.exe
MD5
2731037b9508852311223a7b79d0c298

SHA1
fde870e18456c230d371d84fe746de66487fbf32

SHA256
b4b15f7787006e9757865b66a747135ac7452d8bafbbad777fd9491742eba06a

SHA512
e9042c23a99d16a0882b49cbe42cf7a2e301c8de3d1bd5bb125df4f5c0bf2552412fc218c0ad7c8160541f4cf60352a81cff1e5eb8090579748e146bafa657ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\20AB.exe
MD5
e9ce4b7b7139b741494e335a0598f604

SHA1
3014a09ca15d352f70395b854d0c9d602ca2f0b3

SHA256
09f9730533676c6dbb81b671e4bf807e0b0acb9c9acd7f555eeac26b9c312270

SHA512
35a6701fc6895d41c708612152b1bd0a9d2d0515c88631ca891018417a954a025994b72244cf469236733608bd95633843d34f30e8018ef8166c65c8f4539dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\20AB.exe
MD5
e9ce4b7b7139b741494e335a0598f604

SHA1
3014a09ca15d352f70395b854d0c9d602ca2f0b3

SHA256
09f9730533676c6dbb81b671e4bf807e0b0acb9c9acd7f555eeac26b9c312270

SHA512
35a6701fc6895d41c708612152b1bd0a9d2d0515c88631ca891018417a954a025994b72244cf469236733608bd95633843d34f30e8018ef8166c65c8f4539dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2252.exe
MD5
3a53838adab869781ed0e70728677977

SHA1
526c9e32bc7c020baf839f5ae22109bb3f74ebbe

SHA256
b233ad1f408ee49ef9dd7e4b9c4ff5f167305d5b00f323e894f9e8a910e9f627

SHA512
8e81d303af2973a787f1b60687c0857e4fcb58983a5c8fa7dd83e262156b09cfb195984ccf6b43c5ab8d51c09ffed7d86734698e922430d9007506ba489fc20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2252.exe
MD5
3a53838adab869781ed0e70728677977

SHA1
526c9e32bc7c020baf839f5ae22109bb3f74ebbe

SHA256
b233ad1f408ee49ef9dd7e4b9c4ff5f167305d5b00f323e894f9e8a910e9f627

SHA512
8e81d303af2973a787f1b60687c0857e4fcb58983a5c8fa7dd83e262156b09cfb195984ccf6b43c5ab8d51c09ffed7d86734698e922430d9007506ba489fc20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E0B.exe
MD5
3377db826cec11af9eb7f39a0653f2f7

SHA1
7d090459456b148edcd1077287fd70ddec99b5f9

SHA256
ca1116c959307624499e99a2a64f3bb5fb6aa5a2d4f716d57e2d8dc31d7d3126

SHA512
f3caf42c4211280935aada45032890d9b5f4c44aa1928896a44084fd7c98924039d372e1adceb7af276e0c26a9b3b531510819ec32f733dc5956c493fec4dae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E0B.exe
MD5
3377db826cec11af9eb7f39a0653f2f7

SHA1
7d090459456b148edcd1077287fd70ddec99b5f9

SHA256
ca1116c959307624499e99a2a64f3bb5fb6aa5a2d4f716d57e2d8dc31d7d3126

SHA512
f3caf42c4211280935aada45032890d9b5f4c44aa1928896a44084fd7c98924039d372e1adceb7af276e0c26a9b3b531510819ec32f733dc5956c493fec4dae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\38E9.exe
MD5
2f5a73857af73e809706fa61dd19137b

SHA1
dd858fbc27a5fc43b9405fbe3650bc0fbe0b2cc9

SHA256
01419f6a9cb219224a2898b4e953f9aca722abe2fc4b340498805a23c5936b18

SHA512
c5e2b4c8456c19be34f2927c4971e0b870b12f816ba5634adefff9fb58de436a6a15c00e64a48f9cd80509ecb0ed4bede66e2a60526a801e921bdcc45c7bc8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\38E9.exe
MD5
2f5a73857af73e809706fa61dd19137b

SHA1
dd858fbc27a5fc43b9405fbe3650bc0fbe0b2cc9

SHA256
01419f6a9cb219224a2898b4e953f9aca722abe2fc4b340498805a23c5936b18

SHA512
c5e2b4c8456c19be34f2927c4971e0b870b12f816ba5634adefff9fb58de436a6a15c00e64a48f9cd80509ecb0ed4bede66e2a60526a801e921bdcc45c7bc8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\38E9.exe
MD5
2f5a73857af73e809706fa61dd19137b

SHA1
dd858fbc27a5fc43b9405fbe3650bc0fbe0b2cc9

SHA256
01419f6a9cb219224a2898b4e953f9aca722abe2fc4b340498805a23c5936b18

SHA512
c5e2b4c8456c19be34f2927c4971e0b870b12f816ba5634adefff9fb58de436a6a15c00e64a48f9cd80509ecb0ed4bede66e2a60526a801e921bdcc45c7bc8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4147.exe
MD5
fcddfa914a050a7fe38d0bf80b9d4142

SHA1
67c5ec80602e7cf4dd2eaf1b0bcfa1057c724f87

SHA256
c380585ad3c4926faf2e4821bd69fb57121cf8771f628e18d675865cd1c2d763

SHA512
b4148880882244fb37d9f46e46773f1e4960f893940308e581932e574dcc300bc93c460fcf29ba87baae64acae620a77c6a18d643db6337f3f870af81ef3e211

Download Submit
C:\Users\Admin\AppData\Local\Temp\4147.exe
MD5
fcddfa914a050a7fe38d0bf80b9d4142

SHA1
67c5ec80602e7cf4dd2eaf1b0bcfa1057c724f87

SHA256
c380585ad3c4926faf2e4821bd69fb57121cf8771f628e18d675865cd1c2d763

SHA512
b4148880882244fb37d9f46e46773f1e4960f893940308e581932e574dcc300bc93c460fcf29ba87baae64acae620a77c6a18d643db6337f3f870af81ef3e211

Download Submit
C:\Users\Admin\AppData\Local\Temp\4147.exe
MD5
fcddfa914a050a7fe38d0bf80b9d4142

SHA1
67c5ec80602e7cf4dd2eaf1b0bcfa1057c724f87

SHA256
c380585ad3c4926faf2e4821bd69fb57121cf8771f628e18d675865cd1c2d763

SHA512
b4148880882244fb37d9f46e46773f1e4960f893940308e581932e574dcc300bc93c460fcf29ba87baae64acae620a77c6a18d643db6337f3f870af81ef3e211

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Btwgyizzspfr.exe
MD5
7ceaa5ee0a25213d3b1256f70779027d

SHA1
b7597773064c8e9409ef679357fc01495149a54b

SHA256
49a63a13a37aafb8cf468981153e0dbd9019c79bdc1ecef5e4611c06db182bf3

SHA512
811c47b133198292c67aafa39129627cdae7e89852c6654d4407c4d989702a757f3ec9b6c4272076b7629094df9cdfc8b54f57df8c97d39fbf1a6650abd76563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Btwgyizzspfr.exe
MD5
7ceaa5ee0a25213d3b1256f70779027d

SHA1
b7597773064c8e9409ef679357fc01495149a54b

SHA256
49a63a13a37aafb8cf468981153e0dbd9019c79bdc1ecef5e4611c06db182bf3

SHA512
811c47b133198292c67aafa39129627cdae7e89852c6654d4407c4d989702a757f3ec9b6c4272076b7629094df9cdfc8b54f57df8c97d39fbf1a6650abd76563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eyverccjl.vbs
MD5
2fb1788961f1ced65a09748abb356f2c

SHA1
fcca0125f725195f7791bd049b5e4375c46a1190

SHA256
99158f5c22985ec974d8963206712e8f889ad002d49393c70903605a6a54a0ff

SHA512
14a7274d6e785774f81d49cd7be01b0cdad071561212975b312309ef43297707718ee0b5b12296778d03b4a94c98a50f87b41e3059eab2b936a37d4cccb8751d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehvwiu.exe
MD5
2731037b9508852311223a7b79d0c298

SHA1
fde870e18456c230d371d84fe746de66487fbf32

SHA256
b4b15f7787006e9757865b66a747135ac7452d8bafbbad777fd9491742eba06a

SHA512
e9042c23a99d16a0882b49cbe42cf7a2e301c8de3d1bd5bb125df4f5c0bf2552412fc218c0ad7c8160541f4cf60352a81cff1e5eb8090579748e146bafa657ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehvwiu.exe
MD5
2731037b9508852311223a7b79d0c298

SHA1
fde870e18456c230d371d84fe746de66487fbf32

SHA256
b4b15f7787006e9757865b66a747135ac7452d8bafbbad777fd9491742eba06a

SHA512
e9042c23a99d16a0882b49cbe42cf7a2e301c8de3d1bd5bb125df4f5c0bf2552412fc218c0ad7c8160541f4cf60352a81cff1e5eb8090579748e146bafa657ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgnhfk.exe
MD5
cb74327798fbd255e6aa1ba041276ebc

SHA1
204ee8f8e1781a6c57e75829f9b7236b04f10ebe

SHA256
56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103

SHA512
83eda079c3af13da9a5a9934ca9c5478a9deb3e9ae5ea8d7b94af26773e2b8e89a2ee3ce147bc2238772c4c643a076b33e83d49dd6aed020520ad032f110d621

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgnhfk.exe
MD5
cb74327798fbd255e6aa1ba041276ebc

SHA1
204ee8f8e1781a6c57e75829f9b7236b04f10ebe

SHA256
56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103

SHA512
83eda079c3af13da9a5a9934ca9c5478a9deb3e9ae5ea8d7b94af26773e2b8e89a2ee3ce147bc2238772c4c643a076b33e83d49dd6aed020520ad032f110d621

Download Submit
C:\Users\Admin\AppData\Local\Temp\pjyuqp.exe
MD5
dc713fb52826a486c5034ea27a8f3ce0

SHA1
1e38c2480382d8a82a7968c704a2cde19a6d03b7

SHA256
1807a1c455c816fa443b2aa7e27e5997a0cf64ffae37d3db4aa542de6587201f

SHA512
ecdf3080cad82a1e3d614c997da77e1ae3da71badb4eb21d629cefe133cfe1b0dff49e1d5766cf48589f54de4abae184edb365f343d2cbc06260d4662ad0da1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pjyuqp.exe
MD5
dc713fb52826a486c5034ea27a8f3ce0

SHA1
1e38c2480382d8a82a7968c704a2cde19a6d03b7

SHA256
1807a1c455c816fa443b2aa7e27e5997a0cf64ffae37d3db4aa542de6587201f

SHA512
ecdf3080cad82a1e3d614c997da77e1ae3da71badb4eb21d629cefe133cfe1b0dff49e1d5766cf48589f54de4abae184edb365f343d2cbc06260d4662ad0da1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEyverccjl.vbs
MD5
aabdd72fa5429d7fb6ddc251acaea15c

SHA1
eb269752c3b1aeb9dc328caffdecfc1ba264745e

SHA256
d7a8f9542907b4936b4dfde22cd782e7a784d14d04f777cf44e5711e4bc4a89c

SHA512
9e86e2686d1ab1b8c299c25b1eb5899493138da90f72c190d2f638feb04850fe0763346c3e0a8dd39344b8276f7df4f25e124d82849b93a8890f648abb0b32e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIxguld.vbs
MD5
55f9042a60f84c4e6ca9ff84f11005ca

SHA1
175dfafa0173759331f95c1c039dc02cd88b04ca

SHA256
596c97be58a98a6891d08561943853ea93a2143bf9942949e8290c9f7f259a57

SHA512
7a9d0ed98771372a5b504447072279aa51b8e119e2cbe776c95fbb1af4dc8ff64c3e44d6f4ffd70d5d4720b51e88b0db8c44e0e4753d4cbd4e911386ff49d337

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuumke.exe
MD5
eb114880d17329d9e90b7461d49c9d6f

SHA1
ca524f9a4aac309c66362a0f9e5ed6964223ce92

SHA256
6254f1fc8ea117b9a0b9501ddf9152a382553f5ab52f984286b6a8573fe0b44f

SHA512
348fcdde7e8ac677a9091d725998a2fcb9cb42a6d1f2c78942c971b7c9ab341f63e3f427abb6c6c996bd6d096b023b4ecd221e833d103a3e1ba20239cdf075b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuumke.exe
MD5
eb114880d17329d9e90b7461d49c9d6f

SHA1
ca524f9a4aac309c66362a0f9e5ed6964223ce92

SHA256
6254f1fc8ea117b9a0b9501ddf9152a382553f5ab52f984286b6a8573fe0b44f

SHA512
348fcdde7e8ac677a9091d725998a2fcb9cb42a6d1f2c78942c971b7c9ab341f63e3f427abb6c6c996bd6d096b023b4ecd221e833d103a3e1ba20239cdf075b6

Download Submit
C:\Users\Admin\AppData\Roaming\rrrtttsyysuttttttttttidododd.exe
MD5
dc713fb52826a486c5034ea27a8f3ce0

SHA1
1e38c2480382d8a82a7968c704a2cde19a6d03b7

SHA256
1807a1c455c816fa443b2aa7e27e5997a0cf64ffae37d3db4aa542de6587201f

SHA512
ecdf3080cad82a1e3d614c997da77e1ae3da71badb4eb21d629cefe133cfe1b0dff49e1d5766cf48589f54de4abae184edb365f343d2cbc06260d4662ad0da1f

Download Submit
\Users\Admin\AppData\Local\Temp\D8E6.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/352-235-0x0000000000000000-mapping.dmp

Download
memory/352-242-0x000000001CE20000-0x000000001CE22000-memory.dmp

Filesize
8KB

Download
memory/476-123-0x0000000000000000-mapping.dmp

Download
memory/632-250-0x000000001CA50000-0x000000001CA52000-memory.dmp

Filesize
8KB

Download
memory/632-247-0x0000000000000000-mapping.dmp

Download
memory/632-120-0x0000000000000000-mapping.dmp

Download
memory/636-325-0x0000000140000000-mapping.dmp

Download
memory/904-291-0x0000000000403E2A-mapping.dmp

Download
memory/904-300-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/908-241-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/908-236-0x0000000000000000-mapping.dmp

Download
memory/972-313-0x0000000000000000-mapping.dmp

Download
memory/972-266-0x0000000000000000-mapping.dmp

Download
memory/1032-332-0x0000000000000000-mapping.dmp

Download
memory/1276-125-0x0000000000000000-mapping.dmp

Download
memory/1320-273-0x00000000004171E6-mapping.dmp

Download
memory/1320-281-0x0000000005110000-0x0000000005716000-memory.dmp

Filesize
6.0MB

Download
memory/1392-243-0x0000000000000000-mapping.dmp

Download
memory/1392-246-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/1512-127-0x0000000000000000-mapping.dmp

Download
memory/1672-299-0x0000000000000000-mapping.dmp

Download
memory/1800-321-0x0000000000000000-mapping.dmp

Download
memory/1800-324-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/1808-129-0x0000000000000000-mapping.dmp

Download
memory/1984-130-0x0000000000000000-mapping.dmp

Download
memory/1988-260-0x0000000000B30000-0x0000000000B3C000-memory.dmp

Filesize
48KB

Download
memory/1988-259-0x0000000000B40000-0x0000000000B47000-memory.dmp

Filesize
28KB

Download
memory/1988-258-0x0000000000000000-mapping.dmp

Download
memory/2288-134-0x000000000040C78E-mapping.dmp

Download
memory/2288-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2288-178-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/2288-157-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/2352-261-0x0000000000000000-mapping.dmp

Download
memory/2760-336-0x0000000005680000-0x0000000005C86000-memory.dmp

Filesize
6.0MB

Download
memory/2760-335-0x00000000004171E6-mapping.dmp

Download
memory/2808-137-0x0000000000000000-mapping.dmp

Download
memory/2828-342-0x0000000000000000-mapping.dmp

Download
memory/2884-268-0x0000000000000000-mapping.dmp

Download
memory/2900-339-0x00000000010A0000-0x00000000010B5000-memory.dmp

Filesize
84KB

Download
memory/2900-203-0x0000000001030000-0x0000000001045000-memory.dmp

Filesize
84KB

Download
memory/2928-270-0x0000000000000000-mapping.dmp

Download
memory/2972-340-0x0000000000000000-mapping.dmp

Download
memory/3112-341-0x0000000000000000-mapping.dmp

Download
memory/3196-214-0x0000000000000000-mapping.dmp

Download
memory/3240-144-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/3240-179-0x0000000009530000-0x0000000009531000-memory.dmp

Filesize
4KB

Download
memory/3240-153-0x0000000007FD0000-0x0000000007FD1000-memory.dmp

Filesize
4KB

Download
memory/3240-152-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/3240-163-0x0000000009230000-0x0000000009263000-memory.dmp

Filesize
204KB

Download
memory/3240-151-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/3240-141-0x0000000000000000-mapping.dmp

Download
memory/3240-145-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/3240-146-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/3240-147-0x0000000004782000-0x0000000004783000-memory.dmp

Filesize
4KB

Download
memory/3240-148-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/3240-154-0x00000000082D0000-0x00000000082D1000-memory.dmp

Filesize
4KB

Download
memory/3240-176-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/3240-280-0x0000000000000000-mapping.dmp

Download
memory/3240-149-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/3240-177-0x0000000004783000-0x0000000004784000-memory.dmp

Filesize
4KB

Download
memory/3240-175-0x0000000009370000-0x0000000009371000-memory.dmp

Filesize
4KB

Download
memory/3240-170-0x0000000009010000-0x0000000009011000-memory.dmp

Filesize
4KB

Download
memory/3240-150-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/3296-257-0x0000000000A50000-0x0000000000ABB000-memory.dmp

Filesize
428KB

Download
memory/3296-256-0x0000000000AC0000-0x0000000000B34000-memory.dmp

Filesize
464KB

Download
memory/3296-254-0x0000000000000000-mapping.dmp

Download
memory/3300-331-0x0000000000000000-mapping.dmp

Download
memory/3320-286-0x0000000140000000-mapping.dmp

Download
memory/3320-206-0x0000000006890000-0x0000000006891000-memory.dmp

Filesize
4KB

Download
memory/3320-207-0x0000000006892000-0x0000000006893000-memory.dmp

Filesize
4KB

Download
memory/3320-205-0x0000000000000000-mapping.dmp

Download
memory/3320-213-0x0000000006893000-0x0000000006894000-memory.dmp

Filesize
4KB

Download
memory/3336-204-0x0000000000000000-mapping.dmp

Download
memory/3340-275-0x0000000000BDFE5A-mapping.dmp

Download
memory/3508-255-0x000000001C220000-0x000000001C222000-memory.dmp

Filesize
8KB

Download
memory/3508-251-0x0000000000000000-mapping.dmp

Download
memory/3540-296-0x0000000140000000-mapping.dmp

Download
memory/3584-343-0x0000000000000000-mapping.dmp

Download
memory/3816-223-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/3816-224-0x0000000004862000-0x0000000004863000-memory.dmp

Filesize
4KB

Download
memory/3816-218-0x0000000000000000-mapping.dmp

Download
memory/3816-240-0x0000000004863000-0x0000000004864000-memory.dmp

Filesize
4KB

Download
memory/3820-282-0x00000000004253BE-mapping.dmp

Download
memory/3820-288-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/3900-329-0x0000000140000000-mapping.dmp

Download
memory/3972-209-0x0000000000000000-mapping.dmp

Download
memory/3988-294-0x0000000006F52000-0x0000000006F53000-memory.dmp

Filesize
4KB

Download
memory/3988-305-0x000000007EBE0000-0x000000007EBE1000-memory.dmp

Filesize
4KB

Download
memory/3988-292-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/3988-285-0x0000000000000000-mapping.dmp

Download
memory/3988-306-0x0000000006F53000-0x0000000006F54000-memory.dmp

Filesize
4KB

Download
memory/4036-308-0x0000000000000000-mapping.dmp

Download
memory/4036-311-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/4160-225-0x000000001C140000-0x000000001C142000-memory.dmp

Filesize
8KB

Download
memory/4160-220-0x0000000000000000-mapping.dmp

Download
memory/4184-217-0x0000000000000000-mapping.dmp

Download
memory/4348-262-0x0000000000000000-mapping.dmp

Download
memory/4532-337-0x0000000000402D4A-mapping.dmp

Download
memory/4532-338-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4540-263-0x0000000000000000-mapping.dmp

Download
memory/4636-316-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/4636-323-0x0000000001273000-0x0000000001274000-memory.dmp

Filesize
4KB

Download
memory/4636-317-0x0000000001272000-0x0000000001273000-memory.dmp

Filesize
4KB

Download
memory/4636-315-0x0000000000000000-mapping.dmp

Download
memory/4804-116-0x0000000002C10000-0x0000000002C12000-memory.dmp

Filesize
8KB

Download
memory/4804-119-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/4804-118-0x0000000005E30000-0x0000000005E79000-memory.dmp

Filesize
292KB

Download
memory/4804-117-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/4804-114-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/4820-310-0x0000000000CA3000-0x0000000000CA4000-memory.dmp

Filesize
4KB

Download
memory/4820-303-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4820-304-0x0000000000CA2000-0x0000000000CA3000-memory.dmp

Filesize
4KB

Download
memory/4820-302-0x0000000000000000-mapping.dmp

Download
memory/4968-295-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/4968-298-0x0000000000DE2000-0x0000000000DE3000-memory.dmp

Filesize
4KB

Download
memory/4968-314-0x0000000000DE3000-0x0000000000DE4000-memory.dmp

Filesize
4KB

Download
memory/4968-289-0x0000000000000000-mapping.dmp

Download
memory/4972-226-0x0000000000000000-mapping.dmp

Download
memory/4972-232-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/5004-229-0x0000000000000000-mapping.dmp

Download
memory/5004-233-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download