azorult | 394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a

Analysis

max time kernel
142s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
03-10-2021 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
Size

3.6MB
MD5

1c14f817504c54653c779387de0a058a
SHA1

87e8826484135a91d14a610176f7ed6347ebdc5d
SHA256

394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a
SHA512

10e8886d68c8e0db77037d926a613301b915afd79320d53a25f8174a63530facf68f76eb4d24a19d138049662f627520211fa80f3ab51a77037ecb8c6952bf8b

Score

10^/10

azorult oski raccoon e16d9c3413a8d3bc552d87560e5a14148908608d discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

e16d9c3413a8d3bc552d87560e5a14148908608d

Attributes

url4cnc
https://t.me/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

maurizio.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

Syrtlbqrhgojcisaconsoleapp18.exeLrtBBe6rqY.exeqnNsxgFw53.exeSyrtlbqrhgojcisaconsoleapp18.exeaspnet_compiler.exeQtscbzjoconsoleapp5.exeLrtBBe6rqY.exefodhelper.exeQtscbzjoconsoleapp5.exeQtscbzjoconsoleapp5.exe

pid	process
3772	Syrtlbqrhgojcisaconsoleapp18.exe
3864	LrtBBe6rqY.exe
736	qnNsxgFw53.exe
1012	Syrtlbqrhgojcisaconsoleapp18.exe
1832	aspnet_compiler.exe
2952	Qtscbzjoconsoleapp5.exe
3740	LrtBBe6rqY.exe
4688	fodhelper.exe
1832	aspnet_compiler.exe
3176	Qtscbzjoconsoleapp5.exe
736	Qtscbzjoconsoleapp5.exe

Loads dropped DLL 9 IoCs

Processes:

394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exeQtscbzjoconsoleapp5.exe

pid	process
2372	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
2372	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
2372	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
2372	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
2372	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
2372	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
736	Qtscbzjoconsoleapp5.exe
736	Qtscbzjoconsoleapp5.exe
736	Qtscbzjoconsoleapp5.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Qtscbzjoconsoleapp5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winda = "\"C:\\Users\\Admin\\AppData\\Roaming\\winda.exe\""	Qtscbzjoconsoleapp5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

Processes:

394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exeSyrtlbqrhgojcisaconsoleapp18.exeLrtBBe6rqY.exeQtscbzjoconsoleapp5.exeQtscbzjoconsoleapp5.exe

description	pid	process	target process
PID 652 set thread context of 2372	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 3772 set thread context of 1832	3772	Syrtlbqrhgojcisaconsoleapp18.exe	aspnet_compiler.exe
PID 3864 set thread context of 3740	3864	LrtBBe6rqY.exe	LrtBBe6rqY.exe
PID 736 set thread context of 1832	736	Qtscbzjoconsoleapp5.exe	aspnet_compiler.exe
PID 2952 set thread context of 736	2952	Qtscbzjoconsoleapp5.exe	Qtscbzjoconsoleapp5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Qtscbzjoconsoleapp5.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Qtscbzjoconsoleapp5.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2852 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3488 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4424 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Qtscbzjoconsoleapp5.exe

pid	process
2852	schtasks.exe

pid	process
3488	timeout.exe

pid	process
4424	taskkill.exe

Modifies registry class 2 IoCs

Processes:

394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exeSyrtlbqrhgojcisaconsoleapp18.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Syrtlbqrhgojcisaconsoleapp18.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

4552 reg.exe
4768 reg.exe
4944 reg.exe

pid	process
4552	reg.exe
4768	reg.exe
4944	reg.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

powershell.exepowershell.exe394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exepowershell.exepowershell.exeqnNsxgFw53.exepowershell.exeSyrtlbqrhgojcisaconsoleapp18.exepowershell.exepowershell.exepowershell.exeQtscbzjoconsoleapp5.exeQtscbzjoconsoleapp5.exeaspnet_compiler.exe

pid	process
1088	powershell.exe
1088	powershell.exe
1088	powershell.exe
3980	powershell.exe
3980	powershell.exe
3980	powershell.exe
652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
1636	powershell.exe
1636	powershell.exe
1636	powershell.exe
3084	powershell.exe
3084	powershell.exe
3084	powershell.exe
736	qnNsxgFw53.exe
492	powershell.exe
492	powershell.exe
492	powershell.exe
3772	Syrtlbqrhgojcisaconsoleapp18.exe
3772	Syrtlbqrhgojcisaconsoleapp18.exe
3772	Syrtlbqrhgojcisaconsoleapp18.exe
3772	Syrtlbqrhgojcisaconsoleapp18.exe
3772	Syrtlbqrhgojcisaconsoleapp18.exe
3772	Syrtlbqrhgojcisaconsoleapp18.exe
3772	Syrtlbqrhgojcisaconsoleapp18.exe
744	powershell.exe
744	powershell.exe
744	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4372	powershell.exe
4372	powershell.exe
4372	powershell.exe
736	Qtscbzjoconsoleapp5.exe
736	Qtscbzjoconsoleapp5.exe
736	Qtscbzjoconsoleapp5.exe
2952	Qtscbzjoconsoleapp5.exe
2952	Qtscbzjoconsoleapp5.exe
2952	Qtscbzjoconsoleapp5.exe
2952	Qtscbzjoconsoleapp5.exe
2952	Qtscbzjoconsoleapp5.exe
2952	Qtscbzjoconsoleapp5.exe
2952	Qtscbzjoconsoleapp5.exe
1832	aspnet_compiler.exe
1832	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeIncreaseQuotaPrivilege	1088	powershell.exe
Token: SeSecurityPrivilege	1088	powershell.exe
Token: SeTakeOwnershipPrivilege	1088	powershell.exe
Token: SeLoadDriverPrivilege	1088	powershell.exe
Token: SeSystemProfilePrivilege	1088	powershell.exe
Token: SeSystemtimePrivilege	1088	powershell.exe
Token: SeProfSingleProcessPrivilege	1088	powershell.exe
Token: SeIncBasePriorityPrivilege	1088	powershell.exe
Token: SeCreatePagefilePrivilege	1088	powershell.exe
Token: SeBackupPrivilege	1088	powershell.exe
Token: SeRestorePrivilege	1088	powershell.exe
Token: SeShutdownPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeSystemEnvironmentPrivilege	1088	powershell.exe
Token: SeRemoteShutdownPrivilege	1088	powershell.exe
Token: SeUndockPrivilege	1088	powershell.exe
Token: SeManageVolumePrivilege	1088	powershell.exe
Token: 33	1088	powershell.exe
Token: 34	1088	powershell.exe
Token: 35	1088	powershell.exe
Token: 36	1088	powershell.exe
Token: SeIncreaseQuotaPrivilege	1088	powershell.exe
Token: SeSecurityPrivilege	1088	powershell.exe
Token: SeTakeOwnershipPrivilege	1088	powershell.exe
Token: SeLoadDriverPrivilege	1088	powershell.exe
Token: SeSystemProfilePrivilege	1088	powershell.exe
Token: SeSystemtimePrivilege	1088	powershell.exe
Token: SeProfSingleProcessPrivilege	1088	powershell.exe
Token: SeIncBasePriorityPrivilege	1088	powershell.exe
Token: SeCreatePagefilePrivilege	1088	powershell.exe
Token: SeBackupPrivilege	1088	powershell.exe
Token: SeRestorePrivilege	1088	powershell.exe
Token: SeShutdownPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeSystemEnvironmentPrivilege	1088	powershell.exe
Token: SeRemoteShutdownPrivilege	1088	powershell.exe
Token: SeUndockPrivilege	1088	powershell.exe
Token: SeManageVolumePrivilege	1088	powershell.exe
Token: 33	1088	powershell.exe
Token: 34	1088	powershell.exe
Token: 35	1088	powershell.exe
Token: 36	1088	powershell.exe
Token: SeIncreaseQuotaPrivilege	1088	powershell.exe
Token: SeSecurityPrivilege	1088	powershell.exe
Token: SeTakeOwnershipPrivilege	1088	powershell.exe
Token: SeLoadDriverPrivilege	1088	powershell.exe
Token: SeSystemProfilePrivilege	1088	powershell.exe
Token: SeSystemtimePrivilege	1088	powershell.exe
Token: SeProfSingleProcessPrivilege	1088	powershell.exe
Token: SeIncBasePriorityPrivilege	1088	powershell.exe
Token: SeCreatePagefilePrivilege	1088	powershell.exe
Token: SeBackupPrivilege	1088	powershell.exe
Token: SeRestorePrivilege	1088	powershell.exe
Token: SeShutdownPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeSystemEnvironmentPrivilege	1088	powershell.exe
Token: SeRemoteShutdownPrivilege	1088	powershell.exe
Token: SeUndockPrivilege	1088	powershell.exe
Token: SeManageVolumePrivilege	1088	powershell.exe
Token: 33	1088	powershell.exe
Token: 34	1088	powershell.exe
Token: 35	1088	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exeWScript.exeSyrtlbqrhgojcisaconsoleapp18.exe394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.execmd.exeqnNsxgFw53.exeWScript.exeQtscbzjoconsoleapp5.exe

description	pid	process	target process
PID 652 wrote to memory of 1088	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	powershell.exe
PID 652 wrote to memory of 1088	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	powershell.exe
PID 652 wrote to memory of 1088	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	powershell.exe
PID 652 wrote to memory of 3980	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	powershell.exe
PID 652 wrote to memory of 3980	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	powershell.exe
PID 652 wrote to memory of 3980	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	powershell.exe
PID 652 wrote to memory of 2156	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	WScript.exe
PID 652 wrote to memory of 2156	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	WScript.exe
PID 652 wrote to memory of 2156	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	WScript.exe
PID 652 wrote to memory of 2356	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 652 wrote to memory of 2356	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 652 wrote to memory of 2356	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 652 wrote to memory of 2372	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 652 wrote to memory of 2372	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 652 wrote to memory of 2372	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 652 wrote to memory of 2372	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 652 wrote to memory of 2372	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 652 wrote to memory of 2372	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 652 wrote to memory of 2372	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 652 wrote to memory of 2372	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 652 wrote to memory of 2372	652	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 2156 wrote to memory of 3772	2156	WScript.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 2156 wrote to memory of 3772	2156	WScript.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 2156 wrote to memory of 3772	2156	WScript.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 3772 wrote to memory of 1636	3772	Syrtlbqrhgojcisaconsoleapp18.exe	powershell.exe
PID 3772 wrote to memory of 1636	3772	Syrtlbqrhgojcisaconsoleapp18.exe	powershell.exe
PID 3772 wrote to memory of 1636	3772	Syrtlbqrhgojcisaconsoleapp18.exe	powershell.exe
PID 3772 wrote to memory of 3084	3772	Syrtlbqrhgojcisaconsoleapp18.exe	powershell.exe
PID 3772 wrote to memory of 3084	3772	Syrtlbqrhgojcisaconsoleapp18.exe	powershell.exe
PID 3772 wrote to memory of 3084	3772	Syrtlbqrhgojcisaconsoleapp18.exe	powershell.exe
PID 2372 wrote to memory of 3864	2372	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	LrtBBe6rqY.exe
PID 2372 wrote to memory of 3864	2372	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	LrtBBe6rqY.exe
PID 2372 wrote to memory of 3864	2372	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	LrtBBe6rqY.exe
PID 2372 wrote to memory of 736	2372	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	qnNsxgFw53.exe
PID 2372 wrote to memory of 736	2372	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	qnNsxgFw53.exe
PID 2372 wrote to memory of 3408	2372	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	cmd.exe
PID 2372 wrote to memory of 3408	2372	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	cmd.exe
PID 2372 wrote to memory of 3408	2372	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	cmd.exe
PID 3408 wrote to memory of 3488	3408	cmd.exe	timeout.exe
PID 3408 wrote to memory of 3488	3408	cmd.exe	timeout.exe
PID 3408 wrote to memory of 3488	3408	cmd.exe	timeout.exe
PID 736 wrote to memory of 492	736	qnNsxgFw53.exe	powershell.exe
PID 736 wrote to memory of 492	736	qnNsxgFw53.exe	powershell.exe
PID 3772 wrote to memory of 776	3772	Syrtlbqrhgojcisaconsoleapp18.exe	WScript.exe
PID 3772 wrote to memory of 776	3772	Syrtlbqrhgojcisaconsoleapp18.exe	WScript.exe
PID 3772 wrote to memory of 776	3772	Syrtlbqrhgojcisaconsoleapp18.exe	WScript.exe
PID 3772 wrote to memory of 1012	3772	Syrtlbqrhgojcisaconsoleapp18.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 3772 wrote to memory of 1012	3772	Syrtlbqrhgojcisaconsoleapp18.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 3772 wrote to memory of 1012	3772	Syrtlbqrhgojcisaconsoleapp18.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 3772 wrote to memory of 1832	3772	Syrtlbqrhgojcisaconsoleapp18.exe	aspnet_compiler.exe
PID 3772 wrote to memory of 1832	3772	Syrtlbqrhgojcisaconsoleapp18.exe	aspnet_compiler.exe
PID 3772 wrote to memory of 1832	3772	Syrtlbqrhgojcisaconsoleapp18.exe	aspnet_compiler.exe
PID 3772 wrote to memory of 1832	3772	Syrtlbqrhgojcisaconsoleapp18.exe	aspnet_compiler.exe
PID 3772 wrote to memory of 1832	3772	Syrtlbqrhgojcisaconsoleapp18.exe	aspnet_compiler.exe
PID 3772 wrote to memory of 1832	3772	Syrtlbqrhgojcisaconsoleapp18.exe	aspnet_compiler.exe
PID 3772 wrote to memory of 1832	3772	Syrtlbqrhgojcisaconsoleapp18.exe	aspnet_compiler.exe
PID 3772 wrote to memory of 1832	3772	Syrtlbqrhgojcisaconsoleapp18.exe	aspnet_compiler.exe
PID 3772 wrote to memory of 1832	3772	Syrtlbqrhgojcisaconsoleapp18.exe	aspnet_compiler.exe
PID 776 wrote to memory of 2952	776	WScript.exe	Qtscbzjoconsoleapp5.exe
PID 776 wrote to memory of 2952	776	WScript.exe	Qtscbzjoconsoleapp5.exe
PID 776 wrote to memory of 2952	776	WScript.exe	Qtscbzjoconsoleapp5.exe
PID 2952 wrote to memory of 744	2952	Qtscbzjoconsoleapp5.exe	powershell.exe
PID 2952 wrote to memory of 744	2952	Qtscbzjoconsoleapp5.exe	powershell.exe
PID 2952 wrote to memory of 744	2952	Qtscbzjoconsoleapp5.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
"C:\Users\Admin\AppData\Local\Temp\394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3980

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Sinshwgbbjkobohqpsxmxghl.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
"C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3084

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Aataxxmllamhvbgmkenndscw.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
"C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4372

C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
6⤵
- Executes dropped EXE
PID:3176

C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 736 & erase C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe & RD /S /Q C:\\ProgramData\\462281499604675\\* & exit
7⤵
PID:4332

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 736
8⤵
- Kills process with taskkill
PID:4424

C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
4⤵
- Executes dropped EXE
PID:1012

C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
4⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
C:\Users\Admin\AppData\Local\Temp\394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
2⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
C:\Users\Admin\AppData\Local\Temp\394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\LrtBBe6rqY.exe
"C:\Users\Admin\AppData\Local\Temp\LrtBBe6rqY.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3864

C:\Users\Admin\AppData\Local\Temp\LrtBBe6rqY.exe
C:\Users\Admin\AppData\Local\Temp\LrtBBe6rqY.exe
4⤵
- Executes dropped EXE
PID:3740

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
5⤵
- Creates scheduled task(s)
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Trast.bat" "
4⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
5⤵
PID:4180

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
6⤵
- Modifies registry key
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
6⤵
- Modifies registry key
PID:4768

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
6⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nest.bat" "
4⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
5⤵
- Modifies registry key
PID:4944

C:\Users\Admin\AppData\Local\Temp\qnNsxgFw53.exe
"C:\Users\Admin\AppData\Local\Temp\qnNsxgFw53.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4164

C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:3488

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
PID:4688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
26cfaf6b321c86dfc24262e01f03d929

SHA1
7026c2d0182aee991326da0967418a3b72d97970

SHA256
ef42a7bbf10616760366d4baba9976be9b8497f610389b5b8994eea2c498489b

SHA512
fed2081182d4b7d8f679e0e06eea4a4c1292f83c6b4ffaf46f0d199c384efca86da03d69ecd65cdd87c52745979f53eabe6ab19e1251000849c5c67a8038eac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
bc319a49a6a58add34c24f335706a795

SHA1
15b0ba28224ac0b033cca7c57e40e1c1517cba73

SHA256
8f913ae5fd63ba893ec36aff11c0e2a205efd102a565d74c61301183718e0c4e

SHA512
df95d6b8ed025b417bc84de75ec3b45320a41dfbc08b5415cb30ed5847e4e4d34877a6bab2ed6f9cd4be988dbbce2ae5a15ddcdbfeb1f65a42c3b385fddbbcb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
1c33ff599b382b705675229c91fc2f99

SHA1
c20086746c14c5d57be9a3df47bd75fa77abe7e0

SHA256
d46b6790776328125154bb8231deafcc7786911bea48fbcd2742c05fa1c4da0a

SHA512
5b975f6b0d5407d8d43975c0fd0c26ecb155f6ee9b7416e39478f84e97deea590d1eb0cf2a972adcf96eba6745fdef472f6fcf51d85cd53c2da9b4c550ee413c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c22732ba5363acd85b50f02fc341cfa8

SHA1
1d00c794e6fb8f19205b8fded943ca263ca7e731

SHA256
fd9398bdbc9999d6c0fc4896a73273aa464ce654d202aa331e1cd479b429b56d

SHA512
ac4181df93d4b447cf8f14428cc8aced1e917aa6f8fd1d2c05bccc4f91629a081a9b58be3afe26a160912952fe5bfc38f3a537d8f1c28771deef95e3f4bd56b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c22732ba5363acd85b50f02fc341cfa8

SHA1
1d00c794e6fb8f19205b8fded943ca263ca7e731

SHA256
fd9398bdbc9999d6c0fc4896a73273aa464ce654d202aa331e1cd479b429b56d

SHA512
ac4181df93d4b447cf8f14428cc8aced1e917aa6f8fd1d2c05bccc4f91629a081a9b58be3afe26a160912952fe5bfc38f3a537d8f1c28771deef95e3f4bd56b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
aa80aee272ed740b035b5b045400e1f7

SHA1
2b085926e8141a5a2f0fdf52ad82e5149ddc9f88

SHA256
ffd5c81d268e3a841571cdfd44d15210e12c5a18adc7b9058122db735c811d4f

SHA512
ac61239e56c651ed7ce4a1effc23b7dee84b56d5bed33fd185369c920ee5af7872edac3c6b0a7d5fd457b243d32312186dbcd76a599a4434d60142ad7d6a8808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b5e5ce6e5dfe01aba4d503329790f635

SHA1
27ea259cf1cd5848430e9b17f0c78adfde2feace

SHA256
2a4cb655021e9f61271b3027f61f78c36aef53ce35fad9e5d85052193c51663b

SHA512
3ca7356e07ff1ef13bff4e64d0c3593226cba3c02886894fe852a1478bd15d69edc04b502a74e819d421170b2c21dc14c2d59702dd440e56152db3d7e0f78146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
42b1d3ddd012a2190620418b51e285df

SHA1
1f5c5b85bfed48422dac4fb777e1209c8573576f

SHA256
738ea60f8106b8f60d8b929f200c8f39ab11eb5697589076876ce9c694b1dde3

SHA512
7715f90335a037301d9c4585ab3abb139dab958234a8d822a40fe01ac14efcfb21d0849406a60eccdc7c162cde3b4d4f81e3a7148220a9ff394e2bca904f21e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aataxxmllamhvbgmkenndscw.vbs
MD5
6e09876f674d62cf569f34c2b9900164

SHA1
40db5acc8ec91e01178f02d9c82f5a7fa5cf5b70

SHA256
b40103ef93c0b87328623bcd4d80b978558282ba08769c618edb8d45a2ab9a8a

SHA512
25d6d4f7878e69d56c050da2b694fc854d52765826abdb387dd3f512d5e66c931c746d769ade210c10b094724e7fc48a7b8a8ef78a019949415367d96590f3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrtBBe6rqY.exe
MD5
77660feaa0a13e4209e50860de77a2db

SHA1
15e7e73c32d8f2faf284ec0db24e405fd255be2c

SHA256
cd6f4032380cd399d9320ddf9bc6f805838e455f9ab39e84100b30307cf028db

SHA512
e059e209aaf65443bd9e26cdefe2dc11a3594c3cf83b1a7342bff97ce77318b9a4086b354a5dafbed8dba1373ccd2579909ff3149203893e0bd200bd453f5f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrtBBe6rqY.exe
MD5
77660feaa0a13e4209e50860de77a2db

SHA1
15e7e73c32d8f2faf284ec0db24e405fd255be2c

SHA256
cd6f4032380cd399d9320ddf9bc6f805838e455f9ab39e84100b30307cf028db

SHA512
e059e209aaf65443bd9e26cdefe2dc11a3594c3cf83b1a7342bff97ce77318b9a4086b354a5dafbed8dba1373ccd2579909ff3149203893e0bd200bd453f5f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrtBBe6rqY.exe
MD5
77660feaa0a13e4209e50860de77a2db

SHA1
15e7e73c32d8f2faf284ec0db24e405fd255be2c

SHA256
cd6f4032380cd399d9320ddf9bc6f805838e455f9ab39e84100b30307cf028db

SHA512
e059e209aaf65443bd9e26cdefe2dc11a3594c3cf83b1a7342bff97ce77318b9a4086b354a5dafbed8dba1373ccd2579909ff3149203893e0bd200bd453f5f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
MD5
536b06e106b9f179a16635a5d3c5034b

SHA1
e8f5c1cd4bb27ac6cedfa8beb05918db4b568501

SHA256
1253dff2e1b7d465478b535867516e54be57ebde1aaa71d6365978bedbf8a9f5

SHA512
d65fa96ce3f8360af1e70018ec9143705a9fda585ab1315aa908ee6e08bea3c184eebbe84108ae3494e585836fa0fd1dc468873d64579875a17f18e663c9647f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
MD5
536b06e106b9f179a16635a5d3c5034b

SHA1
e8f5c1cd4bb27ac6cedfa8beb05918db4b568501

SHA256
1253dff2e1b7d465478b535867516e54be57ebde1aaa71d6365978bedbf8a9f5

SHA512
d65fa96ce3f8360af1e70018ec9143705a9fda585ab1315aa908ee6e08bea3c184eebbe84108ae3494e585836fa0fd1dc468873d64579875a17f18e663c9647f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
MD5
536b06e106b9f179a16635a5d3c5034b

SHA1
e8f5c1cd4bb27ac6cedfa8beb05918db4b568501

SHA256
1253dff2e1b7d465478b535867516e54be57ebde1aaa71d6365978bedbf8a9f5

SHA512
d65fa96ce3f8360af1e70018ec9143705a9fda585ab1315aa908ee6e08bea3c184eebbe84108ae3494e585836fa0fd1dc468873d64579875a17f18e663c9647f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
MD5
536b06e106b9f179a16635a5d3c5034b

SHA1
e8f5c1cd4bb27ac6cedfa8beb05918db4b568501

SHA256
1253dff2e1b7d465478b535867516e54be57ebde1aaa71d6365978bedbf8a9f5

SHA512
d65fa96ce3f8360af1e70018ec9143705a9fda585ab1315aa908ee6e08bea3c184eebbe84108ae3494e585836fa0fd1dc468873d64579875a17f18e663c9647f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sinshwgbbjkobohqpsxmxghl.vbs
MD5
573670414b0087f053b79f50f9a3f06b

SHA1
61222881cb0235e0f87eeb6ce3e5e6c1ffc6a075

SHA256
3a85350adde1bec707dcab1c1fe4389e8751c2880e754089573a3d0cdcd84024

SHA512
04b6438fccae5d608216869a9aabe32e9ca6efd3de80202042f37f905b423af4e7bd8974c4525a0539233a5006114d58af1af5d628a753bd891560eebd68f468

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
MD5
542d9c144a1a6f94ec70822c8d8b757c

SHA1
1bab2c68f4ac848b0627a13927c6d71c5a094bd0

SHA256
e31587908889029f73855cd422d13232ae6653b59c2d1c4fb36c19118ab0cbf5

SHA512
f80c3acec61051a2971c02ee08ff3858826951ec1e94c60a9959ce4291d8bce6607781388ebcf1a651f64d7ee7f33354e0aa89bf600f208c63010718b6b073a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
MD5
542d9c144a1a6f94ec70822c8d8b757c

SHA1
1bab2c68f4ac848b0627a13927c6d71c5a094bd0

SHA256
e31587908889029f73855cd422d13232ae6653b59c2d1c4fb36c19118ab0cbf5

SHA512
f80c3acec61051a2971c02ee08ff3858826951ec1e94c60a9959ce4291d8bce6607781388ebcf1a651f64d7ee7f33354e0aa89bf600f208c63010718b6b073a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
MD5
542d9c144a1a6f94ec70822c8d8b757c

SHA1
1bab2c68f4ac848b0627a13927c6d71c5a094bd0

SHA256
e31587908889029f73855cd422d13232ae6653b59c2d1c4fb36c19118ab0cbf5

SHA512
f80c3acec61051a2971c02ee08ff3858826951ec1e94c60a9959ce4291d8bce6607781388ebcf1a651f64d7ee7f33354e0aa89bf600f208c63010718b6b073a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
MD5
542d9c144a1a6f94ec70822c8d8b757c

SHA1
1bab2c68f4ac848b0627a13927c6d71c5a094bd0

SHA256
e31587908889029f73855cd422d13232ae6653b59c2d1c4fb36c19118ab0cbf5

SHA512
f80c3acec61051a2971c02ee08ff3858826951ec1e94c60a9959ce4291d8bce6607781388ebcf1a651f64d7ee7f33354e0aa89bf600f208c63010718b6b073a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
MD5
843969865a92a4e82c26a2fa75ca4026

SHA1
c1046b49bc93cb3b37cebe1388d0b72bb66ab2e7

SHA256
3bd221cdc9867ee90ba3633f2266f298b4cb4fac98c70a0f208ce4afb6748637

SHA512
b9b30b9a69b5c7d536fe5d3c7d4615b2d9eec8410d20727c1ad17ba36c2876cb9ddbfe77353101fd80d92653724a176cd7f20c85cfaf69c6b74e95cf7de7440a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
MD5
843969865a92a4e82c26a2fa75ca4026

SHA1
c1046b49bc93cb3b37cebe1388d0b72bb66ab2e7

SHA256
3bd221cdc9867ee90ba3633f2266f298b4cb4fac98c70a0f208ce4afb6748637

SHA512
b9b30b9a69b5c7d536fe5d3c7d4615b2d9eec8410d20727c1ad17ba36c2876cb9ddbfe77353101fd80d92653724a176cd7f20c85cfaf69c6b74e95cf7de7440a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnNsxgFw53.exe
MD5
7bbc2539d7196864b7745b8065a35e7e

SHA1
0dd2782389c400e8ebd57ce68c425a6e6d5134f1

SHA256
4d265a1ee6dd0bdccd7e31fce027ccd42f1e19c09a92e911fba7db7696698b4d

SHA512
8facb340b78e4c4b17c355c5eb16fdca7dba0cd49626ae7897cd44b498a9d10a6508e532b0607a31b122286b855b78abc4c63a831977e3043e7e78217ef427be

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnNsxgFw53.exe
MD5
7bbc2539d7196864b7745b8065a35e7e

SHA1
0dd2782389c400e8ebd57ce68c425a6e6d5134f1

SHA256
4d265a1ee6dd0bdccd7e31fce027ccd42f1e19c09a92e911fba7db7696698b4d

SHA512
8facb340b78e4c4b17c355c5eb16fdca7dba0cd49626ae7897cd44b498a9d10a6508e532b0607a31b122286b855b78abc4c63a831977e3043e7e78217ef427be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
77660feaa0a13e4209e50860de77a2db

SHA1
15e7e73c32d8f2faf284ec0db24e405fd255be2c

SHA256
cd6f4032380cd399d9320ddf9bc6f805838e455f9ab39e84100b30307cf028db

SHA512
e059e209aaf65443bd9e26cdefe2dc11a3594c3cf83b1a7342bff97ce77318b9a4086b354a5dafbed8dba1373ccd2579909ff3149203893e0bd200bd453f5f00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
MD5
77660feaa0a13e4209e50860de77a2db

SHA1
15e7e73c32d8f2faf284ec0db24e405fd255be2c

SHA256
cd6f4032380cd399d9320ddf9bc6f805838e455f9ab39e84100b30307cf028db

SHA512
e059e209aaf65443bd9e26cdefe2dc11a3594c3cf83b1a7342bff97ce77318b9a4086b354a5dafbed8dba1373ccd2579909ff3149203893e0bd200bd453f5f00

Download Submit
C:\Users\Public\Trast.bat
MD5
4068c9f69fcd8a171c67f81d4a952a54

SHA1
4d2536a8c28cdcc17465e20d6693fb9e8e713b36

SHA256
24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810

SHA512
a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

Download Submit
C:\Users\Public\UKO.bat
MD5
eaf8d967454c3bbddbf2e05a421411f8

SHA1
6170880409b24de75c2dc3d56a506fbff7f6622c

SHA256
f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56

SHA512
fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

Download Submit
C:\Users\Public\nest.bat
MD5
8ada51400b7915de2124baaf75e3414c

SHA1
1a7b9db12184ab7fd7fce1c383f9670a00adb081

SHA256
45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7

SHA512
9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
memory/492-3771-0x0000025FFC0E9000-0x0000025FFC0EF000-memory.dmp

Filesize
24KB

Download
memory/492-1902-0x0000000000000000-mapping.dmp

Download
memory/492-1938-0x0000025FFC0E0000-0x0000025FFC0E2000-memory.dmp

Filesize
8KB

Download
memory/492-1939-0x0000025FFC0E3000-0x0000025FFC0E5000-memory.dmp

Filesize
8KB

Download
memory/492-2245-0x0000025FFC0E6000-0x0000025FFC0E8000-memory.dmp

Filesize
8KB

Download
memory/492-2243-0x0000025FFC0E8000-0x0000025FFC0E9000-memory.dmp

Filesize
4KB

Download
memory/492-2053-0x00007FF6DA350000-0x00007FF6DA351000-memory.dmp

Filesize
4KB

Download
memory/652-114-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/652-1156-0x0000000004FB0000-0x0000000005007000-memory.dmp

Filesize
348KB

Download
memory/652-116-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/652-1154-0x0000000005B10000-0x0000000005D8D000-memory.dmp

Filesize
2.5MB

Download
memory/736-3754-0x0000000000417A8B-mapping.dmp

Download
memory/736-1887-0x0000000001150000-0x0000000001152000-memory.dmp

Filesize
8KB

Download
memory/736-1865-0x0000000000000000-mapping.dmp

Download
memory/736-3760-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-2576-0x0000000004D94000-0x0000000004D96000-memory.dmp

Filesize
8KB

Download
memory/744-2472-0x0000000004D92000-0x0000000004D93000-memory.dmp

Filesize
4KB

Download
memory/744-2452-0x0000000000000000-mapping.dmp

Download
memory/744-2573-0x0000000004D93000-0x0000000004D94000-memory.dmp

Filesize
4KB

Download
memory/744-3318-0x0000000004D96000-0x0000000004D97000-memory.dmp

Filesize
4KB

Download
memory/744-2470-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/776-2400-0x0000000000000000-mapping.dmp

Download
memory/1088-552-0x000000000B250000-0x000000000B251000-memory.dmp

Filesize
4KB

Download
memory/1088-150-0x0000000009A30000-0x0000000009A31000-memory.dmp

Filesize
4KB

Download
memory/1088-124-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/1088-129-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/1088-125-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/1088-123-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/1088-151-0x000000007DFF0000-0x000000007DFF1000-memory.dmp

Filesize
4KB

Download
memory/1088-145-0x00000000098A0000-0x00000000098A1000-memory.dmp

Filesize
4KB

Download
memory/1088-138-0x00000000098C0000-0x00000000098F3000-memory.dmp

Filesize
204KB

Download
memory/1088-121-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/1088-152-0x0000000009DF0000-0x0000000009DF1000-memory.dmp

Filesize
4KB

Download
memory/1088-122-0x0000000007342000-0x0000000007343000-memory.dmp

Filesize
4KB

Download
memory/1088-126-0x00000000083C0000-0x00000000083C1000-memory.dmp

Filesize
4KB

Download
memory/1088-221-0x0000000007343000-0x0000000007344000-memory.dmp

Filesize
4KB

Download
memory/1088-120-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/1088-127-0x00000000084B0000-0x00000000084B1000-memory.dmp

Filesize
4KB

Download
memory/1088-381-0x000000000B5A0000-0x000000000B5A1000-memory.dmp

Filesize
4KB

Download
memory/1088-117-0x0000000000000000-mapping.dmp

Download
memory/1088-382-0x000000000AF40000-0x000000000AF41000-memory.dmp

Filesize
4KB

Download
memory/1088-393-0x000000000B1E0000-0x000000000B1E1000-memory.dmp

Filesize
4KB

Download
memory/1088-128-0x0000000008840000-0x0000000008841000-memory.dmp

Filesize
4KB

Download
memory/1088-469-0x000000000B220000-0x000000000B221000-memory.dmp

Filesize
4KB

Download
memory/1088-571-0x000000000B1F0000-0x000000000B1F1000-memory.dmp

Filesize
4KB

Download
memory/1088-562-0x0000000007346000-0x0000000007348000-memory.dmp

Filesize
8KB

Download
memory/1088-130-0x0000000008B80000-0x0000000008B81000-memory.dmp

Filesize
4KB

Download
memory/1636-1202-0x0000000004E13000-0x0000000004E14000-memory.dmp

Filesize
4KB

Download
memory/1636-1533-0x0000000004E16000-0x0000000004E17000-memory.dmp

Filesize
4KB

Download
memory/1636-1205-0x0000000004E14000-0x0000000004E16000-memory.dmp

Filesize
8KB

Download
memory/1636-1182-0x0000000004E12000-0x0000000004E13000-memory.dmp

Filesize
4KB

Download
memory/1636-1181-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/1636-1165-0x0000000000000000-mapping.dmp

Download
memory/1832-3492-0x0000000140000000-mapping.dmp

Download
memory/1832-3705-0x000002222D220000-0x000002222D222000-memory.dmp

Filesize
8KB

Download
memory/1832-2417-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1832-2408-0x000000000041A684-mapping.dmp

Download
memory/2156-1155-0x0000000000000000-mapping.dmp

Download
memory/2372-1159-0x00000000004407D8-mapping.dmp

Download
memory/2372-1166-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2372-1158-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2852-2514-0x0000000000000000-mapping.dmp

Download
memory/2952-2468-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2952-2424-0x0000000000000000-mapping.dmp

Download
memory/3084-1660-0x0000000000D02000-0x0000000000D03000-memory.dmp

Filesize
4KB

Download
memory/3084-1714-0x0000000000D04000-0x0000000000D06000-memory.dmp

Filesize
8KB

Download
memory/3084-1648-0x0000000000000000-mapping.dmp

Download
memory/3084-2055-0x0000000000D06000-0x0000000000D07000-memory.dmp

Filesize
4KB

Download
memory/3084-1659-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3084-1712-0x0000000000D03000-0x0000000000D04000-memory.dmp

Filesize
4KB

Download
memory/3408-1870-0x0000000000000000-mapping.dmp

Download
memory/3488-1901-0x0000000000000000-mapping.dmp

Download
memory/3740-2515-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3740-2511-0x000000000040202B-mapping.dmp

Download
memory/3764-2513-0x0000000000000000-mapping.dmp

Download
memory/3772-1163-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/3772-1161-0x0000000000000000-mapping.dmp

Download
memory/3772-1167-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/3864-1864-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3864-1847-0x0000000000000000-mapping.dmp

Download
memory/3980-676-0x0000000000000000-mapping.dmp

Download
memory/3980-688-0x0000000006C62000-0x0000000006C63000-memory.dmp

Filesize
4KB

Download
memory/3980-687-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/3980-795-0x0000000006C63000-0x0000000006C64000-memory.dmp

Filesize
4KB

Download
memory/3980-796-0x0000000006C64000-0x0000000006C66000-memory.dmp

Filesize
8KB

Download
memory/3980-1046-0x0000000006C66000-0x0000000006C67000-memory.dmp

Filesize
4KB

Download
memory/4164-2805-0x00000186717F3000-0x00000186717F5000-memory.dmp

Filesize
8KB

Download
memory/4164-2766-0x0000000000000000-mapping.dmp

Download
memory/4164-2851-0x00000186717F6000-0x00000186717F8000-memory.dmp

Filesize
8KB

Download
memory/4164-2802-0x00000186717F0000-0x00000186717F2000-memory.dmp

Filesize
8KB

Download
memory/4180-2543-0x0000000000000000-mapping.dmp

Download
memory/4332-3772-0x0000000000000000-mapping.dmp

Download
memory/4368-3071-0x0000000000000000-mapping.dmp

Download
memory/4372-3352-0x0000000007082000-0x0000000007083000-memory.dmp

Filesize
4KB

Download
memory/4372-3349-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/4372-3512-0x0000000007083000-0x0000000007084000-memory.dmp

Filesize
4KB

Download
memory/4372-3314-0x0000000000000000-mapping.dmp

Download
memory/4372-3485-0x000000007EE70000-0x000000007EE71000-memory.dmp

Filesize
4KB

Download
memory/4424-3773-0x0000000000000000-mapping.dmp

Download
memory/4552-2624-0x0000000000000000-mapping.dmp

Download
memory/4688-3784-0x00000000004E0000-0x000000000058E000-memory.dmp

Filesize
696KB

Download
memory/4768-2674-0x0000000000000000-mapping.dmp

Download
memory/4920-2706-0x0000000000000000-mapping.dmp

Download
memory/4944-3190-0x0000000000000000-mapping.dmp

Download