asyncrat | e4f59660bf5047db2ed2539ef9a3e81724909809dc17c4f513debe261e1774e1

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22-08-2022 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dll Injector V1 Full_nls..scr
Size

681KB
MD5

0cfa5f7c008e3dc2df275a99aef9cbbb
SHA1

51ebdbc8a8227667b20b5cb40f17ff1bb8550098
SHA256

e4f59660bf5047db2ed2539ef9a3e81724909809dc17c4f513debe261e1774e1
SHA512

bac124c7bd934b1bc9ba9fd09ada77fe2c37208637337a349f2ee213f91e81ae401e3ec9910a7cfe7aff991d49be986d448ab6a834cb1b9709ceccb4f64bb37e

Score

10^/10

asyncrat windows defendersmartscreen windowssystem guardruntime persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WindowsSystem GuardRuntime

217.64.31.3:8437

Mutex

WindowsSystem GuardRuntime

Attributes

delay
3
install
false
install_file
WindowsSystem Guard Runtime.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Windows DefenderSmartScreen

217.64.31.3:9742

Mutex

Windows DefenderSmartScreen

Attributes

delay
1
install
false
install_file
Windows DefenderSmartScreen
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2032-131-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2032-134-0x000000000040D07E-mapping.dmp	asyncrat
behavioral1/memory/2032-133-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2032-140-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2032-137-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2032-130-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2432-192-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/2432-193-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

tmpCB1D.tmp.exeGRIM ORG START.EXEGRIM PURE.EXEPURE.EXESOFTICA.EXEVALSINKI DATAEN.EXEVALSINKI PURE.EXEWINDOWS DEFENDERSMARTSCREEN2.EXEWINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXEDefenderProtector.exeWindows DefenderSmartScreen.exeWindowDefenderSmartScreen.exe

pid	process
1512	tmpCB1D.tmp.exe
1764	GRIM ORG START.EXE
688	GRIM PURE.EXE
1720	PURE.EXE
1980	SOFTICA.EXE
580	VALSINKI DATAEN.EXE
1656	VALSINKI PURE.EXE
1428	WINDOWS DEFENDERSMARTSCREEN2.EXE
1212	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
1624	DefenderProtector.exe
2304	Windows DefenderSmartScreen.exe
2512	WindowDefenderSmartScreen.exe

Loads dropped DLL 12 IoCs

Processes:

AppLaunch.exetmpCB1D.tmp.execmd.execmd.exe

pid	process
2020	AppLaunch.exe
2020	AppLaunch.exe
1512	tmpCB1D.tmp.exe
1512	tmpCB1D.tmp.exe
1512	tmpCB1D.tmp.exe
1512	tmpCB1D.tmp.exe
1512	tmpCB1D.tmp.exe
1512	tmpCB1D.tmp.exe
1512	tmpCB1D.tmp.exe
1512	tmpCB1D.tmp.exe
628	cmd.exe
1212	cmd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exepowershell.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows DefenderSmartScreen = "C:\\Users\\Admin\\AppData\\Roaming\\Windows DefenderSmartScreen.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSystem GuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsSystem GuardRuntime\\WindowsSystem GuardRuntime.exe"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindoDefenderSmartScreen = "C:\\Users\\Admin\\AppData\\Roaming\\WindowDefenderSmartScreen.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Dll Injector V1 Full_nls..scrWINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE

description	pid	process	target process
PID 1904 set thread context of 2020	1904	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1212 set thread context of 2032	1212	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

484 schtasks.exe
1200 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1404 timeout.exe

pid	process
484	schtasks.exe
1200	schtasks.exe

pid	process
1404	timeout.exe

Modifies registry class 10 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\sln_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.sln	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\sln_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.sln\ = "sln_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\sln_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\sln_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\sln_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\sln_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2100 PING.EXE
2220 PING.EXE
2260 PING.EXE
1928 PING.EXE
584 PING.EXE
2088 PING.EXE

pid	process
2100	PING.EXE
2220	PING.EXE
2260	PING.EXE
1928	PING.EXE
584	PING.EXE
2088	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

Dll Injector V1 Full_nls..scrpowershell.exeGRIM ORG START.EXEWINDOWS DEFENDERSMARTSCREEN2.EXEVALSINKI DATAEN.EXEWindows DefenderSmartScreen.exeWindowDefenderSmartScreen.exe

pid	process
1904	Dll Injector V1 Full_nls..scr
1924	powershell.exe
1764	GRIM ORG START.EXE
1428	WINDOWS DEFENDERSMARTSCREEN2.EXE
580	VALSINKI DATAEN.EXE
1428	WINDOWS DEFENDERSMARTSCREEN2.EXE
580	VALSINKI DATAEN.EXE
1428	WINDOWS DEFENDERSMARTSCREEN2.EXE
580	VALSINKI DATAEN.EXE
2304	Windows DefenderSmartScreen.exe
2304	Windows DefenderSmartScreen.exe
2512	WindowDefenderSmartScreen.exe
2512	WindowDefenderSmartScreen.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Dll Injector V1 Full_nls..scrAppLaunch.exePURE.EXEGRIM PURE.EXEVALSINKI PURE.EXEWINDOWS DEFENDERSMARTSCREEN2.EXEVALSINKI DATAEN.EXEpowershell.exeGRIM ORG START.EXEDefenderProtector.exeWindows DefenderSmartScreen.exeWindowDefenderSmartScreen.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1904	Dll Injector V1 Full_nls..scr
Token: SeDebugPrivilege	2020	AppLaunch.exe
Token: SeDebugPrivilege	1720	PURE.EXE
Token: SeDebugPrivilege	688	GRIM PURE.EXE
Token: SeDebugPrivilege	1656	VALSINKI PURE.EXE
Token: SeDebugPrivilege	1428	WINDOWS DEFENDERSMARTSCREEN2.EXE
Token: SeDebugPrivilege	580	VALSINKI DATAEN.EXE
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1764	GRIM ORG START.EXE
Token: SeDebugPrivilege	1624	DefenderProtector.exe
Token: SeDebugPrivilege	2304	Windows DefenderSmartScreen.exe
Token: SeDebugPrivilege	2512	WindowDefenderSmartScreen.exe
Token: 33	2724	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2724	AUDIODG.EXE
Token: 33	2724	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2724	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

864 AcroRd32.exe
864 AcroRd32.exe

pid	process
864	AcroRd32.exe
864	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Dll Injector V1 Full_nls..scrrundll32.exeAppLaunch.exetmpCB1D.tmp.exe

description	pid	process	target process
PID 1904 wrote to memory of 1772	1904	Dll Injector V1 Full_nls..scr	rundll32.exe
PID 1904 wrote to memory of 1772	1904	Dll Injector V1 Full_nls..scr	rundll32.exe
PID 1904 wrote to memory of 1772	1904	Dll Injector V1 Full_nls..scr	rundll32.exe
PID 1904 wrote to memory of 1772	1904	Dll Injector V1 Full_nls..scr	rundll32.exe
PID 1904 wrote to memory of 1772	1904	Dll Injector V1 Full_nls..scr	rundll32.exe
PID 1904 wrote to memory of 1772	1904	Dll Injector V1 Full_nls..scr	rundll32.exe
PID 1904 wrote to memory of 1772	1904	Dll Injector V1 Full_nls..scr	rundll32.exe
PID 1904 wrote to memory of 2020	1904	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1904 wrote to memory of 2020	1904	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1904 wrote to memory of 2020	1904	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1904 wrote to memory of 2020	1904	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1904 wrote to memory of 2020	1904	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1904 wrote to memory of 2020	1904	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1904 wrote to memory of 2020	1904	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1904 wrote to memory of 2020	1904	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1904 wrote to memory of 2020	1904	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1904 wrote to memory of 2020	1904	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1904 wrote to memory of 2020	1904	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1904 wrote to memory of 2020	1904	Dll Injector V1 Full_nls..scr	AppLaunch.exe
PID 1772 wrote to memory of 864	1772	rundll32.exe	AcroRd32.exe
PID 1772 wrote to memory of 864	1772	rundll32.exe	AcroRd32.exe
PID 1772 wrote to memory of 864	1772	rundll32.exe	AcroRd32.exe
PID 1772 wrote to memory of 864	1772	rundll32.exe	AcroRd32.exe
PID 2020 wrote to memory of 1512	2020	AppLaunch.exe	tmpCB1D.tmp.exe
PID 2020 wrote to memory of 1512	2020	AppLaunch.exe	tmpCB1D.tmp.exe
PID 2020 wrote to memory of 1512	2020	AppLaunch.exe	tmpCB1D.tmp.exe
PID 2020 wrote to memory of 1512	2020	AppLaunch.exe	tmpCB1D.tmp.exe
PID 2020 wrote to memory of 1512	2020	AppLaunch.exe	tmpCB1D.tmp.exe
PID 2020 wrote to memory of 1512	2020	AppLaunch.exe	tmpCB1D.tmp.exe
PID 2020 wrote to memory of 1512	2020	AppLaunch.exe	tmpCB1D.tmp.exe
PID 1512 wrote to memory of 1764	1512	tmpCB1D.tmp.exe	GRIM ORG START.EXE
PID 1512 wrote to memory of 1764	1512	tmpCB1D.tmp.exe	GRIM ORG START.EXE
PID 1512 wrote to memory of 1764	1512	tmpCB1D.tmp.exe	GRIM ORG START.EXE
PID 1512 wrote to memory of 1764	1512	tmpCB1D.tmp.exe	GRIM ORG START.EXE
PID 1512 wrote to memory of 688	1512	tmpCB1D.tmp.exe	GRIM PURE.EXE
PID 1512 wrote to memory of 688	1512	tmpCB1D.tmp.exe	GRIM PURE.EXE
PID 1512 wrote to memory of 688	1512	tmpCB1D.tmp.exe	GRIM PURE.EXE
PID 1512 wrote to memory of 688	1512	tmpCB1D.tmp.exe	GRIM PURE.EXE
PID 1512 wrote to memory of 688	1512	tmpCB1D.tmp.exe	GRIM PURE.EXE
PID 1512 wrote to memory of 688	1512	tmpCB1D.tmp.exe	GRIM PURE.EXE
PID 1512 wrote to memory of 688	1512	tmpCB1D.tmp.exe	GRIM PURE.EXE
PID 1512 wrote to memory of 1720	1512	tmpCB1D.tmp.exe	PURE.EXE
PID 1512 wrote to memory of 1720	1512	tmpCB1D.tmp.exe	PURE.EXE
PID 1512 wrote to memory of 1720	1512	tmpCB1D.tmp.exe	PURE.EXE
PID 1512 wrote to memory of 1720	1512	tmpCB1D.tmp.exe	PURE.EXE
PID 1512 wrote to memory of 1720	1512	tmpCB1D.tmp.exe	PURE.EXE
PID 1512 wrote to memory of 1720	1512	tmpCB1D.tmp.exe	PURE.EXE
PID 1512 wrote to memory of 1720	1512	tmpCB1D.tmp.exe	PURE.EXE
PID 1512 wrote to memory of 1980	1512	tmpCB1D.tmp.exe	SOFTICA.EXE
PID 1512 wrote to memory of 1980	1512	tmpCB1D.tmp.exe	SOFTICA.EXE
PID 1512 wrote to memory of 1980	1512	tmpCB1D.tmp.exe	SOFTICA.EXE
PID 1512 wrote to memory of 1980	1512	tmpCB1D.tmp.exe	SOFTICA.EXE
PID 1512 wrote to memory of 1980	1512	tmpCB1D.tmp.exe	SOFTICA.EXE
PID 1512 wrote to memory of 1980	1512	tmpCB1D.tmp.exe	SOFTICA.EXE
PID 1512 wrote to memory of 1980	1512	tmpCB1D.tmp.exe	SOFTICA.EXE
PID 1512 wrote to memory of 580	1512	tmpCB1D.tmp.exe	VALSINKI DATAEN.EXE
PID 1512 wrote to memory of 580	1512	tmpCB1D.tmp.exe	VALSINKI DATAEN.EXE
PID 1512 wrote to memory of 580	1512	tmpCB1D.tmp.exe	VALSINKI DATAEN.EXE
PID 1512 wrote to memory of 580	1512	tmpCB1D.tmp.exe	VALSINKI DATAEN.EXE
PID 1512 wrote to memory of 580	1512	tmpCB1D.tmp.exe	VALSINKI DATAEN.EXE
PID 1512 wrote to memory of 580	1512	tmpCB1D.tmp.exe	VALSINKI DATAEN.EXE
PID 1512 wrote to memory of 580	1512	tmpCB1D.tmp.exe	VALSINKI DATAEN.EXE
PID 1512 wrote to memory of 1656	1512	tmpCB1D.tmp.exe	VALSINKI PURE.EXE
PID 1512 wrote to memory of 1656	1512	tmpCB1D.tmp.exe	VALSINKI PURE.EXE

C:\Users\Admin\AppData\Local\Temp\Dll Injector V1 Full_nls..scr
"C:\Users\Admin\AppData\Local\Temp\Dll Injector V1 Full_nls..scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Odgyeoklliwtjtvgzvhfhypervisor.sln
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1772

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Odgyeoklliwtjtvgzvhfhypervisor.sln"
3⤵
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\tmpCB1D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCB1D.tmp.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXE
"C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DefenderProtector" /tr '"C:\Users\Admin\AppData\Roaming\DefenderProtector.exe"' & exit
5⤵
PID:1644

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "DefenderProtector" /tr '"C:\Users\Admin\AppData\Roaming\DefenderProtector.exe"'
6⤵
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1F45.tmp.bat""
5⤵
PID:1436

C:\Windows\system32\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:1404

C:\Users\Admin\AppData\Roaming\DefenderProtector.exe
"C:\Users\Admin\AppData\Roaming\DefenderProtector.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Users\Admin\AppData\Roaming\GRIM PURE.EXE
"C:\Users\Admin\AppData\Roaming\GRIM PURE.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Users\Admin\AppData\Roaming\PURE.EXE
"C:\Users\Admin\AppData\Roaming\PURE.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Users\Admin\AppData\Roaming\SOFTICA.EXE
"C:\Users\Admin\AppData\Roaming\SOFTICA.EXE"
4⤵
- Executes dropped EXE
PID:1980

C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE
"C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "WindoDefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
5⤵
PID:1512

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 8
6⤵
- Runs ping.exe
PID:584

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "WindoDefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
6⤵
- Adds Run key to start application
PID:2164

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE" "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
5⤵
- Loads dropped DLL
PID:1212

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 17
6⤵
- Runs ping.exe
PID:2088

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 17
6⤵
- Runs ping.exe
PID:2260

C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe
"C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE
"C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsSystem GuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsSystem GuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\WindowsSystem GuardRuntime\WindowsSystem GuardRuntime.exe"' -PropertyType 'String'
5⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
5⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \WindowsSystem GuardRuntime /tr "C:\Users\Admin\AppData\Roaming\WindowsSystem GuardRuntime\WindowsSystem GuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
5⤵
PID:1624

C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows DefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
5⤵
PID:1644

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
6⤵
- Runs ping.exe
PID:1928

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows DefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
6⤵
- Adds Run key to start application
PID:2192

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE" "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
5⤵
- Loads dropped DLL
PID:628

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 12
6⤵
- Runs ping.exe
PID:2100

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 12
6⤵
- Runs ping.exe
PID:2220

C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe
"C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:2432

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \WindowsSystem GuardRuntime /tr "C:\Users\Admin\AppData\Roaming\WindowsSystem GuardRuntime\WindowsSystem GuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:484

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2588

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
3e952918e0fef68e236f46f51819188a

SHA1
836dc86e185f2197f8e6cc5a8c92edd22b4ec0bf

SHA256
1fb81f33d949a2745bef5f95649a2ea3f0846d7360628e0df4353bfb8551bbe8

SHA512
23dde177156bc123010dd9c5456c2ae91cc4e4452732c75e0dbae42bcf1a68bee154334b266be33a479e2a5fb2a43620c94170905d706b5cca60902e73fcb92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Odgyeoklliwtjtvgzvhfhypervisor.sln
Filesize
2KB

MD5
233e420492175acc2b43b92ad8af33db

SHA1
6b25efde5f7414a566d2682ba59ecf76e778e50b

SHA256
d6bed796b2f927fcd511dc180f7a5fdc573988e18aa9465192ebfd45a6298f19

SHA512
71acf852a84aede8f48967b1db0746120754e8549ed4ccc88d4c422bf32b8f7bb6e7bd0741245cf45c342d5fa426c24072488efad2d1234dba029753ee94dc7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F45.tmp.bat
Filesize
161B

MD5
364f88af817370270ed3369fd6047753

SHA1
514001549b65da8319fc70537bd5a0826afe56ca

SHA256
44a0c830280214a713183efec367840fc684a3d1b9248f361c66cf4ee4bf2697

SHA512
8f176d296488c01d3517bd141e9f27b1c364147736f01f927ad5519b00053fbf8355e1b987b9b1d03d1e97dedcf03f2fa04288fc608542a2cfde814b7dcb735c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB1D.tmp.exe
Filesize
5.6MB

MD5
4bb7f0bad8e479f59da6821dc3cbc03f

SHA1
354c80b709a8eff0da641fabc73f036c5b45b4d3

SHA256
4cd3c805a6c796530a65b0e3650a92eac73b44d8b534669231865837c6c27a69

SHA512
caa08b5114fd98fb7d4baedfc11796196c844a47b915d9b6db6c2fd0d4eb5a5a2715df505247ee40cf3c308b4861a9994995586eb28250d5157d8b56298a86f5

Download Submit
C:\Users\Admin\AppData\Roaming\DefenderProtector.exe
Filesize
279KB

MD5
2bb0d97d59e57d4b018564507f979f3d

SHA1
5637a617c2ea8b454c4e93e4fce099f69faf49b1

SHA256
cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4

SHA512
429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8

Download Submit
C:\Users\Admin\AppData\Roaming\DefenderProtector.exe
Filesize
279KB

MD5
2bb0d97d59e57d4b018564507f979f3d

SHA1
5637a617c2ea8b454c4e93e4fce099f69faf49b1

SHA256
cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4

SHA512
429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8

Download Submit
C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXE
Filesize
279KB

MD5
2bb0d97d59e57d4b018564507f979f3d

SHA1
5637a617c2ea8b454c4e93e4fce099f69faf49b1

SHA256
cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4

SHA512
429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8

Download Submit
C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXE
Filesize
279KB

MD5
2bb0d97d59e57d4b018564507f979f3d

SHA1
5637a617c2ea8b454c4e93e4fce099f69faf49b1

SHA256
cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4

SHA512
429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8

Download Submit
C:\Users\Admin\AppData\Roaming\GRIM PURE.EXE
Filesize
12KB

MD5
0f7bba77e7a6219abb730495e7f4b4c7

SHA1
34ae94ef50573476a34f0545009e44b4364b9f48

SHA256
4a5ee7c191a4830cc3433ba61e7803cc90796bcf20f5d9d4aa47a5c12ddabd3b

SHA512
4f198ad953b42cc6d7d05b0326c76f2bfd053c1f4c9041ea398731062cffc210977deaf006384b9e1c371086a866ccc688ad7a2bd82c18653e067caabd8d5aae

Download Submit
C:\Users\Admin\AppData\Roaming\GRIM PURE.EXE
Filesize
12KB

MD5
0f7bba77e7a6219abb730495e7f4b4c7

SHA1
34ae94ef50573476a34f0545009e44b4364b9f48

SHA256
4a5ee7c191a4830cc3433ba61e7803cc90796bcf20f5d9d4aa47a5c12ddabd3b

SHA512
4f198ad953b42cc6d7d05b0326c76f2bfd053c1f4c9041ea398731062cffc210977deaf006384b9e1c371086a866ccc688ad7a2bd82c18653e067caabd8d5aae

Download Submit
C:\Users\Admin\AppData\Roaming\PURE.EXE
Filesize
12KB

MD5
067b49ce5caf426877fcc6ca178491a7

SHA1
ac71a4d3f5eeafac96f5d1915ca7e5d0bdf292f3

SHA256
1a8e00e3e52a737a298a474f205d205955661415500c3d7f9e22fb311a7e162d

SHA512
52cc0de51953e092261d4c94e6c1045d984cc1bc0877bd799a0aca22ce17e2cb9b851761527dcec584eb37d1370c6fe17ce5c8870b82f5a45d8cc4571dd6084d

Download Submit
C:\Users\Admin\AppData\Roaming\PURE.EXE
Filesize
12KB

MD5
067b49ce5caf426877fcc6ca178491a7

SHA1
ac71a4d3f5eeafac96f5d1915ca7e5d0bdf292f3

SHA256
1a8e00e3e52a737a298a474f205d205955661415500c3d7f9e22fb311a7e162d

SHA512
52cc0de51953e092261d4c94e6c1045d984cc1bc0877bd799a0aca22ce17e2cb9b851761527dcec584eb37d1370c6fe17ce5c8870b82f5a45d8cc4571dd6084d

Download Submit
C:\Users\Admin\AppData\Roaming\SOFTICA.EXE
Filesize
4.0MB

MD5
040bd5f344fe41128d1372340d9650b7

SHA1
8c67bccebf50a74a4f32ae5db55d33c333811d42

SHA256
2b86cdac51e413cfd0dc6cd0f3aa10f27e71e717e115647e8930e477ef7fcdfc

SHA512
14657d028870d4639373c4c3616289136f0cc83c9fc2082c9ccc40345b64444c492a29daa2202c70e27ce5990404b05a6fead4c84ac2bc1be1e5a835efb62f85

Download Submit
C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE
Filesize
624KB

MD5
5e56235cac2cf93002c366489c7fa7c8

SHA1
67a96b5f8127ae819517347e098da58af42e6117

SHA256
ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a

SHA512
44d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32

Download Submit
C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE
Filesize
624KB

MD5
5e56235cac2cf93002c366489c7fa7c8

SHA1
67a96b5f8127ae819517347e098da58af42e6117

SHA256
ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a

SHA512
44d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32

Download Submit
C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE
Filesize
12KB

MD5
a338b5d30d5e20938f6c7d186b013759

SHA1
1b30c511aabf8c55c327898b1bc82ae2022b1f20

SHA256
f69138a24b385afc10b8cfe81a567b3f1aa2c8ac9cd34e40195d80d7659197d7

SHA512
2e086a913da79587e18a8c4c60b9de5a1bc95d7f0da392001fb2e3b6449a6efb93c08a921ce049e54be17bbd944706372b2857a1429ad5d0604ef446ba870660

Download Submit
C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE
Filesize
12KB

MD5
a338b5d30d5e20938f6c7d186b013759

SHA1
1b30c511aabf8c55c327898b1bc82ae2022b1f20

SHA256
f69138a24b385afc10b8cfe81a567b3f1aa2c8ac9cd34e40195d80d7659197d7

SHA512
2e086a913da79587e18a8c4c60b9de5a1bc95d7f0da392001fb2e3b6449a6efb93c08a921ce049e54be17bbd944706372b2857a1429ad5d0604ef446ba870660

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE
Filesize
580KB

MD5
cec25ed7c1577b2afa0ffd0ee79a1416

SHA1
f9e2b7e1cdccbeb6fdab7d61fe0c48fe859d28a8

SHA256
5b9bc889577a20bbb676a8b296f2823780f2d1931f0aa9301d9b088e50622a43

SHA512
ed8f0f07116e7bc7a12a9613870a4e4ed07aeb53882715f2e02fce5acd870fb302f7a5d650867f401ac7e125cc4ad44709ebf97d8bf3d486ccb88cf2cd055c93

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE
Filesize
580KB

MD5
cec25ed7c1577b2afa0ffd0ee79a1416

SHA1
f9e2b7e1cdccbeb6fdab7d61fe0c48fe859d28a8

SHA256
5b9bc889577a20bbb676a8b296f2823780f2d1931f0aa9301d9b088e50622a43

SHA512
ed8f0f07116e7bc7a12a9613870a4e4ed07aeb53882715f2e02fce5acd870fb302f7a5d650867f401ac7e125cc4ad44709ebf97d8bf3d486ccb88cf2cd055c93

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
Filesize
87KB

MD5
75fd186e8710fe1db3195e9495360d97

SHA1
9ca803b7c7f531da6f2e0d41d20103524164f487

SHA256
3382da4d56715d6a1ee83d45082a3f34413ba16a0728581e8c4462eb65ba1e2c

SHA512
722d6b570d0c342b77803a18ba70f48c865633512d02b77fd7ef3eb08718ecdd92bdd0dda679bd98883ee4972c068c20288e99eb5306aade6333fd43e2db4506

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
Filesize
87KB

MD5
75fd186e8710fe1db3195e9495360d97

SHA1
9ca803b7c7f531da6f2e0d41d20103524164f487

SHA256
3382da4d56715d6a1ee83d45082a3f34413ba16a0728581e8c4462eb65ba1e2c

SHA512
722d6b570d0c342b77803a18ba70f48c865633512d02b77fd7ef3eb08718ecdd92bdd0dda679bd98883ee4972c068c20288e99eb5306aade6333fd43e2db4506

Download Submit
C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe
Filesize
624KB

MD5
5e56235cac2cf93002c366489c7fa7c8

SHA1
67a96b5f8127ae819517347e098da58af42e6117

SHA256
ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a

SHA512
44d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32

Download Submit
C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe
Filesize
624KB

MD5
5e56235cac2cf93002c366489c7fa7c8

SHA1
67a96b5f8127ae819517347e098da58af42e6117

SHA256
ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a

SHA512
44d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32

Download Submit
C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe
Filesize
580KB

MD5
cec25ed7c1577b2afa0ffd0ee79a1416

SHA1
f9e2b7e1cdccbeb6fdab7d61fe0c48fe859d28a8

SHA256
5b9bc889577a20bbb676a8b296f2823780f2d1931f0aa9301d9b088e50622a43

SHA512
ed8f0f07116e7bc7a12a9613870a4e4ed07aeb53882715f2e02fce5acd870fb302f7a5d650867f401ac7e125cc4ad44709ebf97d8bf3d486ccb88cf2cd055c93

Download Submit
C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe
Filesize
580KB

MD5
cec25ed7c1577b2afa0ffd0ee79a1416

SHA1
f9e2b7e1cdccbeb6fdab7d61fe0c48fe859d28a8

SHA256
5b9bc889577a20bbb676a8b296f2823780f2d1931f0aa9301d9b088e50622a43

SHA512
ed8f0f07116e7bc7a12a9613870a4e4ed07aeb53882715f2e02fce5acd870fb302f7a5d650867f401ac7e125cc4ad44709ebf97d8bf3d486ccb88cf2cd055c93

Download Submit
\Users\Admin\AppData\Local\Temp\tmpCB1D.tmp.exe
Filesize
5.6MB

MD5
4bb7f0bad8e479f59da6821dc3cbc03f

SHA1
354c80b709a8eff0da641fabc73f036c5b45b4d3

SHA256
4cd3c805a6c796530a65b0e3650a92eac73b44d8b534669231865837c6c27a69

SHA512
caa08b5114fd98fb7d4baedfc11796196c844a47b915d9b6db6c2fd0d4eb5a5a2715df505247ee40cf3c308b4861a9994995586eb28250d5157d8b56298a86f5

Download Submit
\Users\Admin\AppData\Local\Temp\tmpCB1D.tmp.exe
Filesize
5.6MB

MD5
4bb7f0bad8e479f59da6821dc3cbc03f

SHA1
354c80b709a8eff0da641fabc73f036c5b45b4d3

SHA256
4cd3c805a6c796530a65b0e3650a92eac73b44d8b534669231865837c6c27a69

SHA512
caa08b5114fd98fb7d4baedfc11796196c844a47b915d9b6db6c2fd0d4eb5a5a2715df505247ee40cf3c308b4861a9994995586eb28250d5157d8b56298a86f5

Download Submit
\Users\Admin\AppData\Roaming\GRIM ORG START.EXE
Filesize
279KB

MD5
2bb0d97d59e57d4b018564507f979f3d

SHA1
5637a617c2ea8b454c4e93e4fce099f69faf49b1

SHA256
cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4

SHA512
429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8

Download Submit
\Users\Admin\AppData\Roaming\GRIM PURE.EXE
Filesize
12KB

MD5
0f7bba77e7a6219abb730495e7f4b4c7

SHA1
34ae94ef50573476a34f0545009e44b4364b9f48

SHA256
4a5ee7c191a4830cc3433ba61e7803cc90796bcf20f5d9d4aa47a5c12ddabd3b

SHA512
4f198ad953b42cc6d7d05b0326c76f2bfd053c1f4c9041ea398731062cffc210977deaf006384b9e1c371086a866ccc688ad7a2bd82c18653e067caabd8d5aae

Download Submit
\Users\Admin\AppData\Roaming\PURE.EXE
Filesize
12KB

MD5
067b49ce5caf426877fcc6ca178491a7

SHA1
ac71a4d3f5eeafac96f5d1915ca7e5d0bdf292f3

SHA256
1a8e00e3e52a737a298a474f205d205955661415500c3d7f9e22fb311a7e162d

SHA512
52cc0de51953e092261d4c94e6c1045d984cc1bc0877bd799a0aca22ce17e2cb9b851761527dcec584eb37d1370c6fe17ce5c8870b82f5a45d8cc4571dd6084d

Download Submit
\Users\Admin\AppData\Roaming\SOFTICA.EXE
Filesize
4.0MB

MD5
040bd5f344fe41128d1372340d9650b7

SHA1
8c67bccebf50a74a4f32ae5db55d33c333811d42

SHA256
2b86cdac51e413cfd0dc6cd0f3aa10f27e71e717e115647e8930e477ef7fcdfc

SHA512
14657d028870d4639373c4c3616289136f0cc83c9fc2082c9ccc40345b64444c492a29daa2202c70e27ce5990404b05a6fead4c84ac2bc1be1e5a835efb62f85

Download Submit
\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE
Filesize
624KB

MD5
5e56235cac2cf93002c366489c7fa7c8

SHA1
67a96b5f8127ae819517347e098da58af42e6117

SHA256
ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a

SHA512
44d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32

Download Submit
\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE
Filesize
12KB

MD5
a338b5d30d5e20938f6c7d186b013759

SHA1
1b30c511aabf8c55c327898b1bc82ae2022b1f20

SHA256
f69138a24b385afc10b8cfe81a567b3f1aa2c8ac9cd34e40195d80d7659197d7

SHA512
2e086a913da79587e18a8c4c60b9de5a1bc95d7f0da392001fb2e3b6449a6efb93c08a921ce049e54be17bbd944706372b2857a1429ad5d0604ef446ba870660

Download Submit
\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE
Filesize
580KB

MD5
cec25ed7c1577b2afa0ffd0ee79a1416

SHA1
f9e2b7e1cdccbeb6fdab7d61fe0c48fe859d28a8

SHA256
5b9bc889577a20bbb676a8b296f2823780f2d1931f0aa9301d9b088e50622a43

SHA512
ed8f0f07116e7bc7a12a9613870a4e4ed07aeb53882715f2e02fce5acd870fb302f7a5d650867f401ac7e125cc4ad44709ebf97d8bf3d486ccb88cf2cd055c93

Download Submit
\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
Filesize
87KB

MD5
75fd186e8710fe1db3195e9495360d97

SHA1
9ca803b7c7f531da6f2e0d41d20103524164f487

SHA256
3382da4d56715d6a1ee83d45082a3f34413ba16a0728581e8c4462eb65ba1e2c

SHA512
722d6b570d0c342b77803a18ba70f48c865633512d02b77fd7ef3eb08718ecdd92bdd0dda679bd98883ee4972c068c20288e99eb5306aade6333fd43e2db4506

Download Submit
\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe
Filesize
624KB

MD5
5e56235cac2cf93002c366489c7fa7c8

SHA1
67a96b5f8127ae819517347e098da58af42e6117

SHA256
ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a

SHA512
44d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32

Download Submit
\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe
Filesize
580KB

MD5
cec25ed7c1577b2afa0ffd0ee79a1416

SHA1
f9e2b7e1cdccbeb6fdab7d61fe0c48fe859d28a8

SHA256
5b9bc889577a20bbb676a8b296f2823780f2d1931f0aa9301d9b088e50622a43

SHA512
ed8f0f07116e7bc7a12a9613870a4e4ed07aeb53882715f2e02fce5acd870fb302f7a5d650867f401ac7e125cc4ad44709ebf97d8bf3d486ccb88cf2cd055c93

Download Submit
memory/484-135-0x0000000000000000-mapping.dmp

Download
memory/580-150-0x0000000000880000-0x00000000008B0000-memory.dmp

Filesize
192KB

Download
memory/580-151-0x00000000008C0000-0x00000000008D8000-memory.dmp

Filesize
96KB

Download
memory/580-122-0x00000000001B0000-0x0000000000252000-memory.dmp

Filesize
648KB

Download
memory/580-101-0x0000000000000000-mapping.dmp

Download
memory/584-160-0x0000000000000000-mapping.dmp

Download
memory/628-165-0x0000000000000000-mapping.dmp

Download
memory/688-93-0x0000000001210000-0x0000000001218000-memory.dmp

Filesize
32KB

Download
memory/688-85-0x0000000000000000-mapping.dmp

Download
memory/864-72-0x0000000000000000-mapping.dmp

Download
memory/1200-146-0x0000000000000000-mapping.dmp

Download
memory/1212-121-0x0000000000970000-0x000000000098C000-memory.dmp

Filesize
112KB

Download
memory/1212-166-0x0000000000000000-mapping.dmp

Download
memory/1212-114-0x0000000000000000-mapping.dmp

Download
memory/1404-149-0x0000000000000000-mapping.dmp

Download
memory/1428-112-0x0000000000000000-mapping.dmp

Download
memory/1428-123-0x0000000000370000-0x0000000000406000-memory.dmp

Filesize
600KB

Download
memory/1436-147-0x0000000000000000-mapping.dmp

Download
memory/1512-157-0x0000000000000000-mapping.dmp

Download
memory/1512-77-0x0000000000000000-mapping.dmp

Download
memory/1624-155-0x00000000008B0000-0x00000000008FC000-memory.dmp

Filesize
304KB

Download
memory/1624-125-0x0000000000000000-mapping.dmp

Download
memory/1624-152-0x0000000000000000-mapping.dmp

Download
memory/1644-156-0x0000000000000000-mapping.dmp

Download
memory/1644-145-0x0000000000000000-mapping.dmp

Download
memory/1656-110-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/1656-105-0x0000000000000000-mapping.dmp

Download
memory/1720-95-0x0000000001090000-0x0000000001098000-memory.dmp

Filesize
32KB

Download
memory/1720-89-0x0000000000000000-mapping.dmp

Download
memory/1764-141-0x0000000001200000-0x000000000124C000-memory.dmp

Filesize
304KB

Download
memory/1764-81-0x0000000000000000-mapping.dmp

Download
memory/1772-58-0x0000000000000000-mapping.dmp

Download
memory/1904-54-0x00000000013C0000-0x0000000001470000-memory.dmp

Filesize
704KB

Download
memory/1904-57-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1904-56-0x0000000001110000-0x00000000011A2000-memory.dmp

Filesize
584KB

Download
memory/1904-55-0x0000000000450000-0x00000000004C2000-memory.dmp

Filesize
456KB

Download
memory/1924-143-0x000000006CE20000-0x000000006D3CB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-144-0x000000006CE20000-0x000000006D3CB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-124-0x0000000000000000-mapping.dmp

Download
memory/1928-161-0x0000000000000000-mapping.dmp

Download
memory/1980-97-0x0000000000000000-mapping.dmp

Download
memory/2020-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2020-61-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2020-64-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2020-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2020-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2020-66-0x0000000000402D0E-mapping.dmp

Download
memory/2020-68-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2020-65-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2032-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2032-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2032-127-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2032-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2032-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2032-134-0x000000000040D07E-mapping.dmp

Download
memory/2032-131-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2032-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2088-169-0x0000000000000000-mapping.dmp

Download
memory/2100-170-0x0000000000000000-mapping.dmp

Download
memory/2164-173-0x0000000000000000-mapping.dmp

Download
memory/2192-175-0x0000000000000000-mapping.dmp

Download
memory/2220-177-0x0000000000000000-mapping.dmp

Download
memory/2260-179-0x0000000000000000-mapping.dmp

Download
memory/2304-187-0x0000000004990000-0x00000000049AA000-memory.dmp

Filesize
104KB

Download
memory/2304-188-0x0000000000B20000-0x0000000000B26000-memory.dmp

Filesize
24KB

Download
memory/2304-186-0x00000000009D0000-0x0000000000A66000-memory.dmp

Filesize
600KB

Download
memory/2304-182-0x0000000000000000-mapping.dmp

Download
memory/2432-189-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2432-190-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2432-192-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2432-193-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2512-195-0x0000000000000000-mapping.dmp

Download
memory/2512-199-0x00000000002F0000-0x0000000000392000-memory.dmp

Filesize
648KB

Download
memory/2588-200-0x000007FEFC481000-0x000007FEFC483000-memory.dmp

Filesize
8KB

Download