njrat | 81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

Analysis

max time kernel
151s
max time network
2s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Size

715KB
MD5

df265fe540eaf09ba00fa6fa29af3624
SHA1

2ab46e8c20481068f15291ef31356bca50b2ecb7
SHA256

81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b
SHA512

7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec
SSDEEP

12288:+H7Wcjdc/r2sxxiPGGAOOPSXDV8ClgVYhX5FSsf8QU3NELIHIYwE4HVA:+bCj2sObHtqQ4QSTwt1A

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

5.34.183.64:1699

Mutex

2814667a3ff5b067280784d8be595983

Attributes

reg_key
2814667a3ff5b067280784d8be595983
splitter
|'|'|

Signatures

Modifies WinLogon for persistence 2 TTPs 29 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 48 IoCs

Processes:

81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWindowsUpdate.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

pid	process
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
3360	WindowsUpdate.exe
384	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4288	WindowsUpdate.exe
2064	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4112	WindowsUpdate.exe
4608	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
112	WindowsUpdate.exe
4188	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
2764	WindowsUpdate.exe
4156	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4972	WindowsUpdate.exe
4264	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
2488	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
3024	WindowsUpdate.exe
3148	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
3936	WindowsUpdate.exe
4340	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
3040	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
3188	WindowsUpdate.exe
2040	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4952	WindowsUpdate.exe
1192	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
3452	WindowsUpdate.exe
3360	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
3172	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4288	WindowsUpdate.exe
2224	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
588	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1636	WindowsUpdate.exe
100	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4244	WindowsUpdate.exe
4368	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4508	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
3236	WindowsUpdate.exe
3324	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1868	WindowsUpdate.exe
4744	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1700	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
2096	WindowsUpdate.exe
4892	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
2288	WindowsUpdate.exe
1872	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
2824	WindowsUpdate.exe
2812	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
5104	WindowsUpdate.exe
2876	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Checks computer location settings 2 TTPs 22 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWScript.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	autoit_exe

Suspicious use of SetThreadContext 28 IoCs

Processes:

description	pid	process	target process
PID 1544 set thread context of 3484	1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4424 set thread context of 4864	4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 736 set thread context of 3096	736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 384 set thread context of 1508	384	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 2064 set thread context of 4644	2064	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4608 set thread context of 260	4608	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4188 set thread context of 540	4188	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4156 set thread context of 4468	4156	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4264 set thread context of 4452	4264	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 2488 set thread context of 1476	2488	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 3148 set thread context of 3076	3148	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4340 set thread context of 3696	4340	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 3040 set thread context of 1220	3040	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 2040 set thread context of 2304	2040	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 1192 set thread context of 3484	1192	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 3360 set thread context of 4768	3360	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 3172 set thread context of 4224	3172	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 2224 set thread context of 688	2224	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 588 set thread context of 2128	588	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 100 set thread context of 316	100	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4368 set thread context of 2052	4368	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4508 set thread context of 1188	4508	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 3324 set thread context of 1984	3324	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4744 set thread context of 1880	4744	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 1700 set thread context of 2816	1700	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4892 set thread context of 1476	4892	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 1872 set thread context of 2444	1872	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 2812 set thread context of 2324	2812	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4772	4864	WerFault.exe	RegAsm.exe
2704	4452	WerFault.exe	RegAsm.exe
1804	3696	WerFault.exe	RegAsm.exe
384	4768	WerFault.exe	RegAsm.exe
4572	688	WerFault.exe	RegAsm.exe
4056	2052	WerFault.exe	RegAsm.exe
64	1880	WerFault.exe	RegAsm.exe

Modifies registry class 1 IoCs

Processes:

81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
384	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
384	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
384	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
384	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeWScript.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeRegAsm.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeRegAsm.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exeRegAsm.exe81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

description	pid	process	target process
PID 1544 wrote to memory of 2408	1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	WScript.exe
PID 1544 wrote to memory of 2408	1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	WScript.exe
PID 1544 wrote to memory of 2408	1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	WScript.exe
PID 2408 wrote to memory of 4424	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 2408 wrote to memory of 4424	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 2408 wrote to memory of 4424	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 1544 wrote to memory of 3484	1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 1544 wrote to memory of 3484	1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 1544 wrote to memory of 3484	1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 1544 wrote to memory of 3484	1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 1544 wrote to memory of 3484	1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 1544 wrote to memory of 3484	1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 1544 wrote to memory of 3484	1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 1544 wrote to memory of 3484	1544	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4424 wrote to memory of 4864	4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4424 wrote to memory of 4864	4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4424 wrote to memory of 4864	4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4424 wrote to memory of 4864	4424	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 2408 wrote to memory of 736	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 2408 wrote to memory of 736	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 2408 wrote to memory of 736	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 736 wrote to memory of 3096	736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 736 wrote to memory of 3096	736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 736 wrote to memory of 3096	736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 736 wrote to memory of 3096	736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 736 wrote to memory of 3096	736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 736 wrote to memory of 3096	736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 736 wrote to memory of 3096	736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 736 wrote to memory of 3096	736	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 3096 wrote to memory of 3360	3096	RegAsm.exe	WindowsUpdate.exe
PID 3096 wrote to memory of 3360	3096	RegAsm.exe	WindowsUpdate.exe
PID 3096 wrote to memory of 3360	3096	RegAsm.exe	WindowsUpdate.exe
PID 2408 wrote to memory of 384	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 2408 wrote to memory of 384	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 2408 wrote to memory of 384	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 384 wrote to memory of 1508	384	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 384 wrote to memory of 1508	384	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 384 wrote to memory of 1508	384	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 384 wrote to memory of 1508	384	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 384 wrote to memory of 1508	384	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 384 wrote to memory of 1508	384	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 384 wrote to memory of 1508	384	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 384 wrote to memory of 1508	384	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 1508 wrote to memory of 4288	1508	RegAsm.exe	WindowsUpdate.exe
PID 1508 wrote to memory of 4288	1508	RegAsm.exe	WindowsUpdate.exe
PID 1508 wrote to memory of 4288	1508	RegAsm.exe	WindowsUpdate.exe
PID 2408 wrote to memory of 2064	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 2408 wrote to memory of 2064	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 2408 wrote to memory of 2064	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 2064 wrote to memory of 4644	2064	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 2064 wrote to memory of 4644	2064	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 2064 wrote to memory of 4644	2064	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 2064 wrote to memory of 4644	2064	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 2064 wrote to memory of 4644	2064	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 2064 wrote to memory of 4644	2064	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 2064 wrote to memory of 4644	2064	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 2064 wrote to memory of 4644	2064	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe
PID 4644 wrote to memory of 4112	4644	RegAsm.exe	WindowsUpdate.exe
PID 4644 wrote to memory of 4112	4644	RegAsm.exe	WindowsUpdate.exe
PID 4644 wrote to memory of 4112	4644	RegAsm.exe	WindowsUpdate.exe
PID 2408 wrote to memory of 4608	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 2408 wrote to memory of 4608	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 2408 wrote to memory of 4608	2408	WScript.exe	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
PID 4608 wrote to memory of 260	4608	81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
"C:\Users\Admin\AppData\Local\Temp\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcsv.vbs" 0
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      PID:4864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 80
        5⤵
        Program crash
        
        PID:4772
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:3360
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:4288
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:4112
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:260
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:112
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:4188
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:540
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:2764
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:4156
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:4468
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:4972
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:4264
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      PID:4452
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 80
        5⤵
        Program crash
        
        PID:2704
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:2488
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:1476
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:3024
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:3148
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:3076
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:3936
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:4340
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      PID:3696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 84
        5⤵
        Program crash
        
        PID:1804
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:3040
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:1220
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:3188
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:2040
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:2304
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:4952
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:1192
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:3484
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:3452
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:3360
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      PID:4768
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 80
        5⤵
        Program crash
        
        PID:384
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:3172
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:4224
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:4288
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:2224
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      PID:688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 80
        5⤵
        Program crash
        
        PID:4572
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:588
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:2128
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:1636
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:100
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:316
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:4244
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:4368
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      PID:2052
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 80
        5⤵
        Program crash
        
        PID:4056
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:4508
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:1188
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:3236
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:3324
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:1984
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:1868
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:4744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      PID:1880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 76
        5⤵
        Program crash
        
        PID:64
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:1700
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:2096
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:4892
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:1476
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:2288
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:1872
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:2444
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:2824
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    PID:2812
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:2324
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        
        PID:5104
- - C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe
    "C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2876
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4864 -ip 4864
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4452 -ip 4452
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3696 -ip 3696
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4768 -ip 4768
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 688 -ip 688
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2052 -ip 2052
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1880 -ip 1880
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

Filesize
319B

MD5
824ba7b7eed8b900a98dd25129c4cd83

SHA1
54478770b2158000ef365591d42977cb854453a1

SHA256
d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03

SHA512
ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsUpdate.exe.log

Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcsv.vbs

Filesize
220B

MD5
636fefb27aff9b5f04ef18d7ef8df23b

SHA1
458e2da29f27854b96aeb688763b7cf7471b0d6e

SHA256
8b65e8f1300bd147b263cdb7cf9a496a1c133e172a534f71511fdbf1abe69778

SHA512
6a4a806e47914f5d80c58267e6d261356c9a54300ef72d2374faca3be2aea07821d387a8076cd6f0230e0cf2cf9472fa00cbec9e2d05125f673200067ec07755

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Filesize
715KB

MD5
df265fe540eaf09ba00fa6fa29af3624

SHA1
2ab46e8c20481068f15291ef31356bca50b2ecb7

SHA256
81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b

SHA512
7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/100-295-0x0000000000000000-mapping.dmp

Download
memory/112-189-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/112-190-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/112-185-0x0000000000000000-mapping.dmp

Download
memory/260-187-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/260-183-0x0000000000000000-mapping.dmp

Download
memory/316-299-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/316-296-0x0000000000000000-mapping.dmp

Download
memory/384-156-0x0000000000000000-mapping.dmp

Download
memory/540-199-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/540-196-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/540-194-0x0000000000000000-mapping.dmp

Download
memory/588-289-0x0000000000000000-mapping.dmp

Download
memory/688-287-0x0000000000000000-mapping.dmp

Download
memory/736-143-0x0000000000000000-mapping.dmp

Download
memory/1188-308-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/1188-305-0x0000000000000000-mapping.dmp

Download
memory/1192-267-0x0000000000000000-mapping.dmp

Download
memory/1220-253-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/1220-249-0x0000000000000000-mapping.dmp

Download
memory/1476-324-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/1476-225-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/1476-221-0x0000000000000000-mapping.dmp

Download
memory/1508-164-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/1508-160-0x0000000000000000-mapping.dmp

Download
memory/1636-294-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/1636-292-0x0000000000000000-mapping.dmp

Download
memory/1868-314-0x0000000000000000-mapping.dmp

Download
memory/1868-316-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/1880-318-0x0000000000000000-mapping.dmp

Download
memory/1984-312-0x0000000000000000-mapping.dmp

Download
memory/1984-315-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/2040-256-0x0000000000000000-mapping.dmp

Download
memory/2052-302-0x0000000000000000-mapping.dmp

Download
memory/2064-168-0x0000000000000000-mapping.dmp

Download
memory/2096-330-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/2096-322-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/2128-293-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/2128-290-0x0000000000000000-mapping.dmp

Download
memory/2224-286-0x0000000000000000-mapping.dmp

Download
memory/2288-325-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/2304-259-0x0000000000000000-mapping.dmp

Download
memory/2304-261-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/2304-264-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/2324-332-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/2408-132-0x0000000000000000-mapping.dmp

Download
memory/2444-327-0x00000000728E0000-0x0000000072E91000-memory.dmp

Filesize
5.7MB

Download
memory/2444-328-0x00000000728E0000-0x0000000072E91000-memory.dmp

Filesize
5.7MB

Download
memory/2488-218-0x0000000000000000-mapping.dmp

Download
memory/2764-197-0x0000000000000000-mapping.dmp

Download
memory/2764-217-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/2764-201-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/2816-321-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/2824-329-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/3024-223-0x0000000000000000-mapping.dmp

Download
memory/3024-228-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/3040-246-0x0000000000000000-mapping.dmp

Download
memory/3076-236-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/3076-232-0x0000000000000000-mapping.dmp

Download
memory/3096-153-0x0000000072880000-0x0000000072E31000-memory.dmp

Filesize
5.7MB

Download
memory/3096-148-0x0000000072880000-0x0000000072E31000-memory.dmp

Filesize
5.7MB

Download
memory/3096-146-0x0000000000000000-mapping.dmp

Download
memory/3148-229-0x0000000000000000-mapping.dmp

Download
memory/3172-280-0x0000000000000000-mapping.dmp

Download
memory/3188-251-0x0000000000000000-mapping.dmp

Download
memory/3188-255-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/3236-309-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/3236-307-0x0000000000000000-mapping.dmp

Download
memory/3236-310-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/3324-311-0x0000000000000000-mapping.dmp

Download
memory/3360-179-0x0000000072BA0000-0x0000000073151000-memory.dmp

Filesize
5.7MB

Download
memory/3360-150-0x0000000000000000-mapping.dmp

Download
memory/3360-277-0x0000000000000000-mapping.dmp

Download
memory/3360-155-0x0000000072BA0000-0x0000000073151000-memory.dmp

Filesize
5.7MB

Download
memory/3452-272-0x0000000000000000-mapping.dmp

Download
memory/3452-276-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/3484-139-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3484-274-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/3484-138-0x0000000000000000-mapping.dmp

Download
memory/3484-270-0x0000000000000000-mapping.dmp

Download
memory/3484-149-0x0000000072880000-0x0000000072E31000-memory.dmp

Filesize
5.7MB

Download
memory/3484-142-0x0000000072880000-0x0000000072E31000-memory.dmp

Filesize
5.7MB

Download
memory/3696-244-0x0000000000000000-mapping.dmp

Download
memory/3936-238-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/3936-239-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/3936-234-0x0000000000000000-mapping.dmp

Download
memory/4112-174-0x0000000000000000-mapping.dmp

Download
memory/4112-178-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/4156-202-0x0000000000000000-mapping.dmp

Download
memory/4188-191-0x0000000000000000-mapping.dmp

Download
memory/4224-281-0x0000000000000000-mapping.dmp

Download
memory/4224-284-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/4244-300-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/4244-298-0x0000000000000000-mapping.dmp

Download
memory/4264-212-0x0000000000000000-mapping.dmp

Download
memory/4288-162-0x0000000000000000-mapping.dmp

Download
memory/4288-167-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/4288-285-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/4288-283-0x0000000000000000-mapping.dmp

Download
memory/4340-240-0x0000000000000000-mapping.dmp

Download
memory/4368-301-0x0000000000000000-mapping.dmp

Download
memory/4424-135-0x0000000000000000-mapping.dmp

Download
memory/4452-215-0x0000000000000000-mapping.dmp

Download
memory/4468-205-0x0000000000000000-mapping.dmp

Download
memory/4468-209-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/4468-227-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/4508-304-0x0000000000000000-mapping.dmp

Download
memory/4608-180-0x0000000000000000-mapping.dmp

Download
memory/4644-176-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download
memory/4644-172-0x0000000000000000-mapping.dmp

Download
memory/4744-317-0x0000000000000000-mapping.dmp

Download
memory/4768-278-0x0000000000000000-mapping.dmp

Download
memory/4864-140-0x0000000000000000-mapping.dmp

Download
memory/4952-262-0x0000000000000000-mapping.dmp

Download
memory/4952-266-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/4972-211-0x0000000072C00000-0x00000000731B1000-memory.dmp

Filesize
5.7MB

Download
memory/4972-207-0x0000000000000000-mapping.dmp

Download
memory/5104-333-0x0000000072970000-0x0000000072F21000-memory.dmp

Filesize
5.7MB

Download