asyncrat | 9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

Analysis

max time kernel
1050s
max time network
1049s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Start.exe
Size

45KB
MD5

b733e729705bf66c1e5c66d97e247701
SHA1

25eec814abdf1fc6afe621e16aa89c4eb42616b9
SHA256

9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023
SHA512

09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320
SSDEEP

768:Nu2/0TckJ26WUsFvgmo2q7MKjPGaG6PIyzjbFgX3iWlcF4S0ru1pYI0sBDZOx:Nu2/0TceH2ZKTkDy3bCXSWlc6SKuRjdM

Score

10^/10

asyncrat default discovery evasion execution rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes

delay
3
install
true
install_file
System32.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Botnet

Default

one-accordance.gl.at.ply.gg:9590

Attributes

delay
1
install
true
install_file
Windows Defender.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Windows Defender.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Windows Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Windows Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Windows Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Windows Defender.exe

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023c86-11.dat	family_asyncrat
behavioral1/memory/2832-27-0x0000000004C30000-0x0000000004C46000-memory.dmp	family_asyncrat
behavioral1/files/0x000400000000071b-67.dat	family_asyncrat

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Start.exeSystem32.exeWindows Defender.exeSystem32.exeykpaok.exeWindows Defender.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Windows Defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ykpaok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Windows Defender.exe

Executes dropped EXE 5 IoCs

Processes:

System32.exeWindows Defender.exeSystem32.exeykpaok.exeWindows Defender.exe

pid	Process
2832	System32.exe
5824	Windows Defender.exe
6052	System32.exe
6080	ykpaok.exe
3432	Windows Defender.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Windows Defender.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Windows Defender.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2696	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.execmd.execmd.execmd.exeschtasks.execmd.execmd.exeschtasks.exetimeout.exetimeout.exeSystem32.exepowershell.execmd.exetimeout.exeWindows Defender.execmd.exeStart.execmd.exeSystem32.execmd.exeschtasks.exetimeout.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Defender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 5 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
7652	timeout.exe
3172	timeout.exe
5784	timeout.exe
6016	timeout.exe
6484	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
5704	schtasks.exe
5908	schtasks.exe
6400	schtasks.exe
4756	schtasks.exe
2708	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

System32.exeWindows Defender.exe

pid	Process
2832	System32.exe
3432	Windows Defender.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Start.exeSystem32.exeWindows Defender.exepowershell.exeSystem32.exe

pid	Process
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
3116	Start.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
2832	System32.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
5824	Windows Defender.exe
2696	powershell.exe
2696	powershell.exe
6052	System32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Windows Defender.exe

pid	Process
3432	Windows Defender.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid	Process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

Start.exeSystem32.exeWindows Defender.exeSystem32.exepowershell.exeykpaok.exeWindows Defender.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3116	Start.exe
Token: SeDebugPrivilege	2832	System32.exe
Token: SeDebugPrivilege	5824	Windows Defender.exe
Token: SeDebugPrivilege	6052	System32.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	6080	ykpaok.exe
Token: SeDebugPrivilege	3432	Windows Defender.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	5164	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	Process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe
4032	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

System32.exeWindows Defender.exe

pid	Process
2832	System32.exe
3432	Windows Defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Start.execmd.execmd.exeSystem32.execmd.execmd.exeWindows Defender.execmd.execmd.exeSystem32.execmd.exepowershell.exeykpaok.execmd.execmd.exeWindows Defender.exe

description	pid	Process	procid_target
PID 3116 wrote to memory of 5048	3116	Start.exe	84
PID 3116 wrote to memory of 5048	3116	Start.exe	84
PID 3116 wrote to memory of 5048	3116	Start.exe	84
PID 3116 wrote to memory of 3332	3116	Start.exe	86
PID 3116 wrote to memory of 3332	3116	Start.exe	86
PID 3116 wrote to memory of 3332	3116	Start.exe	86
PID 5048 wrote to memory of 2708	5048	cmd.exe	88
PID 5048 wrote to memory of 2708	5048	cmd.exe	88
PID 5048 wrote to memory of 2708	5048	cmd.exe	88
PID 3332 wrote to memory of 3172	3332	cmd.exe	89
PID 3332 wrote to memory of 3172	3332	cmd.exe	89
PID 3332 wrote to memory of 3172	3332	cmd.exe	89
PID 3332 wrote to memory of 2832	3332	cmd.exe	91
PID 3332 wrote to memory of 2832	3332	cmd.exe	91
PID 3332 wrote to memory of 2832	3332	cmd.exe	91
PID 2832 wrote to memory of 5660	2832	System32.exe	108
PID 2832 wrote to memory of 5660	2832	System32.exe	108
PID 2832 wrote to memory of 5660	2832	System32.exe	108
PID 2832 wrote to memory of 5676	2832	System32.exe	109
PID 2832 wrote to memory of 5676	2832	System32.exe	109
PID 2832 wrote to memory of 5676	2832	System32.exe	109
PID 5660 wrote to memory of 5704	5660	cmd.exe	112
PID 5660 wrote to memory of 5704	5660	cmd.exe	112
PID 5660 wrote to memory of 5704	5660	cmd.exe	112
PID 5676 wrote to memory of 5784	5676	cmd.exe	113
PID 5676 wrote to memory of 5784	5676	cmd.exe	113
PID 5676 wrote to memory of 5784	5676	cmd.exe	113
PID 5676 wrote to memory of 5824	5676	cmd.exe	114
PID 5676 wrote to memory of 5824	5676	cmd.exe	114
PID 5676 wrote to memory of 5824	5676	cmd.exe	114
PID 5824 wrote to memory of 5576	5824	Windows Defender.exe	115
PID 5824 wrote to memory of 5576	5824	Windows Defender.exe	115
PID 5824 wrote to memory of 5576	5824	Windows Defender.exe	115
PID 5576 wrote to memory of 5908	5576	cmd.exe	117
PID 5576 wrote to memory of 5908	5576	cmd.exe	117
PID 5576 wrote to memory of 5908	5576	cmd.exe	117
PID 5824 wrote to memory of 5932	5824	Windows Defender.exe	118
PID 5824 wrote to memory of 5932	5824	Windows Defender.exe	118
PID 5824 wrote to memory of 5932	5824	Windows Defender.exe	118
PID 5932 wrote to memory of 6016	5932	cmd.exe	120
PID 5932 wrote to memory of 6016	5932	cmd.exe	120
PID 5932 wrote to memory of 6016	5932	cmd.exe	120
PID 5932 wrote to memory of 6052	5932	cmd.exe	121
PID 5932 wrote to memory of 6052	5932	cmd.exe	121
PID 5932 wrote to memory of 6052	5932	cmd.exe	121
PID 6052 wrote to memory of 1848	6052	System32.exe	124
PID 6052 wrote to memory of 1848	6052	System32.exe	124
PID 6052 wrote to memory of 1848	6052	System32.exe	124
PID 1848 wrote to memory of 2696	1848	cmd.exe	126
PID 1848 wrote to memory of 2696	1848	cmd.exe	126
PID 1848 wrote to memory of 2696	1848	cmd.exe	126
PID 2696 wrote to memory of 6080	2696	powershell.exe	127
PID 2696 wrote to memory of 6080	2696	powershell.exe	127
PID 6080 wrote to memory of 6324	6080	ykpaok.exe	128
PID 6080 wrote to memory of 6324	6080	ykpaok.exe	128
PID 6324 wrote to memory of 6400	6324	cmd.exe	130
PID 6324 wrote to memory of 6400	6324	cmd.exe	130
PID 6080 wrote to memory of 6424	6080	ykpaok.exe	131
PID 6080 wrote to memory of 6424	6080	ykpaok.exe	131
PID 6424 wrote to memory of 6484	6424	cmd.exe	133
PID 6424 wrote to memory of 6484	6424	cmd.exe	133
PID 6424 wrote to memory of 3432	6424	cmd.exe	134
PID 6424 wrote to memory of 3432	6424	cmd.exe	134
PID 3432 wrote to memory of 1196	3432	Windows Defender.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Start.exe
"C:\Users\Admin\AppData\Local\Temp\Start.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBB9F.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3172
- - C:\Users\Admin\AppData\Roaming\System32.exe
    "C:\Users\Admin\AppData\Roaming\System32.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5660
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp416F.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5676
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5784
    - - C:\Users\Admin\AppData\Roaming\Windows Defender.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5824
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5576
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5DB2.tmp.bat""
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5932
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6016
        
        C:\Users\Admin\AppData\Roaming\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ykpaok.exe"' & exit
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ykpaok.exe"'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\ykpaok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ykpaok.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"' & exit
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:6324
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"'
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB1CD.tmp.bat""
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:6424
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        12⤵
        Delays execution with timeout.exe
        
        PID:6484
        
        C:\Users\Admin\AppData\Roaming\Windows Defender.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
        12⤵
        Modifies Windows Defender Real-time Protection settings
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"' & exit
        13⤵
        
        PID:7144
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"'
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "System32"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7524
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /f /tn "System32"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:7748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1DDE.tmp.bat""
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7584
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        9⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:7652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8e33d46f8,0x7ff8e33d4708,0x7ff8e33d4718
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,10853674600190042036,8718527358068010337,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,10853674600190042036,8718527358068010337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,10853674600190042036,8718527358068010337,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10853674600190042036,8718527358068010337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:6524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10853674600190042036,8718527358068010337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10853674600190042036,8718527358068010337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10853674600190042036,8718527358068010337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:8568
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,10853674600190042036,8718527358068010337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  PID:6156
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,10853674600190042036,8718527358068010337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10853674600190042036,8718527358068010337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10853674600190042036,8718527358068010337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10853674600190042036,8718527358068010337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,10853674600190042036,8718527358068010337,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5016 /prefetch:2
  2⤵
  PID:4624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System32.exe.log

Filesize
1KB

MD5
ef18a04ff3a4ca3ed3d7ebb2cb187bd8

SHA1
1c22ad29c521ca9e6bd1a17cdf65d8cac57524ba

SHA256
fdd131beeb403444c5ae1370858d4881e24fc782429f591454faacb000eabedf

SHA512
2b8065578da1a37b463b2b564d8039d6e85fa79bebe8ae9842789b5f5714a5fc79fe210178d2b423b5c41164562d0cc9db8b98327f651f8ed03680879e883abb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7a8834353c9965459a9c15064327133e

SHA1
8f67118c0aae1cf2ce5ebcd25b4534b0079d0ea1

SHA256
1aa76e2abf86f1c549acc26a0cd997a374e4ae7659f6da55a18e066fdbdc7ffe

SHA512
227f7774b77fbb484bad3d1b4b32f1da9781ae7e030b1daf331faabf07d1b480df643a3d98f6732cd03c6d28da094e26250c6d9516b2f650c4945279c47abea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de75d3c894fd70c2ca89ee7f130dc329

SHA1
bfcfe09fbbbbc80ffb1220c245b76138079962ed

SHA256
ec31e1e2edb3c10e71011b88a3cb447ee8b10c708bac555357d7020bde343d9c

SHA512
dd42ce9068eabf1b95ffa226ef0eb2b3a41135fce68156f165cab165d5327a3963304c30e1bc927e0eaf11039562f3d56cafa50c1b0f6bca2420c77a3c3e1b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
517dd19a9371d6f63219e9c21c412ebc

SHA1
0692b7add502679531bfb849ffd11133d9a4e4ab

SHA256
121ce63451608654d31f366eaa7c66a0b6a5f28ed0181fbc04b760957fdec658

SHA512
7b08280d35b4d20a7bc26f6e2ae61d85f40a40ec135b7a1c5d1b3b0e982a16be8ebadd62364503e5b3a227d88c3db832b6ade808a8d90942183e2c699e2b7597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5eab300cf6f32124a7e76bbcb7cde10e

SHA1
28aded9b060fe8ed5de84190d9b51aced939af2b

SHA256
133fb7f665ce06cd07d8a8b1a00f9f35d42fe1b63ed75c658435ee496e4847af

SHA512
b8cc940d1f7e85fc8b0c787b891b653a6fe7f623bfdeafb2ed76af6796ab527b8babe26b11ca591f6d479a40e37f50a97a714b9e49b6970eb06fba2354b25cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
d3976ee5c15a9fa2c0fadc1a864bd6bc

SHA1
5c1933cabd5d9f68d54b934c17fc490262a09459

SHA256
40e164bd699c73dde0bcc8b87ed990c12f03dfd17cab7b8767e7a3fca86d5d14

SHA512
4b2705cf34622008587b43723f1cf272ed10e57666940e24efd8b4a4cb60c91b06cfcd279e12437e0e0af586e5a565675459341c1dea8754cb1fb7b158848367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
2d2ebd2b316471003f7f726a1091a3df

SHA1
38d4ee95d33760bbd39a4d70a3ac6eafb3e9b5ac

SHA256
c9d5036013a111405fd816c97179941dfacae706a4275692d1051bbaa49b2d25

SHA512
a8e4a0c807bd0f2012edc9ad3715710d605bb045ce095b6106e5ec183be05bca089da8ee2a4c232ac7be8a8782075047952c7bace61450335a0570caa646bd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pfbxvwv4.3wl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1DDE.tmp.bat

Filesize
157B

MD5
f76111e9ceb98c4a39b7cc71381522ca

SHA1
c8a105210776e2329c80bac181732857c4751f41

SHA256
c1c3c5187f445d697197b2e6272afc5368a339589e8ba59c159c7b830ebacc2f

SHA512
f4d9be3d77f667f3dc038f922c97c4266b5d20b1e332c4c8921a685eb06c6da9437392dfb8b3e2fae71b12993dcb4dc1fafbd1096b5bddd86f1e671c3e6d49ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp416F.tmp.bat

Filesize
160B

MD5
c4938850fde64739db4d2bc7448f86fa

SHA1
7109232d51d007861b994961f159635817459bab

SHA256
c161d0f59a96d2ba1e37e941235074c0d7ff010be2ba39d7cf8b00a0e7697159

SHA512
6867b734edd0a1296b5ecf3f3b92d186713b79e5b9fe9854735f64ade448d16e04147e65fcdcd6d72715f7164588ed5457a3aec596b3ccaf9344709b6ba7bc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DB2.tmp.bat

Filesize
152B

MD5
75a42af99bab9b733a6fec4de031a131

SHA1
6cf864d1eb69f97a0a5f75b17949fbf7ada8466f

SHA256
5dbe532e8e86cb6c2c92a7ed69e1d97c30ab83433598070e9a0f5253990eaf99

SHA512
c3fc678cde0e1b2669512c0e52794cadd36759a9d6a745c14df956154c3562e24725770ce7cfc65f4ea5766f71898e614e57c1650fb0271d946b2f82ad4eeaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB1CD.tmp.bat

Filesize
160B

MD5
bceb9834aaa5aca2cf9b4dba05f41547

SHA1
a903e8b3b5d7af934dfbc4cbb014b93580438d2b

SHA256
985d61a5063d512f574d2413c4606373cd934d06691c4a458dfa4e9e3b93d905

SHA512
38ed8a2119ed2278956e6bb3f9e8ccb9a506c9424bcbde4b7b6b56731f08f61d03fb8e83cc6a86f7be8c4414f270d708355b321e178ea462760a472cd63dfa1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB9F.tmp.bat

Filesize
152B

MD5
2e699e9a454338d9109b604af7e59f29

SHA1
93ed8b70e5dc53b5985867c3f0c5928189265ab7

SHA256
1a0aadf5c57fcd9011197da09b8b904c32064a420f5ddbdc7384512399db3058

SHA512
ea6db71fc2ab96123c93a0ad719317b0dc5144f8ea696386d326f2c9ac684b4e0716e6c09095d19543b3ebe367c0209f7711d7b4c793af090565b9d1c9cff7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykpaok.exe

Filesize
63KB

MD5
aba726ec9183c855cfa084ee66f49f7f

SHA1
f12f9cf0920b0d3a76bb16027539ba0c13da035d

SHA256
fb680425e6edc0fa4d2fe526cd78d6ec69683fcafe57744993c8b7192b2c0a71

SHA512
a03a1c596e9570c6766d051d76e1a14894852cfa3889dd567f9e187be1055a49479355b8ed3a876a2934308aac945b232c1b206664614b66791ed0cc1f0b5c1f

Download Submit
C:\Users\Admin\AppData\Roaming\System32.exe

Filesize
45KB

MD5
b733e729705bf66c1e5c66d97e247701

SHA1
25eec814abdf1fc6afe621e16aa89c4eb42616b9

SHA256
9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

SHA512
09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320

Download Submit
\??\pipe\LOCAL\crashpad_4032_SZRGSZSZLGMQLPVT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1196-92-0x000001966ACD0000-0x000001966ACF2000-memory.dmp

Filesize
136KB

Download
memory/2696-59-0x0000000005C20000-0x0000000005F74000-memory.dmp

Filesize
3.3MB

Download
memory/2696-64-0x0000000006730000-0x00000000067C6000-memory.dmp

Filesize
600KB

Download
memory/2696-48-0x00000000028A0000-0x00000000028D6000-memory.dmp

Filesize
216KB

Download
memory/2696-49-0x0000000005350000-0x0000000005978000-memory.dmp

Filesize
6.2MB

Download
memory/2696-50-0x0000000005A30000-0x0000000005A52000-memory.dmp

Filesize
136KB

Download
memory/2696-51-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/2696-66-0x0000000007380000-0x00000000073A2000-memory.dmp

Filesize
136KB

Download
memory/2696-65-0x00000000066C0000-0x00000000066DA000-memory.dmp

Filesize
104KB

Download
memory/2696-62-0x00000000061C0000-0x00000000061DE000-memory.dmp

Filesize
120KB

Download
memory/2696-63-0x0000000006250000-0x000000000629C000-memory.dmp

Filesize
304KB

Download
memory/2832-25-0x0000000000B50000-0x0000000000BB2000-memory.dmp

Filesize
392KB

Download
memory/2832-13-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/2832-32-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/2832-27-0x0000000004C30000-0x0000000004C46000-memory.dmp

Filesize
88KB

Download
memory/2832-18-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/2832-26-0x0000000005250000-0x00000000052B2000-memory.dmp

Filesize
392KB

Download
memory/2832-19-0x00000000065B0000-0x0000000006626000-memory.dmp

Filesize
472KB

Download
memory/2832-20-0x0000000006530000-0x0000000006598000-memory.dmp

Filesize
416KB

Download
memory/2832-21-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/2832-16-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/2832-24-0x0000000007370000-0x000000000737A000-memory.dmp

Filesize
40KB

Download
memory/2832-23-0x00000000582C0000-0x0000000058322000-memory.dmp

Filesize
392KB

Download
memory/2832-22-0x0000000006790000-0x0000000006822000-memory.dmp

Filesize
584KB

Download
memory/2832-17-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/3116-8-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3116-3-0x0000000004CD0000-0x0000000004D6C000-memory.dmp

Filesize
624KB

Download
memory/3116-0-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/3116-2-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3116-1-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/3432-81-0x000000001BA80000-0x000000001BAB4000-memory.dmp

Filesize
208KB

Download
memory/3432-110-0x000000001DBF0000-0x000000001DC22000-memory.dmp

Filesize
200KB

Download
memory/3432-108-0x000000001D9C0000-0x000000001DA72000-memory.dmp

Filesize
712KB

Download
memory/3432-188-0x000000001E1F0000-0x000000001E214000-memory.dmp

Filesize
144KB

Download
memory/3432-82-0x000000001BAD0000-0x000000001BAEE000-memory.dmp

Filesize
120KB

Download
memory/3432-80-0x000000001D940000-0x000000001D9B6000-memory.dmp

Filesize
472KB

Download
memory/6052-46-0x0000000006900000-0x0000000006962000-memory.dmp

Filesize
392KB

Download
memory/6052-252-0x0000000005D90000-0x0000000005DF4000-memory.dmp

Filesize
400KB

Download
memory/6080-69-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download