Analysis
max time kernel: 308s
max time network: 311s
platform: windows11_x64
resource: win11
submitted: 08-11-2021 14:05
Static task: static1
Behavioral task behavioral1: Sample 040d9a95f9e954e29ceb2469fcf3a9e9.exe, Resource win7-ja-20211104
Behavioral task behavioral2: Sample 040d9a95f9e954e29ceb2469fcf3a9e9.exe, Resource win7-en-20211104
Behavioral task behavioral3: Sample 040d9a95f9e954e29ceb2469fcf3a9e9.exe, Resource win7-de-20211014
Behavioral task behavioral4: Sample 040d9a95f9e954e29ceb2469fcf3a9e9.exe, Resource win11
Behavioral task behavioral5: Sample 040d9a95f9e954e29ceb2469fcf3a9e9.exe, Resource win10-ja-20211104
Behavioral task behavioral6: Sample 040d9a95f9e954e29ceb2469fcf3a9e9.exe, Resource win10-en-20211014
Behavioral task behavioral7: Sample 040d9a95f9e954e29ceb2469fcf3a9e9.exe, Resource win10-de-20211104

General
Target: 040d9a95f9e954e29ceb2469fcf3a9e9.exe
Size: 228KB
MD5: 040d9a95f9e954e29ceb2469fcf3a9e9
SHA1: e04f9f919575e694dc4fe2f7f4646fc3440457b5
SHA256: b6a1ce3e1d1dfa3057e7473c9219ba29218014de81c922ad38e96800c1f388e7
SHA512: 6fd2ae969ea6e3184929aa8e04a024432a135523a9508acf0372b2821660df1aace14a97de195101a6f2af0667ad4b7b64b60b3c414cac9a30079485f6bd4669

Malware Config
Extracted: smokeloader 2020
  http://nalirou70.top/
  http://xacokuo80.top/
Extracted: redline new2
  93.115.20.139:28978
Extracted: redline SuperStar
  185.215.113.29:36224

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: sc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\chromedrlver.exe," | sc.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 3 IoCs
Processes:
resource | yara_rule
behavioral4/memory/2024-173-0x000000001B280000-0x000000001B29B000-memory.dmp | family_redline
behavioral4/memory/2488-185-0x00000000023D0000-0x00000000023EC000-memory.dmp | family_redline
behavioral4/memory/2488-188-0x0000000002510000-0x000000000252B000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateProcessExOtherParentProcess 12 IoCs
Processes: WerFault.exe, powershell.exe
description | pid | process | target process
PID 3036 created 1264 | 3036 | WerFault.exe | 3668.exe
PID 4432 created 2100 | 4432 | WerFault.exe | 5443.exe
PID 916 created 420 | 916 | WerFault.exe | 86BF.exe
PID 1072 created 4844 | 1072 | WerFault.exe | 942D.exe
PID 3344 created 3016 | 3344 | WerFault.exe | AB41.exe
PID 1428 created 4916 | 1428 | WerFault.exe | D8C.exe
PID 1648 created 4916 | 1648 | WerFault.exe | D8C.exe
PID 3256 created 5632 | 3256 | powershell.exe | 5081.exe
PID 6316 created 5632 | 6316 | WerFault.exe | 5081.exe
PID 1936 created 6228 | 1936 | WerFault.exe | 7B3C.exe
PID 5400 created 4408 | 5400 | WerFault.exe | test1.exe
PID 6292 created 4032 | 6292 | WerFault.exe | E197.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 16 IoCs
Processes: svchost.exe
description | pid | process | target process
PID 3676 created 3368 | 3676 | svchost.exe | AdvancedRun.exe
PID 3676 created 3368 | 3676 | svchost.exe | AdvancedRun.exe
PID 3676 created 1708 | 3676 | svchost.exe | AdvancedRun.exe
PID 3676 created 1708 | 3676 | svchost.exe | AdvancedRun.exe
PID 3676 created 5532 | 3676 | svchost.exe | AdvancedRun.exe
PID 3676 created 5532 | 3676 | svchost.exe | AdvancedRun.exe
PID 3676 created 5564 | 3676 | svchost.exe | AdvancedRun.exe
PID 3676 created 5564 | 3676 | svchost.exe | AdvancedRun.exe
PID 3676 created 5588 | 3676 | svchost.exe | Conhost.exe
PID 3676 created 5588 | 3676 | svchost.exe | Conhost.exe
PID 3676 created 5628 | 3676 | svchost.exe | AdvancedRun.exe
PID 3676 created 5628 | 3676 | svchost.exe | AdvancedRun.exe
PID 3676 created 6992 | 3676 | svchost.exe | AdvancedRun.exe
PID 3676 created 6992 | 3676 | svchost.exe | AdvancedRun.exe
PID 3676 created 6156 | 3676 | svchost.exe | AdvancedRun.exe
PID 3676 created 6156 | 3676 | svchost.exe | AdvancedRun.exe

Turns off Windows Defender SpyNet reporting 2 TTPs

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

Nirsoft 6 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\cfd2c909-98c0-493c-bc5a-8fe1a101cd42\AdvancedRun.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\6b26555d-8952-4155-b481-9b91a98f9eed\AdvancedRun.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\8ec9aa74-5ae5-4178-afe3-73f048b40edc\AdvancedRun.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\40a594fa-b69f-49c3-a305-3c8fb723176d\AdvancedRun.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\0fb43cf6-8166-4a3f-bf81-3a75fe3aaa37\AdvancedRun.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\acd2f948-9567-44da-ae8f-fd7428fc8cdd\AdvancedRun.exe | Nirsoft

Downloads MZ/PE file

Executes dropped EXE 43 IoCs
Processes:
pid | process
3916 | 27B2.exe
3180 | 27B2.exe
1264 | 3668.exe
2024 | 48B9.exe
2100 | 5443.exe
2804 | 6859.exe
2488 | 6859.exe
420 | 86BF.exe
4844 | 942D.exe
3016 | AB41.exe
3304 | B44A.exe
2192 | C91B.exe
940 | D234.exe
1996 | E197.exe
2156 | EED6.exe
4016 | FEA6.exe
1708 | AdvancedRun.exe
3368 | AdvancedRun.exe
4916 | D8C.exe
3780 | 123.exe
2468 | scriptwriters.exe
2996 | OlecranonsCasein.exe
5532 | AdvancedRun.exe
5564 | AdvancedRun.exe
5588 | Conhost.exe
5628 | AdvancedRun.exe
5328 | OlecranonsCasein.exe
5632 | 5081.exe
6256 | deforcing.exe
6228 | 7B3C.exe
6992 | AdvancedRun.exe
6156 | AdvancedRun.exe
2136 | E2E0.exe
480 | clean.exe
4408 | test1.exe
4348 | b1.exe
7420 | chromedrlver.exe
1620 | InstallUtil.exe
2992 | D234.exe
1872 | D234.exe
5176 | B44A.exe
5600 | B44A.exe
4032 | E197.exe

Stops running service(s) 3 TTPs

Drops startup file 4 IoCs
Processes: FEA6.exe, 123.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe | FEA6.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe | 123.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe | 123.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe | FEA6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes: FEA6.exe, 123.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | FEA6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | FEA6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | FEA6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\veejays\svchost.exe = "0" | FEA6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | FEA6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\FEA6.exe = "0" | FEA6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe = "0" | FEA6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\123.exe = "0" | 123.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\appertaining\svchost.exe = "0" | 123.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | FEA6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe = "0" | 123.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | FEA6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | FEA6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | FEA6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | FEA6.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 5 IoCs
Processes: FEA6.exe, scriptwriters.exe, 123.exe, deforcing.exe, b1.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\scriptwriters = "C:\\Windows\\Cursors\\veejays\\svchost.exe" | FEA6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\scriptwriters = "C:\\Windows\\Cursors\\veejays\\svchost.exe" | scriptwriters.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\deforcing = "C:\\Windows\\Resources\\Themes\\appertaining\\svchost.exe" | 123.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\deforcing = "C:\\Windows\\Resources\\Themes\\appertaining\\svchost.exe" | deforcing.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppServices = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AppServices.exe" | b1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes: scriptwriters.exe, 123.exe, deforcing.exe, FEA6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | scriptwriters.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 123.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 123.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | deforcing.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | deforcing.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | FEA6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | FEA6.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | scriptwriters.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Suspicious use of SetThreadContext 12 IoCs
Processes: 040d9a95f9e954e29ceb2469fcf3a9e9.exe, 27B2.exe, 6859.exe, FEA6.exe, OlecranonsCasein.exe, scriptwriters.exe, 123.exe, deforcing.exe, chromedrlver.exe, D234.exe, B44A.exe, E197.exe
description | pid | process | target process
PID 1148 set thread context of 2460 | 1148 | 040d9a95f9e954e29ceb2469fcf3a9e9.exe | 040d9a95f9e954e29ceb2469fcf3a9e9.exe
PID 3916 set thread context of 3180 | 3916 | 27B2.exe | 27B2.exe
PID 2804 set thread context of 2488 | 2804 | 6859.exe | 6859.exe
PID 4016 set thread context of 5744 | 4016 | FEA6.exe | AddInProcess32.exe
PID 2996 set thread context of 5328 | 2996 | OlecranonsCasein.exe | OlecranonsCasein.exe
PID 2468 set thread context of 6440 | 2468 | scriptwriters.exe | RegSvcs.exe
PID 3780 set thread context of 6188 | 3780 | 123.exe | aspnet_regsql.exe
PID 6256 set thread context of 4152 | 6256 | deforcing.exe | aspnet_regsql.exe
PID 7420 set thread context of 1620 | 7420 | chromedrlver.exe | InstallUtil.exe
PID 940 set thread context of 1872 | 940 | D234.exe | D234.exe
PID 3304 set thread context of 5600 | 3304 | B44A.exe | B44A.exe
PID 1996 set thread context of 4032 | 1996 | E197.exe | E197.exe

Drops file in Windows directory 2 IoCs
Processes: FEA6.exe, 123.exe
description | ioc | process
File created | C:\Windows\Cursors\veejays\svchost.exe | FEA6.exe
File created | C:\Windows\Resources\Themes\appertaining\svchost.exe | 123.exe

Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 12 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1860 | 1264 | WerFault.exe | 3668.exe
2700 | 2100 | WerFault.exe | 5443.exe
1932 | 420 | WerFault.exe | 86BF.exe
2228 | 4844 | WerFault.exe | 942D.exe
3264 | 3016 | WerFault.exe | AB41.exe
1308 | 4916 | WerFault.exe | D8C.exe
420 | 4916 | WerFault.exe | D8C.exe
5204 | 5632 | WerFault.exe | 5081.exe
6692 | 5632 | WerFault.exe | 5081.exe
1196 | 6228 | WerFault.exe | 7B3C.exe
868 | 4408 | WerFault.exe | test1.exe
5844 | 4032 | WerFault.exe | E197.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 040d9a95f9e954e29ceb2469fcf3a9e9.exe, 27B2.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 040d9a95f9e954e29ceb2469fcf3a9e9.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 040d9a95f9e954e29ceb2469fcf3a9e9.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 040d9a95f9e954e29ceb2469fcf3a9e9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 27B2.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 27B2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 27B2.exe

Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WerFault.exe, powershell.exe
description | ioc | process (blank where the report recorded none)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | powershell.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier |
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 |
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 |
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier |
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | powershell.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz |
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString |
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision |
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe

Enumerates system info in registry 2 TTPs 24 IoCs
Processes: powershell.exe, WerFault.exe
description | ioc | process (blank where the report recorded none)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS |
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU |
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | powershell.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
pid | process
4036 | ipconfig.exe
3344 | ipconfig.exe
1084 | ipconfig.exe
6800 | ipconfig.exe

Processes: E197.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | E197.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 | E197.exe

Runs ping.exe 1 TTPs 10 IoCs
Processes: PING.EXE
pid | process
4120 | PING.EXE
5456 | PING.EXE
4624 | PING.EXE
1080 | PING.EXE
3896 | PING.EXE
3240 | PING.EXE
1304 | PING.EXE
5516 | PING.EXE
6176 | PING.EXE
3664 | PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 040d9a95f9e954e29ceb2469fcf3a9e9.exe
pid | process
2460 | 040d9a95f9e954e29ceb2469fcf3a9e9.exe
2460 | 040d9a95f9e954e29ceb2469fcf3a9e9.exe
3208 | (no process name recorded; this entry appears 62 times)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3208 | (no process name recorded)

Suspicious behavior: MapViewOfSection 2 IoCs
Processes: 040d9a95f9e954e29ceb2469fcf3a9e9.exe, 27B2.exe
pid | process
2460 | 040d9a95f9e954e29ceb2469fcf3a9e9.exe
3180 | 27B2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: WerFault.exe, 48B9.exe, B44A.exe, powershell.exe, D234.exe
description | pid | process (blank where the report recorded none; consecutive identical rows are collapsed with a count)
Token: SeShutdownPrivilege | 3208 |
Token: SeCreatePagefilePrivilege | 3208 |
Token: SeRestorePrivilege | 1860 | WerFault.exe
Token: SeBackupPrivilege | 1860 | WerFault.exe
Token: SeShutdownPrivilege | 3208 |
Token: SeCreatePagefilePrivilege | 3208 |
Token: SeDebugPrivilege | 2024 | 48B9.exe
Token: SeShutdownPrivilege | 3208 | (alternating with the next row, 10 times each)
Token: SeCreatePagefilePrivilege | 3208 |
Token: SeDebugPrivilege | 3304 | B44A.exe
Token: SeShutdownPrivilege | 3208 |
Token: SeCreatePagefilePrivilege | 3208 |
Token: SeDebugPrivilege | 3496 | powershell.exe
Token: SeShutdownPrivilege | 3208 | (alternating with the next row, 2 times each)
Token: SeCreatePagefilePrivilege | 3208 |
Token: SeDebugPrivilege | 940 | D234.exe
Token: SeShutdownPrivilege | 3208 |
Token: SeCreatePagefilePrivilege | 3208 |
Token: SeIncreaseQuotaPrivilege | 3496 | powershell.exe
Token: SeSecurityPrivilege | 3496 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3496 | powershell.exe
Token: SeLoadDriverPrivilege | 3496 | powershell.exe
Token: SeSystemProfilePrivilege | 3496 | powershell.exe
Token: SeSystemtimePrivilege | 3496 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3496 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3496 | powershell.exe
Token: SeCreatePagefilePrivilege | 3496 | powershell.exe
Token: SeBackupPrivilege | 3496 | powershell.exe
Token: SeRestorePrivilege | 3496 | powershell.exe
Token: SeShutdownPrivilege | 3496 | powershell.exe
Token: SeDebugPrivilege | 3496 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3496 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3496 | powershell.exe
Token: SeUndockPrivilege | 3496 | powershell.exe
Token: SeManageVolumePrivilege | 3496 | powershell.exe
Token: 33 | 3496 | powershell.exe
Token: 34 | 3496 | powershell.exe
Token: 35 | 3496 | powershell.exe
Token: 36 | 3496 | powershell.exe
Token: SeDebugPrivilege | 1048 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3496 | powershell.exe
Token: SeSecurityPrivilege | 3496 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3496 | powershell.exe
Token: SeLoadDriverPrivilege | 3496 | powershell.exe

Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3208 | (no process name recorded)

Suspicious use of WriteProcessMemory 64 IoCs
Processes: 040d9a95f9e954e29ceb2469fcf3a9e9.exe, 27B2.exe, WerFault.exe, 6859.exe, B44A.exe
description | pid | process | target process (process blank where the report recorded none; consecutive identical rows are collapsed with a count)
PID 1148 wrote to memory of 2460 | 1148 | 040d9a95f9e954e29ceb2469fcf3a9e9.exe | 040d9a95f9e954e29ceb2469fcf3a9e9.exe (x6)
PID 3208 wrote to memory of 3916 | 3208 | | 27B2.exe (x3)
PID 3916 wrote to memory of 3180 | 3916 | 27B2.exe | 27B2.exe (x6)
PID 3208 wrote to memory of 1264 | 3208 | | 3668.exe (x3)
PID 3036 wrote to memory of 1264 | 3036 | WerFault.exe | 3668.exe (x2)
PID 3208 wrote to memory of 2024 | 3208 | | 48B9.exe (x2)
PID 3208 wrote to memory of 2100 | 3208 | | 5443.exe (x3)
PID 4432 wrote to memory of 2100 | 4432 | WerFault.exe | 5443.exe (x2)
PID 3208 wrote to memory of 2804 | 3208 | | 6859.exe (x3)
PID 2804 wrote to memory of 2488 | 2804 | 6859.exe | 6859.exe (x9)
PID 3208 wrote to memory of 420 | 3208 | | 86BF.exe (x3)
PID 916 wrote to memory of 420 | 916 | WerFault.exe | 86BF.exe (x2)
PID 3208 wrote to memory of 4844 | 3208 | | 942D.exe (x3)
PID 1072 wrote to memory of 4844 | 1072 | WerFault.exe | 942D.exe (x2)
PID 3208 wrote to memory of 3016 | 3208 | | AB41.exe (x3)
PID 3344 wrote to memory of 3016 | 3344 | WerFault.exe | AB41.exe (x2)
PID 3208 wrote to memory of 3304 | 3208 | | B44A.exe (x3)
PID 3304 wrote to memory of 3496 | 3304 | B44A.exe | powershell.exe (x3)
PID 3208 wrote to memory of 2192 | 3208 | | C91B.exe (x2)
PID 3208 wrote to memory of 940 | 3208 | | D234.exe (x2)

System policy modification 1 TTPs 4 IoCs
Processes: scriptwriters.exe, 123.exe, deforcing.exe, FEA6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | scriptwriters.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 123.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | deforcing.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | FEA6.exe
Views/modifies file attributes 1 TTPs 1 IoCs
Processes (the number in brackets is the depth in the tree; "cmd:" is the command line as recorded, which may name System32 while the image actually loaded from SysWOW64)
[1] C:\Users\Admin\AppData\Local\Temp\040d9a95f9e954e29ceb2469fcf3a9e9.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\040d9a95f9e954e29ceb2469fcf3a9e9.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\040d9a95f9e954e29ceb2469fcf3a9e9.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\040d9a95f9e954e29ceb2469fcf3a9e9.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
[1] C:\Users\Admin\AppData\Local\Temp\27B2.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\27B2.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\27B2.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\27B2.exe
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
[1] C:\Users\Admin\AppData\Local\Temp\3668.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\3668.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 272
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1264 -ip 1264
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Suspicious use of WriteProcessMemory
[1] C:\Users\Admin\AppData\Local\Temp\48B9.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\48B9.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\AppData\Local\Temp\5443.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\5443.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 292
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2100 -ip 2100
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Suspicious use of WriteProcessMemory
[1] C:\Users\Admin\AppData\Local\Temp\6859.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\6859.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\6859.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\6859.exe
      - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\86BF.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\86BF.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 276
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 420 -ip 420
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Suspicious use of WriteProcessMemory
[1] C:\Users\Admin\AppData\Local\Temp\942D.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\942D.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 296
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4844 -ip 4844
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Suspicious use of WriteProcessMemory
[1] C:\Users\Admin\AppData\Local\Temp\AB41.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\AB41.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 280
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3016 -ip 3016
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Suspicious use of WriteProcessMemory
[1] C:\Users\Admin\AppData\Local\Temp\B44A.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\B44A.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com
  [2] C:\Users\Admin\AppData\Local\Temp\B44A.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\B44A.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\B44A.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\B44A.exe
      - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\C91B.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\C91B.exe
    - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\123.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\123.exe"
      - Executes dropped EXE
      - Drops startup file
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - System policy modification
    [3] C:\Users\Admin\AppData\Local\Temp\acd2f948-9567-44da-ae8f-fd7428fc8cdd\AdvancedRun.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\acd2f948-9567-44da-ae8f-fd7428fc8cdd\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\acd2f948-9567-44da-ae8f-fd7428fc8cdd\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        - Executes dropped EXE
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\acd2f948-9567-44da-ae8f-fd7428fc8cdd\test.bat"
    [3] C:\Users\Admin\AppData\Local\Temp\8ec9aa74-5ae5-4178-afe3-73f048b40edc\AdvancedRun.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\8ec9aa74-5ae5-4178-afe3-73f048b40edc\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8ec9aa74-5ae5-4178-afe3-73f048b40edc\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        - Executes dropped EXE
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ec9aa74-5ae5-4178-afe3-73f048b40edc\test.bat"
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\123.exe" -Force
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\123.exe" -Force
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\123.exe" -Force
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force
        - Suspicious use of NtCreateProcessExOtherParentProcess
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\123.exe" -Force
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe
        cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Suspicious use of SetThreadContext
        - System policy modification
      [4] C:\Users\Admin\AppData\Local\Temp\c35cdb36-88d7-4e83-8bdd-86f7ba859d65\AdvancedRun.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\c35cdb36-88d7-4e83-8bdd-86f7ba859d65\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c35cdb36-88d7-4e83-8bdd-86f7ba859d65\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
          - Executes dropped EXE
        [5] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c35cdb36-88d7-4e83-8bdd-86f7ba859d65\test.bat"
      [4] C:\Users\Admin\AppData\Local\Temp\d9ae3a18-9698-449b-8981-2f3593b80b72\AdvancedRun.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\d9ae3a18-9698-449b-8981-2f3593b80b72\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d9ae3a18-9698-449b-8981-2f3593b80b72\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
          - Executes dropped EXE
        [5] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d9ae3a18-9698-449b-8981-2f3593b80b72\test.bat"
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exe" -Force
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
          cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
          cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
          cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
          cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\123.exe" -Force
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\appertaining\svchost.exe" -Force
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
  [2] C:\Users\Admin\AppData\Local\Temp\OlecranonsCasein.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\OlecranonsCasein.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Local\Temp\OlecranonsCasein.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\OlecranonsCasein.exe
        - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\D234.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\D234.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\ipconfig.exe
        cmd: "C:\Windows\system32\ipconfig.exe" /release
        - Gathers network information
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
    [3] C:\Windows\SysWOW64\PING.EXE
        cmd: "C:\Windows\system32\PING.EXE" twitter.com
        - Runs ping.exe
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
    [3] C:\Windows\SysWOW64\PING.EXE
        cmd: "C:\Windows\system32\PING.EXE" twitter.com
        - Runs ping.exe
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
    [3] C:\Windows\SysWOW64\PING.EXE
        cmd: "C:\Windows\system32\PING.EXE" twitter.com
        - Runs ping.exe
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
    [3] C:\Windows\SysWOW64\PING.EXE
        cmd: "C:\Windows\system32\PING.EXE" twitter.com
        - Runs ping.exe
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
    [3] C:\Windows\SysWOW64\PING.EXE
        cmd: "C:\Windows\system32\PING.EXE" twitter.com
        - Runs ping.exe
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /renew
    [3] C:\Windows\SysWOW64\ipconfig.exe
        cmd: "C:\Windows\system32\ipconfig.exe" /renew
        - Gathers network information
  [2] C:\Users\Admin\AppData\Local\Temp\D234.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\D234.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\D234.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\D234.exe
      - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\E197.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\E197.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release
    [3] C:\Windows\SysWOW64\ipconfig.exe
        cmd: "C:\Windows\system32\ipconfig.exe" /release
        - Gathers network information
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
    [3] C:\Windows\SysWOW64\PING.EXE
        cmd: "C:\Windows\system32\PING.EXE" twitter.com
        - Runs ping.exe
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
    [3] C:\Windows\SysWOW64\PING.EXE
        cmd: "C:\Windows\system32\PING.EXE" twitter.com
        - Runs ping.exe
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
    [3] C:\Windows\SysWOW64\PING.EXE
        cmd: "C:\Windows\system32\PING.EXE" twitter.com
        - Runs ping.exe
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
    [3] C:\Windows\SysWOW64\PING.EXE
        cmd: "C:\Windows\system32\PING.EXE" twitter.com
        - Runs ping.exe
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
    [3] C:\Windows\SysWOW64\PING.EXE
        cmd: "C:\Windows\system32\PING.EXE" twitter.com
        - Runs ping.exe
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /renew
    [3] C:\Windows\SysWOW64\ipconfig.exe
        cmd: "C:\Windows\system32\ipconfig.exe" /renew
        - Gathers network information
  [2] C:\Users\Admin\AppData\Local\Temp\E197.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\E197.exe
      - Executes dropped EXE
      - Modifies system certificate store
    [3] C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 624
        - Program crash
        - Checks processor information in registry
        - Enumerates system info in registry
[1] C:\Users\Admin\AppData\Local\Temp\EED6.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\EED6.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\cmd.exe
      cmd: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\chromedrlver.exe,"
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\chromedrlver.exe,"
  [2] C:\Users\Admin\AppData\Local\chromedrlver.exe
      cmd: "C:\Users\Admin\AppData\Local\chromedrlver.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\FEA6.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\FEA6.exe
    - Executes dropped EXE
    - Drops startup file
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System policy modification
  [2] C:\Users\Admin\AppData\Local\Temp\cfd2c909-98c0-493c-bc5a-8fe1a101cd42\AdvancedRun.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\cfd2c909-98c0-493c-bc5a-8fe1a101cd42\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\cfd2c909-98c0-493c-bc5a-8fe1a101cd42\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
    [3] C:\Windows\system32\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cfd2c909-98c0-493c-bc5a-8fe1a101cd42\test.bat"
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop windefend
      [4] C:\Windows\system32\sc.exe
          cmd: sc config windefend start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop Sense
      [4] C:\Windows\system32\sc.exe
          cmd: sc config Sense start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop wuauserv
      [4] C:\Windows\system32\sc.exe
          cmd: sc config wuauserv start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop usosvc
      [4] C:\Windows\system32\sc.exe
          cmd: sc config usosvc start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop WaasMedicSvc
      [4] C:\Windows\system32\sc.exe
          cmd: sc config WaasMedicSvc start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop SecurityHealthService
      [4] C:\Windows\system32\sc.exe
          cmd: sc config SecurityHealthService start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop SDRSVC
      [4] C:\Windows\system32\sc.exe
          cmd: sc config SDRSVC start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop wscsvc
      [4] C:\Windows\system32\sc.exe
          cmd: sc config wscsvc start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop WdiServiceHost
      [4] C:\Windows\system32\sc.exe
          cmd: sc config WdiServiceHost start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop WdiSystemHost
      [4] C:\Windows\system32\sc.exe
          cmd: sc config WdiSystemHost start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop InstallService
      [4] C:\Windows\system32\sc.exe
          cmd: sc config InstallService Start= disabled
  [2] C:\Users\Admin\AppData\Local\Temp\6b26555d-8952-4155-b481-9b91a98f9eed\AdvancedRun.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\6b26555d-8952-4155-b481-9b91a98f9eed\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6b26555d-8952-4155-b481-9b91a98f9eed\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
    [3] C:\Windows\system32\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6b26555d-8952-4155-b481-9b91a98f9eed\test.bat"
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop windefend
      [4] C:\Windows\system32\sc.exe
          cmd: sc config windefend start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop Sense
      [4] C:\Windows\system32\sc.exe
          cmd: sc config Sense start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop wuauserv
      [4] C:\Windows\system32\sc.exe
          cmd: sc config wuauserv start= disabled
          - Modifies WinLogon for persistence
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop usosvc
      [4] C:\Windows\system32\sc.exe
          cmd: sc config usosvc start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop WaasMedicSvc
      [4] C:\Windows\system32\sc.exe
          cmd: sc config WaasMedicSvc start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop SecurityHealthService
      [4] C:\Windows\system32\sc.exe
          cmd: sc config SecurityHealthService start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop SDRSVC
      [4] C:\Windows\system32\sc.exe
          cmd: sc config SDRSVC start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop wscsvc
      [4] C:\Windows\system32\sc.exe
          cmd: sc config wscsvc start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop WdiServiceHost
      [4] C:\Windows\system32\sc.exe
          cmd: sc config WdiServiceHost start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop WdiSystemHost
      [4] C:\Windows\system32\sc.exe
          cmd: sc config WdiSystemHost start= disabled
      [4] C:\Windows\system32\sc.exe
          cmd: sc stop InstallService
      [4] C:\Windows\system32\sc.exe
          cmd: sc config InstallService Start= disabled
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FEA6.exe" -Force
    [3] C:\Windows\System32\Conhost.exe
        cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FEA6.exe" -Force
    [3] C:\Windows\System32\Conhost.exe
        cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FEA6.exe" -Force
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
    [3] C:\Windows\System32\Conhost.exe
        cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
    [3] C:\Windows\System32\Conhost.exe
        cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FEA6.exe" -Force
    [3] C:\Windows\System32\Conhost.exe
        cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - System policy modification
    [3] C:\Users\Admin\AppData\Local\Temp\40a594fa-b69f-49c3-a305-3c8fb723176d\AdvancedRun.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\40a594fa-b69f-49c3-a305-3c8fb723176d\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\40a594fa-b69f-49c3-a305-3c8fb723176d\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        - Executes dropped EXE
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\40a594fa-b69f-49c3-a305-3c8fb723176d\test.bat"
    [3] C:\Users\Admin\AppData\Local\Temp\0fb43cf6-8166-4a3f-bf81-3a75fe3aaa37\AdvancedRun.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\0fb43cf6-8166-4a3f-bf81-3a75fe3aaa37\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\0fb43cf6-8166-4a3f-bf81-3a75fe3aaa37\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
      [4] C:\Windows\System32\Conhost.exe
          cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - Executes dropped EXE
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FEA6.exe" -Force
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    - Suspicious use of NtCreateUserProcessOtherParentProcess
[1] C:\Windows\System32\Conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[1] C:\Users\Admin\AppData\Local\Temp\D8C.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\D8C.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 464
      - Program crash
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 472
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4916 -ip 4916
    - Suspicious use of NtCreateProcessExOtherParentProcess
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4916 -ip 4916
    - Suspicious use of NtCreateProcessExOtherParentProcess
[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
[1] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0fb43cf6-8166-4a3f-bf81-3a75fe3aaa37\test.bat"
  [2] C:\Windows\system32\sc.exe
      cmd: sc stop windefend
[1] C:\Users\Admin\AppData\Local\Temp\5081.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\5081.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 464
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 472
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5632 -ip 5632
[1] C:\Windows\System32\Conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 5632 -ip 5632
    - Suspicious use of NtCreateProcessExOtherParentProcess
[1] C:\Users\Admin\AppData\Local\Temp\7B3C.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\7B3C.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 272
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6228 -ip 6228
    - Suspicious use of NtCreateProcessExOtherParentProcess
[1] C:\Users\Admin\AppData\Local\Temp\E2E0.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\E2E0.exe
    - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\b1.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\b1.exe"
      - Executes dropped EXE
      - Adds Run key to start application
    [3] C:\Windows\system32\cmd.exe
        cmd: cmd /Q /C move /Y C:\Users\Admin\AppData\Local\Temp\b1.exe C:\Users\Admin\AppData\Roaming\Microsoft\AppServices.exe
    [3] C:\Windows\system32\cmd.exe
        cmd: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
    [3] C:\Windows\system32\cmd.exe
        cmd: cmd /Q /C reg add "HKCU\Software\Microsoft Partners" /f
      [4] C:\Windows\system32\reg.exe
          cmd: reg add "HKCU\Software\Microsoft Partners" /f
    [3] C:\Windows\system32\cmd.exe
        cmd: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft"
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft
          - Checks processor information in registry
          - Enumerates system info in registry
    [3] C:\Windows\system32\cmd.exe
        cmd: cmd /C "attrib +S +H C:\Users\Admin\AppData\Roaming\Microsoft\AppServices.exe"
      [4] C:\Windows\system32\attrib.exe
          cmd: attrib +S +H C:\Users\Admin\AppData\Roaming\Microsoft\AppServices.exe
          - Views/modifies file attributes
  [2] C:\Users\Admin\AppData\Local\Temp\test1.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\test1.exe"
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 8
        - Program crash
  [2] C:\Users\Admin\AppData\Local\Temp\clean.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\clean.exe"
      - Executes dropped EXE
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4408 -ip 4408
    - Suspicious use of NtCreateProcessExOtherParentProcess
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4032 -ip 4032
    - Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Winlogon Helper DLL (1)
- Modify Existing Service (2)
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (9)
- Disabling Security Tools (5)
- Bypass User Account Control (1)
- Hidden Files and Directories (2)
- Impair Defenses (1)
- Install Root Certificate (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OlecranonsCasein.exe.logMD5
7a5a0f7a4b074f21be8e9d7f9cc454a6
SHA181100f839c5980e57ecafc0f8e28b58889319f11
SHA25658155f175242657ff0a689e1bf725a467d91abab505af282c3cf26d3e99b229a
SHA5127b4f274516faa5629ea98a30132b944103866a8f132d1fc91719ef8429e4e31b156b164d4d7a474311f295b6afa0cd0b6d41f53abdc98372f241a76fe27a234d
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
92e21ea83af40df48dd009926460fbb9
SHA154cee42949090d7483edc77aee0a94fdab218030
SHA256e6da2714fb61726f870682e22ff5a681161d05c69f7d84b128c657c10c39ce86
SHA5127114a3bb988669d0de385544991fe328f543ce6f07dc7e38cecc6348c7432a3bfda41eb6fa2e5951a2fec775c22f71946aacf63cf7727c6b78c832d3a9f438aa
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
88272ac1759ae38d9c73c410544efdf9
SHA13b78accd6513a7dc88eb918d2ce92633ac70c7fa
SHA25695ba1a416265d4aeaeb68a8e41bf160c741e6952ecc233b703536179e55ff8cf
SHA512e84f1821d8fafce50cb748b70baf9056819a1dbc990fbb3b6861b1d45da70847a13699c6dcdc942217c5f6f77acc50a7c9812ace338ed6e7335fdc641d679aac
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
555e8288c5fd499adf79b3a7a83e9d33
SHA125c5fa18dbff21ab65c13236b399ee08c5c045dd
SHA256ab817f55b93b6c9841068da279f31d3b914a92b6bdcd613a39699d17737dc064
SHA512a8c7eb3948b906819b86f3441cdb42a9583fe5ddb004211fe588313983cf549a50811ba6fca17a58b8057dd1fe41d9854b4db41ae909110e8d87644504e45c7c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
555e8288c5fd499adf79b3a7a83e9d33
SHA125c5fa18dbff21ab65c13236b399ee08c5c045dd
SHA256ab817f55b93b6c9841068da279f31d3b914a92b6bdcd613a39699d17737dc064
SHA512a8c7eb3948b906819b86f3441cdb42a9583fe5ddb004211fe588313983cf549a50811ba6fca17a58b8057dd1fe41d9854b4db41ae909110e8d87644504e45c7c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
2252dd47ab1db8d29051d9d3ba297578
SHA17a7247ad4355d8db1008d5e7adf0d40a8e9cca71
SHA256a21e59bd25dc42d396f2438d27a1ee3c2ff941b2fa3163d9a1af6d6c7111d0f7
SHA512dc7b57f964a77724108f0f1cc2aa67c6765a1dc8137b4b7df731a16bb92f5394a088ad1fccc444554e2d6503764e570c28c29c5afbe3d9ce827a5e12ec976138
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
3d9000dabbf98853c621719293be59f2
SHA164986fde36cebb43ce8abfc4265b5a18c80406a6
SHA25666c4f8db18e07398953b32e75ba050351d366cac9cf4c14cc79d430d5778d179
SHA512c8842daa8f0cf7a4852f05101a1213fb9a39b86f5e4c96d40bf56bd08dc7fc6c6d1c281113cdd4a88f23ec6ee86faf1bab483016760e4f06f7b7f507296da7a2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
5283a24c196e801c00a1be167f7f34a9
SHA1436c898b30b39cb11acfb0ddaa35d5c49057fe06
SHA25664980534983025ace97e10a3b247dce326d79cc0a00874fd9ceb703e9fa879e6
SHA512c24af6e479159cc929026a4fb40f8d0cdee8d1e9165b634d8640f61ffd4411e513711b2c4fb0c00ec42dc6aaa8ff3714ad954225270092f9250d4bede210de3c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
5283a24c196e801c00a1be167f7f34a9
SHA1436c898b30b39cb11acfb0ddaa35d5c49057fe06
SHA25664980534983025ace97e10a3b247dce326d79cc0a00874fd9ceb703e9fa879e6
SHA512c24af6e479159cc929026a4fb40f8d0cdee8d1e9165b634d8640f61ffd4411e513711b2c4fb0c00ec42dc6aaa8ff3714ad954225270092f9250d4bede210de3c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
1b797abc4a197a67edfd664947916b2f
SHA18dcb47ce1d8806c10f4bca733e0eab8582d7bcfa
SHA25696a05f82069df50fc154b2f2c7adb2cf041860f90706d31aa06422e458483c35
SHA51244731a52e47a190507e81dfb740534b101778733a4a10e27978c43393098d0a65713eea06811bbc930918fffa08e02ae55dcac625ef2e2bf08a72719ec75e11e
-
C:\Users\Admin\AppData\Local\Temp\0fb43cf6-8166-4a3f-bf81-3a75fe3aaa37\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\0fb43cf6-8166-4a3f-bf81-3a75fe3aaa37\test.batMD5
b2a5ef7d334bdf866113c6f4f9036aae
SHA1f9027f2827b35840487efd04e818121b5a8541e0
SHA25627426aa52448e564b5b9dff2dbe62037992ada8336a8e36560cee7a94930c45e
SHA5128ed39ed39e03fa6d4e49167e8ca4823e47a221294945c141b241cfd1eb7d20314a15608da3fafc3c258ae2cfc535d3e5925b56caceee87acfb7d4831d267189e
-
C:\Users\Admin\AppData\Local\Temp\123.exeMD5
9c5236fc5bfdac54db11c9fe87d9daa5
SHA1a0170f41137646ae9ce74c5341564c800ff6930c
SHA2561966c61455d2cda210cafd47b9a475871184ebe5a21183ddc729ca46bab105c9
SHA5124d05aa283da8be5b7a50961f935d1424a66c691ffee4ad45af5dc2859f3de3cfc7e838172e40f08a929acad96f06d64e8d94a796ee8b56fffadf6aaedcb76b0f
-
C:\Users\Admin\AppData\Local\Temp\123.exeMD5
9c5236fc5bfdac54db11c9fe87d9daa5
SHA1a0170f41137646ae9ce74c5341564c800ff6930c
SHA2561966c61455d2cda210cafd47b9a475871184ebe5a21183ddc729ca46bab105c9
SHA5124d05aa283da8be5b7a50961f935d1424a66c691ffee4ad45af5dc2859f3de3cfc7e838172e40f08a929acad96f06d64e8d94a796ee8b56fffadf6aaedcb76b0f
-
C:\Users\Admin\AppData\Local\Temp\27B2.exeMD5
040d9a95f9e954e29ceb2469fcf3a9e9
SHA1e04f9f919575e694dc4fe2f7f4646fc3440457b5
SHA256b6a1ce3e1d1dfa3057e7473c9219ba29218014de81c922ad38e96800c1f388e7
SHA5126fd2ae969ea6e3184929aa8e04a024432a135523a9508acf0372b2821660df1aace14a97de195101a6f2af0667ad4b7b64b60b3c414cac9a30079485f6bd4669
-
C:\Users\Admin\AppData\Local\Temp\27B2.exeMD5
040d9a95f9e954e29ceb2469fcf3a9e9
SHA1e04f9f919575e694dc4fe2f7f4646fc3440457b5
SHA256b6a1ce3e1d1dfa3057e7473c9219ba29218014de81c922ad38e96800c1f388e7
SHA5126fd2ae969ea6e3184929aa8e04a024432a135523a9508acf0372b2821660df1aace14a97de195101a6f2af0667ad4b7b64b60b3c414cac9a30079485f6bd4669
-
C:\Users\Admin\AppData\Local\Temp\27B2.exeMD5
040d9a95f9e954e29ceb2469fcf3a9e9
SHA1e04f9f919575e694dc4fe2f7f4646fc3440457b5
SHA256b6a1ce3e1d1dfa3057e7473c9219ba29218014de81c922ad38e96800c1f388e7
SHA5126fd2ae969ea6e3184929aa8e04a024432a135523a9508acf0372b2821660df1aace14a97de195101a6f2af0667ad4b7b64b60b3c414cac9a30079485f6bd4669
-
C:\Users\Admin\AppData\Local\Temp\3668.exeMD5
2b77cc45322086036b538f59a827b9ae
SHA1d7676037dbec7e08a46480faa5c375ac9be99769
SHA256384bf36c4d8db61f2638159f9927a3432b1d79ece0281d24369717a112c9dc35
SHA51209f958f600328daa4cd1a41b7763b92295355b8f2a5f2638413cc73a0f62cc5095a067022158377dd79f65e15f311ed003a591597c278b8573f737719cfd8e70
-
C:\Users\Admin\AppData\Local\Temp\3668.exeMD5
2b77cc45322086036b538f59a827b9ae
SHA1d7676037dbec7e08a46480faa5c375ac9be99769
SHA256384bf36c4d8db61f2638159f9927a3432b1d79ece0281d24369717a112c9dc35
SHA51209f958f600328daa4cd1a41b7763b92295355b8f2a5f2638413cc73a0f62cc5095a067022158377dd79f65e15f311ed003a591597c278b8573f737719cfd8e70
-
C:\Users\Admin\AppData\Local\Temp\40a594fa-b69f-49c3-a305-3c8fb723176d\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\40a594fa-b69f-49c3-a305-3c8fb723176d\test.batMD5
b2a5ef7d334bdf866113c6f4f9036aae
SHA1f9027f2827b35840487efd04e818121b5a8541e0
SHA25627426aa52448e564b5b9dff2dbe62037992ada8336a8e36560cee7a94930c45e
SHA5128ed39ed39e03fa6d4e49167e8ca4823e47a221294945c141b241cfd1eb7d20314a15608da3fafc3c258ae2cfc535d3e5925b56caceee87acfb7d4831d267189e
-
C:\Users\Admin\AppData\Local\Temp\48B9.exeMD5
ec7ad2ab3d136ace300b71640375087c
SHA11e2147b61a1be5671d24696212c9d15d269be713
SHA256a280a28edbfaac0472252455550c283c3f44f2daf0ac0a59ddd48deb7cbbeee8
SHA512b642ae118bbe5235473ab12a9383ba8c23606e32627292964a215df376886c03928349de217ea42500d050ec5fee540fd593f95a65a598041eae1fcac5d0bc3e
-
C:\Users\Admin\AppData\Local\Temp\48B9.exeMD5
ec7ad2ab3d136ace300b71640375087c
SHA11e2147b61a1be5671d24696212c9d15d269be713
SHA256a280a28edbfaac0472252455550c283c3f44f2daf0ac0a59ddd48deb7cbbeee8
SHA512b642ae118bbe5235473ab12a9383ba8c23606e32627292964a215df376886c03928349de217ea42500d050ec5fee540fd593f95a65a598041eae1fcac5d0bc3e
-
C:\Users\Admin\AppData\Local\Temp\5081.exeMD5
bdd3423d6a17f956b45a2334feaa8656
SHA129aa8dcb333f4927e52da9b4be449817a6e00d17
SHA256fe4effbb85424d92ee6bc7249de7469890d71ff2a6f26ef5ab5b9d8341ad93be
SHA5128eedd0e1927b656269195ed04b1b376a6095cbc9a3ec8f82f0c13f25c3e9a5756a1e32e35ec4a220759fa287d420f07d0e351c3869228439f332c69ef5809dc0
-
C:\Users\Admin\AppData\Local\Temp\5081.exeMD5
bdd3423d6a17f956b45a2334feaa8656
SHA129aa8dcb333f4927e52da9b4be449817a6e00d17
SHA256fe4effbb85424d92ee6bc7249de7469890d71ff2a6f26ef5ab5b9d8341ad93be
SHA5128eedd0e1927b656269195ed04b1b376a6095cbc9a3ec8f82f0c13f25c3e9a5756a1e32e35ec4a220759fa287d420f07d0e351c3869228439f332c69ef5809dc0
-
C:\Users\Admin\AppData\Local\Temp\5443.exeMD5
36a3976a7678715fffe2300f0ae8a21a
SHA1d941d30a3a600d9f2bdb4b8fed77addd7f15806d
SHA25627098e89b511cd37b5aad597d2e3875d5f6ca232b6bc057cef67adc24243d33e
SHA5127447d26f2bfca5084a4652745a6aadfb90a9068198f00f411a6eb48be12473fde8a458814eb43328c7964f0dad685eea0012be37144c9c2a2dc5613326fc446c
-
C:\Users\Admin\AppData\Local\Temp\5443.exeMD5
36a3976a7678715fffe2300f0ae8a21a
SHA1d941d30a3a600d9f2bdb4b8fed77addd7f15806d
SHA25627098e89b511cd37b5aad597d2e3875d5f6ca232b6bc057cef67adc24243d33e
SHA5127447d26f2bfca5084a4652745a6aadfb90a9068198f00f411a6eb48be12473fde8a458814eb43328c7964f0dad685eea0012be37144c9c2a2dc5613326fc446c
-
C:\Users\Admin\AppData\Local\Temp\6859.exeMD5
e3529b41a669d9926370093f69b3dfbb
SHA17bb72ecd87897eef17ffb7bb915285892490ef11
SHA2569277ebc49f4e38c63e9a0c0a08cf160018e3f9ed94df18e8f30a3d72337d1264
SHA512bcf144544137c65c83d7328fc6ceec7a67bac64a93fb27388d334ca336387fd2cb98c18489596dfbf88cb1974a0b952d41aab96db911a58d064425ee54de6fd0
-
C:\Users\Admin\AppData\Local\Temp\6859.exeMD5
e3529b41a669d9926370093f69b3dfbb
SHA17bb72ecd87897eef17ffb7bb915285892490ef11
SHA2569277ebc49f4e38c63e9a0c0a08cf160018e3f9ed94df18e8f30a3d72337d1264
SHA512bcf144544137c65c83d7328fc6ceec7a67bac64a93fb27388d334ca336387fd2cb98c18489596dfbf88cb1974a0b952d41aab96db911a58d064425ee54de6fd0
-
C:\Users\Admin\AppData\Local\Temp\6859.exeMD5
e3529b41a669d9926370093f69b3dfbb
SHA17bb72ecd87897eef17ffb7bb915285892490ef11
SHA2569277ebc49f4e38c63e9a0c0a08cf160018e3f9ed94df18e8f30a3d72337d1264
SHA512bcf144544137c65c83d7328fc6ceec7a67bac64a93fb27388d334ca336387fd2cb98c18489596dfbf88cb1974a0b952d41aab96db911a58d064425ee54de6fd0
-
C:\Users\Admin\AppData\Local\Temp\6b26555d-8952-4155-b481-9b91a98f9eed\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\6b26555d-8952-4155-b481-9b91a98f9eed\test.batMD5
b2a5ef7d334bdf866113c6f4f9036aae
SHA1f9027f2827b35840487efd04e818121b5a8541e0
SHA25627426aa52448e564b5b9dff2dbe62037992ada8336a8e36560cee7a94930c45e
SHA5128ed39ed39e03fa6d4e49167e8ca4823e47a221294945c141b241cfd1eb7d20314a15608da3fafc3c258ae2cfc535d3e5925b56caceee87acfb7d4831d267189e
-
C:\Users\Admin\AppData\Local\Temp\86BF.exeMD5
bde1dbafbe609f7da66db66356d8f9e3
SHA1a82f4a80f7f0849ecc021855fcbfbf3220982d06
SHA256d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86
SHA512fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb
-
C:\Users\Admin\AppData\Local\Temp\86BF.exeMD5
bde1dbafbe609f7da66db66356d8f9e3
SHA1a82f4a80f7f0849ecc021855fcbfbf3220982d06
SHA256d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86
SHA512fa4bc50784e84e1466a055e1a14a46b54903dfe0e3c557bed19f2c003486a9196bf4917c73fac087b471669dd42eebcb7550b0fb18cb8ee3baa2763d4e94c4eb
-
C:\Users\Admin\AppData\Local\Temp\8ec9aa74-5ae5-4178-afe3-73f048b40edc\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\8ec9aa74-5ae5-4178-afe3-73f048b40edc\test.batMD5
b2a5ef7d334bdf866113c6f4f9036aae
SHA1f9027f2827b35840487efd04e818121b5a8541e0
SHA25627426aa52448e564b5b9dff2dbe62037992ada8336a8e36560cee7a94930c45e
SHA5128ed39ed39e03fa6d4e49167e8ca4823e47a221294945c141b241cfd1eb7d20314a15608da3fafc3c258ae2cfc535d3e5925b56caceee87acfb7d4831d267189e
-
C:\Users\Admin\AppData\Local\Temp\942D.exeMD5
65ecbb1c38b4ac891d8a90870e115398
SHA178e3f1782d238b6375224a3ce7793b1cb08a95d4
SHA25658c1b22873a1eab4f8a7cc5a26085a2968637eaa3f22e7cbe8032ad6f25bbd38
SHA512a95b0ccaecdf007c4590efde4e56ec4e65b8d900e2070726393b912f4ef37b3761a641e7c85dfe8a9698f1bf9864afc8613d956e14414d5a0c78c00aa17a7dd9
-
C:\Users\Admin\AppData\Local\Temp\942D.exeMD5
65ecbb1c38b4ac891d8a90870e115398
SHA178e3f1782d238b6375224a3ce7793b1cb08a95d4
SHA25658c1b22873a1eab4f8a7cc5a26085a2968637eaa3f22e7cbe8032ad6f25bbd38
SHA512a95b0ccaecdf007c4590efde4e56ec4e65b8d900e2070726393b912f4ef37b3761a641e7c85dfe8a9698f1bf9864afc8613d956e14414d5a0c78c00aa17a7dd9
-
C:\Users\Admin\AppData\Local\Temp\AB41.exeMD5
0dd386e2ac96f7ddd2206510b6d74663
SHA17e4b8f180047821a84f530dcbfed6164f117b630
SHA256c6abcdeac0d459de9d7ca2c3a65226710cb9656138c4b4bdc08c1546688c3675
SHA512fe2e34d130aec32c68962653116c6bfde043c44ac8865be75382991e343b04a11a79aae9c4fb75b6983bc1071e6547a1e26da98c844773ae51b0b39b5f72b732
-
C:\Users\Admin\AppData\Local\Temp\AB41.exeMD5
0dd386e2ac96f7ddd2206510b6d74663
SHA17e4b8f180047821a84f530dcbfed6164f117b630
SHA256c6abcdeac0d459de9d7ca2c3a65226710cb9656138c4b4bdc08c1546688c3675
SHA512fe2e34d130aec32c68962653116c6bfde043c44ac8865be75382991e343b04a11a79aae9c4fb75b6983bc1071e6547a1e26da98c844773ae51b0b39b5f72b732
-
C:\Users\Admin\AppData\Local\Temp\B44A.exeMD5
74e5ee47e3f1cec8ad5499d20d5e200d
SHA1c50c297394c849aea972fb922c91117094be38f1
SHA25615f47b7b5ca57126f9f9c51c3949e290553025c32c649fc5bd6ed9a2ff726278
SHA5120f53351b879c09383087854fc26c95c64c23f43f5cd08ffd2da0fe4718a8c1c13fee4b48cdccee3278636e47304ccff46617b4958fa6eef3ce1c489e7a9afb48
-
C:\Users\Admin\AppData\Local\Temp\B44A.exeMD5
74e5ee47e3f1cec8ad5499d20d5e200d
SHA1c50c297394c849aea972fb922c91117094be38f1
SHA25615f47b7b5ca57126f9f9c51c3949e290553025c32c649fc5bd6ed9a2ff726278
SHA5120f53351b879c09383087854fc26c95c64c23f43f5cd08ffd2da0fe4718a8c1c13fee4b48cdccee3278636e47304ccff46617b4958fa6eef3ce1c489e7a9afb48
-
C:\Users\Admin\AppData\Local\Temp\C91B.exeMD5
70af2782a658f04e84341f18e09207ae
SHA1a9284038d4261f7c4ae5a16851216cfd01c7b8c2
SHA2560b8f3e4e72ee0466fc5d415a62b3f9318879b23170179f6f40772da91b1d9c98
SHA512fcf55ac11a3834712e5cf3ef301fb47e7f81fa79a5cb54c1322ce353cee56f3ecb7547e330b2cf738e7a22992a0a335e501818d824178e494bcc845ca3b0db88
-
C:\Users\Admin\AppData\Local\Temp\C91B.exeMD5
70af2782a658f04e84341f18e09207ae
SHA1a9284038d4261f7c4ae5a16851216cfd01c7b8c2
SHA2560b8f3e4e72ee0466fc5d415a62b3f9318879b23170179f6f40772da91b1d9c98
SHA512fcf55ac11a3834712e5cf3ef301fb47e7f81fa79a5cb54c1322ce353cee56f3ecb7547e330b2cf738e7a22992a0a335e501818d824178e494bcc845ca3b0db88
-
C:\Users\Admin\AppData\Local\Temp\D234.exeMD5
fc0fc8c35a5808938bc23e31937ff028
SHA15c3d70bba5088c055a2c6c48ab35024e71d76476
SHA25603db9c7192d13a8c6481f430c0be86813a3d87c1cbcb937a2f92cd8b861a1303
SHA512ac3a8da2cf5797aeeffd371178fa972863d78728b5be814e2a9743c59ff0139210cc0f9f2f097376695a32b976cab4bf731ea9e6bb233d4ed06252c3563c3be5
-
C:\Users\Admin\AppData\Local\Temp\D234.exeMD5
fc0fc8c35a5808938bc23e31937ff028
SHA15c3d70bba5088c055a2c6c48ab35024e71d76476
SHA25603db9c7192d13a8c6481f430c0be86813a3d87c1cbcb937a2f92cd8b861a1303
SHA512ac3a8da2cf5797aeeffd371178fa972863d78728b5be814e2a9743c59ff0139210cc0f9f2f097376695a32b976cab4bf731ea9e6bb233d4ed06252c3563c3be5
-
C:\Users\Admin\AppData\Local\Temp\D8C.exeMD5
bdd3423d6a17f956b45a2334feaa8656
SHA129aa8dcb333f4927e52da9b4be449817a6e00d17
SHA256fe4effbb85424d92ee6bc7249de7469890d71ff2a6f26ef5ab5b9d8341ad93be
SHA5128eedd0e1927b656269195ed04b1b376a6095cbc9a3ec8f82f0c13f25c3e9a5756a1e32e35ec4a220759fa287d420f07d0e351c3869228439f332c69ef5809dc0
-
C:\Users\Admin\AppData\Local\Temp\D8C.exeMD5
bdd3423d6a17f956b45a2334feaa8656
SHA129aa8dcb333f4927e52da9b4be449817a6e00d17
SHA256fe4effbb85424d92ee6bc7249de7469890d71ff2a6f26ef5ab5b9d8341ad93be
SHA5128eedd0e1927b656269195ed04b1b376a6095cbc9a3ec8f82f0c13f25c3e9a5756a1e32e35ec4a220759fa287d420f07d0e351c3869228439f332c69ef5809dc0
-
C:\Users\Admin\AppData\Local\Temp\E197.exeMD5
91d4d9e326c8fc248005b8d1ab6ce48b
SHA19c786f375c1a4a5cdfd6c190cef4941c2be62786
SHA25651ffa97c666a44c732f20bbb7c62f48e7f01e1e16fc381078d19fdda95894970
SHA51209e556afdd978599d57cebec57ffd7569fc0d3ee4d5180398706a31566a86c11249a867781bf00c5168ac6a9b233e1d6e353d91324813a9af49c83b025c329e7
-
C:\Users\Admin\AppData\Local\Temp\E197.exeMD5
91d4d9e326c8fc248005b8d1ab6ce48b
SHA19c786f375c1a4a5cdfd6c190cef4941c2be62786
SHA25651ffa97c666a44c732f20bbb7c62f48e7f01e1e16fc381078d19fdda95894970
SHA51209e556afdd978599d57cebec57ffd7569fc0d3ee4d5180398706a31566a86c11249a867781bf00c5168ac6a9b233e1d6e353d91324813a9af49c83b025c329e7
-
C:\Users\Admin\AppData\Local\Temp\EED6.exeMD5
199ec17fa8be3e87cf4aae0e1c0e696c
SHA11611af72e38f3ecda6beca2354e50fdcfb8d58d6
SHA256517c0693df0caebe05d0f5a75a9cb63c613121854f6b6177157e77dfbcfb9e18
SHA5127f2c45ad1433cee9a73bdde2497665fa0aa4197d7040c048e3cf1a0d7616d4b137c98b1dc6fa65e37f6f192a6d35285b074c6c51e061c77934d36e2d68024f34
-
C:\Users\Admin\AppData\Local\Temp\EED6.exeMD5
199ec17fa8be3e87cf4aae0e1c0e696c
SHA11611af72e38f3ecda6beca2354e50fdcfb8d58d6
SHA256517c0693df0caebe05d0f5a75a9cb63c613121854f6b6177157e77dfbcfb9e18
SHA5127f2c45ad1433cee9a73bdde2497665fa0aa4197d7040c048e3cf1a0d7616d4b137c98b1dc6fa65e37f6f192a6d35285b074c6c51e061c77934d36e2d68024f34
-
C:\Users\Admin\AppData\Local\Temp\FEA6.exeMD5
680e08dfb787740be8313220da9c7674
SHA1709b52847483261b6288c4f0ea2d571c54a70275
SHA256e1267ac21ecbf34f7601c33b7b60c840fc459e3de54a8db2568c227ee340cb87
SHA5120b47b024a2ca99b08d86df0d17e0ed949e91c53230dc04b27763552929ad156f8af53a04bea3016895897e654ca1b75282287a161f85bff3d4f7d2d11f68d4a6
-
C:\Users\Admin\AppData\Local\Temp\FEA6.exeMD5
680e08dfb787740be8313220da9c7674
SHA1709b52847483261b6288c4f0ea2d571c54a70275
SHA256e1267ac21ecbf34f7601c33b7b60c840fc459e3de54a8db2568c227ee340cb87
SHA5120b47b024a2ca99b08d86df0d17e0ed949e91c53230dc04b27763552929ad156f8af53a04bea3016895897e654ca1b75282287a161f85bff3d4f7d2d11f68d4a6
-
C:\Users\Admin\AppData\Local\Temp\OlecranonsCasein.exeMD5
9d8ac1d99313a4701fc1d0dfd37acb86
SHA1ceb79925177f1656a93e91b28e797a403c666a9e
SHA25602358c60d0aa8d682fb2fa563c5fc8aaca68f60b6f6b3427b65aa25196a17748
SHA512beb55c0379f1e06b1178f100b42a54b536039c3018b4f2937f8d9feca99e35ebb543c03624b163513c5ce53ce1bd4357b3408fb919f7178961101019b962ac23
-
C:\Users\Admin\AppData\Local\Temp\OlecranonsCasein.exeMD5
9d8ac1d99313a4701fc1d0dfd37acb86
SHA1ceb79925177f1656a93e91b28e797a403c666a9e
SHA25602358c60d0aa8d682fb2fa563c5fc8aaca68f60b6f6b3427b65aa25196a17748
SHA512beb55c0379f1e06b1178f100b42a54b536039c3018b4f2937f8d9feca99e35ebb543c03624b163513c5ce53ce1bd4357b3408fb919f7178961101019b962ac23
-
C:\Users\Admin\AppData\Local\Temp\OlecranonsCasein.exeMD5
9d8ac1d99313a4701fc1d0dfd37acb86
SHA1ceb79925177f1656a93e91b28e797a403c666a9e
SHA25602358c60d0aa8d682fb2fa563c5fc8aaca68f60b6f6b3427b65aa25196a17748
SHA512beb55c0379f1e06b1178f100b42a54b536039c3018b4f2937f8d9feca99e35ebb543c03624b163513c5ce53ce1bd4357b3408fb919f7178961101019b962ac23
-
C:\Users\Admin\AppData\Local\Temp\acd2f948-9567-44da-ae8f-fd7428fc8cdd\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\acd2f948-9567-44da-ae8f-fd7428fc8cdd\test.batMD5
b2a5ef7d334bdf866113c6f4f9036aae
SHA1f9027f2827b35840487efd04e818121b5a8541e0
SHA25627426aa52448e564b5b9dff2dbe62037992ada8336a8e36560cee7a94930c45e
SHA5128ed39ed39e03fa6d4e49167e8ca4823e47a221294945c141b241cfd1eb7d20314a15608da3fafc3c258ae2cfc535d3e5925b56caceee87acfb7d4831d267189e
-
C:\Users\Admin\AppData\Local\Temp\cfd2c909-98c0-493c-bc5a-8fe1a101cd42\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\cfd2c909-98c0-493c-bc5a-8fe1a101cd42\test.batMD5
b2a5ef7d334bdf866113c6f4f9036aae
SHA1f9027f2827b35840487efd04e818121b5a8541e0
SHA25627426aa52448e564b5b9dff2dbe62037992ada8336a8e36560cee7a94930c45e
SHA5128ed39ed39e03fa6d4e49167e8ca4823e47a221294945c141b241cfd1eb7d20314a15608da3fafc3c258ae2cfc535d3e5925b56caceee87acfb7d4831d267189e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deforcing.exeMD5
9c5236fc5bfdac54db11c9fe87d9daa5
SHA1a0170f41137646ae9ce74c5341564c800ff6930c
SHA2561966c61455d2cda210cafd47b9a475871184ebe5a21183ddc729ca46bab105c9
SHA5124d05aa283da8be5b7a50961f935d1424a66c691ffee4ad45af5dc2859f3de3cfc7e838172e40f08a929acad96f06d64e8d94a796ee8b56fffadf6aaedcb76b0f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exeMD5
680e08dfb787740be8313220da9c7674
SHA1709b52847483261b6288c4f0ea2d571c54a70275
SHA256e1267ac21ecbf34f7601c33b7b60c840fc459e3de54a8db2568c227ee340cb87
SHA5120b47b024a2ca99b08d86df0d17e0ed949e91c53230dc04b27763552929ad156f8af53a04bea3016895897e654ca1b75282287a161f85bff3d4f7d2d11f68d4a6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exeMD5
680e08dfb787740be8313220da9c7674
SHA1709b52847483261b6288c4f0ea2d571c54a70275
SHA256e1267ac21ecbf34f7601c33b7b60c840fc459e3de54a8db2568c227ee340cb87
SHA5120b47b024a2ca99b08d86df0d17e0ed949e91c53230dc04b27763552929ad156f8af53a04bea3016895897e654ca1b75282287a161f85bff3d4f7d2d11f68d4a6
-
memory/420-209-0x0000000000000000-mapping.dmp
-
memory/420-212-0x00000000021E0000-0x0000000002257000-memory.dmpFilesize
476KB
-
memory/420-213-0x0000000002260000-0x00000000022E3000-memory.dmpFilesize
524KB
-
memory/940-258-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/940-253-0x0000000000000000-mapping.dmp
-
memory/940-271-0x0000000004DA0000-0x0000000004DA1000-memory.dmpFilesize
4KB
-
memory/1048-265-0x00000000044F0000-0x00000000044F1000-memory.dmpFilesize
4KB
-
memory/1048-263-0x00000000044F0000-0x00000000044F1000-memory.dmpFilesize
4KB
-
memory/1048-273-0x0000000004600000-0x0000000004601000-memory.dmpFilesize
4KB
-
memory/1048-275-0x0000000004602000-0x0000000004603000-memory.dmpFilesize
4KB
-
memory/1048-261-0x0000000000000000-mapping.dmp
-
memory/1048-298-0x0000000004605000-0x0000000004607000-memory.dmpFilesize
8KB
-
memory/1148-148-0x0000000002250000-0x0000000002258000-memory.dmpFilesize
32KB
-
memory/1148-149-0x0000000002260000-0x0000000002269000-memory.dmpFilesize
36KB
-
memory/1208-458-0x0000000000000000-mapping.dmp
-
memory/1264-157-0x0000000000000000-mapping.dmp
-
memory/1264-161-0x0000000002020000-0x0000000002033000-memory.dmpFilesize
76KB
-
memory/1264-160-0x0000000000610000-0x000000000061D000-memory.dmpFilesize
52KB
-
memory/1280-399-0x0000000000000000-mapping.dmp
-
memory/1284-461-0x0000000000000000-mapping.dmp
-
memory/1304-434-0x0000000000000000-mapping.dmp
-
memory/1424-456-0x0000000000000000-mapping.dmp
-
memory/1516-531-0x0000000006CC0000-0x0000000006CC1000-memory.dmpFilesize
4KB
-
memory/1532-463-0x0000000000000000-mapping.dmp
-
memory/1584-274-0x0000000006FB0000-0x0000000006FB1000-memory.dmpFilesize
4KB
-
memory/1584-264-0x0000000002FB0000-0x0000000002FB1000-memory.dmpFilesize
4KB
-
memory/1584-262-0x0000000000000000-mapping.dmp
-
memory/1584-276-0x0000000006FB2000-0x0000000006FB3000-memory.dmpFilesize
4KB
-
memory/1584-393-0x0000000006FB5000-0x0000000006FB7000-memory.dmpFilesize
8KB
-
memory/1584-266-0x0000000002FB0000-0x0000000002FB1000-memory.dmpFilesize
4KB
-
memory/1596-454-0x0000000000000000-mapping.dmp
-
memory/1708-438-0x0000000000000000-mapping.dmp
-
memory/1756-446-0x0000000000000000-mapping.dmp
-
memory/1788-423-0x0000000007390000-0x0000000007391000-memory.dmpFilesize
4KB
-
memory/1788-405-0x0000000000000000-mapping.dmp
-
memory/1788-424-0x0000000007392000-0x0000000007393000-memory.dmpFilesize
4KB
-
memory/1940-420-0x0000000004AF5000-0x0000000004AF7000-memory.dmpFilesize
8KB
-
memory/1940-331-0x0000000004AF0000-0x0000000004AF1000-memory.dmpFilesize
4KB
-
memory/1940-332-0x0000000004AF2000-0x0000000004AF3000-memory.dmpFilesize
4KB
-
memory/1940-306-0x0000000000000000-mapping.dmp
-
memory/1996-299-0x0000000000000000-mapping.dmp
-
memory/1996-326-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/2024-166-0x0000000000670000-0x0000000000671000-memory.dmpFilesize
4KB
-
memory/2024-206-0x000000001D6B0000-0x000000001D6B1000-memory.dmpFilesize
4KB
-
memory/2024-174-0x000000001C1E0000-0x000000001C1E1000-memory.dmpFilesize
4KB
-
memory/2024-173-0x000000001B280000-0x000000001B29B000-memory.dmpFilesize
108KB
-
memory/2024-207-0x000000001C8D0000-0x000000001C8D1000-memory.dmpFilesize
4KB
-
memory/2024-176-0x000000001B320000-0x000000001B321000-memory.dmpFilesize
4KB
-
memory/2024-186-0x000000001C150000-0x000000001C151000-memory.dmpFilesize
4KB
-
memory/2024-205-0x000000001CA50000-0x000000001CA51000-memory.dmpFilesize
4KB
-
memory/2024-169-0x000000001B370000-0x000000001B372000-memory.dmpFilesize
8KB
-
memory/2024-168-0x0000000000E70000-0x0000000000E71000-memory.dmpFilesize
4KB
-
memory/2024-208-0x000000001B372000-0x000000001B374000-memory.dmpFilesize
8KB
-
memory/2024-163-0x0000000000000000-mapping.dmp
-
memory/2024-193-0x000000001B300000-0x000000001B301000-memory.dmpFilesize
4KB
-
memory/2024-175-0x000000001B2C0000-0x000000001B2C1000-memory.dmpFilesize
4KB
-
memory/2044-402-0x0000000000000000-mapping.dmp
-
memory/2044-457-0x0000000000000000-mapping.dmp
-
memory/2100-177-0x0000000000C0D000-0x0000000000C1D000-memory.dmpFilesize
64KB
-
memory/2100-170-0x0000000000000000-mapping.dmp
-
memory/2100-178-0x0000000000B20000-0x0000000000B29000-memory.dmpFilesize
36KB
-
memory/2100-448-0x0000000000000000-mapping.dmp
-
memory/2156-421-0x0000000005700000-0x0000000005CA6000-memory.dmpFilesize
5.6MB
-
memory/2156-373-0x0000000005700000-0x0000000005CA6000-memory.dmpFilesize
5.6MB
-
memory/2156-361-0x0000000000000000-mapping.dmp
-
memory/2192-247-0x0000000000000000-mapping.dmp
-
memory/2192-250-0x0000000000D20000-0x0000000000D21000-memory.dmpFilesize
4KB
-
memory/2200-568-0x0000000007402000-0x0000000007403000-memory.dmpFilesize
4KB
-
memory/2200-544-0x0000000007400000-0x0000000007401000-memory.dmpFilesize
4KB
-
memory/2272-562-0x0000000006E90000-0x0000000006E91000-memory.dmpFilesize
4KB
-
memory/2348-469-0x0000000000000000-mapping.dmp
-
memory/2460-147-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2460-146-0x0000000000000000-mapping.dmp
-
memory/2468-553-0x0000000005880000-0x0000000005E82000-memory.dmpFilesize
6.0MB
-
memory/2488-203-0x00000000024D4000-0x00000000024D6000-memory.dmpFilesize
8KB
-
memory/2488-196-0x0000000005D40000-0x0000000005D41000-memory.dmpFilesize
4KB
-
memory/2488-189-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/2488-188-0x0000000002510000-0x000000000252B000-memory.dmpFilesize
108KB
-
memory/2488-201-0x00000000024D2000-0x00000000024D3000-memory.dmpFilesize
4KB
-
memory/2488-190-0x0000000005810000-0x0000000005811000-memory.dmpFilesize
4KB
-
memory/2488-202-0x00000000024D3000-0x00000000024D4000-memory.dmpFilesize
4KB
-
memory/2488-200-0x00000000024D0000-0x00000000024D1000-memory.dmpFilesize
4KB
-
memory/2488-195-0x0000000005A90000-0x0000000005A91000-memory.dmpFilesize
4KB
-
memory/2488-194-0x0000000005A40000-0x0000000005A41000-memory.dmpFilesize
4KB
-
memory/2488-187-0x0000000004C40000-0x0000000004C41000-memory.dmpFilesize
4KB
-
memory/2488-199-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2488-191-0x0000000005830000-0x0000000005831000-memory.dmpFilesize
4KB
-
memory/2488-204-0x0000000005E20000-0x0000000005E21000-memory.dmpFilesize
4KB
-
memory/2488-182-0x0000000000000000-mapping.dmp
-
memory/2488-185-0x00000000023D0000-0x00000000023EC000-memory.dmpFilesize
112KB
-
memory/2488-192-0x0000000005940000-0x0000000005941000-memory.dmpFilesize
4KB
-
memory/2488-183-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2744-375-0x0000000000000000-mapping.dmp
-
memory/2744-395-0x0000000004622000-0x0000000004623000-memory.dmpFilesize
4KB
-
memory/2744-486-0x0000000004625000-0x0000000004627000-memory.dmpFilesize
8KB
-
memory/2744-394-0x0000000004620000-0x0000000004621000-memory.dmpFilesize
4KB
-
memory/2804-198-0x0000000002150000-0x0000000002180000-memory.dmpFilesize
192KB
-
memory/2804-179-0x0000000000000000-mapping.dmp
-
memory/2804-197-0x0000000002120000-0x0000000002142000-memory.dmpFilesize
136KB
-
memory/2996-549-0x0000000005260000-0x0000000005261000-memory.dmpFilesize
4KB
-
memory/2996-557-0x0000000002A30000-0x0000000002A31000-memory.dmpFilesize
4KB
-
memory/3016-219-0x0000000000000000-mapping.dmp
-
memory/3016-222-0x0000000000770000-0x000000000079B000-memory.dmpFilesize
172KB
-
memory/3016-345-0x0000000000000000-mapping.dmp
-
memory/3016-223-0x00000000021B0000-0x00000000021E9000-memory.dmpFilesize
228KB
-
memory/3016-357-0x0000000004FA0000-0x0000000004FA1000-memory.dmpFilesize
4KB
-
memory/3016-358-0x0000000004FA2000-0x0000000004FA3000-memory.dmpFilesize
4KB
-
memory/3048-460-0x0000000000000000-mapping.dmp
-
memory/3112-450-0x0000000000000000-mapping.dmp
-
memory/3136-452-0x0000000000000000-mapping.dmp
-
memory/3136-523-0x0000000006CB0000-0x0000000006CB1000-memory.dmpFilesize
4KB
-
memory/3180-154-0x0000000000000000-mapping.dmp
-
memory/3208-162-0x0000000004620000-0x0000000004636000-memory.dmpFilesize
88KB
-
memory/3208-150-0x0000000002A80000-0x0000000002A96000-memory.dmpFilesize
88KB
-
memory/3240-341-0x0000000000000000-mapping.dmp
-
memory/3304-224-0x0000000000000000-mapping.dmp
-
memory/3304-227-0x0000000000430000-0x0000000000431000-memory.dmpFilesize
4KB
-
memory/3304-229-0x0000000002750000-0x0000000002751000-memory.dmpFilesize
4KB
-
memory/3304-230-0x0000000004DA0000-0x0000000004DA1000-memory.dmpFilesize
4KB
-
memory/3344-340-0x0000000000000000-mapping.dmp
-
memory/3368-440-0x0000000000000000-mapping.dmp
-
memory/3376-468-0x0000000000000000-mapping.dmp
-
memory/3496-238-0x0000000007290000-0x0000000007291000-memory.dmpFilesize
4KB
-
memory/3496-245-0x0000000008500000-0x0000000008501000-memory.dmpFilesize
4KB
-
memory/3496-256-0x0000000008A20000-0x0000000008A21000-memory.dmpFilesize
4KB
-
memory/3496-233-0x0000000003060000-0x0000000003061000-memory.dmpFilesize
4KB
-
memory/3496-231-0x0000000000000000-mapping.dmp
-
memory/3496-234-0x0000000004960000-0x0000000004961000-memory.dmp
Filesize
4KB
-
memory/3496-235-0x0000000007510000-0x0000000007511000-memory.dmp
Filesize
4KB
-
memory/3496-255-0x00000000089D0000-0x00000000089D1000-memory.dmp
Filesize
4KB
-
memory/3496-236-0x0000000004920000-0x0000000004921000-memory.dmp
Filesize
4KB
-
memory/3496-237-0x0000000004922000-0x0000000004923000-memory.dmp
Filesize
4KB
-
memory/3496-252-0x00000000096E0000-0x00000000096E1000-memory.dmp
Filesize
4KB
-
memory/3496-232-0x0000000003060000-0x0000000003061000-memory.dmp
Filesize
4KB
-
memory/3496-239-0x00000000073F0000-0x00000000073F1000-memory.dmp
Filesize
4KB
-
memory/3496-243-0x00000000080A0000-0x00000000080A1000-memory.dmp
Filesize
4KB
-
memory/3496-242-0x0000000007C80000-0x0000000007C81000-memory.dmp
Filesize
4KB
-
memory/3496-241-0x0000000007C10000-0x0000000007C11000-memory.dmp
Filesize
4KB
-
memory/3572-451-0x0000000000000000-mapping.dmp
-
memory/3660-472-0x0000000000000000-mapping.dmp
-
memory/3680-329-0x0000000006EE2000-0x0000000006EE3000-memory.dmp
Filesize
4KB
-
memory/3680-328-0x0000000006EE0000-0x0000000006EE1000-memory.dmp
Filesize
4KB
-
memory/3680-305-0x0000000000000000-mapping.dmp
-
memory/3680-355-0x0000000006EE5000-0x0000000006EE7000-memory.dmp
Filesize
8KB
-
memory/3736-455-0x0000000000000000-mapping.dmp
-
memory/3780-546-0x0000000005330000-0x0000000005932000-memory.dmp
Filesize
6.0MB
-
memory/3896-445-0x0000000000000000-mapping.dmp
-
memory/3896-296-0x0000000000000000-mapping.dmp
-
memory/3916-151-0x0000000000000000-mapping.dmp
-
memory/4016-422-0x0000000000000000-mapping.dmp
-
memory/4016-444-0x0000000004DC0000-0x00000000053C2000-memory.dmp
Filesize
6.0MB
-
memory/4036-295-0x0000000000000000-mapping.dmp
-
memory/4044-539-0x0000000004622000-0x0000000004623000-memory.dmp
Filesize
4KB
-
memory/4044-545-0x0000000004620000-0x0000000004621000-memory.dmp
Filesize
4KB
-
memory/4116-447-0x0000000000000000-mapping.dmp
-
memory/4120-403-0x0000000000000000-mapping.dmp
-
memory/4276-453-0x0000000000000000-mapping.dmp
-
memory/4292-465-0x0000000000000000-mapping.dmp
-
memory/4332-470-0x0000000000000000-mapping.dmp
-
memory/4632-464-0x0000000000000000-mapping.dmp
-
memory/4652-489-0x0000000000E90000-0x0000000000E91000-memory.dmp
Filesize
4KB
-
memory/4652-494-0x0000000000E92000-0x0000000000E93000-memory.dmp
Filesize
4KB
-
memory/4672-462-0x0000000000000000-mapping.dmp
-
memory/4844-218-0x0000000002680000-0x000000000270F000-memory.dmp
Filesize
572KB
-
memory/4844-214-0x0000000000000000-mapping.dmp
-
memory/4844-217-0x0000000000BDC000-0x0000000000C2B000-memory.dmp
Filesize
316KB
-
memory/4916-509-0x0000000002700000-0x0000000002760000-memory.dmp
Filesize
384KB
-
memory/4916-473-0x0000000000000000-mapping.dmp
-
memory/4936-467-0x0000000000000000-mapping.dmp
-
memory/4992-471-0x0000000000000000-mapping.dmp
-
memory/5028-466-0x0000000000000000-mapping.dmp
-
memory/5104-491-0x0000000004C40000-0x0000000004C41000-memory.dmp
Filesize
4KB
-
memory/5104-459-0x0000000000000000-mapping.dmp
-
memory/5104-495-0x0000000004C42000-0x0000000004C43000-memory.dmp
Filesize
4KB
-
memory/5112-449-0x0000000000000000-mapping.dmp
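The dump names in the listing above follow one pattern: `memory/<pid>-<seq>-<start>-<end>-memory.dmp` for a dumped region, and `memory/<pid>-<seq>-0x0000000000000000-mapping.dmp` for a mapping event with no range. The reported Filesize is simply `end - start` in KiB (or MiB with one decimal), so the listing can be machine-checked and the regions grouped per PID, which is the quickest way to find the large regions where an unpacked or injected payload usually sits. The following parser is an added example, not part of the sandbox report or its tooling; reading the first field as the PID and the second as the sandbox's event sequence number is an assumption drawn from the pattern of the names, and the sample entries are copied from the listing above.

```python
import re
from collections import defaultdict

# Naming scheme inferred from the listing (assumption: first field = PID,
# second field = sandbox event sequence number):
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp   dumped region
#   memory/<pid>-<seq>-0x0000000000000000-mapping.dmp  mapping event, no range
REGION_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]{16})-0x(?P<end>[0-9A-Fa-f]{16})-memory\.dmp$"
)
MAPPING_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x0{16}-mapping\.dmp$")


def parse_entry(name):
    """Describe one dump file name, or return None if it does not match the scheme."""
    m = REGION_RE.match(name)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        return {"kind": "region", "pid": int(m["pid"]), "seq": int(m["seq"]),
                "start": start, "end": end, "size": end - start}
    m = MAPPING_RE.match(name)
    if m:
        return {"kind": "mapping", "pid": int(m["pid"]), "seq": int(m["seq"])}
    return None


def human_size(nbytes):
    """Format the way the report does: whole KB (1024 bytes) below 1 MiB, else MB with one decimal."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_listing(entries):
    """entries: list of (name, reported_size_or_None).

    Returns (regions grouped by PID, list of (name, problem)). Mapping entries are
    validated but carry no range, so they are not added to the per-PID regions.
    """
    by_pid = defaultdict(list)
    problems = []
    for name, reported in entries:
        info = parse_entry(name)
        if info is None:
            problems.append((name, "unrecognised name"))
            continue
        if info["kind"] != "region":
            continue
        if info["end"] <= info["start"]:
            problems.append((name, "end <= start"))
            continue
        computed = human_size(info["size"])
        if reported is not None and computed != reported:
            problems.append((name, f"listed {reported}, computed {computed}"))
        by_pid[info["pid"]].append(info)
    return by_pid, problems


def largest_regions(by_pid, n=3):
    """The n largest dumped regions across all PIDs: (pid, start, size in bytes)."""
    regions = [r for rs in by_pid.values() for r in rs]
    regions.sort(key=lambda r: r["size"], reverse=True)
    return [(r["pid"], hex(r["start"]), r["size"]) for r in regions[:n]]


# Entries copied from the listing, with the Filesize the report shows for each.
SAMPLE = [
    ("memory/2804-198-0x0000000002150000-0x0000000002180000-memory.dmp", "192KB"),
    ("memory/2804-179-0x0000000000000000-mapping.dmp", None),
    ("memory/3016-223-0x00000000021B0000-0x00000000021E9000-memory.dmp", "228KB"),
    ("memory/3780-546-0x0000000005330000-0x0000000005932000-memory.dmp", "6.0MB"),
    ("memory/4844-218-0x0000000002680000-0x000000000270F000-memory.dmp", "572KB"),
    ("memory/4844-217-0x0000000000BDC000-0x0000000000C2B000-memory.dmp", "316KB"),
    ("memory/4916-509-0x0000000002700000-0x0000000002760000-memory.dmp", "384KB"),
]

if __name__ == "__main__":
    by_pid, problems = check_listing(SAMPLE)
    for pid, regions in sorted(by_pid.items()):
        print(pid, [(hex(r["start"]), human_size(r["size"])) for r in regions])
    print("largest:", largest_regions(by_pid))
    print("problems:", problems)
```

Run it over the full listing (one tuple per entry) and the per-PID view lines up with the other sections of the report: the 4KB regions are mostly .NET heap and stack scraps, while the few hundred-KB and multi-MB regions are the ones worth carving a PE out of.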